Edit tour

Windows Analysis Report
aQ7bSXduYp.exe

Overview

General Information

Sample name:	aQ7bSXduYp.exe renamed because original name is a hash value
Original sample name:	9755ac9d8308666a712c1e3e3d28c497e58be9592ce2556cf374ecac2e88b8ee.exe
Analysis ID:	1579608
MD5:	042ebfc9792a51bd61554078b19c7e6c
SHA1:	5cc50b4a2634ce0986b20eb55c650d2cfd01ec70
SHA256:	9755ac9d8308666a712c1e3e3d28c497e58be9592ce2556cf374ecac2e88b8ee
Tags:	backdoorexepurplefoxupxuser-zhuzhu0009
Infos:

Detection

GhostRat, Nitol

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

Yara detected Nitol

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Checks if browser processes are running

Contains functionality to capture and log keystrokes

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after accessing registry keys)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries device information via Setup API

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Communication To Uncommon Destination Ports

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

aQ7bSXduYp.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\aQ7bSXduYp.exe" MD5: 042EBFC9792A51BD61554078B19C7E6C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Nitol		No Attribution	https://asec.ahnlab.com/en/44504/ https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/ https://en.wikipedia.org/wiki/Nitol_botnet https://krebsonsecurity.com/tag/nitol/	https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol

Malware Configuration

Threatname: GhostRat

{"C2 url": "156.225.22.155"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
Process Memory Space: aQ7bSXduYp.exe PID: 7536	JoeSecurity_Nitol	Yara detected Nitol	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.aQ7bSXduYp.exe.10000000.1.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.aQ7bSXduYp.exe.10000000.1.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0.2.aQ7bSXduYp.exe.10000000.1.unpack	MALWARE_Win_Nitol	Detects Nitol backdoor	ditekSHen	0x11978:$s2: Applications\iexplore.exe\shell\open\command 0x12ad8:$s3: taskkill /f /im rundll32.exe 0x11024:$s4: \Tencent\Users\. 0x11634:$s5: [Pause Break] 0x1187a:$s6: :]%d-%d-%d %d:%d:%d 0x11ac8:$domain: www.xy999.com
0.2.aQ7bSXduYp.exe.400000.0.unpack	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security
0.2.aQ7bSXduYp.exe.400000.0.unpack	JoeSecurity_Nitol	Yara detected Nitol	Joe Security
0.2.aQ7bSXduYp.exe.400000.0.unpack	MALWARE_Win_Nitol	Detects Nitol backdoor	ditekSHen	0x229d4:$s2: Applications\iexplore.exe\shell\open\command 0x23b34:$s3: taskkill /f /im rundll32.exe 0x22080:$s4: \Tencent\Users\. 0x22690:$s5: [Pause Break] 0x228d6:$s6: :]%d-%d-%d %d:%d:%d 0x11040:$domain: www.xy999.com 0x22b24:$domain: www.xy999.com
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 156.225.22.155, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\Desktop\aQ7bSXduYp.exe, Initiated: true, ProcessId: 7536, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49706

Suricata Signatures

ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-23T05:19:54.763350+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49714	156.225.22.155	8080	TCP
2024-12-23T05:20:02.449574+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49706	156.225.22.155	8080	TCP
2024-12-23T05:20:23.825452+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49706	156.225.22.155	8080	TCP
2024-12-23T05:20:24.764822+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49709	156.225.22.155	8080	TCP
2024-12-23T05:20:46.388737+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49709	156.225.22.155	8080	TCP
2024-12-23T05:20:47.288726+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49710	156.225.22.155	8080	TCP
2024-12-23T05:21:08.951009+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49710	156.225.22.155	8080	TCP
2024-12-23T05:21:09.840927+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49712	156.225.22.155	8080	TCP
2024-12-23T05:21:31.498441+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49712	156.225.22.155	8080	TCP
2024-12-23T05:21:32.411046+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49713	156.225.22.155	8080	TCP
2024-12-23T05:21:54.014295+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49713	156.225.22.155	8080	TCP
2024-12-23T05:21:54.928786+0100	2851179	1	Malware Command and Control Activity Detected	192.168.2.8	49714	156.225.22.155	8080	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack

Malware Configuration Extractor: GhostRat {"C2 url": "156.225.22.155"}

Multi AV Scanner detection for submitted file

Source: aQ7bSXduYp.exe	Virustotal: Detection: 71%			Perma Link
Source: aQ7bSXduYp.exe	ReversingLabs: Detection: 71%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.8% probability

Machine Learning detection for sample

Source: aQ7bSXduYp.exe

Joe Sandbox ML: detected

Source: aQ7bSXduYp.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001560 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,

0_2_10001560

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 4x nop then push 00000014h	0_2_0040149C
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-48h]	0_2_00401EB4
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-18h]	0_2_00401B9F
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 4x nop then inc eax	0_2_004012C7
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-20h]	0_2_00401D14

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49706 -> 156.225.22.155:8080
Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49712 -> 156.225.22.155:8080
Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49713 -> 156.225.22.155:8080
Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49709 -> 156.225.22.155:8080
Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49714 -> 156.225.22.155:8080
Source: Network traffic	Suricata IDS: 2851179 - Severity 1 - ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2 : 192.168.2.8:49710 -> 156.225.22.155:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 156.225.22.155

Source: global traffic

TCP traffic: 192.168.2.8:49706 -> 156.225.22.155:8080

Source: Joe Sandbox View

ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS XIAOZHIYUN1-AS-APICIDCNETWORKUS

Source: global traffic

HTTP traffic detected: GET /1.jpg HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: x.vay.ccConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001E20 recv,select,recv,

0_2_10001E20

Source: global traffic

DNS traffic detected: DNS query: x.vay.cc

Source: aQ7bSXduYp.exe, aQ7bSXduYp.exe, 00000000.00000003.1870370198.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321479805.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2096068480.000000000072E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/
Source: aQ7bSXduYp.exe, aQ7bSXduYp.exe, 00000000.00000002.2650988632.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870370198.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321479805.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2096068480.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.000000000070E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2546573333.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650696741.0000000000630000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/1.jpg
Source: aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/1.jpg(M
Source: aQ7bSXduYp.exe, 00000000.00000002.2650696741.0000000000630000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/1.jpg:
Source: aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/1.jpg:M.
Source: aQ7bSXduYp.exe, 00000000.00000002.2650988632.000000000070E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x.vay.cc/1.jpgiy9
Source: aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: <BackSpace>		0_2_100026A0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: <Enter>		0_2_100026A0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001A30 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_10001A30

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001A30 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_10001A30

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_100014C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_100014C0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_100026A0 GetKeyState,Sleep,lstrlenA,GetKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,lstrcatA,lstrlenA,lstrcatA,lstrcatA,

0_2_100026A0

E-Banking Fraud

Checks if browser processes are running

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: lstrlenA,strstr,lstrcpyA,CreateProcessA, Applications\iexplore.exe\shell\open\command

0_2_100035C0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol backdoor Author: ditekSHen
Source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Nitol backdoor Author: ditekSHen

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_100016D0: CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,

0_2_100016D0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10003CE0 Sleep,OpenSCManagerA,OpenServiceA,DeleteService,GetSystemDirectoryA,lstrcatA,DeleteFileA,exit,VirtualAlloc,VirtualAlloc,Sleep,Sleep,VirtualAlloc,

0_2_10003CE0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10006880 LoadLibraryA,LoadLibraryA,GetProcAddress,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,LoadLibraryA,GetProcAddress,SetTokenInformation,CreateProcessAsUserA,CloseHandle,CloseHandle,CloseHandle,FreeLibrary,

0_2_10006880

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_100016D0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,		0_2_100016D0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_10002DA0 ExitWindowsEx,		0_2_10002DA0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_00407400	0_2_00407400
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_00402603	0_2_00402603
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_1000B460	0_2_1000B460
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_10009899	0_2_10009899
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_1000A8B0	0_2_1000A8B0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_10008EE0	0_2_10008EE0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_1000AD50	0_2_1000AD50
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_1000B1D0	0_2_1000B1D0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_100095EE	0_2_100095EE

Source: aQ7bSXduYp.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor
Source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Nitol author = ditekSHen, description = Detects Nitol backdoor

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_100016D0 CreateFileA,DeviceIoControl,DeviceIoControl,WriteFile,DeviceIoControl,CloseHandle,Sleep,GetVersion,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,exit,

0_2_100016D0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_100059D0 lstrcpyA,lstrcpyA,lstrcpyA,getsockname,GetVersionExA,RegOpenKeyA,RegQueryValueExA,RegCloseKey,wsprintfA,wsprintfA,wsprintfA,GlobalMemoryStatusEx,GetDriveTypeA,GetDriveTypeA,GetDiskFreeSpaceExA,GetLastInputInfo,GetTickCount,lstrcpyA,

0_2_100059D0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: GetModuleFileNameA,ExpandEnvironmentStringsA,strncmp,wsprintfA,CopyFileA,SetFileAttributesA,OpenSCManagerA,CreateServiceA,LockServiceDatabase,ChangeServiceConfig2A,ChangeServiceConfig2A,UnlockServiceDatabase,GetLastError,OpenServiceA,StartServiceA,StartServiceA,RegOpenKeyA,lstrlenA,RegSetValueExA,

0_2_100076E0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10007070 LoadLibraryA,GetProcAddress,OutputDebugStringA,CreateToolhelp32Snapshot,Process32First,Process32Next,

0_2_10007070

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10007BC0 GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,GetCurrentProcessId,ExitProcess,GetVersionExA,GetVersionExA,GetVersionExA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,wsprintfA,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,sprintf,lstrlenA,wsprintfA,GetModuleFileNameA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,GetModuleFileNameA,Sleep,Sleep,WaitForSingleObject,CloseHandle,Sleep,

0_2_10007BC0

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_10007BC0 GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,GetCurrentProcessId,ExitProcess,GetVersionExA,GetVersionExA,GetVersionExA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,wsprintfA,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,sprintf,lstrlenA,wsprintfA,GetModuleFileNameA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,GetModuleFileNameA,Sleep,Sleep,WaitForSingleObject,CloseHandle,Sleep,		0_2_10007BC0
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_10007200 GetInputState,GetCurrentThreadId,PostThreadMessageA,GetMessageA,OutputDebugStringA,GetCurrentProcessId,ExitProcess,GetVersionExA,GetVersionExA,GetVersionExA,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,Sleep,Sleep,StartServiceCtrlDispatcherA,StartServiceCtrlDispatcherA,Sleep,StartServiceCtrlDispatcherA,ExpandEnvironmentStringsA,wsprintfA,GetModuleFileNameA,CopyFileA,Sleep,ExitProcess,CreateThread,WaitForSingleObject,CloseHandle,Sleep,Sleep,sprintf,lstrlenA,wsprintfA,GetModuleFileNameA,SHGetSpecialFolderPathA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,MoveFileA,Sleep,Sleep,WaitForSingleObject,CloseHandle,Sleep,		0_2_10007200

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Mutant created: \Sessions\1\BaseNamedObjects\156.225.22.155:8080:Rsssqi yqeaiusa

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aQ7bSXduYp.exe	Virustotal: Detection: 71%
Source: aQ7bSXduYp.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Section loaded: msvfw32.dll	Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_0040149C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,

0_2_0040149C

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_0040AF30 push eax; ret		0_2_0040AF5E
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_1000B780 push eax; ret		0_2_1000B7AE

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Rsssqi yqeaiusa

Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

0_2_10007BC0

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon289.png

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10002E20 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog,

0_2_10002E20

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-10197

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001860 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,GetLastError,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,GetLastError,GetLastError,GetLastError,LocalFree,SetupDiGetDeviceRegistryPropertyA,GetLastError,_strcmpi,SetupDiSetClassInstallParamsA,GetLastError,SetupDiCallClassInstaller,GetLastError,SetupDiEnumDeviceInfo,GetLastError,SetupDiDestroyDeviceInfoList,SetLastError,

0_2_10001860

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Window / User API: threadDelayed 7334

Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_0-10936

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe TID: 7652	Thread sleep count: 7334 > 30			Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe TID: 7652	Thread sleep time: -73340s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Thread sleep count: Count: 7334 delay: -10

Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10001560 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,

0_2_10001560

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10004D90 GetSystemInfo,wsprintfA,

0_2_10004D90

Source: aQ7bSXduYp.exe, 00000000.00000002.2650988632.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870370198.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321479805.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2096068480.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2546573333.000000000072E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX)y%SystemRoot%\system32\mswsock.dll]
Source: aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000791000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000791000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000791000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000789000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWwk
Source: aQ7bSXduYp.exe, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000789000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000789000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000789000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000789000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000789000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

API call chain: ExitProcess graph end node

graph_0-10848

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_0040149C LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc,VirtualAlloc,

0_2_0040149C

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10004620 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,

0_2_10004620

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_00404740 SetUnhandledExceptionFilter,		0_2_00404740
Source: C:\Users\user\Desktop\aQ7bSXduYp.exe	Code function: 0_2_00404760 SetUnhandledExceptionFilter,		0_2_00404760

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: LoadLibraryA,OutputDebugStringA,GetProcAddress,OutputDebugStringA,CreateToolhelp32Snapshot,Process32First,_strcmpi,_strcmpi,Process32Next, explorer.exe

0_2_10007120

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

0_2_10001860

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_10005D90 GetVersionExA,wsprintfA,wsprintfA,GetLocalTime,wsprintfA,lstrlenA,

0_2_10005D90

Source: C:\Users\user\Desktop\aQ7bSXduYp.exe

Code function: 0_2_00403260 EntryPoint,GetVersion,

0_2_00403260

Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vsserv.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avcenter.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cpf.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: F-PROT.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: spidernt.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: F-PROT.EXE
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: rtvscan.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: nspupsvc.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 360tray.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: ashDisp.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SBAMSvc.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: a2guard.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgwdsvc.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: AYAgent.aye
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: vsmon.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: QUHLPSVC.EXE
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: RavMonD.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe
Source: aQ7bSXduYp.exe, aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Mcshield.exe
Source: aQ7bSXduYp.exe, 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: K7TSecurity.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aQ7bSXduYp.exe PID: 7536, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected Nitol

Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.10000000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.aQ7bSXduYp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aQ7bSXduYp.exe PID: 7536, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	21 Obfuscated Files or Information	111 Input Capture	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	1 Replication Through Removable Media	12 Service Execution	1 Valid Accounts	1 Valid Accounts	1 Software Packing	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	111 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	23 Windows Service	11 Access Token Manipulation	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	23 Windows Service	1 Masquerading	NTDS	16 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	1 Valid Accounts	LSA Secrets	1 Query Registry	SSH	Keylogging	112 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Access Token Manipulation	DCSync	2 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Process Injection	Proc Filesystem	12 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Indicator Removal	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
aQ7bSXduYp.exe	72%	Virustotal		Browse
aQ7bSXduYp.exe	71%	ReversingLabs	Win32.Trojan.PolyPatch
aQ7bSXduYp.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
x.vay.cc	156.225.22.155	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
156.225.22.155	true		unknown
http://x.vay.cc/1.jpg	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://x.vay.cc/	aQ7bSXduYp.exe, aQ7bSXduYp.exe, 00000000.00000003.1870370198.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321479805.000000000072E000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2096068480.000000000072E000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x.vay.cc/1.jpg(M	aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x.vay.cc/1.jpg:M.	aQ7bSXduYp.exe, 00000000.00000003.2546503244.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.1870265040.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000002.2650988632.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2095867332.0000000000774000.00000004.00000020.00020000.00000000.sdmp, aQ7bSXduYp.exe, 00000000.00000003.2321396688.0000000000774000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x.vay.cc/1.jpg:	aQ7bSXduYp.exe, 00000000.00000002.2650696741.0000000000630000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://x.vay.cc/1.jpgiy9	aQ7bSXduYp.exe, 00000000.00000002.2650988632.000000000070E000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
156.225.22.155	x.vay.cc	Seychelles		136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1579608
Start date and time:	2024-12-23 05:19:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aQ7bSXduYp.exe renamed because original name is a hash value
Original Sample Name:	9755ac9d8308666a712c1e3e3d28c497e58be9592ce2556cf374ecac2e88b8ee.exe
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 40 Number of non-executed functions: 92
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:20:51	API Interceptor	4408x Sleep call for process: aQ7bSXduYp.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XIAOZHIYUN1-AS-APICIDCNETWORKUS	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	103.199.102.178
	nsharm.elf	Get hash	malicious	Mirai	Browse	156.234.199.255
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	156.234.199.204
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	45.207.113.55
	arm5.nn-20241218-0633.elf	Get hash	malicious	Mirai, Okiru	Browse	156.226.203.160
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	156.226.185.157
	powerpc.elf	Get hash	malicious	Unknown	Browse	154.222.104.79
	arm6.elf	Get hash	malicious	Unknown	Browse	156.241.59.21
	x86_64.elf	Get hash	malicious	Mirai	Browse	156.253.67.13
	i686.elf	Get hash	malicious	Mirai	Browse	156.226.137.248

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	3.3897809942320607
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	aQ7bSXduYp.exe
File size:	507'904 bytes
MD5:	042ebfc9792a51bd61554078b19c7e6c
SHA1:	5cc50b4a2634ce0986b20eb55c650d2cfd01ec70
SHA256:	9755ac9d8308666a712c1e3e3d28c497e58be9592ce2556cf374ecac2e88b8ee
SHA512:	1b3a1bdfe82668b74578b056c215db7e02236686e8b85da06c7b2fbc6c6224ac12de76f58708e008558b2f2e734a184bf36f2dffd451da841d8e767ef5c73ab0
SSDEEP:	3072:3yZK/yLrQbWaR5Qax8c2JKgm45EWWdfnaZfw4luiu2/ZVXfR:CQyLEbWaR5Cc5E6nmomxF
TLSH:	4CB4C001F640C419E1C5C1B6E6BEC7BFB82D9EB0134528D3A2E4B6AA37352D159339DB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Mdy.Mdy.Mdy..xw.Xdy.{Bs..dy..k$.Ndy.Mdx..dy.{Br.Fdy.RichMdy.................PE..L....(.b.....................@......`2.....

File Icon


Icon Hash:	74f2d1d1d3d3d752

Static PE Info

General

Entrypoint:	0x403260
Entrypoint Section:	UPX0
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x620B28E9 [Tue Feb 15 04:15:37 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	032ac126bef9dc99c70a99a6b91b16f2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0040F128h
push 00405AF8h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0040F028h]
mov dword ptr [0045DCE0h], eax
mov eax, dword ptr [0045DCE0h]
shr eax, 08h
and eax, 000000FFh
mov dword ptr [0045DCECh], eax
mov ecx, dword ptr [0045DCE0h]
and ecx, 000000FFh
mov dword ptr [0045DCE8h], ecx
mov edx, dword ptr [0045DCE8h]
shl edx, 08h
add edx, dword ptr [0045DCECh]
mov dword ptr [0045DCE4h], edx
mov eax, dword ptr [0045DCE0h]
shr eax, 10h
and eax, 0000FFFFh
mov dword ptr [0045DCE0h], eax
push 00000001h
call 00007F8D69488E42h
add esp, 04h
test eax, eax
jne 00007F8D694866CCh
push 0000001Ch
call 00007F8D694867D4h
add esp, 04h
call 00007F8D6948783Ch
test eax, eax
jne 00007F8D694866CCh
push 00000010h
call 00007F8D694867C1h
add esp, 04h
mov dword ptr [ebp-04h], 00000000h
call 00007F8D69488852h
call dword ptr [0040F024h]
mov dword ptr [0045F378h], eax
call 00007F8D69488622h
mov dword ptr [0045DC68h], eax

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e000	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x67000	0x3750	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x49000	0x49000	4846e42971a99b098aeccd5ada1e28f9	False	0.365257785744863	data	4.602843880355792	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x4a000	0x1d000	0x1d000	1f49befe1249d80d39aab52aafefd609	False	0.07623080549568965	data	0.9890847068640483	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x67000	0x15000	0x15000	4ebb12fea01399f8300fe6b5e15f0eaa	False	0.07845052083333333	data	1.4073187956554571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x670d4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3865145228215768
RT_ICON	0x69680	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.4523921200750469
RT_GROUP_ICON	0x6a72c	0x22	data	Chinese	China	0.9117647058823529

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, LoadLibraryA, VirtualAlloc, VirtualFree, FreeLibrary, RtlUnwind, RaiseException, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersion, ExitProcess, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, GetCurrentThreadId, TlsSetValue, TlsAlloc, SetLastError, TlsGetValue, GetLastError, SetUnhandledExceptionFilter, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, GetVersionExA, HeapDestroy, HeapCreate, WriteFile, IsBadWritePtr, IsBadReadPtr, HeapValidate, HeapAlloc, HeapReAlloc, DebugBreak, InterlockedDecrement, OutputDebugStringA, InterlockedIncrement, IsBadCodePtr, GetCPInfo, GetACP, GetOEMCP, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, SetFilePointer, SetStdHandle, FlushFileBuffers, CloseHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-23T05:19:54.763350+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49714	156.225.22.155	8080	TCP
2024-12-23T05:20:02.449574+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49706	156.225.22.155	8080	TCP
2024-12-23T05:20:23.825452+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49706	156.225.22.155	8080	TCP
2024-12-23T05:20:24.764822+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49709	156.225.22.155	8080	TCP
2024-12-23T05:20:46.388737+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49709	156.225.22.155	8080	TCP
2024-12-23T05:20:47.288726+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49710	156.225.22.155	8080	TCP
2024-12-23T05:21:08.951009+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49710	156.225.22.155	8080	TCP
2024-12-23T05:21:09.840927+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49712	156.225.22.155	8080	TCP
2024-12-23T05:21:31.498441+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49712	156.225.22.155	8080	TCP
2024-12-23T05:21:32.411046+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49713	156.225.22.155	8080	TCP
2024-12-23T05:21:54.014295+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49713	156.225.22.155	8080	TCP
2024-12-23T05:21:54.928786+0100	2851179	ETPRO MALWARE PurpleFox Backdoor/Rootkit Checkin M2	1	192.168.2.8	49714	156.225.22.155	8080	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 05:20:01.782222986 CET	49706	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:01.902033091 CET	8080	49706	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:01.904166937 CET	49706	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:02.449573994 CET	49706	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:02.569108009 CET	8080	49706	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:03.255043030 CET	49707	80	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:03.374679089 CET	80	49707	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:03.374767065 CET	49707	80	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:03.375006914 CET	49707	80	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:03.494469881 CET	80	49707	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:23.824930906 CET	8080	49706	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:23.825227022 CET	49706	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:23.825452089 CET	49706	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:24.331134081 CET	49709	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:24.450859070 CET	8080	49709	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:24.450931072 CET	49709	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:24.764822006 CET	49709	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:24.884560108 CET	8080	49709	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:25.278244019 CET	80	49707	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:25.278458118 CET	49707	80	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:25.279560089 CET	49707	80	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:25.399266005 CET	80	49707	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:46.388504982 CET	8080	49709	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:46.388596058 CET	49709	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:46.388736963 CET	49709	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:46.893873930 CET	49710	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:47.013875961 CET	8080	49710	156.225.22.155	192.168.2.8
Dec 23, 2024 05:20:47.014132023 CET	49710	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:47.288726091 CET	49710	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:20:47.408508062 CET	8080	49710	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:08.950860023 CET	8080	49710	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:08.950936079 CET	49710	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:08.951009035 CET	49710	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:09.456084013 CET	49712	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:09.575834990 CET	8080	49712	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:09.575948954 CET	49712	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:09.840926886 CET	49712	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:09.960597992 CET	8080	49712	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:31.498214006 CET	8080	49712	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:31.498322010 CET	49712	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:31.498440981 CET	49712	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:32.003227949 CET	49713	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:32.123182058 CET	8080	49713	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:32.123321056 CET	49713	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:32.411046028 CET	49713	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:32.530920982 CET	8080	49713	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:54.014118910 CET	8080	49713	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:54.014202118 CET	49713	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:54.014295101 CET	49713	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:54.518939018 CET	49714	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:54.638712883 CET	8080	49714	156.225.22.155	192.168.2.8
Dec 23, 2024 05:21:54.638804913 CET	49714	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:54.928786039 CET	49714	8080	192.168.2.8	156.225.22.155
Dec 23, 2024 05:21:55.048449039 CET	8080	49714	156.225.22.155	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 23, 2024 05:20:02.473928928 CET	58786	53	192.168.2.8	1.1.1.1
Dec 23, 2024 05:20:02.700536013 CET	53	58786	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 23, 2024 05:20:02.473928928 CET	192.168.2.8	1.1.1.1	0x4cfd	Standard query (0)	x.vay.cc	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 23, 2024 05:20:02.700536013 CET	1.1.1.1	192.168.2.8	0x4cfd	No error (0)	x.vay.cc		156.225.22.155	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

x.vay.cc

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	156.225.22.155	80	7536	C:\Users\user\Desktop\aQ7bSXduYp.exe

Timestamp	Bytes transferred	Direction	Data
Dec 23, 2024 05:20:03.375006914 CET	272	OUT	GET /1.jpg HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: x.vay.cc Connection: Keep-Alive

Target ID:	0
Start time:	23:19:59
Start date:	22/12/2024
Path:	C:\Users\user\Desktop\aQ7bSXduYp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aQ7bSXduYp.exe"
Imagebase:	0x400000
File size:	507'904 bytes
MD5 hash:	042EBFC9792A51BD61554078B19C7E6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GhostRat, Description: Yara detected GhostRat, Source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Nitol, Description: Yara detected Nitol, Source: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	46.4%
Signature Coverage:	17.2%
Total number of Nodes:	1742
Total number of Limit Nodes:	22

Executed Functions

Function 10007BC0 Relevance: 105.4, APIs: 40, Strings: 20, Instructions: 378
sleepthreadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 10007BC9
GetCurrentThreadId.KERNEL32 ref: 10007BD4
PostThreadMessageA.USER32(00000000), ref: 10007BDB
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 10007BEC
GetCurrentProcessId.KERNEL32 ref: 10007C01

Part of subcall function 10007070: LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000,00000000), ref: 10007088
Part of subcall function 10007070: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10007094
Part of subcall function 10007070: OutputDebugStringA.KERNEL32(GetProc error), ref: 100070A6

ExitProcess.KERNEL32 ref: 10007C1C
GetVersionExA.KERNEL32 ref: 10007C3B
GetVersionExA.KERNEL32(?), ref: 10007C80
CreateThread.KERNEL32(00000000,00000000,10006DC0,00000000,00000000,00000000), ref: 10007CB5
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?), ref: 10007CD3
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 10007CDA
Sleep.KERNEL32(000F4240,?,?,?,?,?,?,?,?,?,?), ref: 10007CEB
Sleep.KERNEL32 ref: 10007D28
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 10007D35
Sleep.KERNEL32(000003E8), ref: 10007D3C
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 10007D43
ExitProcess.KERNEL32 ref: 10007E88

Part of subcall function 10007120: LoadLibraryA.KERNEL32(Kernel32.dll,?,?,00000000), ref: 10007138
Part of subcall function 10007120: OutputDebugStringA.KERNEL32(Loaddll error), ref: 1000714B

ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\Microsoft Msmiou\,?,00000104,?,?,?), ref: 10007D5C
wsprintfA.USER32 ref: 10007D7F
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 10007E29
CopyFileA.KERNEL32(?,?,00000000), ref: 10007E40
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,Aaegmai.exe,?,?,?), ref: 10007E7B

Strings

.exe, xrefs: 10008037
.Wu, xrefs: 10007CDA, 10007EE1, 1000809C
s, xrefs: 10007F24
Mqgaku auegyyegeecmkimecg, xrefs: 10007E46
C, xrefs: 10007F56
http://x.vay.cc/1.jpg, xrefs: 10007C3D, 10007C4A
u, xrefs: 10007F7C
Default, xrefs: 10007E5A, 10007E96, 10007FA4
Rsssqi yqeaiusa, xrefs: 10007D10, 10007E50, 10007E5F, 10007E69, 10007E9B, 10007EA5, 10007F14, 10007F1A, 10007F51, 10007FA9, 10007FB3
t, xrefs: 10007F6D
e, xrefs: 10007F63
r, xrefs: 10007F77
\, xrefs: 10007D99
G, xrefs: 10007F72
Aaegmai.exe, xrefs: 10007D66
%ProgramFiles%\Microsoft Msmiou\, xrefs: 10007D57
c, xrefs: 10007F68
Saukqc waqoaeiw, xrefs: 10007E4B
%, xrefs: 10007F1F
p, xrefs: 10007F81

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Sleep$ProcessThread$CtrlCurrentDebugDispatcherExitFileLibraryLoadMessageOutputServiceStartStringVersion$AddressCloseCopyCreateEnvironmentExpandHandleInputModuleNameObjectPostProcSingleStateStringsWaitwsprintf
String ID: %$%ProgramFiles%\Microsoft Msmiou\$.exe$Aaegmai.exe$C$Default$G$Mqgaku auegyyegeecmkimecg$Rsssqi yqeaiusa$Saukqc waqoaeiw$\$c$e$http://x.vay.cc/1.jpg$p$r$s$t$u$.Wu
API String ID: 4008411486-1395517537
Opcode ID: bab88af11f6b48f30df971d4e62b5e3ec82fa2ef94e2e934d60d71c8370059ba
Instruction ID: ed3127d2ed973381872836914633078b1d508e2121c281cc79069413aba0975f
Opcode Fuzzy Hash: bab88af11f6b48f30df971d4e62b5e3ec82fa2ef94e2e934d60d71c8370059ba
Instruction Fuzzy Hash: 02C1F6B1408348AFF314DB748C85EEF7BECFB89384F040A1CF68556196DB7499058BA6

Function 0040149C Relevance: 105.3, APIs: 9, Strings: 51, Instructions: 331
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,HeapAlloc), ref: 00401502
GetProcAddress.KERNEL32(00000000), ref: 00401509
LoadLibraryA.KERNEL32(kernel32.dll,VirtualAlloc), ref: 00401598
GetProcAddress.KERNEL32(00000000), ref: 0040159F
LoadLibraryA.KERNEL32(kernel32.dll,GetProcessHeap), ref: 004015F1
GetProcAddress.KERNEL32(00000000), ref: 004015F8

Strings

u, xrefs: 0040156A
t, xrefs: 00401566
a, xrefs: 004014D8
N, xrefs: 004014A8
c, xrefs: 00401586
., xrefs: 00401546
VirtualAlloc, xrefs: 0040158E
a, xrefs: 0040156E
l, xrefs: 0040157A
E, xrefs: 004014AC
kernel32.dll, xrefs: 00401593
L, xrefs: 0040153A
l, xrefs: 004014E8
3, xrefs: 004014B4
L, xrefs: 004014B0
o, xrefs: 00401582
HeapAlloc, xrefs: 004014F8
., xrefs: 004014BC
kernel32.dll, xrefs: 004015EC
l, xrefs: 0040157E
c, xrefs: 004014F0
kernel32.dll, xrefs: 004014FD
A, xrefs: 004014E0
l, xrefs: 004014E4
2, xrefs: 004014B8
l, xrefs: 0040154E
K, xrefs: 0040149C
V, xrefs: 0040155A
r, xrefs: 00401562
R, xrefs: 00401528
p, xrefs: 004014DC
l, xrefs: 004014C4
l, xrefs: 00401552
E, xrefs: 00401536
E, xrefs: 004014A0
o, xrefs: 004014EC
i, xrefs: 0040155E
A, xrefs: 00401576
d, xrefs: 0040154A
l, xrefs: 00401572
d, xrefs: 004014C0
N, xrefs: 0040152F
E, xrefs: 00401521
e, xrefs: 004014D4
GetProcessHeap, xrefs: 004015E8, 004015EB
H, xrefs: 004014D0
2, xrefs: 00401542
K, xrefs: 0040151A
R, xrefs: 004014A4
l, xrefs: 004014C8
3, xrefs: 0040153E

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .$.$2$2$3$3$A$A$E$E$E$E$GetProcessHeap$H$HeapAlloc$K$K$L$L$N$N$R$R$V$VirtualAlloc$a$a$c$c$d$d$e$i$kernel32.dll$kernel32.dll$kernel32.dll$l$l$l$l$l$l$l$l$l$o$o$p$r$t$u
API String ID: 2574300362-4013917992
Opcode ID: 712b4ef04c9159f4835f35c4a3c6e821e28e79fd423ca0a0ed8b518a40decddf
Instruction ID: 8114380cada086979454d1969582b8d3431fd090255e38395bd1b8d59baf883f
Opcode Fuzzy Hash: 712b4ef04c9159f4835f35c4a3c6e821e28e79fd423ca0a0ed8b518a40decddf
Instruction Fuzzy Hash: 75C15174D04288DFEB11CBE8C848BDEBFB1AF15309F144198E5487B392C7BA5949CB69

Function 10005D90 Relevance: 57.9, APIs: 4, Strings: 29, Instructions: 139
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10005E82
GetLocalTime.KERNEL32(?,?,75571760,00000000), ref: 10005E8C
wsprintfA.USER32 ref: 10005F2C
lstrlenA.KERNEL32 ref: 10005F64

Part of subcall function 10008A30: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000,?,1000B800,1000C368,000000FF), ref: 10008A5F
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10008A76
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10008A81
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10008A8C
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10008A97
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10008AA2
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10008AAC

Strings

%, xrefs: 10005E78
-, xrefs: 10005F1D
%, xrefs: 10005EC0
r, xrefs: 10005E60
o, xrefs: 10005E3F
a, xrefs: 10005F3A
Y, xrefs: 10005E09
r, xrefs: 10005E2C
-, xrefs: 10005EBB
k, xrefs: 10005F47
v, xrefs: 10005E65
i, xrefs: 10005F51
o, xrefs: 10005E4E
i, xrefs: 10005E6A
l, xrefs: 10005E53
%, xrefs: 10005F22
T, xrefs: 10005E0E
M, xrefs: 10005E18
r, xrefs: 10005F42
n, xrefs: 10005E44
T, xrefs: 10005F4C
M, xrefs: 10005F35
E, xrefs: 10005E13
C, xrefs: 10005E3A
C, xrefs: 10005E1D
m, xrefs: 10005F56
n, xrefs: 10005E35
r, xrefs: 10005E49
c, xrefs: 10005E6F

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$wsprintf$LibraryLoadLocalTimelstrlen
String ID: %$%$%$-$-$C$C$E$M$M$T$T$Y$a$c$i$i$k$l$m$n$n$o$o$r$r$r$r$v
API String ID: 1449506856-1324992209
Opcode ID: 85a800a94a4e8cba2e98fecf3d026871f8f9ae41bc4d057c3f8553274830ddb0
Instruction ID: e44eca6ed3266e0cbe6ed09acf468b45f17c01723d41422cdbf0e1ff620ae683
Opcode Fuzzy Hash: 85a800a94a4e8cba2e98fecf3d026871f8f9ae41bc4d057c3f8553274830ddb0
Instruction Fuzzy Hash: 4551E52100D7C19EE312CB68988879BFFE55FA6348F48499DF2C447292C6AA964CC777

Function 100059D0 Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 206
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(?), ref: 10005A04

Part of subcall function 10004F70: lstrlenA.KERNEL32(?,?,?,?,755683C0,Rsssqi yqeaiusa,00000000,00000000,1F901F90), ref: 10004FD9
Part of subcall function 10004F70: lstrcpyA.KERNEL32(?,Default), ref: 10004FE5
Part of subcall function 10004F70: lstrlenA.KERNEL32(?), ref: 10004FEC

lstrcpyA.KERNEL32(?,Default,00000000,00000000,1F901F90), ref: 10005A3C
getsockname.WS2_32(?), ref: 10005A8A
GetVersionExA.KERNEL32 ref: 10005AC5
RegOpenKeyA.ADVAPI32(80000002,HARDWARE\DESCRIPTION\System\CentralProcessor\0,?), ref: 10005B07
RegQueryValueExA.KERNEL32(?,~MHz,00000000,?,?,?,?,?,?), ref: 10005B28
RegCloseKey.ADVAPI32(?,?,?,?), ref: 10005B33
wsprintfA.USER32 ref: 10005B89
wsprintfA.USER32 ref: 10005BA4
GlobalMemoryStatusEx.KERNEL32(?), ref: 10005BB6
GetDriveTypeA.KERNEL32(?), ref: 10005BFC
GetDiskFreeSpaceExA.KERNEL32(?,?,?,?), ref: 10005C17
GetLastInputInfo.USER32(?), ref: 10005CA1
GetTickCount.KERNEL32 ref: 10005CA7
lstrcpyA.KERNEL32(?,10011C70,?,?,?,?,?,?,?,?,?,?), ref: 10005CEF

Strings

Default, xrefs: 10005A25, 10005A33
~MHz, xrefs: 10005B22
@, xrefs: 10005BAD
HARDWARE\DESCRIPTION\System\CentralProcessor\0, xrefs: 10005AF5
Rsssqi yqeaiusa, xrefs: 100059ED
V9.5, xrefs: 10005B7D, 10005B8B
V5.0, xrefs: 10005B9E
:, xrefs: 10005BED
\, xrefs: 10005BF2

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlenwsprintf$CloseCountDiskDriveFreeGlobalInfoInputLastMemoryOpenQuerySpaceStatusTickTypeValueVersiongetsockname
String ID: :$@$Default$HARDWARE\DESCRIPTION\System\CentralProcessor\0$Rsssqi yqeaiusa$V5.0$V9.5$\$~MHz
API String ID: 568875508-787302955
Opcode ID: abbeaf24fb284591937f580f060cf7e450266c720b9a3a3193ac98d61eab76e4
Instruction ID: 56df92f5f37225f3c4c5383eac6adf3c2b23c19ba9dfa00b355b0c64cf377daf
Opcode Fuzzy Hash: abbeaf24fb284591937f580f060cf7e450266c720b9a3a3193ac98d61eab76e4
Instruction Fuzzy Hash: 588138B55083859FE720CB60D884FDBB7E8EFC8345F40891EF68997254EB74A548CB92

Function 10007120 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 96
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,?,?,00000000), ref: 10007138
OutputDebugStringA.KERNEL32(Loaddll error), ref: 1000714B
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10007161
OutputDebugStringA.KERNEL32(GetProc error), ref: 10007179

Strings

Loaddll error, xrefs: 10007146
Kernel32.dll, xrefs: 10007130
GetProc error, xrefs: 10007174
CreateToolhelp32Snapshot, xrefs: 1000715B
explorer.exe, xrefs: 100071C5

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: DebugOutputString$AddressLibraryLoadProc
String ID: CreateToolhelp32Snapshot$GetProc error$Kernel32.dll$Loaddll error$explorer.exe
API String ID: 1020089312-3138658180
Opcode ID: 4025efbf808970fbaaf7cadac909587e224237a4606c5147075b4c15ae5bfc20
Instruction ID: 5f00e2c2720a6fa663694ed9185400f081eba7d1abc25da340defbc7ad3a255d
Opcode Fuzzy Hash: 4025efbf808970fbaaf7cadac909587e224237a4606c5147075b4c15ae5bfc20
Instruction Fuzzy Hash: 1E212976E0451C97F710EBA95CC8AF973A8FB453A7F000366ED6DD21D4DB309951C660

Function 100026A0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 156
keyboardsleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(0000000A), ref: 10002706
lstrlenA.KERNEL32(?), ref: 10002711
GetKeyState.USER32(00000010), ref: 1000275B
GetAsyncKeyState.USER32(0000000D), ref: 10002767
GetKeyState.USER32(00000014), ref: 10002774
GetKeyState.USER32(00000014), ref: 1000279C

Strings

<Enter>, xrefs: 1000283D
<BackSpace>, xrefs: 10002808

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: State$AsyncSleeplstrlen
String ID: <BackSpace>$<Enter>
API String ID: 43598291-3792472884
Opcode ID: c5cbdbf5fef63062adc8feb3bc6158000b59bf5a96a0c2c72ef7be3b408fe2ab
Instruction ID: f377390131d6ee888f65603b6ab40ea5564e5195fa5945844a904dd60498c128
Opcode Fuzzy Hash: c5cbdbf5fef63062adc8feb3bc6158000b59bf5a96a0c2c72ef7be3b408fe2ab
Instruction Fuzzy Hash: 625101394097969BFB10EB60DC80BAB73A9EB883C4F110E29E95583199EB31D4498353

Function 10007070 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 72
libraryprocessloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000,00000000), ref: 10007088
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10007094
OutputDebugStringA.KERNEL32(GetProc error), ref: 100070A6
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100070C2
Process32First.KERNEL32(00000000,?), ref: 100070DD
Process32Next.KERNEL32(00000000,00000128), ref: 100070FB

Strings

Kernel32.dll, xrefs: 10007083
GetProc error, xrefs: 100070A1
CreateToolhelp32Snapshot, xrefs: 1000708E

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Process32$AddressCreateDebugFirstLibraryLoadNextOutputProcSnapshotStringToolhelp32
String ID: CreateToolhelp32Snapshot$GetProc error$Kernel32.dll
API String ID: 3128448922-2077241676
Opcode ID: 295daeb23bcfde2618456ea959a71a62bb36e26ecaa461f8c76c1baadd31b639
Instruction ID: 507c309df4cf87117a48498e4d3ef66e97e44aff555986cfcf13dff8ea8059fa
Opcode Fuzzy Hash: 295daeb23bcfde2618456ea959a71a62bb36e26ecaa461f8c76c1baadd31b639
Instruction Fuzzy Hash: B111AE71D0051C9BE710DBA98CC9AF9B7B8FB543E6F100396EE5DD2194DB349D81C660

Function 00401EB4 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 223libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(KERNEL32.dll,IsBadReadPtr), ref: 00401F27
GetProcAddress.KERNEL32(00000000), ref: 00401F2E
LoadLibraryA.KERNEL32(00000000), ref: 00401FB0

Strings

IsBadReadPtr, xrefs: 00401F1F, 00401F22
KERNEL32.dll, xrefs: 00401F23, 00401F26
B, xrefs: 004020EF

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AddressProc
String ID: B$IsBadReadPtr$KERNEL32.dll
API String ID: 1469910268-3420668620
Opcode ID: eefd4b8f1daa93a4577590aa29fc122f3aea43f51d69fa26bb5480e27314cb1f
Instruction ID: 064745a50b26fa7c1a372de2f7048e5898e4f938477faf6bf4bd766cdbdb6b02
Opcode Fuzzy Hash: eefd4b8f1daa93a4577590aa29fc122f3aea43f51d69fa26bb5480e27314cb1f
Instruction Fuzzy Hash: B4915D74D04289CFDB04CF98C588BDEBBB1BF49308F188169D5457B391C3B9A946CB69

Function 00401B9F Relevance: 3.1, APIs: 2, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,00004000), ref: 00401C33
VirtualProtect.KERNEL32(?,?,?,?), ref: 00401CE1

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: 6c05861f2a5891a13ed92c4e0e41e14a43f93bc6d9a88a91653539556f261a3c
Instruction ID: fffa9f1e529b255b45960d0ee6fdc1920ff1a43c67b3da6f5f52efa33736b65f
Opcode Fuzzy Hash: 6c05861f2a5891a13ed92c4e0e41e14a43f93bc6d9a88a91653539556f261a3c
Instruction Fuzzy Hash: 2D41CEB4E04209DFDB08CF55C591EAEB7B2BF88304F149269D905AB395D734E842CF94

Function 10001E20 Relevance: 3.1, APIs: 2, Instructions: 74networkCOMMON

Download Yara Rule

APIs

select.WS2_32(00000000,?,00000000,00000000,00000000), ref: 10001E7B
recv.WS2_32(?,?,00002000,00000000), ref: 10001EAC

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: recvselect
String ID:
API String ID: 741273618-0
Opcode ID: 871a2907844a5b652a681063f6f6bfa09c943abc455f13851db8aa7e61c54d5c
Instruction ID: 383b25f4726329bae5db19e016879abe1d3d968958dc0de2e6bd548a2a5084d3
Opcode Fuzzy Hash: 871a2907844a5b652a681063f6f6bfa09c943abc455f13851db8aa7e61c54d5c
Instruction Fuzzy Hash: 0421D57624034567E720CA68DC85BDF7395EFC47E0F000A3DFA64971C6DB75A94A83A2

Function 10004D90 Relevance: 3.0, APIs: 2, Instructions: 12COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10004D98
wsprintfA.USER32 ref: 10004DAD

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 4ee8b2c5c2afc367d6198751d22ea984fbe173bb3ef40887e6be74c354f8fdfd
Instruction ID: 97120f9da4bd28782017b24a4ea70e1ab9c57392149cacdebe9d3a8909138bc2
Opcode Fuzzy Hash: 4ee8b2c5c2afc367d6198751d22ea984fbe173bb3ef40887e6be74c354f8fdfd
Instruction Fuzzy Hash: E4D0C9B8404314ABD208EBA0CCC9C6B7BA8BB88244F444A08F94A52214D634D558CB62

Function 00403260 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00403286

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 818341d8fc485062122c1d51d3c390d6a5d3e06ed646751cc090d88ee85653da
Instruction ID: 866cea4765af16411f253e5ce4b0b67a6240cb3589ecf1f98e99485b69932c6d
Opcode Fuzzy Hash: 818341d8fc485062122c1d51d3c390d6a5d3e06ed646751cc090d88ee85653da
Instruction Fuzzy Hash: C0F014F1D44B419FD363CF5CEC82B217BA9FF44762F10423AA014926A2DAB89480DF98

Function 10008580 Relevance: 57.9, APIs: 12, Strings: 21, Instructions: 116
libraryprocessstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 1000864B
GetProcAddress.KERNEL32(00000000), ref: 10008652
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000865C
??2@YAPAXI@Z.MSVCRT(00000128), ref: 10008665
Process32First.KERNEL32(00000000,00000000), ref: 10008677
_strcmpi.MSVCRT ref: 10008689
??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000869A
Process32Next.KERNEL32(00000000,00000000), ref: 100086AE
lstrcmpiA.KERNEL32(00000024,?), ref: 100086B9
Process32Next.KERNEL32(00000000,00000000), ref: 100086C5
CloseHandle.KERNEL32(00000000,00000000), ref: 100086CF
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100086D6

Strings

.Wu, xrefs: 100086CF
t, xrefs: 10008609
r, xrefs: 100085FB
3, xrefs: 1000861F
n, xrefs: 1000862E
L, xrefs: 100085D8
a, xrefs: 10008604
d, xrefs: 100085EC
T, xrefs: 10008612
K, xrefs: 100085C9
3, xrefs: 100085DD
t, xrefs: 10008641
2, xrefs: 10008624
S, xrefs: 10008629
R, xrefs: 100085CE
a, xrefs: 10008633
s, xrefs: 10008638
2, xrefs: 100085E2
., xrefs: 100085E7
C, xrefs: 100085F6
N, xrefs: 100085D3

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Process32$??3@Next$??2@AddressCloseCreateFirstHandleLibraryLoadProcSnapshotToolhelp32_strcmpilstrcmpi
String ID: .$2$2$3$3$C$K$L$N$R$S$T$a$a$d$n$r$s$t$t$.Wu
API String ID: 1825602229-222072272
Opcode ID: 7ce39e9619a4b459c6ef2c8217cac0212bf4b46d3c87e1cca43305406b8d310f
Instruction ID: 20ee00d77892bc51f8a53c1edb579a40f65325d4756f784b5e9045799c2fa881
Opcode Fuzzy Hash: 7ce39e9619a4b459c6ef2c8217cac0212bf4b46d3c87e1cca43305406b8d310f
Instruction Fuzzy Hash: 5C415E2110D3C09DE312CB79888479BBFD49FA6288F48099DF5C856287D6AAD20CC77B

Function 100050D0 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 265
stringlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 100057A3
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 100057B7
GetProcAddress.KERNEL32(00000000,Process32First), ref: 100057C1
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 100057CD
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 100057D7
strstr.MSVCRT ref: 100057F8
Process32First.KERNEL32(00000000,?,?,755732F0,00000001), ref: 10005817
lstrcmpiA.KERNEL32(?,?), ref: 1000582A
lstrcatA.KERNEL32(?,?), ref: 10005859
lstrcatA.KERNEL32(?,1001194C), ref: 10005868
strstr.MSVCRT ref: 10005881
CloseHandle.KERNEL32(00000000), ref: 10005890
lstrlenA.KERNEL32(?), ref: 1000589E
lstrcpyA.KERNEL32(?,-/-), ref: 100058AE
FreeLibrary.KERNEL32(00000000), ref: 100058B9

Strings

.Wu, xrefs: 10005890
Process32First, xrefs: 100057B9
-/-, xrefs: 100058A8
CreateToolhelp32Snapshot, xrefs: 100057B1
Mcshield.exe, xrefs: 100050D7
Process32Next, xrefs: 100057C3
kernel32.dll, xrefs: 1000579E

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Librarylstrcatstrstr$CloseCreateFirstFreeHandleLoadProcess32SnapshotToolhelp32lstrcmpilstrcpylstrlen
String ID: -/-$CreateToolhelp32Snapshot$Mcshield.exe$Process32First$Process32Next$kernel32.dll$.Wu
API String ID: 2300032177-2469977333
Opcode ID: bb8bc624cc39c13df69926a1ae9fd9d6cde2e49158f923fe306c03369e031264
Instruction ID: cc1ecaae6683d165517e05800a742c989659b430ae820f92cda3658fe5a5e26e
Opcode Fuzzy Hash: bb8bc624cc39c13df69926a1ae9fd9d6cde2e49158f923fe306c03369e031264
Instruction Fuzzy Hash: 91F156F000A3C59BD774CF5589846DFBAA4FB86340F90890CD59A6F251CBBAC1A1CF96

Function 10006440 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 233
stringsynchronizationsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10006482
CreateMutexA.KERNEL32(00000000,00000000,?), ref: 10006497
GetLastError.KERNEL32 ref: 100064A3
ReleaseMutex.KERNEL32(00000000), ref: 100064B1
CloseHandle.KERNEL32(00000000), ref: 100064B8
exit.MSVCRT ref: 100064C0

Part of subcall function 100021C0: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 100021E7
Part of subcall function 100021C0: CancelIo.KERNEL32(?), ref: 100021F1
Part of subcall function 100021C0: InterlockedExchange.KERNEL32(?,00000000), ref: 100021FD
Part of subcall function 100021C0: closesocket.WS2_32(?), ref: 10002207
Part of subcall function 100021C0: SetEvent.KERNEL32(?), ref: 10002211

Part of subcall function 10003AC0: TerminateThread.KERNEL32(?,000000FF,00000000,?,00000000,1F901F90,1000676D), ref: 10003AE6
Part of subcall function 10003AC0: CloseHandle.KERNEL32 ref: 10003AEB

strstr.MSVCRT ref: 10006596
strcspn.MSVCRT ref: 100065B3
strncpy.MSVCRT ref: 100065BC
strcspn.MSVCRT ref: 100065C8
lstrcatA.KERNEL32(?,?), ref: 10006602
atoi.MSVCRT(?), ref: 10006610
lstrcatA.KERNEL32(00000000,156.225.22.155), ref: 10006636
GetTickCount.KERNEL32 ref: 10006679
GetTickCount.KERNEL32 ref: 1000669B
WaitForSingleObject.KERNEL32(?,00000BB8), ref: 1000671D
Sleep.KERNEL32(000001F4), ref: 1000672A

Strings

.Wu, xrefs: 100064B8
156.225.22.155, xrefs: 10006470, 1000662A
%s:%d:%s, xrefs: 1000647C
Rsssqi yqeaiusa, xrefs: 1000646A, 100064C6

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseCountHandleMutexTicklstrcatstrcspn$CancelCreateErrorEventExchangeInterlockedLastObjectReleaseSingleSleepTerminateThreadWaitatoiclosesocketexitsetsockoptstrncpystrstrwsprintf
String ID: %s:%d:%s$156.225.22.155$Rsssqi yqeaiusa$.Wu
API String ID: 3077434019-1852655475
Opcode ID: a11d83c3e9ae5d9a6a0cc2d7c690a3bfcd63a8508b6342766bc76147a56c70c0
Instruction ID: 936c7ba1aeec0b68900dfaa2bcecedb94024cf1f17f1b00cb6aeefd646a4d3c3
Opcode Fuzzy Hash: a11d83c3e9ae5d9a6a0cc2d7c690a3bfcd63a8508b6342766bc76147a56c70c0
Instruction Fuzzy Hash: 5581C3351087959BF324CB64CC95FDB77E9EF893C0F104928F98A97285EB35A908C762

Function 10002EE0 Relevance: 36.1, APIs: 2, Strings: 22, Instructions: 81
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10002FCF
lstrlenA.KERNEL32(?,00000000,?,?,75571760), ref: 10002FE2

Part of subcall function 10008A30: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000,?,1000B800,1000C368,000000FF), ref: 10008A5F
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10008A76
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10008A81
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10008A8C
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10008A97
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10008AA2
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10008AAC

Strings

t, xrefs: 10002F98
i, xrefs: 10002FB6
Y, xrefs: 10002F5C
n, xrefs: 10002F7F
T, xrefs: 10002F61
\, xrefs: 10002F70
\, xrefs: 10002FAC
\, xrefs: 10002FC0
u, xrefs: 10002F7A
l, xrefs: 10002FA2
C, xrefs: 10002F75
t, xrefs: 10002F84
C, xrefs: 10002F89
o, xrefs: 10002F8E
E, xrefs: 10002F66
o, xrefs: 10002F9D
t, xrefs: 10002FA7
%, xrefs: 10002FC5
c, xrefs: 10002FBB
n, xrefs: 10002F93
v, xrefs: 10002FB1
M, xrefs: 10002F6B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrlenwsprintf
String ID: %$C$C$E$M$T$Y$\$\$\$c$i$l$n$n$o$o$t$t$t$u$v
API String ID: 2349312171-2259266472
Opcode ID: 64dc2888341b0670352cd3d4f5dd59b5a6cd510f73c4438b7a0b62dd08301ed6
Instruction ID: 3a389a8193fcd0131c7d052384cde78d3639474158572851c350a6658b524500
Opcode Fuzzy Hash: 64dc2888341b0670352cd3d4f5dd59b5a6cd510f73c4438b7a0b62dd08301ed6
Instruction Fuzzy Hash: DB31E81110D3C1DDE352DA688448B9FBFD15FA6648F48099DF2C817292C6AA974CC7BB

Function 10004DC0 Relevance: 34.6, APIs: 1, Strings: 22, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 10004ED2

Part of subcall function 10008760: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000), ref: 100087AE
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 100087C8
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 100087D2
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 100087DD
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 100087E5
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 100087ED
Part of subcall function 10008760: RegOpenKeyExA.KERNEL32(75571760,?,00000000,00020019,?), ref: 10008812
Part of subcall function 10008760: FreeLibrary.KERNEL32(00000000), ref: 1000899B

Strings

n, xrefs: 10004E82
u, xrefs: 10004E7D
t, xrefs: 10004E9B
Y, xrefs: 10004DF4
o, xrefs: 10004EA0
\, xrefs: 10004EAF
C, xrefs: 10004E78
o, xrefs: 10004E91
E, xrefs: 10004E69
\, xrefs: 10004EC3
c, xrefs: 10004EBE
t, xrefs: 10004EAA
T, xrefs: 10004E64
\, xrefs: 10004E73
t, xrefs: 10004E87
%, xrefs: 10004EC8
n, xrefs: 10004E96
l, xrefs: 10004EA5
v, xrefs: 10004EB4
M, xrefs: 10004E6E
C, xrefs: 10004E8C
i, xrefs: 10004EB9

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadOpenwsprintf
String ID: %$C$C$E$M$T$Y$\$\$\$c$i$l$n$n$o$o$t$t$t$u$v
API String ID: 4113823538-2259266472
Opcode ID: e17e5a31cb6b74c8cb34c47ca1cc637edb495c1cfba2363829f116dee32bb029
Instruction ID: c0b8f888539ecc2b337d7a97f6379b4e3860572a7028072eb7cbad3acca4f5fb
Opcode Fuzzy Hash: e17e5a31cb6b74c8cb34c47ca1cc637edb495c1cfba2363829f116dee32bb029
Instruction Fuzzy Hash: 6D41192110D3C0DEE352C668844479BFFD25BEA648F48599CF2C81B382C6BA961CC77B

Function 10008760 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 188
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000), ref: 100087AE
GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 100087C8
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 100087D2
GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 100087DD
GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 100087E5
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 100087ED
RegOpenKeyExA.KERNEL32(75571760,?,00000000,00020019,?), ref: 10008812
FreeLibrary.KERNEL32(00000000), ref: 1000899B

Strings

RegCloseKey, xrefs: 100087E7
%08X, xrefs: 10008971
RegQueryValueExA, xrefs: 100087BC
RegOpenKeyExA, xrefs: 100087CC
ADVAPI32.dll, xrefs: 100087A9
RegEnumKeyExA, xrefs: 100087DF
RegEnumValueA, xrefs: 100087D7

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoadOpen
String ID: %08X$ADVAPI32.dll$RegCloseKey$RegEnumKeyExA$RegEnumValueA$RegOpenKeyExA$RegQueryValueExA
API String ID: 906421942-2913591164
Opcode ID: b53f3c26470d4968c2903438ec2dd6e63a23fa3cef330f6e3b07f12076739156
Instruction ID: 8c4d25f6b69c8f63784c1d53e9d9fbe15789118adcb351b840f422686eb70828
Opcode Fuzzy Hash: b53f3c26470d4968c2903438ec2dd6e63a23fa3cef330f6e3b07f12076739156
Instruction Fuzzy Hash: 32616DB2900219EBEB10DF94CC84FEFB7B8FB48740F144159F649A7284DB75AA45CBA1

Function 10008A30 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 152
libraryloaderregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000,?,1000B800,1000C368,000000FF), ref: 10008A5F
GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10008A76
GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10008A81
GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10008A8C
GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10008A97
GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10008AA2
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10008AAC
RegCreateKeyExA.KERNEL32(?,00000001,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 10008AE8
RegOpenKeyExA.KERNEL32(?,00000001,00000000,0002001F,?), ref: 10008B06
lstrlenA.KERNEL32(80000002), ref: 10008B2A
RegSetValueExA.KERNEL32(?,?,00000000,?,80000002,00000001), ref: 10008B46
FreeLibrary.KERNEL32(00000000), ref: 10008BB9

Strings

RegCloseKey, xrefs: 10008AA6
RegOpenKeyExA, xrefs: 10008A9C
RegDeleteValueA, xrefs: 10008A91
ADVAPI32.dll, xrefs: 10008A5A
RegDeleteKeyA, xrefs: 10008A86
RegCreateKeyExA, xrefs: 10008A6A
RegSetValueExA, xrefs: 10008A7B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadOpenValuelstrlen
String ID: ADVAPI32.dll$RegCloseKey$RegCreateKeyExA$RegDeleteKeyA$RegDeleteValueA$RegOpenKeyExA$RegSetValueExA
API String ID: 3458221994-3188892968
Opcode ID: 55df64ef12231d941170aab4b13e0f0724291a0721f31477d5a477d93c4e0095
Instruction ID: d79a726ba8ef5e53d6a0f0444169fe093e458c7cd5bbc3b26cc650ea72237b90
Opcode Fuzzy Hash: 55df64ef12231d941170aab4b13e0f0724291a0721f31477d5a477d93c4e0095
Instruction Fuzzy Hash: 0E510AB1A00219BBEB04DFA4DC84FEEB7B8FF49780F108119FA55E7294D774A9018B61

Function 10004C30 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 142
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Ole32.dll,00000000,755732F0,?,00000001), ref: 10004C42
GetProcAddress.KERNEL32(00000000,CoInitialize), ref: 10004C52
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 10004C5C
GetProcAddress.KERNEL32(00000000,CoCreateInstance), ref: 10004C68
LoadLibraryA.KERNEL32(Oleaut32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10004C73
GetProcAddress.KERNEL32(00000000,SysFreeString), ref: 10004C7D
CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10004C83

Strings

FriendlyName, xrefs: 10004D23
CoUninitialize, xrefs: 10004C54
SysFreeString, xrefs: 10004C77
Ole32.dll, xrefs: 10004C3D
Oleaut32.dll, xrefs: 10004C6A
CoCreateInstance, xrefs: 10004C5E
CoInitialize, xrefs: 10004C4C

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$Initialize
String ID: CoCreateInstance$CoInitialize$CoUninitialize$FriendlyName$Ole32.dll$Oleaut32.dll$SysFreeString
API String ID: 2287434211-3340630095
Opcode ID: cb434f53078fdba30b2bb0be0b2bcb7d9073196d91b39f1257c6526418b678c7
Instruction ID: 4ca749c3dd386b8f5ba94f1f0f354c4942880b4c6214c0f3594ddcc719ae528a
Opcode Fuzzy Hash: cb434f53078fdba30b2bb0be0b2bcb7d9073196d91b39f1257c6526418b678c7
Instruction Fuzzy Hash: 59417D71604306AFE200DF75CC84E5BBBE8FF89694F014919F644DB250EB35E84A8BA2

Function 0040BB40 Relevance: 15.3, APIs: 10, Instructions: 253COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0040FD4C,00000001,00000000,00000000), ref: 0040BB81
LCMapStringA.KERNEL32(00000000,00000100,0040FD48,00000001,00000000,00000000), ref: 0040BBA9
LCMapStringA.KERNEL32(000004E4,00000100,?,00000000,00000020,00000100), ref: 0040BC00
MultiByteToWideChar.KERNEL32(00000000,0040A6B5,?,00000000,00000000,00000000), ref: 0040BC45
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000), ref: 0040BCC0

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 57030e4d6ad603c3d6b87f7d243d4da753c8ea1d8d156a4662d4ba1f69d19dfc
Instruction ID: c8a72bfbc34c50cc10ee7a795bf5ac019ffeac40bdefbd4da4d57afbef0b44b1
Opcode Fuzzy Hash: 57030e4d6ad603c3d6b87f7d243d4da753c8ea1d8d156a4662d4ba1f69d19dfc
Instruction Fuzzy Hash: 7D91FB71A14209ABDB10CF94DC85FEF77B5EB48710F20852AF615B72C0D778A9418BAD

Function 10004F10 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 34stringnetworkCOMMON

Download Yara Rule

APIs

Part of subcall function 10004DC0: wsprintfA.USER32 ref: 10004ED2

lstrlenA.KERNEL32(?,?,?,755683C0,1F901F90,?,10005A58,?,?,00000100), ref: 10004F52
gethostname.WS2_32(?,?), ref: 10004F5A
lstrlenA.KERNEL32(?,?,10005A58,?,?,00000100), ref: 10004F61

Strings

H, xrefs: 10004F2A
s, xrefs: 10004F34
o, xrefs: 10004F2F
t, xrefs: 10004F39

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: lstrlen$gethostnamewsprintf
String ID: H$o$s$t
API String ID: 2011373664-2997942591
Opcode ID: dc1b33caf8c5d92fc9d27f1bcbacecf99daad83217f76fd9b86bd276126c4ff0
Instruction ID: 195b30958b9f004f239f721d133d4540b2d882fa839fc41ac6bd1cdcff48019c
Opcode Fuzzy Hash: dc1b33caf8c5d92fc9d27f1bcbacecf99daad83217f76fd9b86bd276126c4ff0
Instruction Fuzzy Hash: 3CF0962100D3929AE301DB589C44E5FBFD8EFC6254F04095CF58452146C769A60DC7FB

Function 10001D00 Relevance: 10.6, APIs: 7, Instructions: 97networkCOMMON

Download Yara Rule

APIs

Part of subcall function 100021C0: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 100021E7
Part of subcall function 100021C0: CancelIo.KERNEL32(?), ref: 100021F1
Part of subcall function 100021C0: InterlockedExchange.KERNEL32(?,00000000), ref: 100021FD
Part of subcall function 100021C0: closesocket.WS2_32(?), ref: 10002207
Part of subcall function 100021C0: SetEvent.KERNEL32(?), ref: 10002211

ResetEvent.KERNEL32(?,00000000,10013460), ref: 10001D10
socket.WS2_32 ref: 10001D20
gethostbyname.WS2_32(?), ref: 10001D3D

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Event$CancelExchangeInterlockedResetclosesocketgethostbynamesetsockoptsocket
String ID:
API String ID: 513860241-0
Opcode ID: 49f0bde48943a12045197487d7f321ca135c5609154bfa06ddcc468a0ef1862c
Instruction ID: 0ab3f8268d16afc13eb63b7ce6a82c30aab0cc91fcf30b6f79a0feea18b7711f
Opcode Fuzzy Hash: 49f0bde48943a12045197487d7f321ca135c5609154bfa06ddcc468a0ef1862c
Instruction Fuzzy Hash: 78318DB1144311AFE310DF69CC85F9B77E8BF88754F00491DF2859A294D6B1E9888B62

Function 10007020 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 10007025
CoCreateGuid.OLE32(00000000,?,?,?,10007FC5), ref: 10007030
_snprintf.MSVCRT ref: 1000704B
CoUninitialize.COMBASE(?,?,?,10007FC5), ref: 10007054

Strings

%08X, xrefs: 1000703F
1C093A1E, xrefs: 10007046, 1000705A

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CreateGuidInitializeUninitialize_snprintf
String ID: %08X$1C093A1E
API String ID: 61646808-2509886562
Opcode ID: 46ea967f007e1341beaccad40756c24012115f556016e63794a524742450986c
Instruction ID: 263f48dfaef9095c76100317287a0be80b452200891cd3d20973d8d69edd3cf8
Opcode Fuzzy Hash: 46ea967f007e1341beaccad40756c24012115f556016e63794a524742450986c
Instruction Fuzzy Hash: 2FE0C274984355ABF700FB948CCDF6A3B65FF10381F844448F64B851A6E735D0608B53

Function 10005920 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10005936
GetIfTable.IPHLPAPI ref: 1000595B
free.MSVCRT ref: 1000596C
malloc.MSVCRT ref: 10005973

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: malloc$Tablefree
String ID:
API String ID: 2903114640-0
Opcode ID: bd5a544da2b69ade10387c9bc969f7a27429d6ea055e7b46cd8c5b737e286342
Instruction ID: a5415cd87c6273a78d959c32fc7f8bc2d366dd0271ea90c27853accd055239b0
Opcode Fuzzy Hash: bd5a544da2b69ade10387c9bc969f7a27429d6ea055e7b46cd8c5b737e286342
Instruction Fuzzy Hash: 84110C737013155BF314CA0ABC81AEFB3DCEBC16B1F15052AF955C7204DB66AD0546E2

Function 10006170 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76filestringnetworkCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 10006196
strrchr.MSVCRT ref: 100061B3
wsprintfA.USER32 ref: 100061E1
URLDownloadToFileA.URLMON(00000000,00000000,?,00000000,00000000), ref: 100061F6

Part of subcall function 10008550: GetFileAttributesA.KERNEL32(?,10006209,?), ref: 10008555
Part of subcall function 10008550: GetLastError.KERNEL32 ref: 10008560

Part of subcall function 10005FA0: strrchr.MSVCRT ref: 10005FC9

Strings

c:\%s, xrefs: 100061DA

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Filestrrchr$AttributesDownloadErrorLastmallocwsprintf
String ID: c:\%s
API String ID: 1809852422-3279930864
Opcode ID: 42af66eab8004a3d2a5560a97285f3cd4f5a80f1d9281ef6eee5d20c7b228d9e
Instruction ID: 642eac388d9637214fe81173592c1bef9b8eea6dda56b7b84067276b66d186f9
Opcode Fuzzy Hash: 42af66eab8004a3d2a5560a97285f3cd4f5a80f1d9281ef6eee5d20c7b228d9e
Instruction Fuzzy Hash: 73117B766103002BF304C778DC45BBB73C9EBD8350F144439FE15C62C1EAB99A098362

Function 10008140 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75571760,00000000,00000000,00000000,00000000), ref: 1000815C
_beginthreadex.MSVCRT ref: 10008184
WaitForSingleObject.KERNEL32(?,000000FF), ref: 10008196
CloseHandle.KERNEL32(?), ref: 100081A1

Strings

.Wu, xrefs: 100081A1

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseCreateEventHandleObjectSingleWait_beginthreadex
String ID: .Wu
API String ID: 92035984-3424199868
Opcode ID: baa944a629af42372f5d8f2e2333c628e0688425d9f32cc3f2d37009f8296061
Instruction ID: f857c391777d8c366786b4090d3c3db3a64e4b005c1083bac85649b0adf554ab
Opcode Fuzzy Hash: baa944a629af42372f5d8f2e2333c628e0688425d9f32cc3f2d37009f8296061
Instruction Fuzzy Hash: 4B01F674608311AFE314DF18CC85F6BBBE4FB89754F144A0DF998A3395D634EA048B92

Function 100021C0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 100021E7
CancelIo.KERNEL32(?), ref: 100021F1
InterlockedExchange.KERNEL32(?,00000000), ref: 100021FD
closesocket.WS2_32(?), ref: 10002207
SetEvent.KERNEL32(?), ref: 10002211

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
String ID:
API String ID: 1486965892-0
Opcode ID: c5cb8189381730b384fee02563421651531b032639a49d17508a848de7e61f69
Instruction ID: bd3fc856b2ee71789fb1c63483ee779e84cb3b5a540c39c39a08c2d163932c29
Opcode Fuzzy Hash: c5cb8189381730b384fee02563421651531b032639a49d17508a848de7e61f69
Instruction Fuzzy Hash: 96F09072104325AFE324CF94CC88E9B73B8AF48311F104A0DF782826E4CB71E4448B50

Function 00404D70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\aQ7bSXduYp.exe,00000104), ref: 00404D90

Strings

C:\Users\user\Desktop\aQ7bSXduYp.exe, xrefs: 00404D89, 00404D96
stdargv.c, xrefs: 00404DE2
%p, xrefs: 00404DA0, 00404DB7

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID: C:\Users\user\Desktop\aQ7bSXduYp.exe$stdargv.c$%p
API String ID: 514040917-289923974
Opcode ID: e91d81416b772ac04a81b8feb6f2004f988655c4935d20421c561d3baebc0de9
Instruction ID: 4f025f47108e8652e79001dbdfa36325de1fabc67bad4b42f0a04ca65805b3c0
Opcode Fuzzy Hash: e91d81416b772ac04a81b8feb6f2004f988655c4935d20421c561d3baebc0de9
Instruction Fuzzy Hash: F9219FB4D00209AFDB14EF94D881FAE77B4BB84705F10817EE911B7282D674A608CB99

Function 004032E3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 00403313
GetStartupInfoA.KERNEL32(?), ref: 00403342
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0040337A

Part of subcall function 00403400: ExitProcess.KERNEL32 ref: 00403422

Strings

%p, xrefs: 00403319

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CommandExitHandleInfoLineModuleProcessStartup
String ID: %p
API String ID: 2164999147-1556559175
Opcode ID: 7dd73d02d9c2fac171bbf6c11e4a9c9439ea667cebe605c8e52d80075529a8c1
Instruction ID: 2201ff6311b7bd07c2d5c1d8a1f62c6ad5e1d163e1fbacbfa95269d927f4f072
Opcode Fuzzy Hash: 7dd73d02d9c2fac171bbf6c11e4a9c9439ea667cebe605c8e52d80075529a8c1
Instruction Fuzzy Hash: 77111DB5D003049BDB10EFE5E946B9E7AB5AF84709F10403EE605BB2D2DB389504CB69

Function 10001B60 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 10001BCD
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 10001BDB

Strings

y, xrefs: 10001BE6
x, xrefs: 10001BE1

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CreateEventStartup
String ID: x$y
API String ID: 1546077022-2106771652
Opcode ID: 426ecb344f0b08d2cb45c40d3dedcf2a379ef812f491c83adadb1465f5656b9e
Instruction ID: c8a3d2ba0344312a6bce927157729c4d9ee91638349e8c3330d949956953cfd7
Opcode Fuzzy Hash: 426ecb344f0b08d2cb45c40d3dedcf2a379ef812f491c83adadb1465f5656b9e
Instruction Fuzzy Hash: 72116D341097809EE331CF28C945BD6BBE4EB1AB94F40891DE4DA877C5CBB96048CB63

Function 0040A590 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(000004E4,?), ref: 0040A5A7

Strings

z, xrefs: 0040A841
, xrefs: 0040A64C

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 8ea7662d8286fdfc1452980aff72eadbfd65cf4211e5c969f7c0a9973e679ef5
Instruction ID: e25080547dbd5d999750e601fd7b11c573f40e369b89516b4e4b9c3e18cf8790
Opcode Fuzzy Hash: 8ea7662d8286fdfc1452980aff72eadbfd65cf4211e5c969f7c0a9973e679ef5
Instruction Fuzzy Hash: B881B47494465CCBDB24CB54CC50BEBBB75AB48302F14C1EAD44967382C2365F96CF9A

Function 0040B150 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(006B0000,00000000,00000000), ref: 0040B286

Strings

R`@, xrefs: 0040B17C, 0040B198, 0040B19B

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: R`@
API String ID: 1279760036-2203585019
Opcode ID: ea0d65dc5ebfeac53a9caf7a64beb67daa6323502dbd79376e402a4a91830054
Instruction ID: aed69060c0eb56d7c6e8fcb121ea7dd52fadd965f7285890864e90ba9df31ae5
Opcode Fuzzy Hash: ea0d65dc5ebfeac53a9caf7a64beb67daa6323502dbd79376e402a4a91830054
Instruction Fuzzy Hash: D13170B1904248EBDB10DF58D849BAE3770EB01359F24827AF8156F2C1C379AA45CBCE

Function 10001230 Relevance: 4.6, APIs: 3, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

_ftol.MSVCRT ref: 10001274
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,?,?,?,?,?,?,?,10005D0E,?,0000022C), ref: 10001288

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AllocVirtual_ftol
String ID:
API String ID: 2737540598-0
Opcode ID: cfc840a8b6786815519e745eefe0d9c00073eac5ba6829d38652545ea074e0ed
Instruction ID: 6908696e533b2aa954a8ce573bf45ff01ca13c428f3c73a91b775599d79457cc
Opcode Fuzzy Hash: cfc840a8b6786815519e745eefe0d9c00073eac5ba6829d38652545ea074e0ed
Instruction Fuzzy Hash: 881102357443048BE704EF29AC817AAB7E4EFD42A1F04843EFE09CB285DA75D818CA65

Function 10002390 Relevance: 4.6, APIs: 3, Instructions: 68networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32(?,00000003,00002000,00000000), ref: 100023CA
Sleep.KERNEL32(0000000A), ref: 100023F7
send.WS2_32(?,00000003,?,00000000), ref: 10002411

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: send$Sleep
String ID:
API String ID: 3329562092-0
Opcode ID: ac1a046c781eb947e43fee74e26503661c97bf61f8be5c5cedc578b3cfb7a9db
Instruction ID: 4a9a241c68524aee76ec91de3a6fabbafdb6c0f762ad73af93a68b78635ad0cd
Opcode Fuzzy Hash: ac1a046c781eb947e43fee74e26503661c97bf61f8be5c5cedc578b3cfb7a9db
Instruction Fuzzy Hash: 40117C326043129BE314CF59CCC4B5FBBE8EB85B90F11092DF94596285D670DD4A8BA2

Function 10004550 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 5COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,10003B08,00000000,1F901F90,1000676D), ref: 1000455A

Strings

.Wu, xrefs: 1000455A

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID: .Wu
API String ID: 2962429428-3424199868
Opcode ID: 3516c36fcb6986ea655a9ad33279f0a0e61dfbcd4ee5f32034a5f00f11764ef4
Instruction ID: 3745094fa8e85b9ac4cc01dd982d642109f166637319b05583a497fdafc83de2
Opcode Fuzzy Hash: 3516c36fcb6986ea655a9ad33279f0a0e61dfbcd4ee5f32034a5f00f11764ef4
Instruction Fuzzy Hash: 35B012704003088FDF00DF20C458C023B24EB023843188084E4448721BC3368402CA00

Function 0040A0E0 Relevance: 1.7, APIs: 1, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 2bee19067ff3c82a4c8288c50c1f98c969a423d989482c7a9c3ae6ee972f33bf
Instruction ID: e6e9b2471936f98a2a0985a6b24402172fa604f0918a7ba489a8f63e118d382f
Opcode Fuzzy Hash: 2bee19067ff3c82a4c8288c50c1f98c969a423d989482c7a9c3ae6ee972f33bf
Instruction Fuzzy Hash: 5EA17E70D04204DBDB04DF94D9446EDBBF1BF48308F2884BAD446BB382D23A9A65DB5B

Function 00401F7B Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000), ref: 00401FB0

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 188172162600be29632338a5308ac4ad1829ebda56a93be96e69ddcf1fb249ce
Instruction ID: c5dc83629bcdb0a0f5ac40e06384724b92d9a083beba33d1b2d3cea22322ab14
Opcode Fuzzy Hash: 188172162600be29632338a5308ac4ad1829ebda56a93be96e69ddcf1fb249ce
Instruction Fuzzy Hash: 0DF0E274D00649CBDB10DF95CA886AEB7B5FB44319F20822AD615BB2A0C378AD42CF14

Function 00402E70 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(?,?,00410070,?,?,?,?,?,0040105E,0000002D,00410070), ref: 00402EA3

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 504c3df098ef20354e4df235f4c1b1e352f87f6bea0b8b9abae6d1421e38f675
Instruction ID: 0e5cd092de92c1dc5847f928907223a595e81f3d2a0c8ac990d0af89312a6172
Opcode Fuzzy Hash: 504c3df098ef20354e4df235f4c1b1e352f87f6bea0b8b9abae6d1421e38f675
Instruction Fuzzy Hash: 38F0AC76D00118ABCB14DF99D8409EEB7B9FB8D310F00856AE919B7640D6746909DBA4

Function 100013E0 Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,10002247,?,?,?,?,?,10005D0E,?,0000022C), ref: 100013F2

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 14ab1d68f21f23075cf7b2e2abad107260decba5c574609cacbbda05bdbf7880
Instruction ID: 7d0e7bcbdbd1ae8c3abe6f2ee10f44ff9d79e60c744fc710ad2ad4863104cedd
Opcode Fuzzy Hash: 14ab1d68f21f23075cf7b2e2abad107260decba5c574609cacbbda05bdbf7880
Instruction Fuzzy Hash: 91D0C970644B119BF7708F15EC48B8377E8AB04B54F11C85DE4AA9BAC4CBB8E8488F94

Non-executed Functions

Function 10007200 Relevance: 107.1, APIs: 40, Strings: 21, Instructions: 368sleepthreadwindowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 10007209
GetCurrentThreadId.KERNEL32 ref: 10007214
PostThreadMessageA.USER32(00000000), ref: 1000721B
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1000722C
OutputDebugStringA.KERNEL32(Dele_fs), ref: 1000723F

Part of subcall function 10007120: LoadLibraryA.KERNEL32(Kernel32.dll,?,?,00000000), ref: 10007138
Part of subcall function 10007120: OutputDebugStringA.KERNEL32(Loaddll error), ref: 1000714B

GetCurrentProcessId.KERNEL32 ref: 1000724C

Part of subcall function 10007070: LoadLibraryA.KERNEL32(Kernel32.dll,?,00000000,00000000), ref: 10007088
Part of subcall function 10007070: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 10007094
Part of subcall function 10007070: OutputDebugStringA.KERNEL32(GetProc error), ref: 100070A6

ExitProcess.KERNEL32 ref: 10007267
GetVersionExA.KERNEL32 ref: 10007286
GetVersionExA.KERNEL32(?), ref: 100072CB
CreateThread.KERNEL32(00000000,00000000,Function_00006DC0,00000000,00000000,00000000), ref: 10007300
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1000731E
CloseHandle.KERNEL32(00000000), ref: 10007325
Sleep.KERNEL32(000F4240), ref: 10007336
Sleep.KERNEL32 ref: 10007373
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 10007380
Sleep.KERNEL32(000003E8), ref: 10007387
StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 1000738E
ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\Microsoft Msmiou\,?,00000104), ref: 100073A7
wsprintfA.USER32 ref: 100073CA
GetModuleFileNameA.KERNEL32(00000000,?,000000E1), ref: 10007474
CopyFileA.KERNEL32(?,?,00000000), ref: 1000748B
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,Aaegmai.exe), ref: 100074C6
ExitProcess.KERNEL32 ref: 100074D3

Strings

.exe, xrefs: 10007679
.Wu, xrefs: 10007325, 1000752C, 100076BD
u, xrefs: 100075C7
C, xrefs: 100075A1
Mqgaku auegyyegeecmkimecg, xrefs: 10007491
http://x.vay.cc/1.jpg, xrefs: 10007288, 10007295
Default, xrefs: 100074A5, 100074E1, 100075EF
r, xrefs: 100075C2
p, xrefs: 100075CC
Rsssqi yqeaiusa, xrefs: 1000735B, 1000749B, 100074AA, 100074B4, 100074E6, 100074F0, 1000755F, 10007565, 1000759C, 100075F4, 100075FE
G, xrefs: 100075BD
\, xrefs: 100073E4
Dele_fs, xrefs: 1000723A
t, xrefs: 100075B8
c, xrefs: 100075B3
e, xrefs: 100075AE
Aaegmai.exe, xrefs: 100073B1
%ProgramFiles%\Microsoft Msmiou\, xrefs: 100073A2
s, xrefs: 1000756F
%, xrefs: 1000756A
Saukqc waqoaeiw, xrefs: 10007496

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Sleep$DebugOutputProcessStringThread$CtrlCurrentDispatcherExitFileLibraryLoadMessageServiceStartVersion$AddressCloseCopyCreateEnvironmentExpandHandleInputModuleNameObjectPostProcSingleStateStringsWaitwsprintf
String ID: %$%ProgramFiles%\Microsoft Msmiou\$.exe$Aaegmai.exe$C$Default$Dele_fs$G$Mqgaku auegyyegeecmkimecg$Rsssqi yqeaiusa$Saukqc waqoaeiw$\$c$e$http://x.vay.cc/1.jpg$p$r$s$t$u$.Wu
API String ID: 81703965-427030306
Opcode ID: 1bc2ff75900ca4db3b8c891c4345d69501e1d3f43621e7ffb2d53e015f4afebc
Instruction ID: 88a1e9cc268378a1592cc313e96216eeba8de6f82b883423bac26bfb2869f79c
Opcode Fuzzy Hash: 1bc2ff75900ca4db3b8c891c4345d69501e1d3f43621e7ffb2d53e015f4afebc
Instruction Fuzzy Hash: 6DC104B1408348AFF314DB748C85EEF7B9CFB89384F040A1CF68556196DB789A058BA6

Function 004012C7 Relevance: 101.6, APIs: 6, Strings: 52, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,HeapReAlloc), ref: 00401335
GetProcAddress.KERNEL32(00000000), ref: 0040133C
LoadLibraryA.KERNEL32(kernel32.dll,HeapAlloc), ref: 00401377
GetProcAddress.KERNEL32(00000000), ref: 0040137E
LoadLibraryA.KERNEL32(kernel32.dll,GetProcessHeap), ref: 004013D5
GetProcAddress.KERNEL32(00000000), ref: 004013DC

Strings

e, xrefs: 0040130F
t, xrefs: 00401397
2, xrefs: 004012E3
., xrefs: 004012E7
3, xrefs: 004012DF
l, xrefs: 00401317
l, xrefs: 0040131B
HeapAlloc, xrefs: 0040136D
N, xrefs: 004012D3
H, xrefs: 00401345
A, xrefs: 00401355
HeapReAlloc, xrefs: 0040132B
E, xrefs: 004012CB
R, xrefs: 004012CF
s, xrefs: 004013B3
l, xrefs: 0040135D
H, xrefs: 004013B7
o, xrefs: 0040131F
kernel32.dll, xrefs: 00401330
kernel32.dll, xrefs: 00401372
e, xrefs: 00401393
p, xrefs: 00401307
e, xrefs: 00401349
A, xrefs: 00401313
l, xrefs: 004012EF
E, xrefs: 004012D7
o, xrefs: 004013A3
r, xrefs: 0040139F
G, xrefs: 0040138F
e, xrefs: 004013BB
l, xrefs: 00401359
K, xrefs: 004012C7
p, xrefs: 004013C3
a, xrefs: 004013BF
H, xrefs: 004012FB
a, xrefs: 0040134D
L, xrefs: 004012DB
o, xrefs: 00401361
GetProcessHeap, xrefs: 004013CB
l, xrefs: 004012F3
e, xrefs: 004013AB
kernel32.dll, xrefs: 004013D0
d, xrefs: 004012EB
P, xrefs: 0040139B
c, xrefs: 004013A7
e, xrefs: 004012FF
p, xrefs: 00401351
s, xrefs: 004013AF
R, xrefs: 0040130B
a, xrefs: 00401303
c, xrefs: 00401323
c, xrefs: 00401365

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: .$2$3$A$A$E$E$G$GetProcessHeap$H$H$H$HeapAlloc$HeapReAlloc$K$L$N$P$R$R$a$a$a$c$c$c$d$e$e$e$e$e$e$kernel32.dll$kernel32.dll$kernel32.dll$l$l$l$l$l$l$o$o$o$p$p$p$r$s$s$t
API String ID: 2574300362-1412782267
Opcode ID: 024ed6269add65bb879169941b2fd0d3083ecbb0b3343712da361891da8eae23
Instruction ID: e3bfb5ed5b37cb8be8f4df4aa4d0fd607de3c52dbb5d6cf9c797f6be4d6cb49f
Opcode Fuzzy Hash: 024ed6269add65bb879169941b2fd0d3083ecbb0b3343712da361891da8eae23
Instruction Fuzzy Hash: 0551C760C082C8D9EB12D7E8D84C7DEBFB15F26709F084099E5847A292C7FE0559C77A

Function 100076E0 Relevance: 47.5, APIs: 19, Strings: 8, Instructions: 294serviceregistrystringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 10007715
ExpandEnvironmentStringsA.KERNEL32(%ProgramFiles%\Microsoft Msmiou\,?,00000104), ref: 1000772C
strncmp.MSVCRT ref: 10007751
wsprintfA.USER32 ref: 10007799
CopyFileA.KERNEL32(?,?,00000000), ref: 10007841
SetFileAttributesA.KERNEL32(?,74680007), ref: 100078A0
OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 100078C6
CreateServiceA.ADVAPI32(00000000,?,?,000F01FF,00000110,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 100078FF
LockServiceDatabase.ADVAPI32(00000000), ref: 1000790E
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,Rsssqi yqeaiusa), ref: 1000792E
ChangeServiceConfig2A.ADVAPI32(00000000,00000002,00015180), ref: 100079B7
UnlockServiceDatabase.ADVAPI32(?), ref: 100079C4
GetLastError.KERNEL32 ref: 100079CE
OpenServiceA.ADVAPI32(00000000,?,000F01FF), ref: 100079E5
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 100079FE
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 10007A07

Part of subcall function 100063B0: _access.MSVCRT ref: 10006405
Part of subcall function 100063B0: CreateDirectoryA.KERNEL32(?,00000000), ref: 10006416

RegOpenKeyA.ADVAPI32(80000002,?,?), ref: 10007A7E
lstrlenA.KERNEL32(?), ref: 10007A88
RegSetValueExA.ADVAPI32(?,Description,00000000,00000001,?,00000000), ref: 10007AA0

Part of subcall function 10007AD9: CloseServiceHandle.ADVAPI32(00000000,10007ABA), ref: 10007ADE
Part of subcall function 10007AD9: CloseServiceHandle.ADVAPI32(00000000,10007ABA), ref: 10007AE9
Part of subcall function 10007AD9: RegCloseKey.ADVAPI32(?,10007ABA), ref: 10007AFA
Part of subcall function 10007AD9: Sleep.KERNEL32(000001F4,10007ABA), ref: 10007B05

Strings

%, xrefs: 10007771
s, xrefs: 10007778
\, xrefs: 100077B2
Description, xrefs: 10007A94
Aaegmai.exe, xrefs: 10007786
%ProgramFiles%\Microsoft Msmiou\, xrefs: 10007727
Rsssqi yqeaiusa, xrefs: 1000791A, 1000792A
SYSTEM\CurrentControlSet\Services\, xrefs: 10007A1B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Service$CloseFileOpen$ChangeConfig2CreateDatabaseHandleStart$AttributesCopyDirectoryEnvironmentErrorExpandLastLockManagerModuleNameSleepStringsUnlockValue_accesslstrlenstrncmpwsprintf
String ID: %$%ProgramFiles%\Microsoft Msmiou\$Aaegmai.exe$Description$Rsssqi yqeaiusa$SYSTEM\CurrentControlSet\Services\$\$s
API String ID: 3790363062-3995887331
Opcode ID: e4b3b6daffb285c63ad86877fa5addb509bdb35b6eeabc8bb2d963f4c62d2ca7
Instruction ID: 5c30ca6fcc712d38e342b9667786387558bda50c993f602cf64b20952b599d07
Opcode Fuzzy Hash: e4b3b6daffb285c63ad86877fa5addb509bdb35b6eeabc8bb2d963f4c62d2ca7
Instruction Fuzzy Hash: 71B196719002289BDB25CB649C85BDE7BB9FB49750F00429DF51A971C5CBB45F84CF90

Function 100016D0 Relevance: 47.4, APIs: 13, Strings: 14, Instructions: 113filesleepshutdownCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 10001773
DeviceIoControl.KERNEL32(00000000,00090018,00000000,00000000,00000000,00000000,C0000000,00000000), ref: 1000179F
WriteFile.KERNEL32(00000000,?,00000200,00000003,00000000), ref: 100017B3
DeviceIoControl.KERNEL32(00000000,0009001C,00000000,00000000,00000000,00000000,C0000000,00000000), ref: 100017CE
CloseHandle.KERNEL32(00000000), ref: 100017D1
Sleep.KERNEL32(000007D0), ref: 100017DC
GetVersion.KERNEL32 ref: 100017E2
GetCurrentProcess.KERNEL32(00000028,00000003), ref: 100017F6
OpenProcessToken.ADVAPI32(00000000), ref: 100017FD
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 1000180F
AdjustTokenPrivileges.ADVAPI32(00000003,00000000,DLAC,00000000,00000000,00000000), ref: 10001837
ExitWindowsEx.USER32(00000006,00000000), ref: 10001841
exit.MSVCRT ref: 10001849

Strings

.Wu, xrefs: 100017D1
H, xrefs: 1000172F
DLAC, xrefs: 1000181D, 10001823
U, xrefs: 10001715
., xrefs: 10001725
S, xrefs: 10001739
C, xrefs: 10001742
0, xrefs: 10001769
SeShutdownPrivilege, xrefs: 10001808
P, xrefs: 1000172A
L, xrefs: 1000174C
A, xrefs: 10001747
Y, xrefs: 10001734
E, xrefs: 10001764

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ControlDeviceFileProcessToken$AdjustCloseCreateCurrentExitHandleLookupOpenPrivilegePrivilegesSleepValueVersionWindowsWriteexit
String ID: .$0$A$C$DLAC$E$H$L$P$S$SeShutdownPrivilege$U$Y$.Wu
API String ID: 1264138919-3908245136
Opcode ID: 6fa703d6b52aeb68faa550979059f33683fa09f48bfe30dd443d6114e9b7918c
Instruction ID: ecba3bd938ea97beba5de9f3e4b012c150556fb508d925a7fd554e55ce58fae3
Opcode Fuzzy Hash: 6fa703d6b52aeb68faa550979059f33683fa09f48bfe30dd443d6114e9b7918c
Instruction Fuzzy Hash: C841713114C3C0AEF311DB648C49F9BBFE46B9A749F444A4CF3946A1D2C6B59608C76B

Function 10003CE0 Relevance: 40.6, APIs: 13, Strings: 10, Instructions: 371sleepmemoryserviceCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8), ref: 10003CEB
OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 10003CF7
OpenServiceA.ADVAPI32(00000000,Rsssqi yqeaiusa,000F01FF), ref: 10003D08
DeleteService.ADVAPI32(00000000), ref: 10003D0F
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10003D1F
lstrcatA.KERNEL32 ref: 10003D70
DeleteFileA.KERNEL32(.a\), ref: 10003D7B

Part of subcall function 10003B60: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10003B77
Part of subcall function 10003B60: GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10003B94
Part of subcall function 10003B60: GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 10003BB4
Part of subcall function 10003B60: lstrcpyA.KERNEL32(?, /c del ), ref: 10003BCF
Part of subcall function 10003B60: lstrcatA.KERNEL32(?,?), ref: 10003BE8
Part of subcall function 10003B60: lstrcatA.KERNEL32(?, > nul), ref: 10003BF7
Part of subcall function 10003B60: lstrcatA.KERNEL32(?,?), ref: 10003C09
Part of subcall function 10003B60: GetCurrentProcess.KERNEL32 ref: 10003C4A
Part of subcall function 10003B60: SetPriorityClass.KERNEL32(00000000), ref: 10003C53
Part of subcall function 10003B60: GetCurrentThread.KERNEL32 ref: 10003C5D
Part of subcall function 10003B60: SetThreadPriority.KERNEL32(00000000), ref: 10003C66
Part of subcall function 10003B60: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,?), ref: 10003C88
Part of subcall function 10003B60: SetPriorityClass.KERNEL32(?,00000040), ref: 10003C99
Part of subcall function 10003B60: SetThreadPriority.KERNEL32(00000100,000000F1), ref: 10003CA2
Part of subcall function 10003B60: ResumeThread.KERNEL32(00000100), ref: 10003CA9

exit.MSVCRT ref: 10003D88
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,Function_000039F0,?,00000000,00000000,00000000), ref: 10003DCA
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,Function_00002AC0,00000000,00000000,00000000,00000001,?,00000000,00000000,00000000), ref: 10003E10
Sleep.KERNEL32(0000000A,?,?,?,?,?,?,?,?,?,?,?,Function_00002A10,00000000,00000000,00000000), ref: 10003E92
Sleep.KERNEL32(00000064), ref: 10003F29
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 10004032

Strings

D, xrefs: 10003D36
a, xrefs: 10003D44
.a\, xrefs: 10003D76, 10003D7A
y, xrefs: 10003D66
Rsssqi yqeaiusa, xrefs: 10003D02, 10003ECD, 10003EE3
u, xrefs: 10003D49
\, xrefs: 10003D31
f, xrefs: 10003D3F
l, xrefs: 10003D4E
t, xrefs: 10003D53

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: PriorityThreadlstrcat$AllocSleepVirtual$ClassCurrentDeleteFileNameOpenProcessService$CreateDirectoryEnvironmentManagerModulePathResumeShortSystemVariableexitlstrcpy
String ID: .a\$D$Rsssqi yqeaiusa$\$a$f$l$t$u$y
API String ID: 3590732025-988682999
Opcode ID: 61c3a47928d235452a5fd8c6fa91931a4892519e0c0b6017ea361fd58e430c63
Instruction ID: b244be189efcdeb6cc92b075c93be6bdaf1c08e27fc697086f98e0db2580f7bf
Opcode Fuzzy Hash: 61c3a47928d235452a5fd8c6fa91931a4892519e0c0b6017ea361fd58e430c63
Instruction Fuzzy Hash: 6AB14536344304ABF710DB54EC82FABBB58EB95796F04803AFB459E1CADBB360148761

Function 10001860 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

SetupDiGetClassDevsA.SETUPAPI(00000000,PCI,00000000,00000006), ref: 10001886
SetupDiEnumDeviceInfo.SETUPAPI ref: 100018B8
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000008,00000000,?,00000064,?), ref: 10001908
GetLastError.KERNEL32 ref: 1000190E
GetLastError.KERNEL32 ref: 10001910
GetLastError.KERNEL32 ref: 10001917
LocalFree.KERNEL32(00000000), ref: 1000192F
SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,?,00000008,?,?,?,?), ref: 10001951
GetLastError.KERNEL32 ref: 10001957
_strcmpi.MSVCRT ref: 10001970
SetupDiSetClassInstallParamsA.SETUPAPI ref: 100019AA
GetLastError.KERNEL32 ref: 100019B4
SetupDiCallClassInstaller.SETUPAPI(00000012,00000000,?), ref: 100019BE
GetLastError.KERNEL32 ref: 100019C8

Strings

{4D36E972-E325-11CE-BFC1-08002BE10318}, xrefs: 1000196B
d, xrefs: 10001900
PCI, xrefs: 1000187B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ErrorLastSetup$ClassDevice$PropertyRegistry$CallDevsEnumFreeInfoInstallInstallerLocalParams_strcmpi
String ID: PCI$d${4D36E972-E325-11CE-BFC1-08002BE10318}
API String ID: 3489100548-713369733
Opcode ID: 7005b48a16ad0ebacf396c7ca7f1c3da0a9b2f8559a61461d0719d8e286a00a0
Instruction ID: 2b17c4ba8dad4854c59fb3ea2eab905c43b9bc95da52602cb632f4d8605aef69
Opcode Fuzzy Hash: 7005b48a16ad0ebacf396c7ca7f1c3da0a9b2f8559a61461d0719d8e286a00a0
Instruction Fuzzy Hash: 93414E71104359ABF300DBA4CC95FEBB7E8FF85784F40491DFA8596184E7B4D9088B62

Function 10006880 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 107libraryloaderprocessCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(userenv.dll), ref: 10006892
GetProcAddress.KERNEL32(00000000,CreateEnvironmentBlock), ref: 1000689C
GetCurrentProcess.KERNEL32 ref: 100068F5
OpenProcessToken.ADVAPI32(00000000,000F01FF,?), ref: 10006906
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,?), ref: 10006920
LoadLibraryA.KERNEL32(Kernel32.dll,WTSGetActiveConsoleSessionId), ref: 10006930
GetProcAddress.KERNEL32(00000000), ref: 10006933
SetTokenInformation.ADVAPI32(?,0000000C,?,00000004), ref: 10006951
CreateProcessAsUserA.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000430,?,00000000,00000044,?), ref: 1000698C
CloseHandle.KERNEL32(?), ref: 100069A1
CloseHandle.KERNEL32(?), ref: 100069A8
FreeLibrary.KERNEL32(00000000), ref: 100069B3

Strings

Kernel32.dll, xrefs: 1000692B
CreateEnvironmentBlock, xrefs: 10006896
userenv.dll, xrefs: 1000688D
D, xrefs: 100068E5
WTSGetActiveConsoleSessionId, xrefs: 10006926

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: LibraryProcessToken$AddressCloseHandleLoadProc$CreateCurrentDuplicateFreeInformationOpenUser
String ID: CreateEnvironmentBlock$D$Kernel32.dll$WTSGetActiveConsoleSessionId$userenv.dll
API String ID: 1797627335-609967149
Opcode ID: 28db3a70bec168a2f067cef202fe6c884769c6fdfd67d7c63dd3e7b957af29b4
Instruction ID: 6c8faf9185daa6d3cb4a3ef148a5aecad5bd36bfe1131a22130b012f6e80a81c
Opcode Fuzzy Hash: 28db3a70bec168a2f067cef202fe6c884769c6fdfd67d7c63dd3e7b957af29b4
Instruction Fuzzy Hash: 4F3115B1518315AFE600DF65CC88E5BBBE8FBC8B44F004A0EF68993254D770D909CBA2

Function 10001560 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 131fileCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,0000001A,00000000), ref: 10001593
FindFirstFileA.KERNEL32(?,?), ref: 1000161D
FindNextFileA.KERNEL32(00000000,?), ref: 10001631
FindNextFileA.KERNEL32(00000000,?), ref: 1000163B
FindNextFileA.KERNEL32(00000000,00000010), ref: 100016B6

Strings

\Tencent\Users\*.*, xrefs: 100015E8

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: FileFind$Next$FirstFolderPathSpecial
String ID: \Tencent\Users\*.*
API String ID: 2928578574-2867266411
Opcode ID: 574d862e1081ecde5ac50e721bfd1d19110dbe5ec7564eae71b279cea5334adc
Instruction ID: 393567bf372bf7f76afcdd7d334bc6448685448c28d66662a974c839ba3671ae
Opcode Fuzzy Hash: 574d862e1081ecde5ac50e721bfd1d19110dbe5ec7564eae71b279cea5334adc
Instruction Fuzzy Hash: 9641E6322047485BD328C6788C557EB77D5FBC4361F450B2EFA67972D4DEF499088241

Function 10001A30 Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: 72a9966f78db4782842ee1ddd4924beea740902d761926a3ec385324d09e37ad
Instruction ID: f499b291814b811c83a97806797d7be1ec9ba0a1496daf92aab79aef3217052a
Opcode Fuzzy Hash: 72a9966f78db4782842ee1ddd4924beea740902d761926a3ec385324d09e37ad
Instruction Fuzzy Hash: 33117B393042155FF304E7F89C89AAA77C8DB866E2F10422AF187C31CACE608C458372

Function 100035C0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73stringprocessCOMMON

Download Yara Rule

APIs

Part of subcall function 10008760: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000), ref: 100087AE
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegQueryValueExA), ref: 100087C8
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 100087D2
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegEnumValueA), ref: 100087DD
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegEnumKeyExA), ref: 100087E5
Part of subcall function 10008760: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 100087ED
Part of subcall function 10008760: RegOpenKeyExA.KERNEL32(75571760,?,00000000,00020019,?), ref: 10008812
Part of subcall function 10008760: FreeLibrary.KERNEL32(00000000), ref: 1000899B

lstrlenA.KERNEL32(?), ref: 1000361B
strstr.MSVCRT ref: 1000362F
lstrcpyA.KERNEL32(00000000,?), ref: 1000363E
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 1000369A

Strings

D, xrefs: 10003658
Applications\iexplore.exe\shell\open\command, xrefs: 100035FC

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CreateFreeLoadOpenProcesslstrcpylstrlenstrstr
String ID: Applications\iexplore.exe\shell\open\command$D
API String ID: 3176674629-535818822
Opcode ID: 666f1638132c99918fb24f8d193807154dbbcf2b7eff2c9ee9c26017fb28e5ab
Instruction ID: 3c7c75f77b2c05db0d19b1f3ba4dd3d011b93e8e2404cc49e21dea0be2637339
Opcode Fuzzy Hash: 666f1638132c99918fb24f8d193807154dbbcf2b7eff2c9ee9c26017fb28e5ab
Instruction Fuzzy Hash: F9218E71114700AAF750CB64CC45BEBB7ECEB84381F40891CBA55A62D4EBB6E5448B62

Function 00407400 Relevance: 9.5, APIs: 3, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

, xrefs: 00407782
, xrefs: 00407630
, xrefs: 004074B0

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID: $ $
API String ID: 0-3665324030
Opcode ID: ddffb5defa1e59829f3234e8e1589640ab1fcdbe4b706babe3f04c33649a3e3a
Instruction ID: 3530f8b7d0a1b963a0034aff1d8e652a030b7b762c5cfea18934d513d3907353
Opcode Fuzzy Hash: ddffb5defa1e59829f3234e8e1589640ab1fcdbe4b706babe3f04c33649a3e3a
Instruction Fuzzy Hash: 2922F779E012099FCB08CF98D590AADBBF2BF88314F24C1A9E815AB356C735E941CF55

Function 10004620 Relevance: 7.6, APIs: 6, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319ef1e59eca53be3e16f270085130441ae959a47dd33c77f14fc1b27aa0896c
Instruction ID: 8d2c18ba67f0487f6209aecac05d75a0c4e551dea5673684c326ec8ff49ac4f0
Opcode Fuzzy Hash: 319ef1e59eca53be3e16f270085130441ae959a47dd33c77f14fc1b27aa0896c
Instruction Fuzzy Hash: B841E4F27053056FE704DF68AC81B67B3D8FB84295F16412AFA05C7686EFB1E81487A4

Function 100014C0 Relevance: 7.6, APIs: 5, Instructions: 54clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 100014C8
GetClipboardData.USER32(00000001), ref: 100014DA
GlobalLock.KERNEL32(00000000), ref: 100014E3
GlobalUnlock.KERNEL32(00000000), ref: 1000154C
CloseClipboard.USER32 ref: 10001552

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: b69ab7b4f17cff2844c24c881cc7e6a000170ef6716410263ea5647b65c9d92c
Instruction ID: 8307db010902a887664cff108ee7aa31ae3e0e3fff18e3d430beacd02437c1e7
Opcode Fuzzy Hash: b69ab7b4f17cff2844c24c881cc7e6a000170ef6716410263ea5647b65c9d92c
Instruction Fuzzy Hash: 2211C678604761ABF318DB348C8899A3BE0EBC93A1F10861DF855832E5EBB4D90487A5

Function 10002E20 Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

OpenEventLogA.ADVAPI32(00000000), ref: 10002E9D
ClearEventLogA.ADVAPI32(00000000,00000000), ref: 10002EA8
CloseEventLog.ADVAPI32(00000000), ref: 10002EAB

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Event$ClearCloseOpen
String ID:
API String ID: 1391105993-0
Opcode ID: b70ffc2c62dc2dec69516cf1bd47191b730bf8ea45cfc114df946b0144b177a7
Instruction ID: 07f93a36fd5fe316aff954bb92eca92d8bf612cadc73f9ea17d1e091f2a11fdd
Opcode Fuzzy Hash: b70ffc2c62dc2dec69516cf1bd47191b730bf8ea45cfc114df946b0144b177a7
Instruction Fuzzy Hash: 5A115EB1548395AFE310CF18C880A5FBBE4FB89790F50892DF988CB214D339D944CB66

Function 10002DA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 10008390: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10002DAC,SeShutdownPrivilege,00000001), ref: 100083A7
Part of subcall function 10008390: GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 100083B7
Part of subcall function 10008390: GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 100083C1
Part of subcall function 10008390: GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100083CD
Part of subcall function 10008390: LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,10002DAC,SeShutdownPrivilege), ref: 100083D8
Part of subcall function 10008390: GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100083E4

ExitWindowsEx.USER32(?,00000000), ref: 10002DB6

Part of subcall function 10008390: LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 10008440
Part of subcall function 10008390: GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10008448
Part of subcall function 10008390: CloseHandle.KERNEL32(?), ref: 1000845A
Part of subcall function 10008390: FreeLibrary.KERNEL32(00000000), ref: 1000846B
Part of subcall function 10008390: FreeLibrary.KERNEL32(?), ref: 10008476

Strings

SeShutdownPrivilege, xrefs: 10002DA2, 10002DBE

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseExitHandleWindows
String ID: SeShutdownPrivilege
API String ID: 3789203340-3733053543
Opcode ID: 7a58245bb5eff222f8108f6104cad989a67e4da206da56029bee0577b97d090e
Instruction ID: 83f9ef3de106cdeeb747a248e5f0f3247bd8612a5196f129aec919e7817163a2
Opcode Fuzzy Hash: 7a58245bb5eff222f8108f6104cad989a67e4da206da56029bee0577b97d090e
Instruction Fuzzy Hash: 23C012349506002AF91493A45C47F893250BB84A81F400540F7D46D1C5D5F1B3984266

Function 100095EE Relevance: 2.7, Strings: 2, Instructions: 199COMMON

Download Yara Rule

Strings

, xrefs: 100095EE
, xrefs: 10009612

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 3a9c2d31f389efb7f264c21c275e64e0ffe3238d54e5f2972f9c7b4b81ca4b42
Instruction ID: a66656210b83fd0df57e8b558d00acce7a5cd6fe2d80571edcf340883a0670cb
Opcode Fuzzy Hash: 3a9c2d31f389efb7f264c21c275e64e0ffe3238d54e5f2972f9c7b4b81ca4b42
Instruction Fuzzy Hash: 9F61A1B56087458BE754CF18D88032ABBE1FBC6390F508A2EE895CB349D7B5D945CB82

Function 1000AD50 Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

@, xrefs: 1000B170

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: f4bf2680ef3248429d39c3b8066eb94c847ce6e0231793368804ed1634a09217
Instruction ID: 13f9ebc2374390c495546a099d653296fd997bac0217c3e36fb0d9ef46117357
Opcode Fuzzy Hash: f4bf2680ef3248429d39c3b8066eb94c847ce6e0231793368804ed1634a09217
Instruction Fuzzy Hash: 63D18B716083828FE724CF28C4906AFB7E1FFC9380F654A2DE88597354D7759986CB82

Function 00404740 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000046E0), ref: 00404748

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 3306b3174313b55bf8be29f039b9ddbaac2ac983cf4e6601462b486b8aa1252c
Instruction ID: e56077977efb1732e8bec96efd377264990ebaf83d5f5d42c289fe92ea7d206e
Opcode Fuzzy Hash: 3306b3174313b55bf8be29f039b9ddbaac2ac983cf4e6601462b486b8aa1252c
Instruction Fuzzy Hash: 7AB01274444308ABD610BFE7BC054057B9CD942A513104033E90992652E9F66004C96E

Function 00404760 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404769

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6963baa75a27ebb195acaf6b01503b7126bd8a997433f31c9fc9f9307439e5b1
Instruction ID: 85756d268d16d83a847e015f8d150b6bd15ce2b1526d02d400bfa6abffa5d8bd
Opcode Fuzzy Hash: 6963baa75a27ebb195acaf6b01503b7126bd8a997433f31c9fc9f9307439e5b1
Instruction Fuzzy Hash: E4B01231400348D7C510B7ECBC08842739C9B089013004030B109C3513CAB0F400C669

Function 00401D14 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

", xrefs: 00401DF1

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 54c5e86aec0f2748e05579c184993dcbf9dbf0596ea3bff60650ea41aacc1006
Instruction ID: 388db6d1f01a0f7db8352f7145bd4645a94910a9a349946d4481ec59318e247a
Opcode Fuzzy Hash: 54c5e86aec0f2748e05579c184993dcbf9dbf0596ea3bff60650ea41aacc1006
Instruction Fuzzy Hash: F231E775D00209DBCB04CF98C981BAEFBB1FF49314F24922AE515BB380D338A941CB99

Function 10009899 Relevance: .9, Instructions: 897COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29f5d243be617eb6698dd051341d873243d397d5d56500ed40f776a4dea7b810
Instruction ID: 08e5a79b20f77a293d72b4dd4a5b0ab38bcdc72d282846e0d439398825a31733
Opcode Fuzzy Hash: 29f5d243be617eb6698dd051341d873243d397d5d56500ed40f776a4dea7b810
Instruction Fuzzy Hash: BC726D716087428FDB58DF18C89066AB7E2FFC9340F144A6DE896CB349E774D985CB82

Function 10008EE0 Relevance: .7, Instructions: 725COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9709bcbb5a1bad45d3bab01697a71c48898f17f490beb2bea85d9ccf3f9f9657
Instruction ID: 250c5ea3547accfd089bfcc3fe628247e14d1ee97697f6cae587cc5f5f07bd0f
Opcode Fuzzy Hash: 9709bcbb5a1bad45d3bab01697a71c48898f17f490beb2bea85d9ccf3f9f9657
Instruction Fuzzy Hash: 20528F706047418FEB48CF19C880B6ABBE1FFC5380F114A6DE8858B34AD771E945CB92

Function 1000A8B0 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb5d4079a9ed0d26703fe803cf78960c33ac773f335689581c61450468df882
Instruction ID: 901090ba863dcf6a7da9903f4275f9156b72296b619cd34df61bfda641677d1a
Opcode Fuzzy Hash: 3bb5d4079a9ed0d26703fe803cf78960c33ac773f335689581c61450468df882
Instruction Fuzzy Hash: 63F17D316083868FD708DF2CC89066ABBE1EF8A384F154A7DE9D6C7342D675D885CB46

Function 1000B1D0 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction ID: 8f57e891ba8db73c944690b8d0185df232bac97677883d55374a267a0d41c5eb
Opcode Fuzzy Hash: dca000b2f6927503bda9435cdfa2d38ec8c2434b44ad82a88198043659fe7c76
Instruction Fuzzy Hash: D6717233755A8207F71CCE3E8C602BAABD38FC925472EC87E94DAC7746EC69D4165204

Function 00402603 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e51c949339fc18b029399bf83d93c29fbcbd76fb2ccc872c93cae2b815755d
Instruction ID: d8a5d6a4d46c8641a611cc0348d87d8b0695ff799a5e3dd4007f4c57e3acc660
Opcode Fuzzy Hash: 75e51c949339fc18b029399bf83d93c29fbcbd76fb2ccc872c93cae2b815755d
Instruction Fuzzy Hash: 86A1E775A0414DDFCB08CFA8C595AEEBBB2FF88314F14C299D956AB345D730AA41CB84

Function 1000B460 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85ce8d0ef776024ddb259d9a2a5fcac40c2af7a67b56185cc24cd593861807f
Instruction ID: bca32d7d635a6743aa564981c353ed3202441003e5e76482013228cc6dd9a8c3
Opcode Fuzzy Hash: c85ce8d0ef776024ddb259d9a2a5fcac40c2af7a67b56185cc24cd593861807f
Instruction Fuzzy Hash: 3581B9727185524BF719DF29DCD052F77E3EBCD380B19863EC6858735AE930A8198B90

Function 10006E60 Relevance: 63.2, APIs: 10, Strings: 26, Instructions: 150sleepregistryCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10006E7F

Part of subcall function 100067E0: GetTickCount.KERNEL32 ref: 100067E1
Part of subcall function 100067E0: rand.MSVCRT ref: 100067E9

wsprintfA.USER32 ref: 10006F8E
RegOpenKeyExA.ADVAPI32(80000002,SOFT,00000000,00020006,?), ref: 10006FAB
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10006FC3
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000000), ref: 10006FD9
Sleep.KERNEL32(00000000), ref: 10006FE9
printf.MSVCRT ref: 10006FF5
Sleep.KERNEL32(00000000), ref: 10007000
RegCloseKey.ADVAPI32(?), ref: 10007006
Sleep.KERNEL32(00000000), ref: 10007013

Strings

E, xrefs: 10006EAB
V, xrefs: 10006F08
u, xrefs: 10006EF3
s, xrefs: 10006F13
%c%c%c%c%c%c, xrefs: 10006F88
w, xrefs: 10006EE4
t, xrefs: 10006F04
SOFT, xrefs: 10006F9A, 10006FA5
sssssss894sa8d9748asf48a74fs9898g, xrefs: 10006FF0
u, xrefs: 10006F28
i, xrefs: 10006ED6
s, xrefs: 10006EE8
R, xrefs: 10006EA7
c, xrefs: 10006EBA
A, xrefs: 10006EA3
t, xrefs: 10006ECF
i, xrefs: 10006EB6
R, xrefs: 10006F24
C, xrefs: 10006EEF
i, xrefs: 10006F17
e, xrefs: 10006EFD
e, xrefs: 10006F0C
f, xrefs: 10006ECB
s, xrefs: 10006EC4
d, xrefs: 10006EDD
M, xrefs: 10006EB2

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Sleep$FileModuleName$CloseCountOpenTickValueprintfrandwsprintf
String ID: %c%c%c%c%c%c$A$C$E$M$R$R$SOFT$V$c$d$e$e$f$i$i$i$s$s$s$sssssss894sa8d9748asf48a74fs9898g$t$t$u$u$w
API String ID: 1608177436-3228888539
Opcode ID: 6201ad9aa8d7dc043c6790680b903a2137fa2258fe65d183e6588477d92159e3
Instruction ID: 4ee3ec84b17b1c5dcf399050531c59c277722f6681821ca1fdc42a60e278d094
Opcode Fuzzy Hash: 6201ad9aa8d7dc043c6790680b903a2137fa2258fe65d183e6588477d92159e3
Instruction Fuzzy Hash: 7F5171A1D0D2CCEDFB01C7E89C45BEEBF755F26348F084099E5447A282D2AA5618C776

Function 0040189D Relevance: 50.8, APIs: 2, Strings: 27, Instructions: 82libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,VirtualAlloc), ref: 00401931
GetProcAddress.KERNEL32(00000000), ref: 00401938

Part of subcall function 00402E70: KiUserExceptionDispatcher.NTDLL(?,?,00410070,?,?,?,?,?,0040105E,0000002D,00410070), ref: 00402EA3

Strings

VirtualAlloc, xrefs: 00401927
c, xrefs: 0040191F
kernel32.dll, xrefs: 0040192C
R, xrefs: 004018C7
E, xrefs: 004018CF
L, xrefs: 004018D3
K, xrefs: 004018BF
2, xrefs: 004018DB
i, xrefs: 004018F7
., xrefs: 004018DF
l, xrefs: 004018EB
N, xrefs: 004018CB
a, xrefs: 00401907
V, xrefs: 004018F3
u, xrefs: 00401903
t, xrefs: 004018FF
o, xrefs: 0040191B
l, xrefs: 00401917
r, xrefs: 004018FB
3, xrefs: 004018D7
l, xrefs: 004018E7
d, xrefs: 004018E3
PKE., xrefs: 00401984, 00401987
A, xrefs: 0040190F
E, xrefs: 004018C3
l, xrefs: 00401913
l, xrefs: 0040190B

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressDispatcherExceptionLibraryLoadProcUser
String ID: .$2$3$A$E$E$K$L$N$PKE.$R$V$VirtualAlloc$a$c$d$i$kernel32.dll$l$l$l$l$l$o$r$t$u
API String ID: 1886913702-4028478765
Opcode ID: 4ef809b5726fb3139421dd50b0718fed76d7718ecafa033577060d2b1ce95e18
Instruction ID: b989b2ae7dfb34a7103c7879cfcc8143ecfb91dabf2696620dc30b45d3be86b1
Opcode Fuzzy Hash: 4ef809b5726fb3139421dd50b0718fed76d7718ecafa033577060d2b1ce95e18
Instruction Fuzzy Hash: FD314C70D082C8DAEB11CBA8D448BDDBFB1AB26708F140199E59477382C3BE4409C77A

Function 10003B60 Relevance: 40.4, APIs: 19, Strings: 4, Instructions: 120threadstringprocessCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10003B77
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10003B94
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 10003BB4
lstrcpyA.KERNEL32(?, /c del ), ref: 10003BCF
lstrcatA.KERNEL32(?,?), ref: 10003BE8
lstrcatA.KERNEL32(?, > nul), ref: 10003BF7
lstrcatA.KERNEL32(?,?), ref: 10003C09
GetCurrentProcess.KERNEL32 ref: 10003C4A
SetPriorityClass.KERNEL32(00000000), ref: 10003C53
GetCurrentThread.KERNEL32 ref: 10003C5D
SetThreadPriority.KERNEL32(00000000), ref: 10003C66
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,0000000C,00000000,00000000,?,?), ref: 10003C88
SetPriorityClass.KERNEL32(?,00000040), ref: 10003C99
SetThreadPriority.KERNEL32(00000100,000000F1), ref: 10003CA2
ResumeThread.KERNEL32(00000100), ref: 10003CA9
GetCurrentProcess.KERNEL32(00000020), ref: 10003CC1
SetPriorityClass.KERNEL32(00000000), ref: 10003CC4
GetCurrentThread.KERNEL32 ref: 10003CC8
SetThreadPriority.KERNEL32(00000000), ref: 10003CCB

Strings

D, xrefs: 10003C3A
COMSPEC, xrefs: 10003BAF
/c del , xrefs: 10003BC9
> nul, xrefs: 10003BF1

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: PriorityThread$Current$ClassProcesslstrcat$Name$CreateEnvironmentFileModulePathResumeShortVariablelstrcpy
String ID: /c del $ > nul$COMSPEC$D
API String ID: 3725893594-850586679
Opcode ID: 54fbc1f53e90734bf33b5bcde083400d5116cb4d044677edd240d241b6b10a04
Instruction ID: e7bdb26fbee75a5f6cd2c3611a9187368e1173e7e8cf91e5f688b2eed28bb1b1
Opcode Fuzzy Hash: 54fbc1f53e90734bf33b5bcde083400d5116cb4d044677edd240d241b6b10a04
Instruction Fuzzy Hash: 28414F71618318ABF714DBA0DC85FABB7ACFB84740F004A1DF645D6184DBB5E908CB62

Function 00401ABE Relevance: 40.3, APIs: 4, Strings: 19, Instructions: 81libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,VirtualFree), ref: 00401AEA
GetProcAddress.KERNEL32(00000000), ref: 00401AF1
LoadLibraryA.KERNEL32(kernel32.dll,VirtualProtect), ref: 00401B45
GetProcAddress.KERNEL32(00000000), ref: 00401B4C

Part of subcall function 00402E70: KiUserExceptionDispatcher.NTDLL(?,?,00410070,?,?,?,?,?,0040105E,0000002D,00410070), ref: 00402EA3

Strings

r, xrefs: 00401B1F
t, xrefs: 00401B27
o, xrefs: 00401B23
kernel32.dll, xrefs: 00401AE5
VirtualProtect, xrefs: 00401B3B
t, xrefs: 00401B0B
e, xrefs: 00401B2B
c, xrefs: 00401B2F
r, xrefs: 00401B07
VirtualFree, xrefs: 00401AE0
i, xrefs: 00401B03
@, xrefs: 00401B85
P, xrefs: 00401B1B
l, xrefs: 00401B17
u, xrefs: 00401B0F
t, xrefs: 00401B33
V, xrefs: 00401AFF
a, xrefs: 00401B13
kernel32.dll, xrefs: 00401B40

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$DispatcherExceptionUser
String ID: @$P$V$VirtualFree$VirtualProtect$a$c$e$i$kernel32.dll$kernel32.dll$l$o$r$r$t$t$t$u
API String ID: 109903041-3203620437
Opcode ID: 47935b526a153d22c9f38f43a766c04ef3fc6742b82a4ecc72367dd90494dbf6
Instruction ID: 8f8edad36a8844111e4ea6da53c9dfc8a874efb3bc9e7fb3566b758854e825f8
Opcode Fuzzy Hash: 47935b526a153d22c9f38f43a766c04ef3fc6742b82a4ecc72367dd90494dbf6
Instruction Fuzzy Hash: 84317170D48288DADB10CBA8C909BDEBFB5AB1A714F140169E944773D2C3BE5508C77A

Function 100069D0 Relevance: 35.1, APIs: 17, Strings: 3, Instructions: 136sleepregistryCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(Rsssqi yqeaiusa,10006B00), ref: 100069E2
SetServiceStatus.ADVAPI32(00000000,100139F0), ref: 10006A35
Sleep.KERNEL32(000001F4), ref: 10006A4C
GetVersionExA.KERNEL32(?), ref: 10006A5B
SetServiceStatus.ADVAPI32(00000000,100139F0), ref: 10006A7E

Part of subcall function 100067A0: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,10007E87,?,?,?,?,?,?), ref: 100067BF
Part of subcall function 100067A0: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,10007E87,?,?,?,?,?,?,?), ref: 100067C6

Sleep.KERNEL32(0000003C), ref: 10006A87
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10006A9A
wsprintfA.USER32 ref: 10006AB5
CloseHandle.KERNEL32(00000000), ref: 10006ACC
SetServiceStatus.ADVAPI32(00000000,100139F0), ref: 10006AE7
exit.MSVCRT ref: 10006AEB
SetServiceStatus.ADVAPI32(00000000,100139F0,756904E0), ref: 10006B5E
Sleep.KERNEL32(000001F4), ref: 10006B65
SetServiceStatus.ADVAPI32(00000000,100139F0), ref: 10006B8B

Strings

.Wu, xrefs: 10006ACC
Rsssqi yqeaiusa, xrefs: 100069DD
%s Win7, xrefs: 10006AAF

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Service$Status$Sleep$CloseHandle$CtrlFileHandlerModuleNameObjectRegisterSingleVersionWaitexitwsprintf
String ID: %s Win7$Rsssqi yqeaiusa$.Wu
API String ID: 617891212-966947304
Opcode ID: 2ad54932797aafbc30b25fc021203933e186005e07ef1ac160e5349e1e025df4
Instruction ID: be7a7a9dc8521a97ca6a371e5d9d1867d4f57154c79d6d0d78abe06bd75d98c0
Opcode Fuzzy Hash: 2ad54932797aafbc30b25fc021203933e186005e07ef1ac160e5349e1e025df4
Instruction Fuzzy Hash: 1A51FBB1546365ABF304DF94CC8AF967FA8EB89744F00C618E248AB2A5C7F59084CF51

Function 10008390 Relevance: 35.1, APIs: 11, Strings: 9, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10002DAC,SeShutdownPrivilege,00000001), ref: 100083A7
GetProcAddress.KERNEL32(00000000,OpenProcessToken), ref: 100083B7
GetProcAddress.KERNEL32(00000000,AdjustTokenPrivileges), ref: 100083C1
GetProcAddress.KERNEL32(00000000,LookupPrivilegeValueA), ref: 100083CD
LoadLibraryA.KERNEL32(kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,10002DAC,SeShutdownPrivilege), ref: 100083D8
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 100083E4
LoadLibraryA.KERNEL32(KERNEL32.dll), ref: 10008440
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 10008448
CloseHandle.KERNEL32(?), ref: 1000845A
FreeLibrary.KERNEL32(00000000), ref: 1000846B
FreeLibrary.KERNEL32(?), ref: 10008476

Strings

.Wu, xrefs: 1000845A
KERNEL32.dll, xrefs: 1000843B
ADVAPI32.dll, xrefs: 1000839D
AdjustTokenPrivileges, xrefs: 100083B9
OpenProcessToken, xrefs: 100083B1
LookupPrivilegeValueA, xrefs: 100083C3
GetLastError, xrefs: 10008442
GetCurrentProcess, xrefs: 100083DA
kernel32.dll, xrefs: 100083CF

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$Load$Free$CloseHandle
String ID: ADVAPI32.dll$AdjustTokenPrivileges$GetCurrentProcess$GetLastError$KERNEL32.dll$LookupPrivilegeValueA$OpenProcessToken$kernel32.dll$.Wu
API String ID: 2887716753-1297170231
Opcode ID: bc1d1333d400c750d1f9856437150adc5f43a741e5bf62c8d62a4a71a5088aef
Instruction ID: f301a40821df81d7dc462619c10b5cde91244197f9f0ec9ce5f72fdbc0275710
Opcode Fuzzy Hash: bc1d1333d400c750d1f9856437150adc5f43a741e5bf62c8d62a4a71a5088aef
Instruction Fuzzy Hash: C12194B16043056BE300DB75CC85F6FBBE8EFC8694F44491DF68497140DB75DA448BA6

Function 100036B0 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 125libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(wininet.dll), ref: 100036D2
GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100036E6
GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 10003703
FreeLibrary.KERNEL32(00000000), ref: 10003728
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 10003752
GetProcAddress.KERNEL32(00000000,InternetReadFile), ref: 10003774
WriteFile.KERNEL32(?,?,?,?,00000000), ref: 100037B0
CloseHandle.KERNEL32(?), ref: 100037CA
Sleep.KERNEL32(00000001), ref: 100037D6
GetProcAddress.KERNEL32(00000000,InternetCloseHandle), ref: 100037E2
FreeLibrary.KERNEL32(00000000), ref: 100037F5

Strings

InternetCloseHandle, xrefs: 100037DC
.Wu, xrefs: 100037CA
InternetReadFile, xrefs: 1000376C
wininet.dll, xrefs: 100036C1
MZ, xrefs: 10003790
InternetOpenA, xrefs: 100036E0
InternetOpenUrlA, xrefs: 100036FD
MSIE 6.0, xrefs: 100036EC

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenA$InternetOpenUrlA$InternetReadFile$MSIE 6.0$MZ$wininet.dll$.Wu
API String ID: 2977986460-3197645918
Opcode ID: 0bfaf2880d9a4a802b049c59113daa5498a9a5d02bbc2dfc40136576c0a0fc57
Instruction ID: 3666ced693ccb845996f430b1c3d1107c8a7800bd8690e7c3b5605d68986f6f5
Opcode Fuzzy Hash: 0bfaf2880d9a4a802b049c59113daa5498a9a5d02bbc2dfc40136576c0a0fc57
Instruction Fuzzy Hash: 0931C3B1208345ABF321DB65CC94FAFB7E8EFC9B90F10451DF64496180DB74E90987AA

Function 10006C50 Relevance: 31.6, APIs: 13, Strings: 5, Instructions: 102stringthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10006CAE
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 10006CC3
GetEnvironmentVariableA.KERNEL32(COMSPEC,?,00000104), ref: 10006CDB
lstrcatA.KERNEL32(?,/c del ), ref: 10006CF4
lstrcatA.KERNEL32(?,?), ref: 10006D03
lstrcatA.KERNEL32(?, > nul), ref: 10006D12
ShellExecuteExA.SHELL32 ref: 10006D53
SetPriorityClass.KERNEL32(?,00000040), ref: 10006D6A
GetCurrentProcess.KERNEL32(00000100), ref: 10006D71
SetPriorityClass.KERNEL32(00000000), ref: 10006D78
GetCurrentThread.KERNEL32 ref: 10006D7C
SetThreadPriority.KERNEL32(00000000), ref: 10006D83
SHChangeNotify.SHELL32(00000004,00000001,?,00000000), ref: 10006D93

Strings

@, xrefs: 10006D4B
COMSPEC, xrefs: 10006CD6
<, xrefs: 10006D27
> nul, xrefs: 10006D0C
/c del , xrefs: 10006CEE

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Prioritylstrcat$ClassCurrentNameThread$ChangeEnvironmentExecuteFileModuleNotifyPathProcessShellShortVariable
String ID: > nul$/c del $<$@$COMSPEC
API String ID: 2091984646-3567428472
Opcode ID: 4e0f0f29ea395dbc5a403466097e4696b05239ee6d2b6a21f43b065a5371378d
Instruction ID: 258d5b7cc21e178090f30a69b78e91572c1f89f14ece20d994ae93f435e76a13
Opcode Fuzzy Hash: 4e0f0f29ea395dbc5a403466097e4696b05239ee6d2b6a21f43b065a5371378d
Instruction Fuzzy Hash: E8315CB1508349AFE710DB64CC84FDBBBA8FBC9394F00492DF78996190DA759508CBA2

Function 10005FA0 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 157registrystringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 10005FC9
RegOpenKeyExA.ADVAPI32(80000000,00000000,00000000,000F003F,?,?,00000000), ref: 10005FFB

Strings

"%1, xrefs: 100060C3
%s\shell\open\command, xrefs: 10006050
D, xrefs: 1000612B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Openstrrchr
String ID: "%1$%s\shell\open\command$D
API String ID: 1564636448-1634606264
Opcode ID: f8fadf5d45f201080859017d28aa8ca60d29a73c56c4841201857da525bb7b99
Instruction ID: 799b5bd3833e65ca799b9e2eb06c40be4e437a2eca7bc72d22d887cf82a183a3
Opcode Fuzzy Hash: f8fadf5d45f201080859017d28aa8ca60d29a73c56c4841201857da525bb7b99
Instruction Fuzzy Hash: 15418372204345ABE714CB60DC80FEBB7E9EBC4344F044D1DFA5497250EA75E549C7A2

Function 00401138 Relevance: 29.8, APIs: 4, Strings: 13, Instructions: 88libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,HeapFree), ref: 004011BC
GetProcAddress.KERNEL32(00000000), ref: 004011C3
LoadLibraryA.KERNEL32(KERNEL32.dll,GetProcessHeap), ref: 00401210
GetProcAddress.KERNEL32(00000000), ref: 00401217

Part of subcall function 00402E70: KiUserExceptionDispatcher.NTDLL(?,?,00410070,?,?,?,?,?,0040105E,0000002D,00410070), ref: 00402EA3

Strings

e, xrefs: 0040115E
GetProcessHeap, xrefs: 00401208, 0040120B
r, xrefs: 0040116E
kernel32.dll, xrefs: 004011B7
e, xrefs: 00401176
c, xrefs: 00401235
a, xrefs: 00401162
HeapFree, xrefs: 004011B2
KERNEL32.dll, xrefs: 0040120C, 0040120F
p, xrefs: 00401166
H, xrefs: 0040115A
F, xrefs: 0040116A
e, xrefs: 00401172

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$DispatcherExceptionUser
String ID: F$GetProcessHeap$H$HeapFree$KERNEL32.dll$a$c$e$e$e$kernel32.dll$p$r
API String ID: 109903041-3689313246
Opcode ID: bb8c3953176cde90c5b35ca12f2989082ed73af47aa4abd779e29b0ead38e1a4
Instruction ID: 69c7d6370a8dd438e4874d72da0fe88dc6561b03f8dbd0dd4fbf006d741de7f5
Opcode Fuzzy Hash: bb8c3953176cde90c5b35ca12f2989082ed73af47aa4abd779e29b0ead38e1a4
Instruction Fuzzy Hash: F741F160D082C8D9EB12C7A8D9487DEBFB55B26719F180199E584762C2C7FF0618C7BA

Function 00409640 Relevance: 26.4, APIs: 9, Strings: 6, Instructions: 200libraryloaderCOMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0045D1D8), ref: 00409645
LoadLibraryA.KERNEL32(user32.dll), ref: 00409661
GetProcAddress.KERNEL32(00000000,wsprintfA), ref: 00409682
OutputDebugStringA.KERNEL32(?), ref: 004096C2
InterlockedDecrement.KERNEL32(0045D1D8), ref: 004096CD
InterlockedDecrement.KERNEL32(0045D1D8), ref: 0040983B

Strings

wsprintfA, xrefs: 00409676
user32.dll, xrefs: 0040965C
_CrtDbgReport: String too long or IO Error, xrefs: 00409709, 004097DC
%s(%d) : %s, xrefs: 004097BF
R:, xrefs: 00409910
Second Chance Assertion Failed: File %s, Line %d, xrefs: 004096A6

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$AddressDebugIncrementLibraryLoadOutputProcString
String ID: %s(%d) : %s$R:$Second Chance Assertion Failed: File %s, Line %d$_CrtDbgReport: String too long or IO Error$user32.dll$wsprintfA
API String ID: 1024810826-2213716946
Opcode ID: ac30aebc00a2b65d6ffe6751ad345a08069c68c6f6ece29ed597163b867a85a3
Instruction ID: bf86a47b5444c72da6d17ff0f440cdf0d0983f1ba59a11e2de5bbafff5f8e696
Opcode Fuzzy Hash: ac30aebc00a2b65d6ffe6751ad345a08069c68c6f6ece29ed597163b867a85a3
Instruction Fuzzy Hash: E081BF76910304EBDB24DF54DC95BEA3378AF48305F1485BAF809A62C2D7789E88CF59

Function 100081B0 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,00000000,00000000,00000000), ref: 100081E1
GetProcAddress.KERNEL32(00000000,GetThreadDesktop), ref: 100081F4
GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 100081FF
GetProcAddress.KERNEL32(00000000,SetThreadDesktop), ref: 1000820A
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 10008218
LoadLibraryA.KERNEL32(kernel32.dll), ref: 10008222
GetProcAddress.KERNEL32(00000000,GetCurrentThreadId), ref: 1000822F

Strings

SetThreadDesktop, xrefs: 10008204
CloseDesktop, xrefs: 10008212
GetCurrentThreadId, xrefs: 10008229
GetUserObjectInformationA, xrefs: 100081F9
user32.dll, xrefs: 100081D6
GetThreadDesktop, xrefs: 100081E8
kernel32.dll, xrefs: 1000821D

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$GetCurrentThreadId$GetThreadDesktop$GetUserObjectInformationA$SetThreadDesktop$kernel32.dll$user32.dll
API String ID: 2238633743-588083535
Opcode ID: 29abb12e586fa040ba1daad7168e19b3db925dde575962b9aa71365ffed2a0b2
Instruction ID: d9e335a01bcf499399397701cc45019b0ccf4ef7b405941e9ebc317f74ff5936
Opcode Fuzzy Hash: 29abb12e586fa040ba1daad7168e19b3db925dde575962b9aa71365ffed2a0b2
Instruction Fuzzy Hash: EA212FB1D00618AFEB10DFA5CC84FEEBBB8FB48790F10411AF614E7240DB749A408BA5

Function 00402310 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,HeapFree), ref: 0040233C
GetProcAddress.KERNEL32(00000000), ref: 00402343
LoadLibraryA.KERNEL32(KERNEL32.dll,VirtualFree), ref: 004023BF
GetProcAddress.KERNEL32(00000000), ref: 004023C6
LoadLibraryA.KERNEL32(KERNEL32.dll,GetProcessHeap), ref: 004023D9
GetProcAddress.KERNEL32(00000000), ref: 004023E0

Part of subcall function 00402E70: KiUserExceptionDispatcher.NTDLL(?,?,00410070,?,?,?,?,?,0040105E,0000002D,00410070), ref: 00402EA3

Strings

D, xrefs: 00402407
HeapFree, xrefs: 00402332
KERNEL32.dll, xrefs: 004023D4
GetProcessHeap, xrefs: 004023CF
kernel32.dll, xrefs: 00402337
VirtualFree, xrefs: 004023B7, 004023BA
KERNEL32.dll, xrefs: 004023BB, 004023BE

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$DispatcherExceptionUser
String ID: D$GetProcessHeap$HeapFree$KERNEL32.dll$KERNEL32.dll$VirtualFree$kernel32.dll
API String ID: 109903041-3217695185
Opcode ID: 0471020af816e0c10deb91e709e11e4ca2be90c61c551be4d9350030257f12a5
Instruction ID: dd5e1e6dc17e71a7484664c5c96d99ba48e4eb391a0bd6fa7bb913cf4fb6e21f
Opcode Fuzzy Hash: 0471020af816e0c10deb91e709e11e4ca2be90c61c551be4d9350030257f12a5
Instruction Fuzzy Hash: 80315670D483C8EAEB11CBE8D948B9EBFB5AB12719F140169E544772C2C7BE4508C77A

Function 10003110 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 186COMMON

Download Yara Rule

Strings

"%1, xrefs: 10003296
%s\shell\open\command, xrefs: 10003209
D, xrefs: 100032F0

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID:
String ID: "%1$%s\shell\open\command$D
API String ID: 0-1634606264
Opcode ID: af3f44a66e067d319cc4f4095ccf4bb989ec2faebcd3ce1dc9429fc4ac04dea9
Instruction ID: 3b60721297add876bbf5fc82eedd6e34e95aeaf5cbbf963108d86314e992faf5
Opcode Fuzzy Hash: af3f44a66e067d319cc4f4095ccf4bb989ec2faebcd3ce1dc9429fc4ac04dea9
Instruction Fuzzy Hash: 13511432108745ABF724C764CC55FEB77D8EB84381F40482DFB54962C5EBB5A608CB92

Function 10002450 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 120filestringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10002464
CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 10002505
GetFileSize.KERNEL32 ref: 10002518
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000252C
lstrlenA.KERNEL32(?), ref: 1000253A
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10002543
lstrlenA.KERNEL32(?,?,00000000,00000000), ref: 10002569
WriteFile.KERNEL32(00000000,00000000,00000000), ref: 10002572
CloseHandle.KERNEL32(00000000), ref: 10002579

Strings

.Wu, xrefs: 10002579
.key, xrefs: 100024D1
Default, xrefs: 100024A2

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$lstrlen$??2@CloseCreateDirectoryHandlePointerSizeSystemWrite
String ID: .key$Default$.Wu
API String ID: 686648604-754640202
Opcode ID: c8e073827d887def72b4b277827f220a939d3f284d1fe10410174d1b95eabb2c
Instruction ID: 94fbe2f20e4dfee87ea8ff808e77046cee4651ddaf7763b7102ed85f1552d9b6
Opcode Fuzzy Hash: c8e073827d887def72b4b277827f220a939d3f284d1fe10410174d1b95eabb2c
Instruction Fuzzy Hash: B0312B312007081BE718DB748C9AFAB3A4AEBC57B1F54072DFA578B2D6DEE49D088250

Function 10008490 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 65libraryloaderstringCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 1000849F
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 100084B3
GetProcAddress.KERNEL32(00000000,Process32First), ref: 100084BD
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 100084C7
lstrcmpiA.KERNEL32(?,?), ref: 10008508
CloseHandle.KERNEL32(00000000), ref: 10008521
FreeLibrary.KERNEL32(00000000), ref: 1000852C

Strings

.Wu, xrefs: 10008521
Process32First, xrefs: 100084B5
CreateToolhelp32Snapshot, xrefs: 100084AD
Process32Next, xrefs: 100084BF
kernel32.dll, xrefs: 1000849A

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadlstrcmpi
String ID: CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32.dll$.Wu
API String ID: 1314729832-281824930
Opcode ID: b4d04c0ec4fb893e7aa4a79bf5d107acaacc7aa3e2847d76f07c2cd52efc22e1
Instruction ID: 75bed72865b25e84cb0fd308bc054aeba0a201aa0dae88120b2183505ababa2c
Opcode Fuzzy Hash: b4d04c0ec4fb893e7aa4a79bf5d107acaacc7aa3e2847d76f07c2cd52efc22e1
Instruction Fuzzy Hash: 9D11A370144715ABE311DB718C88FAB7AE8FFD97C1F010418FA8483245EB74DA098BA2

Function 00405280 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0040529D
GetEnvironmentStrings.KERNEL32 ref: 004052B8
GetEnvironmentStringsW.KERNEL32 ref: 004052ED
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00405357
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405388
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004053AD
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 004053D0
GetEnvironmentStrings.KERNEL32 ref: 004053F1
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00405466
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00405488

Strings

a_env.c, xrefs: 00405368, 00405446

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID: a_env.c
API String ID: 158306478-1218344748
Opcode ID: b5e6de8868c18dcb80ccc168d0f9724616bae644a3193a429e9ae2cde91faea9
Instruction ID: b10cc31f32a9c0d4791375c3cdb41f7fd8d0871ec8412da233b981226d490063
Opcode Fuzzy Hash: b5e6de8868c18dcb80ccc168d0f9724616bae644a3193a429e9ae2cde91faea9
Instruction Fuzzy Hash: 3C611C70D00609EFDB14DFA4D84ABAFBBB1EF48305F24447AD501BA281D7785985CF99

Function 10002AE0 Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 86COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 10002B6E
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10002BC6

Strings

n, xrefs: 10002B4B
y, xrefs: 10002B64
O, xrefs: 10002B3C
e, xrefs: 10002B46
p, xrefs: 10002B41
P, xrefs: 10002B50
x, xrefs: 10002B5F
r, xrefs: 10002B55
o, xrefs: 10002B5A

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID: O$P$e$n$o$p$r$x$y
API String ID: 1936579350-665402123
Opcode ID: a9f15a5609e470d7b506450aa7368d1fa0b88d0a6f048e2faa9dbb145b1f1aac
Instruction ID: 3692af032c8f74a7448cfbc9b25724ec032470320efd82e58de406069b8f673d
Opcode Fuzzy Hash: a9f15a5609e470d7b506450aa7368d1fa0b88d0a6f048e2faa9dbb145b1f1aac
Instruction Fuzzy Hash: 7121E4A16083815FE301DE78984572BBBC6EB95684F44442CF94497386DFBAEA0D83A3

Function 10004F70 Relevance: 18.0, APIs: 3, Strings: 9, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10004DC0: wsprintfA.USER32 ref: 10004ED2

lstrlenA.KERNEL32(?,?,?,?,755683C0,Rsssqi yqeaiusa,00000000,00000000,1F901F90), ref: 10004FD9
lstrcpyA.KERNEL32(?,Default), ref: 10004FE5
lstrlenA.KERNEL32(?), ref: 10004FEC

Strings

t, xrefs: 10004FAC
r, xrefs: 10004FB6
p, xrefs: 10004FC0
Default, xrefs: 10004FDF
C, xrefs: 10004F9D
u, xrefs: 10004FBB
G, xrefs: 10004FB1
e, xrefs: 10004FA2
c, xrefs: 10004FA7

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpywsprintf
String ID: C$Default$G$c$e$p$r$t$u
API String ID: 3119633594-4271276820
Opcode ID: 53b571e7e5782a6b10e4944cb20398db5a19ad4df56a1d283e74e2a9cb397cb2
Instruction ID: 4cb25a30716088ae15ae6051cb06f13dced165f59787a813520f2c1d2ff989c5
Opcode Fuzzy Hash: 53b571e7e5782a6b10e4944cb20398db5a19ad4df56a1d283e74e2a9cb397cb2
Instruction Fuzzy Hash: 74015B2140D3D19AE302DB298844B8FBFD48FE6248F08898CF1C857253D6B9961DC7BB

Function 0040CB4C Relevance: 18.0, APIs: 5, Strings: 5, Instructions: 497COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0040CB50

Strings

ch != _T('\0'), xrefs: 0040C68D
., xrefs: 0040C84E
-, xrefs: 0040D047
5, xrefs: 0040C8E1
output.c, xrefs: 0040C699, 0040CC12

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: _get_int_arg
String ID: -$.$5$ch != _T('\0')$output.c
API String ID: 1853115473-969519535
Opcode ID: 77878b7f5e4b14ac23e318a867e009683f67d1b7fd0176462cbae87527bf0eec
Instruction ID: 0b30f0e5d39e4640d1bcf628ae85e314e075eaa161c9280c7354a6fc1720db46
Opcode Fuzzy Hash: 77878b7f5e4b14ac23e318a867e009683f67d1b7fd0176462cbae87527bf0eec
Instruction Fuzzy Hash: 832279B5D04218DBDB24CF94C8947EEB7B1AF49304F2482EAD419BB280D7389E85DF59

Function 100042D0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127fileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10004302
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100043A3
GetFileSize.KERNEL32(00000000,00000000), ref: 100043B2
??2@YAPAXI@Z.MSVCRT(00000000), ref: 100043BB
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 100043CE
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100043F6
CloseHandle.KERNEL32(00000000), ref: 100043FF

Strings

.Wu, xrefs: 100043FF
.key, xrefs: 1000436F
Default, xrefs: 10004340

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$??2@??3@CloseCreateDirectoryHandleReadSizeSystem
String ID: .key$Default$.Wu
API String ID: 672438164-754640202
Opcode ID: c5984c09ec34bd10944bea341ec4145ab8e351a683e2eb105694719c3a40ca63
Instruction ID: 0df5a831510a63df1367d60be323571a78bc34c8aae415aa1ce2a19351602c89
Opcode Fuzzy Hash: c5984c09ec34bd10944bea341ec4145ab8e351a683e2eb105694719c3a40ca63
Instruction Fuzzy Hash: 27314A316047081FE318DB749C5596F7A8AEBC92B0F55073DFA67872C2EEF09D088691

Function 10005000 Relevance: 16.5, APIs: 3, Strings: 8, Instructions: 36stringCOMMON

Download Yara Rule

APIs

Part of subcall function 10004DC0: wsprintfA.USER32 ref: 10004ED2

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10005055
lstrcpyA.KERNEL32(?,10012198,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10005061
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10005068

Strings

e, xrefs: 1000503C
M, xrefs: 10005019
k, xrefs: 10005028
T, xrefs: 1000502D
a, xrefs: 1000501E
i, xrefs: 10005032
r, xrefs: 10005023
m, xrefs: 10005037

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcpywsprintf
String ID: M$T$a$e$i$k$m$r
API String ID: 3119633594-394501062
Opcode ID: a2d2ada28ae358257b563558a7e43129e4b2749408b5bd0a1175ba5b5f92fe47
Instruction ID: 43671457a03df2c0adf9ef3ddb2966a26eab9649ea6081fc9b36d8f2d5bd91c3
Opcode Fuzzy Hash: a2d2ada28ae358257b563558a7e43129e4b2749408b5bd0a1175ba5b5f92fe47
Instruction Fuzzy Hash: 7401286110C3D29AE302DB288848B8FBFD59FE2648F08084DF5C446242D76A926D87F7

Function 10005D20 Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 27processCOMMON

Download Yara Rule

APIs

Part of subcall function 10008580: LoadLibraryA.KERNEL32 ref: 1000864B
Part of subcall function 10008580: GetProcAddress.KERNEL32(00000000), ref: 10008652
Part of subcall function 10008580: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 1000865C
Part of subcall function 10008580: ??2@YAPAXI@Z.MSVCRT(00000128), ref: 10008665
Part of subcall function 10008580: Process32First.KERNEL32(00000000,00000000), ref: 10008677
Part of subcall function 10008580: _strcmpi.MSVCRT ref: 10008689
Part of subcall function 10008580: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 1000869A

WinExec.KERNEL32(taskkill /f /im rundll32.exe,00000000), ref: 10005D7C

Strings

., xrefs: 10005D5A
x, xrefs: 10005D5F
taskkill /f /im rundll32.exe, xrefs: 10005D77
d, xrefs: 10005D4B
3, xrefs: 10005D50
2, xrefs: 10005D55
u, xrefs: 10005D34
n, xrefs: 10005D45

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ??2@??3@AddressCreateExecFirstLibraryLoadProcProcess32SnapshotToolhelp32_strcmpi
String ID: .$2$3$d$n$taskkill /f /im rundll32.exe$u$x
API String ID: 1235656449-3094880203
Opcode ID: c101da3c5a201e27bad7d979422eb9688827141025a338f21c82d2f45f12132b
Instruction ID: 96f1eca156b0e4eff2f5dc6913b3ee451fa91117cbec719f6b5fbf4d114350d2
Opcode Fuzzy Hash: c101da3c5a201e27bad7d979422eb9688827141025a338f21c82d2f45f12132b
Instruction Fuzzy Hash: 25F0971444C3C0ADE302DB6C840974BBED55BA2688F48C89EE4DC5A297D6BAD25CC773

Function 00409963 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 181COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,00409916,00000002,00000000,00000000,?,?), ref: 0040999C

Part of subcall function 004095B0: DebugBreak.KERNEL32 ref: 004095B3

Strings

szUserMessage != NULL, xrefs: 00409963
dbgrpt.c, xrefs: 0040996F
_CrtDbgReport: String too long or IO Error, xrefs: 00409BF9
..., xrefs: 004099EC, 00409A44
<program name unknown>, xrefs: 004099A6
Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application), xrefs: 00409BDC
Microsoft Visual C++ Debug Library, xrefs: 00409C12

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: BreakDebugFileModuleName
String ID: ...$<program name unknown>$Debug %s!Program: %s%s%s%s%s%s%s%s%s%s%s(Press Retry to debug the application)$Microsoft Visual C++ Debug Library$_CrtDbgReport: String too long or IO Error$dbgrpt.c$szUserMessage != NULL
API String ID: 3969911889-457056794
Opcode ID: 0f33eab89c74a6f7f70dc8e371eaa4b3b4d7f8afa29fd5e269344d6ad445eed3
Instruction ID: 82c6c3db928ba7a11471b822d675effb30d4a5a2ff11710b561130670d3adb26
Opcode Fuzzy Hash: 0f33eab89c74a6f7f70dc8e371eaa4b3b4d7f8afa29fd5e269344d6ad445eed3
Instruction Fuzzy Hash: 3D7177B4E00218ABDB24DF54DC42BDAB374BB59304F1085BAE609762C2D3789F95CF99

Function 10004980 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 100049A3
GetProcAddress.KERNEL32(00000000,IsBadReadPtr), ref: 100049B3
LoadLibraryA.KERNEL32(?), ref: 100049EB
realloc.MSVCRT ref: 10004A0A
GetProcAddress.KERNEL32(00000000,?), ref: 10004A59
FreeLibrary.KERNEL32(?,00000000,?,?,10004717,00000000,?), ref: 10004AAA

Strings

IsBadReadPtr, xrefs: 100049A9
kernel32.dll, xrefs: 1000498B

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Library$AddressLoadProc$Freerealloc
String ID: IsBadReadPtr$kernel32.dll
API String ID: 343009874-2271619998
Opcode ID: 0edb90ad8a3f97d5b32876884c508db8f96aa26cb441f3ac87e1f665d0d36104
Instruction ID: 943f36dfc45f3edd014fbf9aefcaaf0a29c58e454401c9a78b426052af33b81d
Opcode Fuzzy Hash: 0edb90ad8a3f97d5b32876884c508db8f96aa26cb441f3ac87e1f665d0d36104
Instruction Fuzzy Hash: C63150B1A007179BE710CF29C844B16B7E8FF45388F028929ED59D7255EB34ED14CB9A

Function 100082C0 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 65libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,?,?,1000C348,000000FF,?,10008109,00000000), ref: 100082E8
GetProcAddress.KERNEL32(00000000,OpenInputDesktop), ref: 100082FF
GetProcAddress.KERNEL32(00000000,OpenDesktopA), ref: 1000830A
GetProcAddress.KERNEL32(00000000,CloseDesktop), ref: 10008314

Strings

OpenDesktopA, xrefs: 10008304
CloseDesktop, xrefs: 1000830E
user32.dll, xrefs: 100082E3
OpenInputDesktop, xrefs: 100082F3

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CloseDesktop$OpenDesktopA$OpenInputDesktop$user32.dll
API String ID: 2238633743-3711086354
Opcode ID: 87f077cc38fa9355382c0ad814016904e34658d0567dc41e845f42e717152d04
Instruction ID: 639762d0b2d001fcf54d4d449a3be421f04d5924b7195cc0df15fed843997a13
Opcode Fuzzy Hash: 87f077cc38fa9355382c0ad814016904e34658d0567dc41e845f42e717152d04
Instruction Fuzzy Hash: F7116671D00618AFE700DFA58C44FDEBBF8FF48690F104125FA14E3284D7745A018BA1

Function 0040AF60 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 54libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,Microsoft Visual C++ Debug Library), ref: 0040AF7B
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0040AF93
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0040AFB4
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0040AFC8

Strings

user32.dll, xrefs: 0040AF76
GetLastActivePopup, xrefs: 0040AFBF
MessageBoxA, xrefs: 0040AF8A
GetActiveWindow, xrefs: 0040AFAB

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 6c28c6b1f8e5e04ee614dce1f282fd38a31f25c6fcfaff65a1037fb506f0a287
Instruction ID: de20af04a8c214f7d121f0f85548d5ea39c6fa4b49d3416487e07ed0eeee28c2
Opcode Fuzzy Hash: 6c28c6b1f8e5e04ee614dce1f282fd38a31f25c6fcfaff65a1037fb506f0a287
Instruction Fuzzy Hash: B1114CB4D00708EFCB20DFA4D949B9E7BB4FB18747F10457AE901A7691C3B89988CB59

Function 10002970 Relevance: 13.5, APIs: 1, Strings: 8, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 100029F4

Part of subcall function 10004BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,10004747,00000000,?,?), ref: 10004BF0
Part of subcall function 10004BA0: free.MSVCRT ref: 10004BFF
Part of subcall function 10004BA0: VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,00000000,10004747,00000000,?,?), ref: 10004C18
Part of subcall function 10004BA0: GetProcessHeap.KERNEL32(00000000,10004747,00000000,10004747,00000000,?,?), ref: 10004C21
Part of subcall function 10004BA0: HeapFree.KERNEL32(00000000,?,?), ref: 10004C28

Strings

n, xrefs: 10002993
P, xrefs: 10002979
l, xrefs: 1000297F
g, xrefs: 10002989
e, xrefs: 1000299D
i, xrefs: 1000298E
u, xrefs: 10002984
M, xrefs: 10002998

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$LibraryProcessfree
String ID: M$P$e$g$i$l$n$u
API String ID: 1525015432-1729584574
Opcode ID: dc96b8bb69206cd3f6e3527d9060e7c40065f5498cc4de25d2c2e22e5569962f
Instruction ID: 3cd4cd10520a3ceb6f1e40123bde33da23cbbf893c65359a72b0183ae737aca1
Opcode Fuzzy Hash: dc96b8bb69206cd3f6e3527d9060e7c40065f5498cc4de25d2c2e22e5569962f
Instruction Fuzzy Hash: A4017C7140C380AAE311DB589845B6BBBD9AFD6744F08880CF5C856295DBBAD90883B7

Function 10002A30 Relevance: 13.5, APIs: 1, Strings: 8, Instructions: 44COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000), ref: 10002AA6

Part of subcall function 10004BA0: FreeLibrary.KERNEL32(?,00000000,00000000,00000000,10004747,00000000,?,?), ref: 10004BF0
Part of subcall function 10004BA0: free.MSVCRT ref: 10004BFF
Part of subcall function 10004BA0: VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,00000000,10004747,00000000,?,?), ref: 10004C18
Part of subcall function 10004BA0: GetProcessHeap.KERNEL32(00000000,10004747,00000000,10004747,00000000,?,?), ref: 10004C21
Part of subcall function 10004BA0: HeapFree.KERNEL32(00000000,?,?), ref: 10004C28

Strings

P, xrefs: 10002A39
l, xrefs: 10002A3F
u, xrefs: 10002A44
g, xrefs: 10002A49
n, xrefs: 10002A53
i, xrefs: 10002A4E
e, xrefs: 10002A5D
M, xrefs: 10002A58

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Free$HeapVirtual$LibraryProcessfree
String ID: M$P$e$g$i$l$n$u
API String ID: 1525015432-1729584574
Opcode ID: 16e5facdf6395daf8fae5cb4b1721a79098da2994c3da5b7dd2472f1d18b9f37
Instruction ID: 9b38f55cc4ba52800e70aa4bf33643b90296dfa00965b85e298b3884a1199f6d
Opcode Fuzzy Hash: 16e5facdf6395daf8fae5cb4b1721a79098da2994c3da5b7dd2472f1d18b9f37
Instruction Fuzzy Hash: E501806150C380AAE311DA289804B9FBED98FD6794F08454DF8C856296CBBAD65C83B7

Function 00405C20 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 131fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,00000000), ref: 00405CD6
WriteFile.KERNEL32(00000000,?,00000000), ref: 00405CDD
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00405D03

Strings

..., xrefs: 00405D59
<program name unknown>, xrefs: 00405D0D
Runtime Error!Program: , xrefs: 00405D6A
Microsoft Visual C++ Runtime Library, xrefs: 00405DC4

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 7da677e911cda10281670ec787c1eddfd45c1811d09e76ac564727a7cc2abb3c
Instruction ID: c66328e3824cdc0b33dd50bd2a94af21d3face6f33e503974c5ccbb0c5265c84
Opcode Fuzzy Hash: 7da677e911cda10281670ec787c1eddfd45c1811d09e76ac564727a7cc2abb3c
Instruction Fuzzy Hash: CB41B5B1D00308EBDB20DB90DC82BAF7374EB14305F10857AE505762C2E7799A99CF99

Function 10003350 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 1000339C
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 100033D2

Strings

.Wu, xrefs: 100033E7
%s %s, xrefs: 10003414

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$CreateWrite
String ID: %s %s$.Wu
API String ID: 2263783195-2135594154
Opcode ID: 20d9cf86228e1c1e6c50905047135263e8ca82ba7906513989c4d2c8763dfb55
Instruction ID: 3743ef5fdc58a93c92196b36047ebbee77f50bb103d2af28ea4dba453ef85ca5
Opcode Fuzzy Hash: 20d9cf86228e1c1e6c50905047135263e8ca82ba7906513989c4d2c8763dfb55
Instruction Fuzzy Hash: C03107761043466BF321CB28DC89FEF73D8EBC43A1F404929FA54961C4DB78A50D87A2

Function 100028B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57registryfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 100028D9
CopyFileA.KERNEL32(?,?,00000000), ref: 10002909
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 10002925
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000104), ref: 1000294B
RegCloseKey.ADVAPI32 ref: 10002956

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 1000291B
C:\Program Files\Common Files\scvh0st.exe, xrefs: 100028E4

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$CloseCopyModuleNameOpenValue
String ID: C:\Program Files\Common Files\scvh0st.exe$SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3295893203-1185028701
Opcode ID: 17ad042768858737f052513e4b875a1417c86927ba6e98811639907262b2814a
Instruction ID: 2807fe29cd3542294ee6844bf3f849b1890e9e9cd354654402acd874cc838904
Opcode Fuzzy Hash: 17ad042768858737f052513e4b875a1417c86927ba6e98811639907262b2814a
Instruction Fuzzy Hash: 6B115E71208304BBF704C764CC45FEBB7A9EBC8740F004A18F64596294DAB5A448C752

Function 10005070 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,755732F0,00000001,?,10005C5D), ref: 10005079
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 10005095
GetProcAddress.KERNEL32(00000000,GetCurrentProcess), ref: 1000509F
FreeLibrary.KERNEL32(00000000,?,10005C5D), ref: 100050B4

Strings

IsWow64Process, xrefs: 10005087
GetCurrentProcess, xrefs: 10005097
kernel32.dll, xrefs: 10005074

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressLibraryProc$FreeLoad
String ID: GetCurrentProcess$IsWow64Process$kernel32.dll
API String ID: 2256533930-2522683910
Opcode ID: de5a23b5b84dff248027fb193cbefa81c82c4469be5486f87854405e39234b22
Instruction ID: 95e96d424b8dc866bf610e1a79f0de374263097fada87e72b7105fa79506478b
Opcode Fuzzy Hash: de5a23b5b84dff248027fb193cbefa81c82c4469be5486f87854405e39234b22
Instruction Fuzzy Hash: 33E065B6102324BFF214D7748C88EAF77A8DF856E5B004509F945D3204DB31CC0486B2

Function 10006800 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 32fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1000681A
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000682A
GetTickCount.KERNEL32 ref: 10006830
wsprintfA.USER32 ref: 10006846
MoveFileA.KERNEL32(?), ref: 1000685C
MoveFileExA.KERNEL32(?,00000000,00000004(MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 1000686B

Strings

%s\%d.bak, xrefs: 10006840

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$Move$CountDirectoryModuleNameSystemTickwsprintf
String ID: %s\%d.bak
API String ID: 830686190-2116986511
Opcode ID: 6a1be2c848eb7a969d7db17d9e86234426fe5d8290cc3d5521ce5b5f56e96b41
Instruction ID: e657657075605cfff884c4cc4a2bea9d1db9898d2ec1cc003315c848a05afbb7
Opcode Fuzzy Hash: 6a1be2c848eb7a969d7db17d9e86234426fe5d8290cc3d5521ce5b5f56e96b41
Instruction Fuzzy Hash: 05F01DF6004318BBE314EBA0CDC9EEB776CFB94745F408A18F38595095DBB49558CB52

Function 10001F30 Relevance: 12.2, APIs: 8, Instructions: 226COMMON

Download Yara Rule

APIs

_CxxThrowException.MSVCRT(?,1000EEF8), ref: 10001FFE
??2@YAPAXI@Z.MSVCRT(10001EC6,?,00000004,00000000,00000004,10001ED5,00000004,?,00000003,00000003,00000000,?,10001ED5,?,00000000,?), ref: 10002072
??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,00000000,1000BAF0,000000FF,753523A0,10001ED5,?,00000000), ref: 10002083
??3@YAXPAX@Z.MSVCRT(00000000,00000000,10001EC6,?,?), ref: 10002149
??3@YAXPAX@Z.MSVCRT(00000000,10001EC6,?,?), ref: 10002152
_CxxThrowException.MSVCRT(?), ref: 10002172
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,1000BAF0,000000FF,753523A0,10001ED5,?,00000000), ref: 1000217F
??3@YAXPAX@Z.MSVCRT(1000BAF0,?,?,?,?,?,00000000,1000BAF0,000000FF,753523A0,10001ED5,?,00000000), ref: 1000218F

Part of subcall function 10002230: ??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,10005D0E,?,0000022C), ref: 10002258

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ??3@$??2@$ExceptionThrow
String ID:
API String ID: 4137962090-0
Opcode ID: f6aa161688ee4f6ee0024ddb390261e06af80915ade76e8f9d84d39527ff759a
Instruction ID: 7cfd08a3667c8f3bff20fe777b419f2fee706ce4a41ed334fdf56aa4ac6b698a
Opcode Fuzzy Hash: f6aa161688ee4f6ee0024ddb390261e06af80915ade76e8f9d84d39527ff759a
Instruction Fuzzy Hash: DE717775A00149ABEF04DFA4C891AEFB7B9EF887C0F104429F605AB245DB74BE45C7A1

Function 004054A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00405527
GetFileType.KERNEL32(?), ref: 00405686
GetStdHandle.KERNEL32(?), ref: 00405728
GetFileType.KERNEL32(000000FF), ref: 0040573B
SetHandleCount.KERNEL32(00000020), ref: 004057BA

Strings

ioinit.c, xrefs: 004054AB, 004055A6

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID: ioinit.c
API String ID: 1710529072-350981760
Opcode ID: ba4bf6655b9ce77474aa3cdc962939841fd669aaa1d81c5ade1d16592a99e302
Instruction ID: 708b14380a247b9ade55c17a13c8d3c41876aceecd1145cc7bd7b15b65bd0dd8
Opcode Fuzzy Hash: ba4bf6655b9ce77474aa3cdc962939841fd669aaa1d81c5ade1d16592a99e302
Instruction Fuzzy Hash: 1AB12474A00748CFDB14CFD8C894AAEBBB2FB45304F24866AD4056F399C779984ACF49

Function 100062C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000,?), ref: 100062F9
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?), ref: 10006312
GetFileSize.KERNEL32(00000000,00000000), ref: 1000631B
WriteFile.KERNEL32(00000000,?,00000400,00000000,00000000), ref: 10006389
CloseHandle.KERNEL32(00000000), ref: 10006396

Strings

.Wu, xrefs: 10006396

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandlePointerSizeWrite
String ID: .Wu
API String ID: 1886887421-3424199868
Opcode ID: 220bfaa021bea67525b236f0f04cdc36db5342f36e34257a21021ad22f91ca23
Instruction ID: b0029bd9fb1e005456cfc35da5dd38bb37c3330f5ee9c25cfa7a0fbc93e4cf82
Opcode Fuzzy Hash: 220bfaa021bea67525b236f0f04cdc36db5342f36e34257a21021ad22f91ca23
Instruction Fuzzy Hash: 22217F752403556FF3209B24CC85FBF769AEB88BC0F104534FB46661C6CAB469098698

Function 10006DC0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathA.SHELL32(00000000,?,00000007,00000000), ref: 10006DD5
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 10006DFC
RegOpenKeyExA.ADVAPI32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,00000000,000F003F,?), ref: 10006E18
RegSetValueExA.ADVAPI32(?,10013460,00000000,00000001,?,00000104), ref: 10006E3B
RegCloseKey.ADVAPI32(?,?,10013460,00000000,00000001,?,00000104), ref: 10006E46

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 10006E0E

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseFileFolderModuleNameOpenPathSpecialValue
String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
API String ID: 3065614200-3913687870
Opcode ID: 8c430a6efb7b864261c6ee0dc320bcd0facc867f682ed069a28d88e3fd618178
Instruction ID: fbbb8ee022bfa8af7ce0853a2e641239e4fc611deb7e72754b99820753c5bc93
Opcode Fuzzy Hash: 8c430a6efb7b864261c6ee0dc320bcd0facc867f682ed069a28d88e3fd618178
Instruction Fuzzy Hash: E10162B4248344BBF314D764CC8AFAB7BA4EBC8B44F10891CF789AA1D5DAB4A444C752

Function 00408220 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 331COMMON

Download Yara Rule

APIs

IsBadWritePtr.KERNEL32(00000000,00000000), ref: 00408239
IsBadWritePtr.KERNEL32(?,000041C4), ref: 0040829F

Strings

?, xrefs: 00408670
, xrefs: 004086D3
, xrefs: 00408303

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Write
String ID: $ $?
API String ID: 3165279579-1466984971
Opcode ID: 3bf11002b635388773db174a007a06e7b85aba451dd92a0086ce8152766c5557
Instruction ID: 7cd4307bbffec7d52c3a7db334ebc04e617089b284f55b84a26793f0cff8a4a3
Opcode Fuzzy Hash: 3bf11002b635388773db174a007a06e7b85aba451dd92a0086ce8152766c5557
Instruction Fuzzy Hash: 3EF1B570A00529CBCB64CF59CE907EDB7B1BB85314F6082EAD459AB394CB35AE81CF45

Function 0040BEA0 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0040FD4C,00000001,00000001), ref: 0040BEDC
GetStringTypeA.KERNEL32(00000000,00000001,0040FD48,00000001,00000001), ref: 0040BF01
GetStringTypeA.KERNEL32(00000000,00000000,000004E4,?,00000100), ref: 0040BF4A
MultiByteToWideChar.KERNEL32(00000000,0040A680,000004E4,?,00000000,00000000), ref: 0040BF8F
MultiByteToWideChar.KERNEL32(00000000,00000001,000004E4,?,00000000,00000000), ref: 0040C01B

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 2e8ce4bc642123c617d8f20b99919d8b5b848cc1161f7770a587f8aa546bdb8d
Instruction ID: 4c3ce5b9d6f761a6f3ea0860c9838c3b330106d6d33055a688869aefd4a6a07a
Opcode Fuzzy Hash: 2e8ce4bc642123c617d8f20b99919d8b5b848cc1161f7770a587f8aa546bdb8d
Instruction Fuzzy Hash: D55139B1A10209EBCB10CF98CC86BAB77B5EB48711F10863AF515F72C0D7799945CBA9

Function 10003490 Relevance: 9.1, APIs: 6, Instructions: 51stringwindowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1000349F
SendMessageA.USER32(?,0000000D,00000400,00000000), ref: 100034CC
lstrlenA.KERNEL32(00000000), ref: 100034D7
_strupr.MSVCRT ref: 100034F0
_strupr.MSVCRT ref: 100034FB
strstr.MSVCRT ref: 10003501

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: _strupr$MessageSendVisibleWindowlstrlenstrstr
String ID:
API String ID: 850376632-0
Opcode ID: 8f874e1fc1454320b976937ab8c21b85a6d687aaad34c7fbfcabefb16f4094b3
Instruction ID: ea269e3bfa838260eddff204f0556494777ae984c0a8e72db09fbaad5451d422
Opcode Fuzzy Hash: 8f874e1fc1454320b976937ab8c21b85a6d687aaad34c7fbfcabefb16f4094b3
Instruction Fuzzy Hash: 340192B16003156BF710D768DC84FDBBBDCAF45388F008839E644E21A4EA35E5098BA6

Function 0040CD3C Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 107COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 0040CF71
__aulldiv.LIBCMT ref: 0040CF96

Strings

', xrefs: 0040CD3C
0, xrefs: 0040CD5D
9, xrefs: 0040CFA7

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: '$0$9
API String ID: 3839614884-269856862
Opcode ID: 7fba6f0986731dc7c67397734f7e0973bc6ddaa7e56d86bd279fc43707d16fc5
Instruction ID: 1484ed002eee6c801e9fcd347e662f4492a4880fbd3adf435be06999b1b2b901
Opcode Fuzzy Hash: 7fba6f0986731dc7c67397734f7e0973bc6ddaa7e56d86bd279fc43707d16fc5
Instruction Fuzzy Hash: F1510370909229CBDF24DF28C9887AAB7B1BB44304F2082EAE00DB7280D7395E85CF44

Function 10003810 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79processCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?), ref: 10003830
??3@YAXPAX@Z.MSVCRT(00000000), ref: 100038C1

Part of subcall function 100036B0: LoadLibraryA.KERNEL32(wininet.dll), ref: 100036D2
Part of subcall function 100036B0: GetProcAddress.KERNEL32(00000000,InternetOpenA), ref: 100036E6
Part of subcall function 100036B0: GetProcAddress.KERNEL32(00000000,InternetOpenUrlA), ref: 10003703
Part of subcall function 100036B0: FreeLibrary.KERNEL32(00000000), ref: 10003728

Part of subcall function 10008550: GetFileAttributesA.KERNEL32(?,10006209,?), ref: 10008555
Part of subcall function 10008550: GetLastError.KERNEL32 ref: 10008560

CreateProcessA.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100038A3
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 100038AA

Strings

D, xrefs: 10003889

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ??3@AddressLibraryProc$??2@AttributesCreateErrorFileFreeLastLoadProcess
String ID: D
API String ID: 4236665762-2746444292
Opcode ID: e0fe488ed2437090df209219b4c602549d70b81b895ed81b94df822e75cee367
Instruction ID: a5bde385685e12b30f7c7c259c52aa5e73f7a25028a22e3bab38776bf1136713
Opcode Fuzzy Hash: e0fe488ed2437090df209219b4c602549d70b81b895ed81b94df822e75cee367
Instruction Fuzzy Hash: 6A1108B65146001BF605DA349C01A6B77DDDBD42A0F048439F90A97285EAB6E90E87A2

Function 10001C50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47synchronizationnetworkCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,?,00000000,1000BADC,000000FF,10006781), ref: 10001C86
CloseHandle.KERNEL32(?,?,00000000,?,00000000,1000BADC,000000FF,10006781), ref: 10001CA3
CloseHandle.KERNEL32(?,?,00000000,?,00000000,1000BADC,000000FF,10006781), ref: 10001CA9
WSACleanup.WS2_32 ref: 10001CAB

Part of subcall function 100021C0: setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 100021E7
Part of subcall function 100021C0: CancelIo.KERNEL32(?), ref: 100021F1
Part of subcall function 100021C0: InterlockedExchange.KERNEL32(?,00000000), ref: 100021FD
Part of subcall function 100021C0: closesocket.WS2_32(?), ref: 10002207
Part of subcall function 100021C0: SetEvent.KERNEL32(?), ref: 10002211

Strings

.Wu, xrefs: 10001C9C

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseHandle$CancelCleanupEventExchangeInterlockedObjectSingleWaitclosesocketsetsockopt
String ID: .Wu
API String ID: 136543108-3424199868
Opcode ID: 13e63e094bd2eb5bd89276c4cc1018c774a8f945e9222548d8b146be8698d900
Instruction ID: f209caddfa5839f10d9a3c33a85bf07631f9ea308632b1ee6666812f23b3a2b8
Opcode Fuzzy Hash: 13e63e094bd2eb5bd89276c4cc1018c774a8f945e9222548d8b146be8698d900
Instruction Fuzzy Hash: A7119175004B91CFE310DF18C984B9AB7E8EB45B60F504A0CF1A6536D5CBB8A909CBA3

Function 100058D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(ntdll.dll,?,75571760,10007C96,?,?,?), ref: 100058D9
GetProcAddress.KERNEL32(00000000,RtlGetNtVersionNumbers), ref: 100058EB
FreeLibrary.KERNEL32(00000000), ref: 10005915

Strings

RtlGetNtVersionNumbers, xrefs: 100058E5
ntdll.dll, xrefs: 100058D2

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: RtlGetNtVersionNumbers$ntdll.dll
API String ID: 145871493-1263206204
Opcode ID: 0c67c078b8ae09ff37aa46c3dcf20c292fe727355f7212a1f1e47316ffe1a4a1
Instruction ID: d3d1fa96fb756a2bf0946433c0eac4786d00cde402a2b740953615462e2fc08b
Opcode Fuzzy Hash: 0c67c078b8ae09ff37aa46c3dcf20c292fe727355f7212a1f1e47316ffe1a4a1
Instruction Fuzzy Hash: 66F065762006229BE361DB25DC88D6B37A6EFC57A1B154528F544D7344CB34DD06C771

Function 004040C0 Relevance: 7.7, APIs: 5, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 0040416D
___AdjustPointer.LIBCMTD ref: 004041F1
___AdjustPointer.LIBCMTD ref: 0040424F
___AdjustPointer.LIBCMTD ref: 004042CA

Part of subcall function 00409C60: IsBadReadPtr.KERNEL32(?,?), ref: 00409C73

Part of subcall function 00409C90: IsBadWritePtr.KERNEL32(?,00404294), ref: 00409CA3

___AdjustPointer.LIBCMTD ref: 004042F3

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AdjustPointer$ReadWrite
String ID:
API String ID: 152555143-0
Opcode ID: a2577821a99ff62d0e1a3424e32d0e674afdc4c4875c46c1386e2c30ec489300
Instruction ID: fbd5b16380e2c49ff7a606291ce4cb993ee0c5a068ac3461fe3ea520fec72d2d
Opcode Fuzzy Hash: a2577821a99ff62d0e1a3424e32d0e674afdc4c4875c46c1386e2c30ec489300
Instruction Fuzzy Hash: 58819FB5B002059BDB04DF55E885E6B73B5AF98309F10812DFE05AB3C2D639EC52CBA5

Function 10002590 Relevance: 7.6, APIs: 5, Instructions: 71stringtimeCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?), ref: 100025A6
GetWindowTextA.USER32(00000000,100134CC,00000400), ref: 100025BC
lstrlenA.KERNEL32(100134CC), ref: 100025F1
GetLocalTime.KERNEL32(?), ref: 10002604
wsprintfA.USER32 ref: 10002659

Part of subcall function 10002450: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10002464
Part of subcall function 10002450: CreateFileA.KERNEL32(?,40000000,00000002,00000000,00000004,00000080,00000000), ref: 10002505
Part of subcall function 10002450: GetFileSize.KERNEL32 ref: 10002518
Part of subcall function 10002450: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 1000252C
Part of subcall function 10002450: lstrlenA.KERNEL32(?), ref: 1000253A
Part of subcall function 10002450: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 10002543

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$Windowlstrlen$??2@CreateDirectoryForegroundLocalPointerSizeSystemTextTimewsprintf
String ID:
API String ID: 1247169605-0
Opcode ID: 056dc71ff4e629217caae47359128fb0abf0ecaf49f57d8664b6d7b9b678489f
Instruction ID: a48b67f0896fe2f38bf58be364837e2218b236164bb0912a55cfe2f5c32c33e0
Opcode Fuzzy Hash: 056dc71ff4e629217caae47359128fb0abf0ecaf49f57d8664b6d7b9b678489f
Instruction Fuzzy Hash: A121A1B12053136BE705DB28CC94AA777E5EF88344F508938F245D7794DA38E8498B65

Function 10004BA0 Relevance: 7.6, APIs: 5, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,00000000,00000000,10004747,00000000,?,?), ref: 10004BF0
free.MSVCRT ref: 10004BFF
VirtualFree.KERNEL32(5D5E5FC0,00000000,00008000,00000000,10004747,00000000,?,?), ref: 10004C18
GetProcessHeap.KERNEL32(00000000,10004747,00000000,10004747,00000000,?,?), ref: 10004C21
HeapFree.KERNEL32(00000000,?,?), ref: 10004C28

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Free$Heap$LibraryProcessVirtualfree
String ID:
API String ID: 831075735-0
Opcode ID: e502b7b0df1307f1dc68fd0e58be9ec16ce209b13cf9b9819544c2e320b6bc93
Instruction ID: c4b22691f729e0e73a0b112ff6c8b73a5f6ad4d15aaf35290984b53f91244410
Opcode Fuzzy Hash: e502b7b0df1307f1dc68fd0e58be9ec16ce209b13cf9b9819544c2e320b6bc93
Instruction Fuzzy Hash: FB112AB12007119BE760CB69CCC4F57B3E8BF48690F128918F59AC7299DB70F845CB54

Function 004038B0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBCMTD ref: 00403ADB

Strings

csm, xrefs: 0040396E
csm, xrefs: 004038E8
csm, xrefs: 004039A8

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Catch
String ID: csm$csm$csm
API String ID: 78271584-393685449
Opcode ID: 42041f55aedd2a658c860c43a8bd6268828e80dfdf72fed6d069a4e319bf414a
Instruction ID: 1081b5c0fc64e7567b7813433359b24f0f379af0ea5cb2948763b65feeeeacf6
Opcode Fuzzy Hash: 42041f55aedd2a658c860c43a8bd6268828e80dfdf72fed6d069a4e319bf414a
Instruction Fuzzy Hash: B89113B5A00109DFCF04DF95C480AAEBBB9BF48305F10816AE955AB381D739EE41CF99

Function 0040CD26 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 0040CF71
__aulldiv.LIBCMT ref: 0040CF96

Strings

0, xrefs: 0040CD5D
9, xrefs: 0040CFA7

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: 0$9
API String ID: 3839614884-1975997740
Opcode ID: e0ed0c947f0032e83b22bdeb66a77682cdb916694bcad444b9a5c41dff3ff05f
Instruction ID: 21bc1264f8b0b3200022bf3a121e9f51d813f477de1a6d366d8be312cfae0f20
Opcode Fuzzy Hash: e0ed0c947f0032e83b22bdeb66a77682cdb916694bcad444b9a5c41dff3ff05f
Instruction Fuzzy Hash: D451F370909229CBDF24DF28C9887AAB7B1BB44304F2082EAE04DB7280D7395E85DF45

Function 10004420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82fileCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 1000445B
DeleteFileA.KERNEL32(?), ref: 100044EC

Part of subcall function 100042D0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 10004302
Part of subcall function 100042D0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 100043A3
Part of subcall function 100042D0: GetFileSize.KERNEL32(00000000,00000000), ref: 100043B2
Part of subcall function 100042D0: ??2@YAPAXI@Z.MSVCRT(00000000), ref: 100043BB

Strings

.key, xrefs: 100044BF
Default, xrefs: 10004493

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: File$DirectorySystem$??2@CreateDeleteSize
String ID: .key$Default
API String ID: 2930496114-1583214558
Opcode ID: 66b09590ffcb0c1b3da8410adecc627db9d377959ad880a2b8652abb80ea05f6
Instruction ID: 141a8b37691aae2fbd8da05fdbc6e3495a09b372ee2bec7482234fe0d6603d82
Opcode Fuzzy Hash: 66b09590ffcb0c1b3da8410adecc627db9d377959ad880a2b8652abb80ea05f6
Instruction Fuzzy Hash: F32126766006441BD72CCA78949566A76C2FBC5370F69472EF6B7872C5DEF08D488240

Function 0040C120 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(0045F008), ref: 0040C14C
InterlockedDecrement.KERNEL32(0045F008), ref: 0040C160
InterlockedDecrement.KERNEL32(0045F008), ref: 0040C1A6

Strings

z, xrefs: 0040C133

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Interlocked$Decrement$Increment
String ID: z
API String ID: 2574743344-1657960367
Opcode ID: c412f6aa3aa6ae6142b7f87bdd3515a78cfa3495b29279b984b89f068f8699bb
Instruction ID: 2b8a8a0e75cc9b87a3f5748db09485aa13002c131676a62cc4f0f5a3e329d174
Opcode Fuzzy Hash: c412f6aa3aa6ae6142b7f87bdd3515a78cfa3495b29279b984b89f068f8699bb
Instruction Fuzzy Hash: 9B015275540208EFEB10DF54D98579A3B65AB0470AF14823AFC096E2C3D7799A88CF9B

Function 00404470 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00403430: InitializeCriticalSection.KERNEL32(0045DC90), ref: 00403439
Part of subcall function 00403430: InitializeCriticalSection.KERNEL32(0045DCC0), ref: 00403446
Part of subcall function 00403430: InitializeCriticalSection.KERNEL32(0045DCA8), ref: 00403453
Part of subcall function 00403430: InitializeCriticalSection.KERNEL32(0045DC78), ref: 0040345F

TlsAlloc.KERNEL32 ref: 00404479
TlsSetValue.KERNEL32(00000001,00000000), ref: 004044BA

Strings

tidtable.c, xrefs: 00404493

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection$AllocValue
String ID: tidtable.c
API String ID: 3805685275-1617207422
Opcode ID: d6bc5191b5ba4ef757adf66d6b70cc4044b0d41f729a829732c4e7105f474861
Instruction ID: 671459543a1281f39d466c8307b7a22d350fb038fbf37dc563bf0b76e076690c
Opcode Fuzzy Hash: d6bc5191b5ba4ef757adf66d6b70cc4044b0d41f729a829732c4e7105f474861
Instruction Fuzzy Hash: 1F01DFF4A00204EBD720EFB0EE05B5A77A4AB48715F204779EA16B72C3E3399A00D758

Function 00408840 Relevance: 6.4, APIs: 5, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(006B0000,00000000,00002020,?,?,00409051), ref: 00408865
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004), ref: 00408889
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004), ref: 004088AC
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004089F6
HeapFree.KERNEL32(006B0000,00000000,0045B1B0), ref: 00408A12

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: e222481e2887e826b0159ec41dde2bc037073fa34ec96e36dd2596f5fe098146
Instruction ID: b11544ad845e826f7db3b9b90aba117d37baededb7bb2ca324301372f2666f67
Opcode Fuzzy Hash: e222481e2887e826b0159ec41dde2bc037073fa34ec96e36dd2596f5fe098146
Instruction Fuzzy Hash: 8F512874A00208EFDB10DF94C958BADB7B1FB44315F20C1BAE9517B392C7789A45DB89

Function 0040D770 Relevance: 6.2, APIs: 4, Instructions: 182fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040D8BD

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b03e5c944414cff1cf2b17dd77434943c7c65ed34fc496e3ce839834ae763251
Instruction ID: fdaa2fb25cf05a2213b49bd8640ee482f1167bf6c5f83201068bca996552bf0f
Opcode Fuzzy Hash: b03e5c944414cff1cf2b17dd77434943c7c65ed34fc496e3ce839834ae763251
Instruction Fuzzy Hash: 8C8151B1D04248DFCB18DF94C890BAEBBB1BF44304F14C1BAE516AB285D7349A85DF59

Function 10002230 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

APIs

Part of subcall function 100013E0: VirtualFree.KERNELBASE(?,00000000,00008000,?,10002247,?,?,?,?,?,10005D0E,?,0000022C), ref: 100013F2

??2@YAPAXI@Z.MSVCRT(?,?,?,?,?,?,10005D0E,?,0000022C), ref: 10002258
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?), ref: 100022E0
??2@YAPAXI@Z.MSVCRT(?,00000000,00000000,?), ref: 100022EA
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,?,00000003,?,?,10005D0E,?,0000022C), ref: 1000232C

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: ??2@??3@$FreeVirtual
String ID:
API String ID: 1650017971-0
Opcode ID: c5e5d27ccef60cc8be74dcaa34ac63e01c33774272376b1c3775be7e886e16a8
Instruction ID: d3fa48762b05b9e9323a2ca31b24d982332920f663e6929492fff3a8368ba7d1
Opcode Fuzzy Hash: c5e5d27ccef60cc8be74dcaa34ac63e01c33774272376b1c3775be7e886e16a8
Instruction Fuzzy Hash: 5831D9793443041BE704DE648852B6FB3D9EFC86D0F44092CF94A57386DAB4BE088795

Function 10003970 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 36stringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 100039A4
lstrlenA.KERNEL32(?,00000000), ref: 100039B7

Part of subcall function 10008A30: LoadLibraryA.KERNEL32(ADVAPI32.dll,00000000,?,00000000,?,1000B800,1000C368,000000FF), ref: 10008A5F
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCreateKeyExA), ref: 10008A76
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegSetValueExA), ref: 10008A81
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteKeyA), ref: 10008A8C
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegDeleteValueA), ref: 10008A97
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegOpenKeyExA), ref: 10008AA2
Part of subcall function 10008A30: GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 10008AAC

Strings

Clore, xrefs: 100039C5
SYSTEM\Clore, xrefs: 10003998

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadlstrlenwsprintf
String ID: Clore$SYSTEM\Clore
API String ID: 2349312171-3032097531
Opcode ID: 66a52a2ed3d64cd27f1ec8e0d28a8f3c72f2030accc327ee81c9046f3cd0c22d
Instruction ID: 820f47de7e5b7802a1b7fb9489fe39e42b639f32d9662c75ebce772ce3c5df1f
Opcode Fuzzy Hash: 66a52a2ed3d64cd27f1ec8e0d28a8f3c72f2030accc327ee81c9046f3cd0c22d
Instruction Fuzzy Hash: BFF0B4361052107BE3109758CC05BE7BF98EF88340F804839F745A61A2E674A25886A7

Function 10007AD9 Relevance: 6.0, APIs: 4, Instructions: 19servicesleepregistryCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(00000000,10007ABA), ref: 10007ADE
CloseServiceHandle.ADVAPI32(00000000,10007ABA), ref: 10007AE9
RegCloseKey.ADVAPI32(?,10007ABA), ref: 10007AFA
Sleep.KERNEL32(000001F4,10007ABA), ref: 10007B05

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Close$HandleService$Sleep
String ID:
API String ID: 994006413-0
Opcode ID: 9a0e4b5660d2efa5304ec43b3332a1052fa86b0f6711dbbd10502f37b2f495ea
Instruction ID: 65ac2dfc12c58c512becd3c8d3c7521bc5e031c31c44808cc6bb81eec709054b
Opcode Fuzzy Hash: 9a0e4b5660d2efa5304ec43b3332a1052fa86b0f6711dbbd10502f37b2f495ea
Instruction Fuzzy Hash: D5E0EC30A013249BF641E7608CC8A6E3665F749FC57900954F0469105CCB384840CA91

Function 0040CD7C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 0040CF71
__aulldiv.LIBCMT ref: 0040CF96

Strings

9, xrefs: 0040CFA7

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem
String ID: 9
API String ID: 3839614884-2366072709
Opcode ID: 958e21a9cd15d81a582a1124451a163dff5f3f1bc1b0f61a0603cc9cafd4b8c8
Instruction ID: 8d03bc6037125a3e2ecd1e752aa0f73b5bcd253a9f613774c54d6ac970b2668f
Opcode Fuzzy Hash: 958e21a9cd15d81a582a1124451a163dff5f3f1bc1b0f61a0603cc9cafd4b8c8
Instruction Fuzzy Hash: E3410671D09219CBDF24DF69C9897AAB7B5BB44304F2082EAE44DB7280D7399E85CF44

Function 0040CD1A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_get_int_arg.LIBCMTD ref: 0040CDDD
__aullrem.LIBCMT ref: 0040CF71
__aulldiv.LIBCMT ref: 0040CF96

Strings

9, xrefs: 0040CFA7

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: __aulldiv__aullrem_get_int_arg
String ID: 9
API String ID: 1225292562-2366072709
Opcode ID: 98a172039d4150e514bc1a3f41f0bf78351ae1e9735974a3cb1e126cc2fe2e54
Instruction ID: ad62f49ec76c792fb98bffde15ed811b684334197f234f1b984b84098178ec9f
Opcode Fuzzy Hash: 98a172039d4150e514bc1a3f41f0bf78351ae1e9735974a3cb1e126cc2fe2e54
Instruction Fuzzy Hash: A641F771D09229CBDF24DF69C9887A9B7B5BB44304F2082EAE40DB7284D7395E85CF45

Function 10007B20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?), ref: 10007BA8

Strings

Rsssqi yqeaiusa, xrefs: 10007B6A
SYSTEM\CurrentControlSet\Services\, xrefs: 10007B42

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Open
String ID: Rsssqi yqeaiusa$SYSTEM\CurrentControlSet\Services\
API String ID: 71445658-3799923235
Opcode ID: 3985fd40b17addd00207b7d41fbee87c9d65ff839c7e0df91eb3abc1b4b84038
Instruction ID: caae09da150ae1ca5f385957c9647905fb565e9fad3fc4eeec72bee49261548c
Opcode Fuzzy Hash: 3985fd40b17addd00207b7d41fbee87c9d65ff839c7e0df91eb3abc1b4b84038
Instruction Fuzzy Hash: 7801C4322186041BD718C97CD855AAB7AC6EBD4270F640B3EBA67C71C0DEE4890D8191

Function 00404812 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 00404816
TerminateProcess.KERNEL32(00000000), ref: 0040481D

Strings

+", xrefs: 004048A0

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: Process$CurrentTerminate
String ID: +"
API String ID: 2429186680-1193355281
Opcode ID: 9ce8f4ce1f2a35572cf061478f595c7c9687750fc7816b2635dd6978b9cb1d89
Instruction ID: 7f03d689e6a001cce194c690d092f6444c184fc11b58b80f7bcd927e96ccf4d7
Opcode Fuzzy Hash: 9ce8f4ce1f2a35572cf061478f595c7c9687750fc7816b2635dd6978b9cb1d89
Instruction Fuzzy Hash: B91121B5D00244DBDB10EFA5ED057A937A1BB85305F208576EA01626E2C7789A88CB5A

Function 10003AC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,000000FF,00000000,?,00000000,1F901F90,1000676D), ref: 10003AE6
CloseHandle.KERNEL32 ref: 10003AEB

Strings

.Wu, xrefs: 10003AEB

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseHandleTerminateThread
String ID: .Wu
API String ID: 2476175854-3424199868
Opcode ID: ecf0781d584861efdefd12e0d0dc3ad8a7dd559ffa829062700c37be060fd4fc
Instruction ID: f8fafb5c612ae70fb252c92c9e28510685fa6dd80ed7e1ba4b18f47684ddcb9f
Opcode Fuzzy Hash: ecf0781d584861efdefd12e0d0dc3ad8a7dd559ffa829062700c37be060fd4fc
Instruction Fuzzy Hash: E8F039763003259BEB14DFAEDCD0D5BB3A9EF856A07110536EE55D724ECE31A8418A24

Function 100067A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10008140: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,75571760,00000000,00000000,00000000,00000000), ref: 1000815C
Part of subcall function 10008140: _beginthreadex.MSVCRT ref: 10008184
Part of subcall function 10008140: WaitForSingleObject.KERNEL32(?,000000FF), ref: 10008196
Part of subcall function 10008140: CloseHandle.KERNEL32(?), ref: 100081A1

WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,10007E87,?,?,?,?,?,?), ref: 100067BF
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,10007E87,?,?,?,?,?,?,?), ref: 100067C6

Strings

.Wu, xrefs: 100067C6

Memory Dump Source

Source File: 00000000.00000002.2652091238.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2652056131.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652124873.000000001000C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2652139468.0000000010011000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CloseHandleObjectSingleWait$CreateEvent_beginthreadex
String ID: .Wu
API String ID: 1089044457-3424199868
Opcode ID: c094c382bb003335e962e14bba7ae2994990265d9fc6328f3f8a97f6cffa9aac
Instruction ID: 977c1e53b05c9923654f862d4e07a1a1af9861af21d07574cdd5dbfdf25decf7
Opcode Fuzzy Hash: c094c382bb003335e962e14bba7ae2994990265d9fc6328f3f8a97f6cffa9aac
Instruction Fuzzy Hash: 6ED0C93568573036F17127196C4BFCA25049B07FA1F340250FB14BD2DADA94394242AE

Function 00407F20 Relevance: 5.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(006B0000,00000000,00000000,-00000010,?,?,00407B27), ref: 00407F4D
HeapAlloc.KERNEL32(006B0000,00000008,000041C4,?,?,00407B27), ref: 00407F9C
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004,?,00407B27), ref: 00407FC3
HeapFree.KERNEL32(006B0000,00000000,00000000,?,00407B27), ref: 00407FE8

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 1427f94a1975e0d4b451b94547360274fd9ed767bead6ab8e95d48f53152bf47
Instruction ID: cfca7ecdcb1c783ca09ebc5a15e7acdf923e519563a376cf1469654e27d81cbf
Opcode Fuzzy Hash: 1427f94a1975e0d4b451b94547360274fd9ed767bead6ab8e95d48f53152bf47
Instruction Fuzzy Hash: B03138B4A40204EFC704DF58D994B1AB7B1FB48315F2086B8E105AB392C772EE05DB4A

Function 00403430 Relevance: 5.0, APIs: 4, Instructions: 16COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(0045DC90), ref: 00403439
InitializeCriticalSection.KERNEL32(0045DCC0), ref: 00403446
InitializeCriticalSection.KERNEL32(0045DCA8), ref: 00403453
InitializeCriticalSection.KERNEL32(0045DC78), ref: 0040345F

Memory Dump Source

Source File: 00000000.00000002.2650353946.0000000000401000.00000080.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2650340456.0000000000400000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650367446.000000000040F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650378798.0000000000410000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650394770.0000000000411000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650416735.000000000045A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650428711.000000000045D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650565114.000000000045F000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650578256.0000000000464000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.0000000000467000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2650590503.000000000046E000.00000004.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_aQ7bSXduYp.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 5f1b8555b0a628452610dbccf8852f53c226535e74953eadea85dfe7828eb152
Instruction ID: ed7a8e8709a4d8ce4fb65f0a5350aeeb54ef97483a5e59ea8638f4d556142151
Opcode Fuzzy Hash: 5f1b8555b0a628452610dbccf8852f53c226535e74953eadea85dfe7828eb152
Instruction Fuzzy Hash: C2D0B7B65223049FC614ABA4FD4C956377DB74C64E3048634F50593622CB35E416CB5A

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aQ7bSXduYp.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: GhostRat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
aQ7bSXduYp.exe

Function 10007BC0 Relevance: 105.4, APIs: 40, Strings: 20, Instructions: 378
sleepthreadwindowCOMMON

Function 0040149C Relevance: 105.3, APIs: 9, Strings: 51, Instructions: 331
libraryloaderCOMMON

Function 10005D90 Relevance: 57.9, APIs: 4, Strings: 29, Instructions: 139
stringtimeCOMMON

Function 100059D0 Relevance: 42.2, APIs: 15, Strings: 9, Instructions: 206
registrystringCOMMON

Function 10007120 Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 96
libraryloaderCOMMON

Function 100026A0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 156
keyboardsleepstringCOMMON

Function 10007070 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 72
libraryprocessloaderCOMMON

Function 10008580 Relevance: 57.9, APIs: 12, Strings: 21, Instructions: 116
libraryprocessstringCOMMON

Function 100050D0 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 265
stringlibraryloaderCOMMON

Function 10006440 Relevance: 37.0, APIs: 17, Strings: 4, Instructions: 233
stringsynchronizationsleepCOMMON

Function 10002EE0 Relevance: 36.1, APIs: 2, Strings: 22, Instructions: 81
stringCOMMON

Function 10004DC0 Relevance: 34.6, APIs: 1, Strings: 22, Instructions: 91
COMMON

Function 10008760 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 188
libraryloaderregistryCOMMON

Function 10008A30 Relevance: 33.4, APIs: 12, Strings: 7, Instructions: 152
libraryloaderregistryCOMMON

Function 10004C30 Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 142
libraryloaderCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre