Edit tour

Windows Analysis Report
J18uCKmoAw.exe

Overview

General Information

Sample name:	J18uCKmoAw.exe renamed because original name is a hash value
Original sample name:	9ab250b0dc1d156e2d123d277eb4d132.exe
Analysis ID:	1580295
MD5:	9ab250b0dc1d156e2d123d277eb4d132
SHA1:	3b434ff78208c10f570dfe686455fd3094f3dd48
SHA256:	49bfa0b1c3553208e59b6b881a58c94bb4aa3d09e51c3f510f207b7b24675864
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

J18uCKmoAw.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\J18uCKmoAw.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

J18uCKmoAw.exe (PID: 7748 cmdline: "C:\Users\user\Desktop\J18uCKmoAw.exe" MD5: 9AB250B0DC1D156E2D123D277EB4D132)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["shapestickyr.lat", "slipperyloo.lat", "tentabatte.lat", "manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "talkynicer.lat", "wordyfindy.lat", "pancakedipyps.click"], "Build id": "FATE99--test"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:54:40.655706+0100	2028371	3	Unknown Traffic	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:43.109571+0100	2028371	3	Unknown Traffic	192.168.2.11	49706	172.67.209.202	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:54:41.404704+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49705	172.67.209.202	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:54:41.404704+0100	2049836	1	A Network Trojan was detected	192.168.2.11	49705	172.67.209.202	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:54:40.655706+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:43.109571+0100	2058398	1	Domain Observed Used for C2 Detected	192.168.2.11	49706	172.67.209.202	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-24T08:54:39.112406+0100	2058397	1	Domain Observed Used for C2 Detected	192.168.2.11	56351	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://pancakedipyps.click/e	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/V	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/piju	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/Au	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click:443/apiC	Avira URL Cloud: Label: malware
Source: https://pancakedipyps.click/apiC	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "slipperyloo.lat", "tentabatte.lat", "manyrestro.lat", "curverpluch.lat", "bashfulacid.lat", "talkynicer.lat", "wordyfindy.lat", "pancakedipyps.click"], "Build id": "FATE99--test"}

Multi AV Scanner detection for submitted file

Source: J18uCKmoAw.exe	Virustotal: Detection: 37%			Perma Link
Source: J18uCKmoAw.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: J18uCKmoAw.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: pancakedipyps.click
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--test

Source: J18uCKmoAw.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.209.202:443 -> 192.168.2.11:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.202:443 -> 192.168.2.11:49706 version: TLS 1.2

Source: J18uCKmoAw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00180CF8 FindFirstFileExW,	0_2_00180CF8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00180DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00180DA9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00180CF8 FindFirstFileExW,	3_2_00180CF8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00180DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00180DA9

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then lea esi, dword ptr [eax+00000270h]	3_2_00408A50
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ebx	3_2_00408600
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	3_2_00441720
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042C850
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then push esi	3_2_0040C805
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00422830
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	3_2_0043C830
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov esi, ecx	3_2_004290D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042E0DA
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8D8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8D8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C0E6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ecx	3_2_0041B8F6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ecx	3_2_0041B8F6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C09E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov eax, ebx	3_2_0041C8A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000BEh]	3_2_0041C8A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+edx+0Ah]	3_2_0041C8A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2E3D7ACEh]	3_2_0041C8A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8AC
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0041D8AC
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C09E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-16h]	3_2_00441160
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov eax, dword ptr [00446130h]	3_2_00418169
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	3_2_0042B170
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0042D17D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0042D116
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004281CC
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004289E9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042B980
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	3_2_0043C990
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then jmp edx	3_2_004239B9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	3_2_004239B9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 385488F2h	3_2_0043CA40
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00421A10
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00436210
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FA20
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042AAC0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	3_2_0040AB40
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	3_2_00440340
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042D34A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0041C300
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FB10
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ecx	3_2_00418B1B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FB2A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FB28
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_004073D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_004073D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_004283D8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-6E2DD57Fh]	3_2_0041EB80
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov eax, ebx	3_2_00427440
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+09AD4080h]	3_2_00427440
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx edx, byte ptr [eax+edi-74D5A7FEh]	3_2_0042C465
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042C465
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edi, dword ptr [esi+30h]	3_2_0040CC7A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0041747D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov word ptr [edx], di	3_2_0041747D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00414CA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FD70
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+61765397h]	3_2_0041B57D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-16h]	3_2_00440D20
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	3_2_00428528
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ecx	3_2_00426D2E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+eax-46h]	3_2_0043EDC1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	3_2_0043CDF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-3ECB279Fh]	3_2_0043CDF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2213E57Fh	3_2_0043CDF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7F7BECC6h	3_2_0043CDF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042DDFF
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edi, ecx	3_2_0042A5B6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_00422E6D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then jmp edx	3_2_00422E6D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	3_2_00422E6D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then dec edx	3_2_0043FE00
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0042DE07
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-16h]	3_2_004406F0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edx, ecx	3_2_00429E80
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	3_2_00402EB0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	3_2_00427740
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00416F52
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov ecx, eax	3_2_0042BF13
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov edi, dword ptr [esp+28h]	3_2_00425F1B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then jmp eax	3_2_00429739
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then jmp edx	3_2_004237D6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 4x nop then mov dword ptr [esp+20h], eax	3_2_00409780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.11:49705 -> 172.67.209.202:443
Source: Network traffic	Suricata IDS: 2058397 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click) : 192.168.2.11:56351 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058398 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) : 192.168.2.11:49706 -> 172.67.209.202:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49705 -> 172.67.209.202:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49705 -> 172.67.209.202:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: pancakedipyps.click

Source: Joe Sandbox View

IP Address: 172.67.209.202 172.67.209.202

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49705 -> 172.67.209.202:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49706 -> 172.67.209.202:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: pancakedipyps.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: pancakedipyps.click

Source: unknown

Source: J18uCKmoAw.exe, 00000003.00000003.1340319102.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microhe
Source: J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/
Source: J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/Au
Source: J18uCKmoAw.exe, 00000003.00000002.1341720744.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/V
Source: J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341720744.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/api
Source: J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/apiC
Source: J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/e
Source: J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click/piju
Source: J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/api
Source: J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pancakedipyps.click:443/apiC

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown	HTTPS traffic detected: 172.67.209.202:443 -> 192.168.2.11:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.209.202:443 -> 192.168.2.11:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 3_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433E30

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 3_2_00433E30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_00433E30

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 3_2_004348C2 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_004348C2

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00161000	0_2_00161000
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0016E094	0_2_0016E094
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00186102	0_2_00186102
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00172AA1	0_2_00172AA1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_001843FF	0_2_001843FF
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00178D90	0_2_00178D90
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00173EA0	0_2_00173EA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00161000	3_2_00161000
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0016E094	3_2_0016E094
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00186102	3_2_00186102
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00172AA1	3_2_00172AA1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_001843FF	3_2_001843FF
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00178D90	3_2_00178D90
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00173EA0	3_2_00173EA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00408600	3_2_00408600
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040C840	3_2_0040C840
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041D003	3_2_0041D003
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040D021	3_2_0040D021
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040D83C	3_2_0040D83C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004038C0	3_2_004038C0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042A0CA	3_2_0042A0CA
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004338D0	3_2_004338D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042C0E6	3_2_0042C0E6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004160E9	3_2_004160E9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041B8F6	3_2_0041B8F6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042C09E	3_2_0042C09E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041C8A0	3_2_0041C8A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004388B0	3_2_004388B0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042C09E	3_2_0042C09E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00406160	3_2_00406160
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041E960	3_2_0041E960
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00418169	3_2_00418169
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00405900	3_2_00405900
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040B100	3_2_0040B100
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00426910	3_2_00426910
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004281CC	3_2_004281CC
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004409E0	3_2_004409E0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042C9EB	3_2_0042C9EB
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042E180	3_2_0042E180
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043F18B	3_2_0043F18B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004291AE	3_2_004291AE
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004239B9	3_2_004239B9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043CA40	3_2_0043CA40
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00435A4F	3_2_00435A4F
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043DA4D	3_2_0043DA4D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00404270	3_2_00404270
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041E220	3_2_0041E220
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FA20	3_2_0043FA20
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00411227	3_2_00411227
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00419AD0	3_2_00419AD0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004242D0	3_2_004242D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00439280	3_2_00439280
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00439A80	3_2_00439A80
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00428ABC	3_2_00428ABC
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040AB40	3_2_0040AB40
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00421340	3_2_00421340
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042D34A	3_2_0042D34A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042F377	3_2_0042F377
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00409310	3_2_00409310
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FB10	3_2_0043FB10
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00418B1B	3_2_00418B1B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FB2A	3_2_0043FB2A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FB28	3_2_0043FB28
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040F3C0	3_2_0040F3C0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004073D0	3_2_004073D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004283D8	3_2_004283D8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041EB80	3_2_0041EB80
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00404BA0	3_2_00404BA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00427440	3_2_00427440
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043A440	3_2_0043A440
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00440460	3_2_00440460
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041747D	3_2_0041747D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00433C10	3_2_00433C10
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004204C6	3_2_004204C6
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004224E0	3_2_004224E0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040D4F3	3_2_0040D4F3
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00431CF0	3_2_00431CF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00414CA0	3_2_00414CA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042CD4C	3_2_0042CD4C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042CD5E	3_2_0042CD5E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00424560	3_2_00424560
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FD70	3_2_0043FD70
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00421D00	3_2_00421D00
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00440D20	3_2_00440D20
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00411D2B	3_2_00411D2B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00426D2E	3_2_00426D2E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00439D30	3_2_00439D30
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042C53C	3_2_0042C53C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00405DC0	3_2_00405DC0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043A5D4	3_2_0043A5D4
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004065F0	3_2_004065F0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043CDF0	3_2_0043CDF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043C5A0	3_2_0043C5A0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00437DA9	3_2_00437DA9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00438650	3_2_00438650
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042EE63	3_2_0042EE63
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00420E6C	3_2_00420E6C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00422E6D	3_2_00422E6D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0042FE74	3_2_0042FE74
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043FE00	3_2_0043FE00
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040F60D	3_2_0040F60D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041961B	3_2_0041961B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041E630	3_2_0041E630
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004246D0	3_2_004246D0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004406F0	3_2_004406F0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0040E687	3_2_0040E687
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00438EA0	3_2_00438EA0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00402EB0	3_2_00402EB0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041AEB0	3_2_0041AEB0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00427740	3_2_00427740
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041DF50	3_2_0041DF50
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00412750	3_2_00412750
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00416F52	3_2_00416F52
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00425F1B	3_2_00425F1B
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00429739	3_2_00429739
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_004157C0	3_2_004157C0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00409780	3_2_00409780

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: String function: 00414C90 appears 77 times
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: String function: 0016E5A0 appears 98 times
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: String function: 001775AB appears 42 times
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: String function: 0017BE0D appears 40 times
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: String function: 00407F60 appears 40 times

Source: J18uCKmoAw.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: J18uCKmoAw.exe

Static PE information: Section: .bss ZLIB complexity 1.0003244500411184

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 3_2_00432070 CoCreateInstance,

3_2_00432070

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03

Source: J18uCKmoAw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: J18uCKmoAw.exe	Virustotal: Detection: 37%
Source: J18uCKmoAw.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

File read: C:\Users\user\Desktop\J18uCKmoAw.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\J18uCKmoAw.exe "C:\Users\user\Desktop\J18uCKmoAw.exe"
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Process created: C:\Users\user\Desktop\J18uCKmoAw.exe "C:\Users\user\Desktop\J18uCKmoAw.exe"
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Process created: C:\Users\user\Desktop\J18uCKmoAw.exe "C:\Users\user\Desktop\J18uCKmoAw.exe"	Jump to behavior

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: J18uCKmoAw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0016E75A push ecx; ret	0_2_0016E76D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0016E75A push ecx; ret	3_2_0016E76D
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00437069 push es; retf	3_2_00437074
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0043C990 push eax; mov dword ptr [esp], 5C5D5E5Fh	3_2_0043C99E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0041B324 push F3B90044h; retf	3_2_0041B32A
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00445C05 push ds; iretd	3_2_00445C08
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0044856B push cs; retf	3_2_0044856C

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

API coverage: 4.7 %

Source: C:\Users\user\Desktop\J18uCKmoAw.exe TID: 7768	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\J18uCKmoAw.exe TID: 7764	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00180CF8 FindFirstFileExW,	0_2_00180CF8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00180DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00180DA9
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00180CF8 FindFirstFileExW,	3_2_00180CF8
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00180DA9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00180DA9

Source: J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341720744.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 3_2_0043E110 LdrInitializeThunk,

3_2_0043E110

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 0_2_001772FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_001772FD

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0019619E mov edi, dword ptr fs:[00000030h]	0_2_0019619E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_00161690 mov edi, dword ptr fs:[00000030h]	0_2_00161690
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_00161690 mov edi, dword ptr fs:[00000030h]	3_2_00161690

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 0_2_0017C705 GetProcessHeap,

0_2_0017C705

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0016E06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0016E06C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_001772FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_001772FD
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0016E420 SetUnhandledExceptionFilter,	0_2_0016E420
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 0_2_0016E42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0016E42C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0016E06C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_0016E06C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_001772FD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_001772FD
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0016E420 SetUnhandledExceptionFilter,	3_2_0016E420
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: 3_2_0016E42C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0016E42C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 0_2_0019619E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0019619E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Memory written: C:\Users\user\Desktop\J18uCKmoAw.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: J18uCKmoAw.exe, 00000000.00000002.1299958142.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: pancakedipyps.click

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Process created: C:\Users\user\Desktop\J18uCKmoAw.exe "C:\Users\user\Desktop\J18uCKmoAw.exe"

Jump to behavior

Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00180062
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	0_2_001808CD
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	0_2_0017BA4C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	0_2_001802B3
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0018034E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	0_2_001805A1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	0_2_00180600
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	0_2_001806D5
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	0_2_00180720
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_001807C7
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	0_2_0017BFF0
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00180062
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	3_2_001808CD
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	3_2_0017BA4C
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	3_2_001802B3
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_0018034E
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	3_2_001805A1
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	3_2_00180600
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	3_2_001806D5
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,	3_2_00180720
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_001807C7
Source: C:\Users\user\Desktop\J18uCKmoAw.exe	Code function: EnumSystemLocalesW,	3_2_0017BFF0

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Code function: 0_2_0016EB50 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0016EB50

Source: C:\Users\user\Desktop\J18uCKmoAw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 PowerShell	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
J18uCKmoAw.exe	38%	Virustotal		Browse
J18uCKmoAw.exe	55%	ReversingLabs	Win32.Trojan.LummaStealer
J18uCKmoAw.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://pancakedipyps.click/e	100%	Avira URL Cloud	malware
https://pancakedipyps.click/V	100%	Avira URL Cloud	malware
https://pancakedipyps.click/piju	100%	Avira URL Cloud	malware
https://pancakedipyps.click/Au	100%	Avira URL Cloud	malware
https://pancakedipyps.click:443/apiC	100%	Avira URL Cloud	malware
https://pancakedipyps.click/apiC	100%	Avira URL Cloud	malware
http://crl.microhe	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pancakedipyps.click	172.67.209.202	true	false		high

Contacted URLs

Name	Malicious	Reputation
pancakedipyps.click	false	high
wordyfindy.lat	false	high
slipperyloo.lat	false	high
curverpluch.lat	false	high
tentabatte.lat	false	high
manyrestro.lat	false	high
bashfulacid.lat	false	high
shapestickyr.lat	false	high
https://pancakedipyps.click/api	false	high
talkynicer.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pancakedipyps.click/e	J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/piju	J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microhe	J18uCKmoAw.exe, 00000003.00000003.1340319102.0000000000D14000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pancakedipyps.click:443/apiC	J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/Au	J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click/	J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000002.1341855428.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/apiC	J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://pancakedipyps.click:443/api	J18uCKmoAw.exe, 00000003.00000002.1341798317.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp, J18uCKmoAw.exe, 00000003.00000003.1340387904.0000000000CA3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://pancakedipyps.click/V	J18uCKmoAw.exe, 00000003.00000002.1341720744.0000000000C8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.209.202	pancakedipyps.click	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580295
Start date and time:	2024-12-24 08:53:43 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	J18uCKmoAw.exe renamed because original name is a hash value
Original Sample Name:	9ab250b0dc1d156e2d123d277eb4d132.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 32 Number of non-executed functions: 157
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63
Excluded domains from analysis (whitelisted): otelrules.azureedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:54:40	API Interceptor	2x Sleep call for process: J18uCKmoAw.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.209.202	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse
	AWrVzd6XpC.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse
	random.exe_Y.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pancakedipyps.click	fkawMJ7FH8.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Vidar, Xmrig	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, SystemBC, zgRAT	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, zgRAT	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.23.76
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.209.202
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	104.21.23.76

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.199.72
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.199.72
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	104.21.36.201
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	172.67.199.72
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.37.173
	HALKBANK EKSTRE.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	eMBO6wS1b5.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.169.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	y001L6lEK4.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.209.202
	tTGxYWtjG5.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	4W3cB5WEYH.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	ElmEHL9kP9.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.209.202
	yuij5p5p3W.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	yO9EAqDV15.exe	Get hash	malicious	LummaC	Browse	172.67.209.202
	singl6.mp4.hta	Get hash	malicious	LummaC	Browse	172.67.209.202
	eMBO6wS1b5.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.209.202
	qoqD1RxV0F.exe	Get hash	malicious	LummaC	Browse	172.67.209.202

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\J18uCKmoAw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	15
Entropy (8bit):	3.906890595608518
Encrypted:	false
SSDEEP:	3:SXhRi75n:SC5
MD5:	3A33AF4BC7DC9699EE324B91553C2B46
SHA1:	4CCE2BF1011CA006FAAB23506A349173ACC40434
SHA-256:	226D20C16ED4D8DDDFD00870E83E3B6EEDEDB86704A7BF43B5826B71D61500AE
SHA-512:	960194C8B60C086520D1A76B94F52BA88AC2DDEC76A18B2D7ABF758FFFF138E9EDD23E62D4375A34072B42FBA51C6D186554B1AA71D60835EF1E18BEB8873B1D
Malicious:	false
Reputation:	low
Preview:	1.29548Enjoy!..

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.614709628313703
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	J18uCKmoAw.exe
File size:	540'672 bytes
MD5:	9ab250b0dc1d156e2d123d277eb4d132
SHA1:	3b434ff78208c10f570dfe686455fd3094f3dd48
SHA256:	49bfa0b1c3553208e59b6b881a58c94bb4aa3d09e51c3f510f207b7b24675864
SHA512:	a30fb204b556b0decd7fab56a44e62356c7102bc8146b2dfd88e6545dea7574e043a3254035b7514ee0c686a726b8f5ba99bcd91e8c2c7f39c105e2724080ef0
SSDEEP:	12288:huB9du8NOZx84E5YoShCwrp1OkwWFewdYHMUzN4r52ki:i9du88Zx8VAwBkewVUckki
TLSH:	D7B4E010B491C072C9672477587AEB6A8A3EF9204F326ADFA7840DB9CF355D1E730726
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...WZig..........".................R.............@.......................................@.................................dH..<..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40ef52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, TERMINAL_SERVER_AWARE
Time Stamp:	0x67695A57 [Mon Dec 23 12:40:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5cc7e689f2864a0a9a8589c00efad8df

Entrypoint Preview

Instruction
call 00007F3C2C80AB9Ah
jmp 00007F3C2C80AA09h
mov ecx, dword ptr [00436840h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F3C2C80AB96h
test esi, ecx
jne 00007F3C2C80ABB8h
call 00007F3C2C80ABC1h
mov ecx, eax
cmp ecx, edi
jne 00007F3C2C80AB99h
mov ecx, BB40E64Fh
jmp 00007F3C2C80ABA0h
test esi, ecx
jne 00007F3C2C80AB9Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [00436840h], ecx
not ecx
pop edi
mov dword ptr [00436880h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00434AC4h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00434A78h]
xor dword ptr [ebp-04h], eax
call dword ptr [00434A74h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00434B0Ch]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00437E18h
call dword ptr [00434AE4h]
ret
mov al, 01h
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F3C2C81237Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34864	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a000	0x1d70	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30d08	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d008	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x34a0c	0x16c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2a52b	0x2a600	ca7697ad91eaacd837ed51179759a947	False	0.5367809734513275	data	6.539348053061756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c000	0x9d7c	0x9e00	964f1e27d13bf05fbdae349f651c8112	False	0.4288221914556962	data	4.95389314063731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x36000	0x25e4	0x1600	f9cffcfbe2a982ed0d73caf2c5c26405	False	0.40678267045454547	data	4.770466622070642	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x39000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3a000	0x1d70	0x1e00	050a442cf25b388dea29342e31853d9f	False	0.7709635416666667	data	6.524650010128688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x3c000	0x4c000	0x4c000	9eaf422a324664e2395959636348fe22	False	1.0003244500411184	data	7.999467342003005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, CreateThread, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameA, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

DefWindowProcW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-24T08:54:39.112406+0100	2058397	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click)	1	192.168.2.11	56351	1.1.1.1	53	UDP
2024-12-24T08:54:40.655706+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:40.655706+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:41.404704+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:41.404704+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49705	172.67.209.202	443	TCP
2024-12-24T08:54:43.109571+0100	2058398	ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI)	1	192.168.2.11	49706	172.67.209.202	443	TCP
2024-12-24T08:54:43.109571+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49706	172.67.209.202	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:54:39.433912039 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:39.433969021 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:39.434046030 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:39.437408924 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:39.437426090 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:40.655613899 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:40.655705929 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:40.659559965 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:40.659579039 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:40.659965038 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:40.699784040 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:40.726357937 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:40.726383924 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:40.726612091 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:41.404813051 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:41.405101061 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:41.405147076 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:41.407113075 CET	49705	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:41.407136917 CET	443	49705	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:41.419612885 CET	49706	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:41.419672012 CET	443	49706	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:41.419815063 CET	49706	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:41.420232058 CET	49706	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:41.420248032 CET	443	49706	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:43.109502077 CET	443	49706	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:43.109570980 CET	49706	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:43.125493050 CET	49706	443	192.168.2.11	172.67.209.202
Dec 24, 2024 08:54:43.125538111 CET	443	49706	172.67.209.202	192.168.2.11
Dec 24, 2024 08:54:43.125590086 CET	49706	443	192.168.2.11	172.67.209.202

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 08:54:39.112406015 CET	56351	53	192.168.2.11	1.1.1.1
Dec 24, 2024 08:54:39.428394079 CET	53	56351	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 08:54:39.112406015 CET	192.168.2.11	1.1.1.1	0xd6a9	Standard query (0)	pancakedipyps.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 08:54:39.428394079 CET	1.1.1.1	192.168.2.11	0xd6a9	No error (0)	pancakedipyps.click		172.67.209.202	A (IP address)	IN (0x0001)	false
Dec 24, 2024 08:54:39.428394079 CET	1.1.1.1	192.168.2.11	0xd6a9	No error (0)	pancakedipyps.click		104.21.23.76	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pancakedipyps.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49705	172.67.209.202	443	7748	C:\Users\user\Desktop\J18uCKmoAw.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-24 07:54:40 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: pancakedipyps.click
2024-12-24 07:54:40 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-24 07:54:41 UTC	1119	IN	HTTP/1.1 200 OK Date: Tue, 24 Dec 2024 07:54:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gboh7emg4aj0p9cjejip9u7jen; expires=Sat, 19 Apr 2025 01:41:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ELMAI4D8J0djIknJMFMWV65Cw3O3RmTJKqXiQPkr0xDqwgqv6dhj5XLzfCw8mIEQIxpoQao7gVpVGe4L5IgprWbMrzq0hjanQB5sRRzytzHIssuuUVp1Ygd5qiYs2WiefmzgFavA"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f6f0655c98f32f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1808&rtt_var=683&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=910&delivery_rate=1596500&cwnd=112&unsent_bytes=0&cid=cebdd6bae0a4bb78&ts=760&x=0"
2024-12-24 07:54:41 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-24 07:54:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:54:37
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\J18uCKmoAw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\J18uCKmoAw.exe"
Imagebase:	0x160000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:54:37
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:54:37
Start date:	24/12/2024
Path:	C:\Users\user\Desktop\J18uCKmoAw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\J18uCKmoAw.exe"
Imagebase:	0x160000
File size:	540'672 bytes
MD5 hash:	9AB250B0DC1D156E2D123D277EB4D132
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	1.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 0019619E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00196110,00196100), ref: 00196334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00196347
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 00196365
ReadProcessMemory.KERNELBASE(0000008C,?,00196154,00000004,00000000), ref: 00196389
VirtualAllocEx.KERNELBASE(0000008C,?,?,00003000,00000040), ref: 001963B4
WriteProcessMemory.KERNELBASE(0000008C,00000000,?,?,00000000,?), ref: 0019640C
WriteProcessMemory.KERNELBASE(0000008C,00400000,?,?,00000000,?,00000028), ref: 00196457
WriteProcessMemory.KERNELBASE(0000008C,?,?,00000004,00000000), ref: 00196495
Wow64SetThreadContext.KERNEL32(0000009C,00F40000), ref: 001964D1
ResumeThread.KERNELBASE(0000009C), ref: 001964E0

Strings

ResumeThread, xrefs: 001962D8
VirtualAlloc, xrefs: 00196263
ress, xrefs: 00196226
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00196333
GetP, xrefs: 0019621E
VirtualAllocEx, xrefs: 0019629C
aryA, xrefs: 001961E2
SetThreadContext, xrefs: 001962C2
ReadProcessMemory, xrefs: 00196289
WriteProcessMemory, xrefs: 001962AF
TerminateProcess, xrefs: 001963C3
Load, xrefs: 001961DA
GetThreadContext, xrefs: 00196276
CreateProcessW, xrefs: 00196250

Memory Dump Source

Source File: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 176bba7450d0a9aa23103b22d40c55726762ec3b9567dd3077a5429bf85bb1a7
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 78B1F97664064AAFDB60CF68CC80BDA73A5FF88714F158124EA0CAB341D774FA51CBA4

Function 0017BD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,6CA949D0,?,0017BE51,?,?,00000000), ref: 0017BE03

Strings

api-ms-, xrefs: 0017BD99
ext-ms-, xrefs: 0017BDAD

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3357bb2cd70dd1e9dccff011b28aad9c9d5e0224203318357250309c075782a8
Instruction ID: 0b977532fc56d7cbd020aa57ccd6914a01fc1984d2c68b9fa266886ed5cf0572
Opcode Fuzzy Hash: 3357bb2cd70dd1e9dccff011b28aad9c9d5e0224203318357250309c075782a8
Instruction Fuzzy Hash: AD212735A09214ABD7319BA4DC81FAB37B8AF02364F258121FD1AA7290DB30ED01C6D0

Function 00161860 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 001618E3
GetFileSize.KERNEL32 ref: 00161912
CloseHandle.KERNEL32 ref: 0016192E

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: b58c19b8b07dc64eb3954c55e71d4dfd2c395f77035dd2414fd61839c8e2528c
Instruction ID: 9a961ec74ccdfd97ef5c7af2bf036f3a66efddd765203bb5e2c88995d74bbac8
Opcode Fuzzy Hash: b58c19b8b07dc64eb3954c55e71d4dfd2c395f77035dd2414fd61839c8e2528c
Instruction Fuzzy Hash: 9F71A0B4D082489FDB00EFA8D98879DBBF0BF48308F14852AE499EB340D7749955CF52

Function 0016A4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strcspn.LIBCMT ref: 0016A631
_strcspn.LIBCMT ref: 0016A65F

Strings

@, xrefs: 0016A92F

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: 86348472ac06bd292918c81d3f8f231344bb767bb76527da7ad9aed3c5ba9557
Instruction ID: 6cf00aa48ae51b8d125506fc217029a992e45d820f240d318087bb1d44413605
Opcode Fuzzy Hash: 86348472ac06bd292918c81d3f8f231344bb767bb76527da7ad9aed3c5ba9557
Instruction Fuzzy Hash: CA32D3B4904269CFCB24DF68C981A9DFBF1BF58300F0585AAE849A7341D734AE95CF52

Function 00161700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 0016176B
VirtualProtect.KERNELBASE ref: 0016181B

Strings

@, xrefs: 0016180F

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual
String ID: @
API String ID: 621788221-2766056989
Opcode ID: 7f6fd0ede0741d8f794563eb251d0a560bfe3e8c7c7c60ecd8aa3189cc7d2e4e
Instruction ID: e2182057880df637a21b834870c620503272ff80421b2117ffcad907699b2bd5
Opcode Fuzzy Hash: 7f6fd0ede0741d8f794563eb251d0a560bfe3e8c7c7c60ecd8aa3189cc7d2e4e
Instruction Fuzzy Hash: 1D41DEB0D04208EFDB04EFA9D98469EBBF0FF48354F15881AE858AB350D775A984CF91

Function 0017481D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(?,?,Function_00014935,00000000,?,?), ref: 00174866
GetLastError.KERNEL32(?,00000000,00000000,?,0016B58D), ref: 00174872
__dosmaperr.LIBCMT ref: 00174879

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7eb3070e7b1a288aee349f9cdbf5aac97910aba9d5d53f2c4a0b97f47fe2de33
Instruction ID: 15a9c145b03feb7843465b9681a36fcd18d9118bb43ff57c595d7cad471d22d5
Opcode Fuzzy Hash: 7eb3070e7b1a288aee349f9cdbf5aac97910aba9d5d53f2c4a0b97f47fe2de33
Instruction Fuzzy Hash: 60019E72A10259BBDF159FE0DC06AAE3B78EF10360F008059F90996190DB70CA50DB91

Function 001749B3 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0017B104: GetLastError.KERNEL32(00000000,?,00176BB6,0017C132,?,?,0017B000,00000001,00000364,?,00000005,000000FF,?,0017495A,001956B0,0000000C), ref: 0017B108
Part of subcall function 0017B104: SetLastError.KERNEL32(00000000), ref: 0017B1AA

CloseHandle.KERNEL32(?,?,?,001748AD,?,?,00174993,00000000), ref: 001749E4
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,001748AD,?,?,00174993,00000000), ref: 001749FA
ExitThread.KERNEL32 ref: 00174A03

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 90673597837048da1e91e5035c181f44d8a7d23c50eed4188f9934b52228f1d0
Instruction ID: 24ec48cb121e60253b0ba0a7bfdf4df781dc1d067f4495dc4b327df4d534600d
Opcode Fuzzy Hash: 90673597837048da1e91e5035c181f44d8a7d23c50eed4188f9934b52228f1d0
Instruction Fuzzy Hash: E6F05E31148640ABCB315B75A848A5B3AB86F04364B19C620F92FD79B0EB20DC81C698

Function 00174B24 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00174BE6,00177849,00177849,?,00000002,6CA949D0,00177849,00000002), ref: 00174B35
TerminateProcess.KERNEL32(00000000,?,00174BE6,00177849,00177849,?,00000002,6CA949D0,00177849,00000002), ref: 00174B3C
ExitProcess.KERNEL32 ref: 00174B4E

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: be9d2f6f791f455dc4ed45e17d5e5fdb5d82c6ee32634f3f4d317edd2f2f4046
Instruction ID: 913065dde4e7f2042520e867bb08b90634db83991992587e1cc501a70480236e
Opcode Fuzzy Hash: be9d2f6f791f455dc4ed45e17d5e5fdb5d82c6ee32634f3f4d317edd2f2f4046
Instruction Fuzzy Hash: 58D06C32044108ABCF116FA1EC09E593F3AAB40382B448411B90A4B871DB72DD92DA98

Function 00182D15 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001830BF: GetConsoleOutputCP.KERNEL32(6CA949D0,00000000,00000000,?), ref: 00183122

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,001724F1,?,00172753), ref: 00182E9A
GetLastError.KERNEL32(?,001724F1,?,00172753,?,00172753,?,?,?,?,?,?,?,?,?,?), ref: 00182EA4

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: cce97e8f113b103410bbe061d03876f84f7eddfa57ba0312ba0f0d455007dc2c
Instruction ID: abe67f65794b1123f010705ef166f6ade3b2e9fd04486287c30609a01448f16f
Opcode Fuzzy Hash: cce97e8f113b103410bbe061d03876f84f7eddfa57ba0312ba0f0d455007dc2c
Instruction Fuzzy Hash: 75619F72904109AFDF16EFA8C885AAEBFB9BF19704F150145F900A7252D732DB41CFA4

Function 001834EE Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00182E80,?,00172753,?,?,?,00000000), ref: 0018358A
GetLastError.KERNEL32(?,00182E80,?,00172753,?,?,?,00000000,?,?,?,?,?,001724F1,?,00172753), ref: 001835B0

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b2d339ba39f02242e9c97f9e4445953a79a3cd1c2f478a5e688b3698434e46d3
Instruction ID: c412891978cce39f886921392f756777adae931478b0ab3acef3389a8289effc
Opcode Fuzzy Hash: b2d339ba39f02242e9c97f9e4445953a79a3cd1c2f478a5e688b3698434e46d3
Instruction Fuzzy Hash: 8E219F34A002199FCF19DF29DC909E9B7B9EB49705F1840AAE906D7211E730EF86CF64

Function 0017C862 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,?,00000000,0017C751,00195BA0), ref: 0017C8AE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,?,00000000,0017C751,00195BA0), ref: 0017C8C0

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: f963627474c9b8403b0c1a40a3ab06fdef89aa6789f0623fed4cc28ea252549e
Instruction ID: 9b5e24ac894e72a066f5e409a821ced5e2c46a6d6cbad30608bce6136a05dbeb
Opcode Fuzzy Hash: f963627474c9b8403b0c1a40a3ab06fdef89aa6789f0623fed4cc28ea252549e
Instruction Fuzzy Hash: BF11B1716047524AC7344E3E8C88632BAA4AB56334B39875ED1BEC7AF1C370D986D686

Function 00174935 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(001956B0,0000000C), ref: 00174948
ExitThread.KERNEL32 ref: 0017494F

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 77492ca3d5a64d79d41b8f6ad06e77169d44cff2c61d3671c3a939b63e53ef92
Instruction ID: 75ea31f3ed9c0b6766251f2c68e9c6d660ab86cc8cc4a2633f9a1465422e8987
Opcode Fuzzy Hash: 77492ca3d5a64d79d41b8f6ad06e77169d44cff2c61d3671c3a939b63e53ef92
Instruction Fuzzy Hash: 58F0C2B4940205AFDB05AFB0D84AA2E7BB4FF55711F20814AF40A97692DB705D82CFA1

Function 00161B70 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 00161B98
GetModuleFileNameA.KERNEL32 ref: 00161BB8

Part of subcall function 00161860: CreateFileA.KERNELBASE ref: 001618E3

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileModule$CreateHandleName
String ID:
API String ID: 2828212432-0
Opcode ID: cb7f465cbbb4b77100e00d08f7b580fee85d4b61a6aef6652730bedd08be374c
Instruction ID: 70b536a0f2e69968c54bee4b7130a91032d2f3f0efd7b17cae9edd08ca2211d8
Opcode Fuzzy Hash: cb7f465cbbb4b77100e00d08f7b580fee85d4b61a6aef6652730bedd08be374c
Instruction Fuzzy Hash: ABF01DB090820C8FC750EF78E84569DBBF4AB14300F4145AED4CAD7240EB7459D88F86

Function 0017AD27 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,0017F0A4,?,00000000,?,?,0017ED44,?,00000007,?,?,0017F68A,?,?), ref: 0017AD3D
GetLastError.KERNEL32(?,?,0017F0A4,?,00000000,?,?,0017ED44,?,00000007,?,?,0017F68A,?,?), ref: 0017AD48

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 35ea16d189d262da21c638a01a6b203106da04f110e49d75bb36f6009da7e076
Instruction ID: 6660c3b1faab5cd379e3c8cb4cf9776e7c7c7bfcab43f2e154e723cd4fb352b3
Opcode Fuzzy Hash: 35ea16d189d262da21c638a01a6b203106da04f110e49d75bb36f6009da7e076
Instruction Fuzzy Hash: D3E08632100604A7CB212BA4FC09B993BA8AF45759F148021F60DCB871DB308891C798

Function 00161EA0 Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00161ECA

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 052bf4f954e012302c89fd8a05c9bb1c3f130471ff878b27a415271b84c7c7ea
Instruction ID: 3d403dc9f16cb9cbb9cfe91031d9ef3797f79dd07a48bc2789e276977c3a0169
Opcode Fuzzy Hash: 052bf4f954e012302c89fd8a05c9bb1c3f130471ff878b27a415271b84c7c7ea
Instruction Fuzzy Hash: D9C128746087409FC704EF28D895A2ABBF0EF9A354F05892DF896CB351E735D924CB42

Function 0016CE13 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1653a23f52b4e82d981a2780b6a967dde93591702bd0f01cb1b7eb20c84a73ac
Instruction ID: 533c8772e5112d602b3c560373a1ad3b92efde10e5f2be76390ecf3c113454b0
Opcode Fuzzy Hash: 1653a23f52b4e82d981a2780b6a967dde93591702bd0f01cb1b7eb20c84a73ac
Instruction Fuzzy Hash: F341A031A1011AAFCB14DFA8C8909FDB7B9FF08310B544169E486E7A40E731E961DBE0

Function 0017BE0D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c511edb14039fdac1e4e48d2297652d72402b76c1e080469e88cf468addd8cbc
Instruction ID: b26d9a1815d5794c16595814cb989820841e24db70446e37d641ecc715e60af7
Opcode Fuzzy Hash: c511edb14039fdac1e4e48d2297652d72402b76c1e080469e88cf468addd8cbc
Instruction Fuzzy Hash: 9301D8332186159F9B169F68ECC1AA733B6BBC1764725C229FB19CB654DF30DC409790

Function 0016B510 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 0016B5BB

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 8193f83da37fad3b946629d6a9e0bf8885d278d0ab3bcc0cac63ba56fd39f8e9
Instruction ID: d0aac9e3a6fd70e1e2d2f8df3dcfc9435e2e03665baa7523e9bf5bdd31109d01
Opcode Fuzzy Hash: 8193f83da37fad3b946629d6a9e0bf8885d278d0ab3bcc0cac63ba56fd39f8e9
Instruction Fuzzy Hash: 9E21BAB4908209DFDB04DFA4D9917AEBBF0BF54304F00846DE449AB350E7749A95CF91

Function 0017AD61 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0017CD3A,?,?,0017CD3A,00000220,?,00000000,?), ref: 0017AD93

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cb1ab2f8d871ecb594605e3003d805d233feecfcb7a5ceafe11ffbed24cac1c3
Instruction ID: 2222a45ed585e6c6ebee576e8adebe7df7c6e779ea53378eed9d31873e0c9187
Opcode Fuzzy Hash: cb1ab2f8d871ecb594605e3003d805d233feecfcb7a5ceafe11ffbed24cac1c3
Instruction Fuzzy Hash: 28E0653224061157D73626F5DC05B9E7679DFD27A2F5AC111AC4D96A90EB10CC0085E6

Non-executed Functions

Function 00186102 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00186319

Strings

1#INF, xrefs: 00186238
1#IND, xrefs: 00186207
1#QNAN, xrefs: 00186215
1#SNAN, xrefs: 0018620E

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 13b6484376dcfb9a5347dd4ccbd4f3768f782ca610357f075b9d4d7dd15cbfce
Instruction ID: 261dbef7c1bee19f6f9f63761d05bed8911be4dde2cf8037d24ef0f6626c56ab
Opcode Fuzzy Hash: 13b6484376dcfb9a5347dd4ccbd4f3768f782ca610357f075b9d4d7dd15cbfce
Instruction Fuzzy Hash: 7FD23871E086298FDB65DE28DD447EAB7B5EB54304F1441EAD80DE7280EB78AF818F41

Function 001807C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00180198,00000002,00000000,?,?,?,00180198,?,00000000), ref: 00180860
GetLocaleInfoW.KERNEL32(?,20001004,00180198,00000002,00000000,?,?,?,00180198,?,00000000), ref: 00180889
GetACP.KERNEL32(?,?,00180198,?,00000000), ref: 0018089E

Strings

OCP, xrefs: 0018081B
ACP, xrefs: 001807E5

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 257d02d5985575ebf89800a6ede6e19ec21984490d617de15e3c492a2b610ba8
Instruction ID: 87a86d9942b2df6449f418e2899a47db4fe9008899c78068a3d98406eccd960d
Opcode Fuzzy Hash: 257d02d5985575ebf89800a6ede6e19ec21984490d617de15e3c492a2b610ba8
Instruction Fuzzy Hash: 4C21D622F00108AADBB6AF54C940A9773A6EF5AB50B578024E80AD7114E732DFC5CBD0

Function 00180062 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0018016A
IsValidCodePage.KERNEL32(00000000), ref: 001801A8
IsValidLocale.KERNEL32(?,00000001), ref: 001801BB
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00180203
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0018021E

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: ca1493793ae59b845fe08e0cf23067dd85eadede7456ca1e1679cbbdc5a85198
Instruction ID: 66a383107b075cfb7d6571b24267ae32d0a9fe295c5e7d8b7e7172414bf0b967
Opcode Fuzzy Hash: ca1493793ae59b845fe08e0cf23067dd85eadede7456ca1e1679cbbdc5a85198
Instruction Fuzzy Hash: 49518071A00209AFDB52EFA4CC89ABE73B9BF18700F154429F905E7190E7B0DB488F61

Function 00178D90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction ID: 2084d79a976a85b72cdaed8429f3e8bc7625230f20d298c660af63727de2dff4
Opcode Fuzzy Hash: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction Fuzzy Hash: 0B024D71E012199BDF14CFA9C8846AEFBF5FF48314F258269E519E7381D731AA05CB90

Function 00180DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00180E99

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 9347159ed05d234b7d820dd38a434b1a0a8f804416569339a6b5bc3748d29294
Instruction ID: f5344d5a3350a4ed09b6883923b3a94bf022716d504c4a1b3416c3676a150472
Opcode Fuzzy Hash: 9347159ed05d234b7d820dd38a434b1a0a8f804416569339a6b5bc3748d29294
Instruction Fuzzy Hash: 1771B07294515C6FDF72AF688C89AAEBBB8AF09300F5481D9E009A3251DB315F898F10

Function 0016E42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0016E438
IsDebuggerPresent.KERNEL32 ref: 0016E504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0016E51D
UnhandledExceptionFilter.KERNEL32(?), ref: 0016E527

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4e00defdeaccda22e603de949215539622b2f0d99818cc1483ab3149b4dfe76d
Instruction ID: 6b769f7eb07212d64edeab959bf85b22377bdf5bed66270f04ba8fa459b9275a
Opcode Fuzzy Hash: 4e00defdeaccda22e603de949215539622b2f0d99818cc1483ab3149b4dfe76d
Instruction Fuzzy Hash: 0931F5B9D052189BDF20DFA5DD49BCDBBF8AF18300F1041AAE40DAB250EB719A85CF45

Function 0018034E Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001803A2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001803EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001804B2

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 748de3c502e1cd38301be2e2ce8096d22ba9ee598535d8c4975adfd740d181ec
Instruction ID: 68e9e3179eb776ec824246745bc0ebcd76ce02801eae50c47dd2f40fcd768a52
Opcode Fuzzy Hash: 748de3c502e1cd38301be2e2ce8096d22ba9ee598535d8c4975adfd740d181ec
Instruction Fuzzy Hash: 1C61827194420B9FEB69EF28CC82BAA77A8EF18300F104169ED05C6585EB34DB89DF50

Function 001772FD Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 001773F5
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 001773FF
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 0017740C

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 5ceee4e77e226a45b39b465779fb59ffaedc09eb4c67c31c54befd1b81000bcc
Instruction ID: 10f60c6b51dd0a890ccbd33575d157ce72568cadd3a505ceaba4c6a8c2f77716
Opcode Fuzzy Hash: 5ceee4e77e226a45b39b465779fb59ffaedc09eb4c67c31c54befd1b81000bcc
Instruction Fuzzy Hash: E631E574901219ABCB21DF28DC88B9DBBB8BF18310F5041EAE41CA7290E7709F858F44

Function 0016EB50 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0016EA53,?,?,?,?,0016EA77,000000FF,?,?,?,0016E971,00000000), ref: 0016EB88
GetSystemTimeAsFileTime.KERNEL32(?,6CA949D0,?,?,0018B30E,000000FF,?,0016EA53,?,?,?,?,0016EA77,000000FF,?), ref: 0016EB8C

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 359cf7c95ca8562ebca1db8d3296196bbca78ce6e2449ac72830e54666838a12
Instruction ID: 7b76a57ef401ecc006e95abcb014e39f1c1a38c6e59905e2fd477be76d3e6e38
Opcode Fuzzy Hash: 359cf7c95ca8562ebca1db8d3296196bbca78ce6e2449ac72830e54666838a12
Instruction Fuzzy Hash: 47F03076A48554AFC7169F44DC41F59BBE8FB09B10F01436AE81297B90D774A9408B94

Function 001843FF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0018435A,?,?,?,?,?,?,00000000), ref: 0018462C

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 10e728349ebf2043142a64d0d9d4c215b50dd270f52c536160f52fe156c94dc9
Instruction ID: d36223f17ed6e73d21979bee6786e093f641bef580c8f57f213d3f5a87766926
Opcode Fuzzy Hash: 10e728349ebf2043142a64d0d9d4c215b50dd270f52c536160f52fe156c94dc9
Instruction Fuzzy Hash: 2BB16F7161060ACFD719DF28C48AB647BE0FF45364F268658E89ACF2A1CB35DA81CF40

Function 0016E094 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0016E0AA

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 332286ec580fc581baadaf8d6f1694d9d42ecaa1f0c6230741719b70bf8854d2
Instruction ID: fa9b7ebe1093fe2c914a5016732ad737af6a8548f3214d31a3bf08e539c2212e
Opcode Fuzzy Hash: 332286ec580fc581baadaf8d6f1694d9d42ecaa1f0c6230741719b70bf8854d2
Instruction Fuzzy Hash: A8A157B5D107068FDB18CF58DC856A9BBF1FB58324F24822AD451EB7A4D3389994CF60

Function 00180CF8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0017C0E0: HeapAlloc.KERNEL32(00000008,?,?,?,0017B000,00000001,00000364,?,00000005,000000FF,?,0017495A,001956B0,0000000C), ref: 0017C121

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00180E99
FindNextFileW.KERNEL32(00000000,?), ref: 00180F8D
FindClose.KERNEL32(00000000), ref: 00180FCC
FindClose.KERNEL32(00000000), ref: 00180FFF

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 194dd855054cf0b405936a8e396ac09e4679a90f1a951c5c15977d751c1ecbd1
Instruction ID: f8d05884f4c1e54d682391b94f9c3c6a004cd9af79083eea69f8744aba120cbe
Opcode Fuzzy Hash: 194dd855054cf0b405936a8e396ac09e4679a90f1a951c5c15977d751c1ecbd1
Instruction Fuzzy Hash: 6851577290410CAFDB65BFA89C85ABF77B9DF89314F14429DF81993201EB309E499F60

Function 00180600 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00180654

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 461c45f99597f09ff79adce22d417a903a59da2c2c32bbc006ff933b8629a8c4
Instruction ID: 76a8c3db1501e4fe78f869edce7ef4f8559642aa0281609c9ae03a2d94e884eb
Opcode Fuzzy Hash: 461c45f99597f09ff79adce22d417a903a59da2c2c32bbc006ff933b8629a8c4
Instruction Fuzzy Hash: D221C57261520AABEB29AB24DC91A7B73B8EF98310B20407AFD05C6241FB74DE548F50

Function 00173EA0 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

0, xrefs: 00174010

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 782cbb2683b5ba8949bc8d9b8952673931641ff2f07c75940a05ff67778bbd50
Instruction ID: 401761ebe20c5eb488a10ad02fb184f151e2af92d28d88ad454234bd972eca07
Opcode Fuzzy Hash: 782cbb2683b5ba8949bc8d9b8952673931641ff2f07c75940a05ff67778bbd50
Instruction Fuzzy Hash: 0AC1E1349007068FCB38DF68C9846BABBB1AF15340F54C61DE5AE97691C731EE85DB12

Function 00172AA1 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00172C25

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 93ec2c903b86d8c02c504b8d50c08a908ccd5fb0ef704ea5f96a8d8c7fe2c8d2
Instruction ID: c7cd3c3d01bfb02fd04c0a7066202175eba95bc2189b1406c2054b8946c2dcc9
Opcode Fuzzy Hash: 93ec2c903b86d8c02c504b8d50c08a908ccd5fb0ef704ea5f96a8d8c7fe2c8d2
Instruction Fuzzy Hash: 83B1D230A0060A8BCB39CF68C995ABEB7B1AF15310F24C61ED89E97691C774DA43DB51

Function 001802B3 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

EnumSystemLocalesW.KERNEL32(0018034E,00000001,00000000,?,-00000050,?,0018013E,00000000,-00000002,00000000,?,00000055,?), ref: 00180325

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 8ac608122caf623b2ba410317ce06e1d222af1b2a618b2a334a90d51229fc71f
Instruction ID: 82d3c1e3da4d392b7de9bcfd0f184ae8cad022aa5025832d47e54fea4d5e2854
Opcode Fuzzy Hash: 8ac608122caf623b2ba410317ce06e1d222af1b2a618b2a334a90d51229fc71f
Instruction Fuzzy Hash: 6911293A2047095FDB28AF39C89167EB7A2FF84358B15442DE94B87B40D3716946CB40

Function 00180720 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00180774

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 714dd03cfefc33b113b7231ef8d483409997f00f98bd73fd778d936572d3f9cd
Instruction ID: ffe4c261eeebb0872c29cad1d5288514f91bbcaf928e77c4e70f7af8acb3b2f0
Opcode Fuzzy Hash: 714dd03cfefc33b113b7231ef8d483409997f00f98bd73fd778d936572d3f9cd
Instruction Fuzzy Hash: 0211067261020AABD719AF68DC42ABA77FCEF08310B10417AF505D7641EB34EE448F90

Function 001808CD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0018056A,00000000,00000000,?), ref: 001808F9

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 303576da9c01c1b10ffd06dfb7bb53c151d0ae2d791c3e147347cc0435f9b0b1
Instruction ID: 026f1b7411a80c6404b8c890d92ba289e8026cdd019236c5080b1cd7c0bced5f
Opcode Fuzzy Hash: 303576da9c01c1b10ffd06dfb7bb53c151d0ae2d791c3e147347cc0435f9b0b1
Instruction Fuzzy Hash: 37012633F0011ABBEB2D6A248805BBA7768DB4435CF165428EC4AA3181EB30EF45CFD0

Function 001805A1 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

EnumSystemLocalesW.KERNEL32(00180600,00000001,?,?,-00000050,?,00180106,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 001805EB

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 88332016451107b82fa28c7bdde793034c34b0add83a06b301f9e05b0fdc25c1
Instruction ID: 735cae80a6209e86c494f0a8d7b20f9f07cdceeda55a69d9ffcea371cc3d5179
Opcode Fuzzy Hash: 88332016451107b82fa28c7bdde793034c34b0add83a06b301f9e05b0fdc25c1
Instruction Fuzzy Hash: E5F0F6362003085FEB256F39D881A7A7BA1EF84368F15842DF9464BA90D7B1AD42CF50

Function 0017BFF0 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00177594: EnterCriticalSection.KERNEL32(?,?,0017B440,?,00195B00,00000008,0017B332,?,?,?), ref: 001775A3

EnumSystemLocalesW.KERNEL32(0017BFE3,00000001,00195B80,0000000C,0017B948,-00000050), ref: 0017C028

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: c72e836d3fc7b2251d1f9ccb57cdf43a58731c0e5e3479288b42145e5febe8ca
Instruction ID: 6ee0d8fc0416793f69be4fbf6029bf7b312e18f7185c90fc0d2c9be0357831ed
Opcode Fuzzy Hash: c72e836d3fc7b2251d1f9ccb57cdf43a58731c0e5e3479288b42145e5febe8ca
Instruction Fuzzy Hash: D8F04936A54304EFDB00EF98E842B9D77F0FB19B24F10811AF5059B6A0DB754940CF91

Function 001806D5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

EnumSystemLocalesW.KERNEL32(00180720,00000001,?,?,?,00180160,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 0018070C

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: cc84d31d807205b3de98cd6a8bd128f0831c46cd57f3fbeb6cad0538a5b40318
Instruction ID: 58613070e2dfbc33ac5ca236ed9a011fb334fc4ea576091a79d8662e9c8b800d
Opcode Fuzzy Hash: cc84d31d807205b3de98cd6a8bd128f0831c46cd57f3fbeb6cad0538a5b40318
Instruction Fuzzy Hash: 5BF0553A30020857CB15AF35D805A6FBFA0EFC5710B0A4058FA0A8BA80C371AD42CF94

Function 0017BA4C Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,001762F0,?,20001004,00000000,00000002,?,?,00175202), ref: 0017BA80

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d6f2d27332b45a412cd21db0d455f3510671372f65f196759b772b48e6e89767
Instruction ID: a0eff7a541d3463f29c14cc02e0dda466d2f840a9745f91dfee351a9ed516581
Opcode Fuzzy Hash: d6f2d27332b45a412cd21db0d455f3510671372f65f196759b772b48e6e89767
Instruction Fuzzy Hash: 6CE04F35948118BBCF226F61DC44FAE3F35EF44751F018011FD0A66620CB318961AA94

Function 0016E420 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000E541), ref: 0016E425

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eead723bb4c179a47c26c620112cf09ec73135c33422f9f1c6e63f34609004f4
Instruction ID: 445492a2ccb9c73a3074580a8ceb7b9f25784bd4b3a48a26dcc57937965d1c68
Opcode Fuzzy Hash: eead723bb4c179a47c26c620112cf09ec73135c33422f9f1c6e63f34609004f4
Instruction Fuzzy Hash:

Function 0017C705 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0017C705

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 401e6785f7462c4f3e0f5036a500d1bb2dd35a2a194b9957bca3f0b531f27636
Instruction ID: b863c944e43e052004547d0764bb56b137866e07f9493bf33cee514250d632b7
Opcode Fuzzy Hash: 401e6785f7462c4f3e0f5036a500d1bb2dd35a2a194b9957bca3f0b531f27636
Instruction Fuzzy Hash: 2EA001706412418B97608F36AA096193BE9AB46A99709886AA40AC6970EA2485929F15

Function 00161000 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d0c0165b79564ce5f3e34b1a9679780976f79f02631351f340488e6833bfce
Instruction ID: fe07c9cce0ed0dcd1f5828d06f7921fdfb467e92a77ae1a54712de34e419c8d0
Opcode Fuzzy Hash: e2d0c0165b79564ce5f3e34b1a9679780976f79f02631351f340488e6833bfce
Instruction Fuzzy Hash: 3C519AB0D1020DAFCB44DFA8C9919EEBBF4AB09350F24445AE815FB310D730AA51CB65

Function 00161690 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: defeef9732a767b2ebd5551748bf70b529e8807ad572411e0bbabec0eb56d855
Instruction ID: e47df16c3915be0a95ccfddab8442e55ea3fa18e9b28cdebe42ca4f3af8a2775
Opcode Fuzzy Hash: defeef9732a767b2ebd5551748bf70b529e8807ad572411e0bbabec0eb56d855
Instruction Fuzzy Hash: D0D06C3A655A58AFC210CF4AE840D41F7A8FB8D670B168066EA1893B20C231F811CEE0

Function 0018A1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00F64BD8,00F64BD8,00000000,7FFFFFFF,?,0018A19D,00F64BD8,00F64BD8,00000000,00F64BD8,?,?,?,?,00F64BD8,00000000), ref: 0018A258
__alloca_probe_16.LIBCMT ref: 0018A313
__alloca_probe_16.LIBCMT ref: 0018A3A2
__freea.LIBCMT ref: 0018A3ED
__freea.LIBCMT ref: 0018A3F3
__freea.LIBCMT ref: 0018A429
__freea.LIBCMT ref: 0018A42F
__freea.LIBCMT ref: 0018A43F

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 557ba8d19fe5ca26064f9bef0474d7b2bd2e760da2f946d036ac61bdcd5ae0bb
Instruction ID: 75ff680a1033c5c380287d0a5d75a6bb81894a693484e26374e849b399578c96
Opcode Fuzzy Hash: 557ba8d19fe5ca26064f9bef0474d7b2bd2e760da2f946d036ac61bdcd5ae0bb
Instruction Fuzzy Hash: 9A71D6729002495BFF31BF948C81FAE77BAAF59310F994057ED04A7281E7769E408B52

Function 0017DC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0017DD01

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction ID: a3409e0fe8cff2a3d82952f7e5276c1ac88a2b708465de5d6461f8dcce81bd24
Opcode Fuzzy Hash: cbff355201e6154b52781c3113966492e3c4af968235757aaf5a3f6f2afe1b0b
Instruction Fuzzy Hash: EBB169729043599FEB269F64DC82BBE7BB5EF65310F15C155E808AF282D770D901C7A0

Function 0016F7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0016F827
___except_validate_context_record.LIBVCRUNTIME ref: 0016F82F
_ValidateLocalCookies.LIBCMT ref: 0016F8B8
__IsNonwritableInCurrentImage.LIBCMT ref: 0016F8E3
_ValidateLocalCookies.LIBCMT ref: 0016F938

Strings

csm, xrefs: 0016F8CD

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: dda4d3b714c4451727524948c58de5d97d02b3f4e59b12879f942754c43e21b9
Instruction ID: ac73e63a21b135791a126e12b388ce9a057af7354a9efc242902c43c44cf5538
Opcode Fuzzy Hash: dda4d3b714c4451727524948c58de5d97d02b3f4e59b12879f942754c43e21b9
Instruction Fuzzy Hash: 4F41B530E00218ABCF10DF68DC85A9E7BB5BF45314F1481A9F8189B392D7319A66CB91

Function 0016EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0016EB22
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0016EB30
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0016EB41

Strings

kernel32.dll, xrefs: 0016EB1D
GetSystemTimePreciseAsFileTime, xrefs: 0016EB2A
GetTempPath2W, xrefs: 0016EB36

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 479e9e7f8ade7758d159055b25bbcd77bc699d630d1c023aae925d4d42a03134
Instruction ID: 1f310334e36ee2635114622063a2d1d6c6b2bd09142306443b3781af3d8eaa02
Opcode Fuzzy Hash: 479e9e7f8ade7758d159055b25bbcd77bc699d630d1c023aae925d4d42a03134
Instruction Fuzzy Hash: 21D09E355993616FC7019B71BC0DC963E95BF056153054857F412D39A0D7B409C18B98

Function 00188A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803fabb1cd05d4d42a0d1c1bc3c33dd7dc729704fa6df59c68383b8a3a56f3e0
Instruction ID: 0c44cd0f7a7b8d2efc7e81a9d95c4d2fea441d2faf107cab82061787b7908ed8
Opcode Fuzzy Hash: 803fabb1cd05d4d42a0d1c1bc3c33dd7dc729704fa6df59c68383b8a3a56f3e0
Instruction Fuzzy Hash: DAB1F870A04249AFDB15EF98C881BAE7BB1BF66314F544259E405A73D6CB709F42CF60

Function 00179AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00179AEB,0016F5BA,0016E585), ref: 00179B02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00179B10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00179B29
SetLastError.KERNEL32(00000000,00179AEB,0016F5BA,0016E585), ref: 00179B7B

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: d127dfd26a5808e25f5509aa14794e808b9c7a16d6b6ba1f94f8d8719daae074
Instruction ID: 6c52d9add583b84d2e175245d29bdf22187f0a0744a8e13963ce3bea0ecd8933
Opcode Fuzzy Hash: d127dfd26a5808e25f5509aa14794e808b9c7a16d6b6ba1f94f8d8719daae074
Instruction Fuzzy Hash: 1F014C32119A215ED72427B4BC85D5B2E76EB257B5730832BF41A634F1EF114C449654

Function 0017A3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0017A4DB
CallUnexpected.LIBVCRUNTIME ref: 0017A754

Strings

csm, xrefs: 0017A3F9
csm, xrefs: 0017A466
csm, xrefs: 0017A512

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 57db0ea9afc0ce5934c9abeeb133c687aabf93dee6bb9aba3a993ca08824c889
Instruction ID: ca1b0c2f666394e64ba5c5b2f05725f4b6a5c2507c63d8d765f285b35fc89919
Opcode Fuzzy Hash: 57db0ea9afc0ce5934c9abeeb133c687aabf93dee6bb9aba3a993ca08824c889
Instruction Fuzzy Hash: 89B1C171800209DFCF19DFA4C8459AEBBB5FFA4300F98855AF8096B212D731DA51CF92

Function 00174A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6CA949D0,?,?,00000000,0018B3E5,000000FF,?,00174B4A,00000002,?,00174BE6,00177849), ref: 00174ABE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174AD0
FreeLibrary.KERNEL32(00000000,?,?,00000000,0018B3E5,000000FF,?,00174B4A,00000002,?,00174BE6,00177849), ref: 00174AF2

Strings

CorExitProcess, xrefs: 00174AC8
mscoree.dll, xrefs: 00174AB7

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7fbae6647d508423e01b5a4769164dceaa0856a692a0ba631c612cc312cffacf
Instruction ID: fc0da82a0c2179fe30f8104dccffd625fa7100d6d55bb090d063f854399f7086
Opcode Fuzzy Hash: 7fbae6647d508423e01b5a4769164dceaa0856a692a0ba631c612cc312cffacf
Instruction Fuzzy Hash: DB016735944615AFDB119F90DC05FAE7BB8FB05B15F01452AF822A3A90DB749940CA94

Function 0017C516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0017C59B
__alloca_probe_16.LIBCMT ref: 0017C664
__freea.LIBCMT ref: 0017C6CB

Part of subcall function 0017AD61: RtlAllocateHeap.NTDLL(00000000,0017CD3A,?,?,0017CD3A,00000220,?,00000000,?), ref: 0017AD93

__freea.LIBCMT ref: 0017C6DE
__freea.LIBCMT ref: 0017C6EB

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: ae963b1085628f3b1d1e800e8ae2df63a143fe434f91459e8ce049b880cb9d2d
Instruction ID: 518ab9ac4859e9438970556b40772b94775846f62fca3f5cc61502edf86dbc4a
Opcode Fuzzy Hash: ae963b1085628f3b1d1e800e8ae2df63a143fe434f91459e8ce049b880cb9d2d
Instruction Fuzzy Hash: 0E51A072600246AFEB215FA4CCC1EAB7AB9EF58710B15812EFD08D7241EB71DD508AA0

Function 0016E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0016E8FB
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E91A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E948
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E9A3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E9BA

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 9bc850bce2c37f06b6782c0980a65f6a57962bfab0efb1278039bffd9726076d
Instruction ID: 599e3529820a982340eca09653fed4ac9caf9071b3a3e51be3a743968d551f06
Opcode Fuzzy Hash: 9bc850bce2c37f06b6782c0980a65f6a57962bfab0efb1278039bffd9726076d
Instruction Fuzzy Hash: E4416A39900606DFCB64DF69CC85A6AB3F4FF05318B204B2AE456D7A40D730E9A5CF51

Function 0016C054 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0016C05B
std::_Lockit::_Lockit.LIBCPMT ref: 0016C066
std::_Lockit::~_Lockit.LIBCPMT ref: 0016C0D4

Part of subcall function 0016BF5D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0016BF75

std::locale::_Setgloballocale.LIBCPMT ref: 0016C081
_Yarn.LIBCPMT ref: 0016C097

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7e4aec7e46184b51a4247e27b301f9172ff7c07840e5d0c1edf5fd1cc7bacc93
Instruction ID: c43a5d393bdf27296a18f042ec12b207865bc0e0003e8f40bf821c5ed7f75f6f
Opcode Fuzzy Hash: 7e4aec7e46184b51a4247e27b301f9172ff7c07840e5d0c1edf5fd1cc7bacc93
Instruction Fuzzy Hash: 7201DF7AA045149BCB06EB60CC85A7D7BB1FFA5710B150009F816973D1CF346EA2CBD1

Function 001852C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0018535D,00000000,?,00198180,?,?,?,00185294,00000004,InitializeCriticalSectionEx,0018F434,0018F43C), ref: 001852CE
GetLastError.KERNEL32(?,0018535D,00000000,?,00198180,?,?,?,00185294,00000004,InitializeCriticalSectionEx,0018F434,0018F43C,00000000,?,0017AA0C), ref: 001852D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00185300

Strings

api-ms-, xrefs: 001852E5

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4107f4b54c63a0257a0207e4e85bfdbff62d521590743b2e9b51b29a1de29bb8
Instruction ID: d535d5a07c71fb235aec92e5b13776e5ce268790aa2bab32520031cac8d012c6
Opcode Fuzzy Hash: 4107f4b54c63a0257a0207e4e85bfdbff62d521590743b2e9b51b29a1de29bb8
Instruction Fuzzy Hash: CAE0BF346C4705B7EF202B61ED06F693F9AFB10B96F144031FD0EA88E1D7A1E952DA48

Function 001830BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(6CA949D0,00000000,00000000,?), ref: 00183122

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00183374
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001833BA
GetLastError.KERNEL32 ref: 0018345D

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 396f5217f30c3633dd9f6b17b4a40107f514ee4036ec2e5cfa5c0c83b4595c32
Instruction ID: 184bfa09f4a82910ac59769a549c736b4d02a846a14e6b7b750b1347ae37f61b
Opcode Fuzzy Hash: 396f5217f30c3633dd9f6b17b4a40107f514ee4036ec2e5cfa5c0c83b4595c32
Instruction Fuzzy Hash: AAD17975D04248AFCF15DFA8D8809ADBBB5FF49714F28416AE826EB351E730AA41CF50

Function 0017A0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0017A1AA
___AdjustPointer.LIBCMT ref: 0017A1CD
___AdjustPointer.LIBCMT ref: 0017A269

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5062ea5513f3b3421f3b7f03a931c9d48c6ef85913f0584f6965633315ea3988
Instruction ID: 5fccbbc993a4323715f6c79e466e44e34548784f5ef17ecadeb217d2cab4ada7
Opcode Fuzzy Hash: 5062ea5513f3b3421f3b7f03a931c9d48c6ef85913f0584f6965633315ea3988
Instruction Fuzzy Hash: C651F4766012029FEB298F54D841B7E77B5FF94710FA4852DEC0A47292E732ED81CB52

Function 00180B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00180BEA
__dosmaperr.LIBCMT ref: 00180BF1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00180C2B
__dosmaperr.LIBCMT ref: 00180C32

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 3a9c15395a44a8bd879683782311b145e15539d59c36e26fbd53e037ea8ba96b
Instruction ID: 2f08896bfdfc44e4d0f00cdec96fe6e2d904c305c8abda965cb62438c6fa4778
Opcode Fuzzy Hash: 3a9c15395a44a8bd879683782311b145e15539d59c36e26fbd53e037ea8ba96b
Instruction Fuzzy Hash: 2121077160060DAF9B66BF65C881D6BB7A8FF19368B118658F81DD7211DB30ED448F90

Function 00171652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33c71d9e9c484c78022445af10e8da07e6e24e561b0a809ce77e6c582e120aa
Instruction ID: 68cc67a63eb0ce38b126c30c7434a6d28fa42c1fe0a2fceb559af8c1f75b53ae
Opcode Fuzzy Hash: b33c71d9e9c484c78022445af10e8da07e6e24e561b0a809ce77e6c582e120aa
Instruction Fuzzy Hash: 9B21F035300205BF8B24AF698C81C6B77BEAF91364724C928F81ED7650EB30EC5087A0

Function 00181F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00181F84

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00181FBC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00181FDC

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: bb47e932d403fba792c8b4ea4d22e4136e39619be7c7c5351cdfdebb27213c51
Instruction ID: 3d1468cdbade98e475c78b713d61f53e603f40d2f13973ced70232b6a05e8247
Opcode Fuzzy Hash: bb47e932d403fba792c8b4ea4d22e4136e39619be7c7c5351cdfdebb27213c51
Instruction Fuzzy Hash: 6F1104B25046197F663237F19C89C6F796CCF993A57510015F80692501FB34CE01DAB2

Function 00162A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00162A8D
GetCurrentThreadId.KERNEL32 ref: 00162A9B
std::_Throw_Cpp_error.LIBCPMT ref: 00162AB4
std::_Throw_Cpp_error.LIBCPMT ref: 00162AF3

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: c7efe88cf3ec949bad0401425f398e99257070e6e3cbe756ae329d70ecf18408
Instruction ID: 8b5a07670691df4629ac2ab7778f817d8cdffbe0a013febe4e7ab2f566fe2527
Opcode Fuzzy Hash: c7efe88cf3ec949bad0401425f398e99257070e6e3cbe756ae329d70ecf18408
Instruction Fuzzy Hash: 9B21E4B4E042098FCB08EFE8D9956AEBBF0AF58300F01845DE859AB391D7789950CF51

Function 0018A470 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000), ref: 0018A487
GetLastError.KERNEL32(?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?,?,?,00182DF7,?), ref: 0018A493

Part of subcall function 0018A4E4: CloseHandle.KERNEL32(FFFFFFFE,0018A4A3,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?,?), ref: 0018A4F4

___initconout.LIBCMT ref: 0018A4A3

Part of subcall function 0018A4C5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0018A461,0018993F,?,?,001834B1,?,00000000,00000000,?), ref: 0018A4D8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?), ref: 0018A4B8

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ee31d32c6e811f6287fd62a4ad3d324c89d5d590b1ed8fc18cd17c7c91198506
Instruction ID: b59335c61f22b0e5fd366e4cd70d1d9b43333922f8841926de1dfb4b51a4eec4
Opcode Fuzzy Hash: ee31d32c6e811f6287fd62a4ad3d324c89d5d590b1ed8fc18cd17c7c91198506
Instruction Fuzzy Hash: 88F01C36004615BBCF222F91EC08E893F66FF493A0B454412FA1D85561C7728A60AB95

Function 0016EFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0016EFB9
GetCurrentThreadId.KERNEL32 ref: 0016EFC8
GetCurrentProcessId.KERNEL32 ref: 0016EFD1
QueryPerformanceCounter.KERNEL32(?), ref: 0016EFDE

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4451e87df8e75570738c34cc5f7369a9436946c5d6196a0c6dac55ec3383025e
Instruction ID: 456e39e12d7e28bf6c0ce8805a5a05d42f292e719ebf5aebabfadcbac7b519fd
Opcode Fuzzy Hash: 4451e87df8e75570738c34cc5f7369a9436946c5d6196a0c6dac55ec3383025e
Instruction Fuzzy Hash: BEF0B270C0020CEBCB00DFB4CA4898EBBF4EF1C201B914996A412E7550E730AB85CB54

Function 0017F766 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(?,?,0017495A,001956B0,0000000C), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000), ref: 0017B059

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0017509A,?,?,?,00000055,?,-00000050,?,?,?), ref: 0017F825
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0017509A,?,?,?,00000055,?,-00000050,?,?), ref: 0017F85C

Strings

utf8, xrefs: 0017F92E

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 3431f15082daa31b6c50ae0553673a1ff369952e3799fac29c157e9ee2d1b352
Instruction ID: 96be2e30cd9257cdad28bf89086c105b7b993b768ccddbee8527567a457e826a
Opcode Fuzzy Hash: 3431f15082daa31b6c50ae0553673a1ff369952e3799fac29c157e9ee2d1b352
Instruction Fuzzy Hash: 2451D571604206BADB28BB748C46BB773B8EF14704F25843DF65D975C1FB70E94286A2

Function 0017A7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0017A6E1,?,?,00000000,00000000,00000000,?), ref: 0017A805

Strings

RCC, xrefs: 0017A81F
MOC, xrefs: 0017A817

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: df8df69f8264b48f9c99a1cda0bd4751bfd68850caa2cee774ee88011086c5d6
Instruction ID: 93fac7a6709b3984162cf0e6ffad9ca3d73613f38e11f0e5b2781d842994bde4
Opcode Fuzzy Hash: df8df69f8264b48f9c99a1cda0bd4751bfd68850caa2cee774ee88011086c5d6
Instruction Fuzzy Hash: 6B418B71900209AFCF16CF94CC81AEEBBB5FF88305F158169FA086B211D3359961DB52

Function 0017A04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0017A2C3

Strings

csm, xrefs: 0017A2E5
csm, xrefs: 0017A356

Memory Dump Source

Source File: 00000000.00000002.1299523777.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000000.00000002.1299499349.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299556829.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299575488.0000000000196000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299594769.0000000000197000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299614989.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1299634583.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 1b4171970dccfdbc97c9c0e369294896d83ede03063e3eab7fd7a7fb600a2aff
Instruction ID: 3e383eddc44ff943b044c2ff5f5e0d9ab797a6e01b5bc364450333e882a598c3
Opcode Fuzzy Hash: 1b4171970dccfdbc97c9c0e369294896d83ede03063e3eab7fd7a7fb600a2aff
Instruction Fuzzy Hash: E931CF72400218EBCF268F54C8408BE7B76FF8971AB98C15AF84C49221C336DCA1DB83

Analysis Process: J18uCKmoAw.exePID: 7748, Parent PID: 7648COMMON

Execution Graph

Execution Coverage:	1.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	33.8%
Total number of Nodes:	68
Total number of Limit Nodes:	3

Executed Functions

Function 00408600 Relevance: 14.4, APIs: 5, Strings: 3, Instructions: 351
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408624
GetCurrentThreadId.KERNEL32 ref: 0040862E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087FA
GetForegroundWindow.USER32 ref: 00408974

Part of subcall function 0040B7B0: FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
Part of subcall function 0040B7B0: FreeLibrary.KERNEL32 ref: 0040B7D7

ExitProcess.KERNEL32 ref: 00408A4A

Strings

}, xrefs: 00408913
b]u), xrefs: 00408877
}, xrefs: 0040890C

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b]u)$}$}
API String ID: 3676751680-2900034282
Opcode ID: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction ID: 3bf81113ce60e3950654fa87f9b5bc85db09618474996d7b9c4e13ef7b0d228f
Opcode Fuzzy Hash: 6a07f0384f71d87041b62ad58867324155b1be50ba3e74cb306905e4ea8226d7
Instruction Fuzzy Hash: C4C1E673E187144BC708DF69C84125AF7D6ABC8710F0AC53EA898EB391EA74DD048BC6

Function 0043E110 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044148A,?,00000018,?,?,00000018,?,?,?), ref: 0043E13E

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441720 Relevance: 1.4, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=<32, xrefs: 0044176D

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: =<32
API String ID: 2994545307-852023076
Opcode ID: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction ID: 3b6fc7dbca8d43659897c6c89a338d9db0430b3797e073dd088a6240ba40644d
Opcode Fuzzy Hash: 806326fabb1518b066f083a03506ad00710994454575a613e60301918d7e52c2
Instruction Fuzzy Hash: 7A314438608304ABF714AE159C91B3BB3A6EB85750F18852EE695573F1D738DC90878A

Function 00408A50 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction ID: c6ef65a4040eb9722264cce64ace65176086622d4161082164e2e1e487573ca7
Opcode Fuzzy Hash: de8a8dcc9c3ab3076e5cd776fb6cd32bc0718f272d39d571d2e216b7fbce9e89
Instruction Fuzzy Hash: E121C837A62B184BD3108E54DCC87917761E7D9318F3E86B8C9249F7D2C97BA91386C0

Function 00409D1E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 142
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409D98
LoadLibraryExW.KERNEL32(?,00000000), ref: 00409E78

Strings

CKI, xrefs: 00409E85

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: LibraryLoad
String ID: CKI
API String ID: 1029625771-2433779057
Opcode ID: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction ID: 9df50abc4230604fad3af689b86cbcfc4f62151ff32a39ed9a717dc759385280
Opcode Fuzzy Hash: 46ebf1f11a428727df2c69ed2ddcf1f0c4f78635cb5cf24ba122c25d2125fb43
Instruction Fuzzy Hash: 1041EFB4D003009FEB149F789992A9A7F71EB06324F5152ADD4902F3E6C635981A8BE6

Function 0043E34B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Strings

, xrefs: 0043E365, 0043E37C

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-3019521637
Opcode ID: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction ID: 528e16a96f9d9f00b26d3e5e14e5fe829b229e0aa49aafaba4eb36a7b6cd6e75
Opcode Fuzzy Hash: 1a0742d174ed02cdc22a72f35ed7972a2a7288d22f9a72e178f62dae787fe3a6
Instruction Fuzzy Hash: FA112B7AE418614BEF08CF39DC171AA77A2B3C5325B2D56B98816E32D0DA3C5C068A84

Function 0040EF53 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040EF57
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040F09C

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c72aef12464a92cc2c3f2d51aa4abadf574ffcca3a61543972ef4f2091f679da
Instruction ID: f51fb2f77ad80b64b0419191bf69b8e44a6001040ca864f0c8a1fa7d7adef59f
Opcode Fuzzy Hash: c72aef12464a92cc2c3f2d51aa4abadf574ffcca3a61543972ef4f2091f679da
Instruction Fuzzy Hash: 9341C6B4C10B40AFD370EF399A0B7137EB8AB05250F504B1DF9E6866D4E231A4198BD7

Function 0040EC77 Relevance: 3.0, APIs: 2, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040EC89
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040ECA2

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: fb62f50cd5accdd3f8c0e7536e39a1f07535dd0835aa916c8da64f7b89d0cef8
Instruction ID: 738adb6083984dd8bacecb44fa1de3dd99d04845307cbd3813f349a55eb87af8
Opcode Fuzzy Hash: fb62f50cd5accdd3f8c0e7536e39a1f07535dd0835aa916c8da64f7b89d0cef8
Instruction Fuzzy Hash: 8BE042783D97417BF6795B14ED57F143225AB86F26F304314B7253D6E58AE03201451D

Function 00437764 Relevance: 1.6, APIs: 1, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043779D

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction ID: 54b6fee0e0571655c33f26142f93ff03fb1190c0e218daea6acb4e94425ab4d3
Opcode Fuzzy Hash: bc18d378b5dd9222f1d4b2f2bf41a228d576f499a8aff68b17f4869370526a21
Instruction Fuzzy Hash: 0C31E472A466418FD7158B78C8837ADBBE28BD5314F0A80AEE459C73A2D9388942CB10

Function 0043E3A9 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E3BA

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction ID: 5efd1ee9a03ea3c3eb0c12d762aaad34ed982eea5bb01117e5cc31371429f0ae
Opcode Fuzzy Hash: 0e9d24a3901733470457e1249cc7f7470b5df7d452cc394c81079ce9d69cb8f4
Instruction Fuzzy Hash: 29F0A0FEE805528FDB04CF55EC5446533A3B7D930631D8479D501A3229DE74A902DA45

Function 0043C570 Relevance: 1.5, APIs: 1, Instructions: 15
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043E0F9), ref: 0043C590

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4ca71c55d9fe9b281f7981d367328e1df5632f63ab8c1559b6560bf0dd0d3b5a
Instruction ID: b893ccae00c0100e086c015fd95e4a651a52546402759b79cf5975c20580b1f3
Opcode Fuzzy Hash: 4ca71c55d9fe9b281f7981d367328e1df5632f63ab8c1559b6560bf0dd0d3b5a
Instruction Fuzzy Hash: 28D01231815232FBC6102F28BC05BCB3B54DF5A321F0708A2F404AB075C764EC91DAD8

Function 0043C55B Relevance: 1.5, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043C561

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction ID: acefbe7e0d7c30d89c71afa01d78d71c03f6ee103d6cd382e15fa3716b8bb47b
Opcode Fuzzy Hash: 1e4e484f05b9e0d440bcaef072417b378b3908eb1398e6cf47b9ef0a4f9b27b4
Instruction Fuzzy Hash: 13A012310401109AC5111B10BC08FC53E10DB05221F020051F000040B28260C841C584

Function 0040DDBB Relevance: 1.3, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0040DDC3

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 0a614a96431d9d701f40230e0772b67ec7475a12848427324b9a6d407e3c9b36
Instruction ID: 5bb00a4b7ef97e9f22d5c03d32b859c0f98b2e4320e2e689d4767ab94f51e1d5
Opcode Fuzzy Hash: 0a614a96431d9d701f40230e0772b67ec7475a12848427324b9a6d407e3c9b36
Instruction Fuzzy Hash: BBC0807C61C0018BC708D731EC2643732569F8B34D724443ED40785357DB7465114A4D

Non-executed Functions

Function 00422E6D Relevance: 50.5, APIs: 3, Strings: 25, Instructions: 1504COMMON

Download Yara Rule

Strings

Q*RG, xrefs: 00422F5F
9#', xrefs: 00423040
=]=_, xrefs: 00423D0E
+A#C=]=_, xrefs: 00423F9D
R03!, xrefs: 00422F77
I, xrefs: 00423048
~SS}, xrefs: 00422F37
rp, xrefs: 00423FF3
_^]\, xrefs: 00422EA5
p7B, xrefs: 004238C0
V], xrefs: 004231FA
JOSP, xrefs: 00422F6F
_^]\, xrefs: 00423695
Fm, xrefs: 004231F2
wdnf, xrefs: 00422F07
].n^, xrefs: 00422F57
pancakedipyps.click, xrefs: 004233BD
eN, xrefs: 004241BA
- $f, xrefs: 00423038
s, xrefs: 00422FCA
%", xrefs: 0042334A
g}zh, xrefs: 00422F27
CNF8, xrefs: 00422F3F
8]pY, xrefs: 00422EFF
"7B, xrefs: 00423719

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: "7B$%"$+A#C=]=_$- $f$8]pY$9#'$=]=_$CNF8$Fm$I$JOSP$Q*RG$R03!$V]$].n^$_^]\$_^]\$eN$g}zh$p7B$pancakedipyps.click$s$wdnf$~SS}$rp
API String ID: 0-1637947137
Opcode ID: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction ID: c461727374bb2b2ad86d2c2bcda0cf258ef6ef710b96b519a2ac6f34890c1cf1
Opcode Fuzzy Hash: e7edffdd5fd14d72b39b69682efa331384b3f5ec70a2e9e708273cc4b8c2f64b
Instruction Fuzzy Hash: 4CB241B5A08311CFD714CF29D8816ABBBF2FF86310F19856DE4859B391D7389902CB96

Function 00433E30 Relevance: 33.4, APIs: 6, Strings: 13, Instructions: 116clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433E44
GetClipboardData.USER32 ref: 00433E5F
GlobalLock.KERNEL32 ref: 00433E78
GetWindowLongW.USER32 ref: 00433ED7
GlobalUnlock.KERNEL32 ref: 00433FA9
CloseClipboard.USER32 ref: 00433FB4

Strings

-, xrefs: 00433F1F
L, xrefs: 00433EFC
;, xrefs: 00433F0B
q, xrefs: 00433EE8
(, xrefs: 00433F1A
', xrefs: 00433EED
6, xrefs: 00433F10
I, xrefs: 00433F06
5, xrefs: 00433EF2
*, xrefs: 00433F24
8, xrefs: 00433F01
=, xrefs: 00433EF7
}, xrefs: 00433F15

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: '$($*$-$5$6$8$;$=$I$L$q$}
API String ID: 2832541153-2064290267
Opcode ID: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction ID: e1340490ca777862a7890bfc042d0e04e3e37fcf4304b8f7f5516f793469ed24
Opcode Fuzzy Hash: e5da5b9a56329a51e64cc872523e0dfe2627c190021f4751e0eab4ab2fc29bc9
Instruction Fuzzy Hash: E0417FB150C3818ED301AF78958835EFEE0AB89319F04497EE4C987292D7BD8689C757

Function 004239B9 Relevance: 18.3, APIs: 3, Strings: 7, Instructions: 821COMMON

Download Yara Rule

Strings

eN, xrefs: 004241BA
rp, xrefs: 00423FF3
p7B, xrefs: 004238C0
_^]\, xrefs: 00423865
":B, xrefs: 00423A0E
=]=_, xrefs: 00423D0E
+A#C=]=_, xrefs: 00423F9D

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: ":B$+A#C=]=_$=]=_$_^]\$eN$p7B$rp
API String ID: 0-2092896893
Opcode ID: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction ID: 182eaf4e6841349a8ef13573fe29d1f0c1c004a6e50f6283d231cbe69a191b93
Opcode Fuzzy Hash: ed0750c71e1987e5a6d7bbb2feff7f6cba7481729a1a1e0e14759066178fedbc
Instruction Fuzzy Hash: 594267B5B04211CFD714CF28D8816AABBB2FF8A311F1A81BDD4459B395D738D942CB85

Function 00411D2B Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 479COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL ref: 00411EC3

Strings

[, xrefs: 004121EB
8, xrefs: 00411EEA
|, xrefs: 00412267
a, xrefs: 004121E6
?, xrefs: 00411EE2
p, xrefs: 00412095
L, xrefs: 00411D8F
^, xrefs: 00412034
y, xrefs: 00411EF2

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 8$?$L$[$^$a$p$y$|
API String ID: 237503144-3949209405
Opcode ID: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction ID: f3e99263922766072051b57ffb7fb6feee41006b6636dbb619e47a4599fab130
Opcode Fuzzy Hash: 4a8879f59250b1b40dd97a34ff5c93777886415510556bea7e1a63f8662ddf82
Instruction Fuzzy Hash: 3512A17160C7808BC324DB38C5913EFBBE1AF85314F184A2EE9D9D7392D67898858B47

Function 00427740 Relevance: 16.6, Strings: 13, Instructions: 338COMMON

Download Yara Rule

Strings

O=q?, xrefs: 00427F6D
f!V#, xrefs: 00427F78
Z)o+, xrefs: 00427F8E
}9F;, xrefs: 00427F62
s1z3, xrefs: 00427F4C
!A/C, xrefs: 00427FD0
1Q>S, xrefs: 00427FA4
r, xrefs: 0042831A
S%g', xrefs: 00427F83
$Y)[, xrefs: 00427FBA
}5x7, xrefs: 00427F57
P-X/, xrefs: 00427F99
DE, xrefs: 00427FDB

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: !A/C$$Y)[$1Q>S$DE$O=q?$P-X/$S%g'$Z)o+$f!V#$r$s1z3$}5x7$}9F;
API String ID: 0-3413813421
Opcode ID: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction ID: 5d18dcd57d5afae5d2d04a22ff7efa295b4e1cb49f3d19f2d9ec184adb64bcbb
Opcode Fuzzy Hash: 458a8bf2b899d5374d71cf77dcf3c349152665624c54811c7463cc9c4c7509d7
Instruction Fuzzy Hash: FBC1DFB460C3418FE724DF25D85176BBBF1EF81304F05496DE5998B3A2D7388906CB9A

Function 0041C8A0 Relevance: 15.6, Strings: 12, Instructions: 585COMMON

Download Yara Rule

Strings

wt, xrefs: 0041CB3E
a`|v, xrefs: 0041C8A1
\701, xrefs: 0041CF0C, 0041CF03
4UW, xrefs: 0041CCE0
uvw, xrefs: 0041CA0A
*", xrefs: 0041CE7A
AC, xrefs: 0041CCF8
pv, xrefs: 0041CB36
MO, xrefs: 0041CD10
\701, xrefs: 0041CF55
"nl, xrefs: 0041CC10
#M%O, xrefs: 0041C9FA

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: "nl$#M%O$*"$4UW$\701$\701$a`|v$wt$AC$MO$pv$uvw
API String ID: 0-635595044
Opcode ID: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction ID: cacfe30d0b9b21159c86ccf72fc2d8f2746876e9854ab90a0990479cac9f29fc
Opcode Fuzzy Hash: 667693208df0268b9ec092dcfe9b45baca584c7d5a41cd89dd0410bc245c86b8
Instruction Fuzzy Hash: 8902F3B594C3008BC7049F29D8916ABBBF1EFD2314F15892DF4C59B351E238DA49C79A

Function 0041EB80 Relevance: 12.1, Strings: 9, Instructions: 812COMMON

Download Yara Rule

Strings

Yxqs, xrefs: 0041EEC8
AL, xrefs: 0041EF3D
t|f, xrefs: 0041EE88
hch&, xrefs: 0041EEA8
CPm5, xrefs: 0041EEE0
uvqs, xrefs: 0041EEC0
, xrefs: 0041F25F, 0041F26A, 0041F29C
f>mI, xrefs: 0041EED0
O}nl, xrefs: 0041EED8

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: AL$CPm5$O}nl$Yxqs$f>mI$hch&$t|f$uvqs$
API String ID: 0-1556426300
Opcode ID: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction ID: 72dbec98d39b44e021400b4b3f7dd457a245ac0fe219d5a174d4001ed2214f73
Opcode Fuzzy Hash: 735fdd800c882bc2084322a437c9c924766bb235598593207dd1441ed3ed4d6f
Instruction Fuzzy Hash: 0252467050C3918FC721CF25C8406AFBBE1AF95314F144A7EE8E45B392D739994ACB9A

Function 0042B980 Relevance: 10.3, Strings: 8, Instructions: 329COMMON

Download Yara Rule

Strings

pMC@, xrefs: 0042BC3A
AZDH, xrefs: 0042BC44
47:, xrefs: 0042BBD6
" , xrefs: 0042BC08
nV[k, xrefs: 0042BC30
UXWZ, xrefs: 0042BC26
220, xrefs: 0042BBE0
:/', xrefs: 0042BBFE

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 47:$ " $220$AZDH$UXWZ$nV[k$pMC@$:/'
API String ID: 0-3711047884
Opcode ID: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction ID: 65e572282dc53975798f39d0df5fbe4ea82dc72bdd677536ff169635eb849b4a
Opcode Fuzzy Hash: a4c9283d45bc98dcba5f61ed0453037d099fbeaad371f82cb7e9938c9b68f646
Instruction Fuzzy Hash: 46C169B4904B819FD320AF3A95467A3BFF0EB06300F444A5ED4EA4B795E735601ACBD6

Function 0041747D Relevance: 10.0, APIs: 4, Strings: 1, Instructions: 1238COMMON

Download Yara Rule

Strings

_^]\, xrefs: 004175C5

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction ID: 53d5d62a5b06f007e29734ec6a967500c823bb8f017ec32fffb38b320ea18f22
Opcode Fuzzy Hash: b96ce21cf214a16ae07447a79efeb4cc0916feeea9f87c928e3a685268b8bebc
Instruction Fuzzy Hash: CC8234715083518BC724CF28C8917ABB7F1EFCA324F198A6DE8D5973A5E7388845C746

Function 00418B1B Relevance: 9.7, Strings: 7, Instructions: 994COMMON

Download Yara Rule

Strings

/, xrefs: 004192BA
_^]\, xrefs: 00419425
_^]\, xrefs: 00419115
_^]\, xrefs: 00418B44
_^]\, xrefs: 00418F25
_^]\, xrefs: 00418DE5
BVLm, xrefs: 0041902A

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: /$BVLm$_^]\$_^]\$_^]\$_^]\$_^]\
API String ID: 2994545307-2892575238
Opcode ID: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction ID: 8a47e0abde06d641331a8f2ba33a8f9f198beecf63cce3fe2238518d353f80c2
Opcode Fuzzy Hash: 6e5268ea999838320bcd053c9cc8e9dfea5d0472b35df6685e8a938bf7b93b82
Instruction Fuzzy Hash: F5325AB56083408BD718CB348CA17BBB7D2FBD6314F19593DD0D6872A2DB398D428B5A

Function 001807C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00180198,00000002,00000000,?,?,?,00180198,?,00000000), ref: 00180860
GetLocaleInfoW.KERNEL32(?,20001004,00180198,00000002,00000000,?,?,?,00180198,?,00000000), ref: 00180889
GetACP.KERNEL32(?,?,00180198,?,00000000), ref: 0018089E

Strings

OCP, xrefs: 0018081B
ACP, xrefs: 001807E5

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 257d02d5985575ebf89800a6ede6e19ec21984490d617de15e3c492a2b610ba8
Instruction ID: 87a86d9942b2df6449f418e2899a47db4fe9008899c78068a3d98406eccd960d
Opcode Fuzzy Hash: 257d02d5985575ebf89800a6ede6e19ec21984490d617de15e3c492a2b610ba8
Instruction Fuzzy Hash: 4C21D622F00108AADBB6AF54C940A9773A6EF5AB50B578024E80AD7114E732DFC5CBD0

Function 00426D2E Relevance: 8.0, Strings: 6, Instructions: 482COMMON

Download Yara Rule

Strings

uYD\, xrefs: 00426E3D
\R, xrefs: 00426DAC
_^]\_^]\, xrefs: 00427064
rqB, xrefs: 0042715F
X^, xrefs: 00426DA5
PV, xrefs: 00426DB3

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: _^]\_^]\$rqB$uYD\$PV$X^$\R
API String ID: 0-1627709806
Opcode ID: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction ID: 5825545f21314853fe0769d62852bd8f916bf307171877822417e4e5256747d8
Opcode Fuzzy Hash: 3df9218c4e884d0bc4ea657edaa843c97e8fa3da6c91276e4a67d9cf42d70f5f
Instruction Fuzzy Hash: 42F1EEB5E04318CFDB14CFA9D8816AEBBB1FF49304F18446DD642AB351D779A902CB98

Function 0040AB40 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

Y2^0, xrefs: 0040AC7B
HYZF, xrefs: 0040AE40
]><, xrefs: 0040AC83
UMAG, xrefs: 0040AEF0
HYZF, xrefs: 0040B07E, 0040B075, 0040AE05
>, xrefs: 0040AB5E

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: >$HYZF$HYZF$UMAG$Y2^0$]><
API String ID: 0-2666672646
Opcode ID: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction ID: 560480d45fa7c8791f5dd325a32e0fd9eca2933a49feb221361dc50e24506aec
Opcode Fuzzy Hash: 32375935e6ef412caa3837e9f6c66e3b8adf22c54bae03c550ad84a2513a055e
Instruction Fuzzy Hash: 38E12A7674C7504BD324CF6888512AFBBE2DFC1304F18893EE5E5AB385DA798905878A

Function 00180062 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(00000000,?,0017D392), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000,?,?,00000028,00177816), ref: 0017B059

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 0018016A
IsValidCodePage.KERNEL32(00000000), ref: 001801A8
IsValidLocale.KERNEL32(?,00000001), ref: 001801BB
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00180203
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0018021E

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 52611096de8d26cabdc51ea8537bd47a5311b410d76340864207c3479976f69c
Instruction ID: 66a383107b075cfb7d6571b24267ae32d0a9fe295c5e7d8b7e7172414bf0b967
Opcode Fuzzy Hash: 52611096de8d26cabdc51ea8537bd47a5311b410d76340864207c3479976f69c
Instruction Fuzzy Hash: 49518071A00209AFDB52EFA4CC89ABE73B9BF18700F154429F905E7190E7B0DB488F61

Function 004281CC Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 593COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

LF7Y, xrefs: 00428951
_^]\, xrefs: 00428A15

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction ID: 00d2ad6f27f0b0783341daf9d6c4bd9e01a02a9b0560c8c7bc353a94b2bfb0e2
Opcode Fuzzy Hash: 26de5ca542a2a6977b9e84e77be44b5ac01a7d5cb18c837ff72e8e2a41646e8e
Instruction Fuzzy Hash: 90221375A08351CFD3248F28E88072FB7E1BF8A310F194A7DE995673A1D7349912CB5A

Function 004283D8 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 542COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004284BD
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 004285B4

Strings

LF7Y, xrefs: 00428951
_^]\, xrefs: 00428A15

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: LF7Y$_^]\
API String ID: 237503144-3688711800
Opcode ID: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction ID: 9e148bf222026bc2ff09e9b78a5b6d6e6f400f6959469ba780e6b53d717f86de
Opcode Fuzzy Hash: d13f070fd010028f18266c39e4bf0995e2ea579b86d440724d5feb7531688b93
Instruction Fuzzy Hash: F812F175A08351CFD3248F28E88071FBBE1BF8A310F194A6DE995673A1D734D942CB5A

Function 0043CDF0 Relevance: 6.9, Strings: 5, Instructions: 697COMMON

Download Yara Rule

Strings

f, xrefs: 0043D081
_^]\, xrefs: 0043CE29
fiP, xrefs: 0043D2CF
_^]\, xrefs: 0043D006
jiP, xrefs: 0043D301

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\$_^]\$f$fiP$jiP
API String ID: 2994545307-2734853458
Opcode ID: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction ID: 745ca490046a6ac68c59f9825e457d0a566b3cc6b4523f93947a3945e487c19a
Opcode Fuzzy Hash: 02867def88f330cc357aa33e98f5089401e16d469949ca3e2fbae4f2ba5b0f1e
Instruction Fuzzy Hash: 972213B1A0C3029FD718CF29D89072FBBE2ABD9314F189A2DE4D597395D634DC418B4A

Function 00418169 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

2h?n, xrefs: 004183A0
SP, xrefs: 00418396
gfff, xrefs: 00418458
7, xrefs: 00418419
^`/4, xrefs: 004181E1

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 2h?n$7$SP$^`/4$gfff
API String ID: 0-3257051659
Opcode ID: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction ID: 27920faaac780ccf3f5efe4f99c0b1a63c78e90bde3d2871b705a1280bebe65e
Opcode Fuzzy Hash: e0427b1a9b77ff7e65e449d5ce122ac57cd39ae6c2270757774d7d10ffd74788
Instruction Fuzzy Hash: 59A14876A143504BD314CF28C8517AFB7E2FBC5318F198A3EE895D7391EA3889428786

Function 00178D90 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction ID: 2084d79a976a85b72cdaed8429f3e8bc7625230f20d298c660af63727de2dff4
Opcode Fuzzy Hash: db70b6725760ee1e7b0c82764c85399648d13b1201e1b058b4d747cb3a019c3f
Instruction Fuzzy Hash: 0B024D71E012199BDF14CFA9C8846AEFBF5FF48314F258269E519E7381D731AA05CB90

Function 00180DA9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00180E99

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 2414ce650eede987cda66207a25f8d866202811c9df9f8cd129af2a06fdfc094
Instruction ID: f5344d5a3350a4ed09b6883923b3a94bf022716d504c4a1b3416c3676a150472
Opcode Fuzzy Hash: 2414ce650eede987cda66207a25f8d866202811c9df9f8cd129af2a06fdfc094
Instruction Fuzzy Hash: 1771B07294515C6FDF72AF688C89AAEBBB8AF09300F5481D9E009A3251DB315F898F10

Function 0016E42C Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0016E438
IsDebuggerPresent.KERNEL32 ref: 0016E504
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0016E51D
UnhandledExceptionFilter.KERNEL32(?), ref: 0016E527

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4e26eae05ae8d6d4e3e5ea755fa482ab7c3a9b9e69b09bd663f3b4f605849cdf
Instruction ID: 6b769f7eb07212d64edeab959bf85b22377bdf5bed66270f04ba8fa459b9275a
Opcode Fuzzy Hash: 4e26eae05ae8d6d4e3e5ea755fa482ab7c3a9b9e69b09bd663f3b4f605849cdf
Instruction Fuzzy Hash: 0931F5B9D052189BDF20DFA5DD49BCDBBF8AF18300F1041AAE40DAB250EB719A85CF45

Function 004291AE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?), ref: 004291DA

Strings

wpq, xrefs: 004292B7
+Ku, xrefs: 004292AF

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +Ku$wpq
API String ID: 237503144-1953850642
Opcode ID: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction ID: 7bb714cd0adbe8f34d65affdf2b55708b4274e5c8486b9e210027d19f02d6b7d
Opcode Fuzzy Hash: dd00e6cff4bb86df55339bea6a97020402cd2a79317d379f18720dc196f8341f
Instruction Fuzzy Hash: 6F51CE7220C3528FC324CF29984076FB7E2EBC5310F55892EE5D9CB285DB34D50A8B96

Function 004348C2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00434910
GetSystemMetrics.USER32 ref: 0043491F

Strings

, xrefs: 004349F3

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction ID: fc399c5893f09ab22ce38e0ca23dce90b2d9510c132352c7ff6b67ebebce5796
Opcode Fuzzy Hash: e2dbdaae214771375078ea694cbe3190168a6d9690373aa5dbc97004a2b0131a
Instruction Fuzzy Hash: 725160B4E142089FCB40EFACD98569DBBF0AB48710F11852EE898E7350D734A944CF96

Function 004290D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00429170

Strings

M/(, xrefs: 0042913D
M/(, xrefs: 0042919E

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: M/($M/(
API String ID: 237503144-1710806632
Opcode ID: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction ID: a6fe4633539d009e024b46cdafe5f934a4e6010abeff1ae95be2d2e31fad33eb
Opcode Fuzzy Hash: ff58c78b0b27bbba40667f193cd225ec620092edf491b3be0aa44738014710da
Instruction Fuzzy Hash: 9E21017165C3615BE714CE34A88579BB7AAEBC2700F01892CA0D1AB2C5D679880B8756

Function 0042A5B6 Relevance: 5.1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

Strings

i, xrefs: 0042A5CD
VN, xrefs: 0042A5C6
i, xrefs: 0042A527
VN, xrefs: 0042A520

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: VN$VN$i$i
API String ID: 0-1885346908
Opcode ID: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction ID: 20de38ffdec1ef662448aae0f94b74d237ba66483fbda11b24aa8be7d4a8abcc
Opcode Fuzzy Hash: f2560a5eb87e48c54c403f4c235dd9b7370a68364d9f3f272869781b585ee5e7
Instruction Fuzzy Hash: B721F6212083918BD3058E6590402A7BBE3AFC6318F684A5FD8F15B395E63BC94A875B

Function 00414CA0 Relevance: 4.8, Strings: 3, Instructions: 1046COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00415380
_^]\, xrefs: 00415715
7UA, xrefs: 00415528

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 7UA$D]+\$_^]\
API String ID: 0-3619184598
Opcode ID: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction ID: 9cee455d72e7dd9915cda87ad3665199875abe0b71a1f7719e3c07a7155446ef
Opcode Fuzzy Hash: 2e0cd4d93215bffa60c50a2cc29c154bb915ce2da521f1faa8d3ae08ee25634b
Instruction Fuzzy Hash: E4524474608300DBE704DF28EC527BBB3A1FB86314F19493DE586973A1E7399981CB5A

Function 0042D17D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(1A11171A), ref: 0042D2A4

Strings

ou, xrefs: 0042D2A4

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: ou
API String ID: 3664257935-3837949563
Opcode ID: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction ID: 8c0201977aaad96103e3db66e91fe0e05dd0d7e7661fbda8aa4fd031d2e77fc5
Opcode Fuzzy Hash: 78db4c3670b02004b5ce09dd30d6be68ef6f26a73c645ae10e47e490a35e64f0
Instruction Fuzzy Hash: 1B41F3706043828BE3158F34D9A0B63BFE0EF57318F28869DE5D64B393D63998068769

Function 00440D20 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

@Ukx, xrefs: 00440F53
, xrefs: 00440DC3, 00440EAB

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: @Ukx$
API String ID: 2994545307-3636270652
Opcode ID: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction ID: 03a383fb22d51b403848371ba2a4540fe2b40c56cab5129fcdd4839ce92f9fe8
Opcode Fuzzy Hash: 68fd1405b344facc4b0026b9fe161e78bdc877d3fcaeb6f8274981348c185207
Instruction Fuzzy Hash: DDB17833B083104BE728CE28DCD22BBB792EBC5314F19C93DDA9657395DA399C458786

Function 00409780 Relevance: 2.9, Strings: 2, Instructions: 420COMMON

Download Yara Rule

Strings

A, xrefs: 00409922
1, xrefs: 00409A7B

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 1$A
API String ID: 0-719046165
Opcode ID: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction ID: e807b6bde7ca49dc404e07dafbff5fc9189e5662c362ff5d9520ac40bf6a6c7c
Opcode Fuzzy Hash: bd1ee34c9fa08e29029345848de4dd2afdd75f18fa78b65bf56a6416e37b6555
Instruction Fuzzy Hash: 41D1E4B55083508BD718DF24C8517ABBBE1FFC5318F08896DE4D99B382DB389906CB96

Function 00422830 Relevance: 2.9, Strings: 2, Instructions: 411COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00422C05
C@, xrefs: 0042285E

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: C@$_^]\
API String ID: 0-1259475386
Opcode ID: e06a379b46e52741ffd7a8eb9d43fc02087815218cdea83b303c67149d7ce589
Instruction ID: 97f681d162b0ce7800c7d58e7d4b110804466645679b58dd264a8ebd8314ce09
Opcode Fuzzy Hash: e06a379b46e52741ffd7a8eb9d43fc02087815218cdea83b303c67149d7ce589
Instruction Fuzzy Hash: A2B149A1B083206BD714DF25995273BB3F1EFD1324F59892EE88697381E27CE941835A

Function 00429739 Relevance: 2.8, Strings: 2, Instructions: 308COMMON

Download Yara Rule

Strings

,7, xrefs: 00429786
(. 7, xrefs: 0042977E

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: (. 7$,7
API String ID: 0-1315767106
Opcode ID: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction ID: aca24a6d404cff65d8132a2c5354bf9a6b34cab982d47b5a163a498561acaf8d
Opcode Fuzzy Hash: 3dc14f1719d0dcaf1c8e7808f16df868dad44d99b75b9089029e889b2ab59045
Instruction Fuzzy Hash: 73A1DFB190C3519FC714DF25D85262BBBE2EF86314F44892DF4D58B392E738A841CB5A

Function 0041B8F6 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

EWC`, xrefs: 0041BD43

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: EWC`
API String ID: 0-1922773688
Opcode ID: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction ID: 3092ec9d695e803f581415aef64df2e1d782c7e4da9fd3e94958caedbaf0e785
Opcode Fuzzy Hash: 96f336dbcf29f94cd9f9a1eaede8d54ada638bb942813ff3d340c66f321929fb
Instruction Fuzzy Hash: 20D11F746047028BC3358F28C4A26A3BBF2EF96304F18542ED5C78BB91E739E846C794

Function 0042D34A Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

><+, xrefs: 0042D353

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: ><+
API String ID: 0-2918635699
Opcode ID: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction ID: 444f218a8ad5829191449d1546b31e79214a0b4c0f4cfb8ef7368535fe843fa0
Opcode Fuzzy Hash: 3980c0afaf6dac2d4ca75895f3ce9cc4aa60152e4397ff49cad2d9ebd5e9afb7
Instruction Fuzzy Hash: 72C1E575A047418FD725CF2AD490762FBE2BF9A310F28859EC4DA8B752C739E806CB54

Function 0042B170 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 0042B458

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction ID: f2fd7e02527a425c6081b095c58e6bcd0ab65349b2e1505f4c1e2091d8d38838
Opcode Fuzzy Hash: d05c80c795993c871168dd86f7d1ea5d1d218413b04f758d20a6faf4e3c25647
Instruction Fuzzy Hash: 82C15872B043256BD711CE25E49076BB7D5EF84314F98892FE8958B382E738EC4487DA

Function 00429E80 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429F6C

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction ID: 56439e7850811f5116bb8c84f174b1b770b1ea540e4d3f3412480b83843e5581
Opcode Fuzzy Hash: bf0f97b787aa3901fc489b07fc1f7d675bb90a5acac53e645be6843c85619458
Instruction Fuzzy Hash: B141C1B454C341CFD3109F20A98166BBBF4EB86718F10487DE5969B292D735E507CB8B

Function 00416F52 Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

t, xrefs: 004170C9

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: t
API String ID: 0-2238339752
Opcode ID: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction ID: 1cd3e92b5432f2ec1c5279b22e8dfdc45cf82fdb07faf4288aa06f6d08a0fcad
Opcode Fuzzy Hash: 039beb9b53b4255e9ee2e6f2bbcbd7cde69c3a8df900983a1a0d2cd4bed9f5c8
Instruction Fuzzy Hash: 15B187B05093818BD3358F25C9A13EBBBE0EFDA304F04896DD9C94B391EB395546CB86

Function 00427440 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00427465

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction ID: 2cadfa6051f0cea8981a5c3a8346752ded914f405fdfafbc00b99242be117cb3
Opcode Fuzzy Hash: b4c7d66211ae49d8fd9eccf31c03fcf250aa2d1c5501d05c3c86452f57ff21d1
Instruction Fuzzy Hash: 1A714B75B0C3205BD7149B29EC9273BB7A1DF86318F58843EE58697382E23CDC45835A

Function 00425F1B Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00425F89

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction ID: 4542599af833d18a30e416191cc565c9845a3175e58f9edfc757ba35f46fda4c
Opcode Fuzzy Hash: 18627fe42d59fa6849b5f8a45ac1d7137aaf139f75de676eaf8c8d08dd2ee1c0
Instruction Fuzzy Hash: 8F714775A0C3508BD324CF68D89166BB7E1EFC5304F59486DE8C597362EB789842CB8A

Function 0043CA40 Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

_^]\, xrefs: 0043CC20

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: _^]\
API String ID: 2994545307-3116432788
Opcode ID: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction ID: 696eb795723ead0f6ba9be3735fd8be620dffa71c9a4400ef3d7ad22a9e3dc13
Opcode Fuzzy Hash: a83dfb6a84884be77bbdeb245f1cea9c60f563621f19ebf7a2bdccf3372ac9f2
Instruction Fuzzy Hash: C2712871A043014FDB1CDF28CCE162FBB92EB8A710F19A63EE496E7395D6349C418789

Function 0042C0E6 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction ID: 81471823a485b6705c349d61d83959a7e20011983708bf5e147628ffe1b1dd5e
Opcode Fuzzy Hash: 8fff828ef7096bc6de3c5e3531ef3bcfddfa3f41189f47e61279592947ff70fd
Instruction Fuzzy Hash: DE51F625604B904BD729CB3A98513B7BBD3ABDB310B58969EC4D7C7786CA3CE4068B14

Function 0042C09E Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

N&, xrefs: 0042C173

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: N&
API String ID: 0-3274356042
Opcode ID: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction ID: e5864593d1339f498270878ef60363620a1941cd2fe9c21c7a7607c55bfa5eb6
Opcode Fuzzy Hash: 09941e67317fc8cb3ce7ea217b500117e96f00fb937d19bfefd61d270a526b4e
Instruction Fuzzy Hash: B2512925604B904AD729CB3A98513B77BD3AF9B310F9C969DC4D7C7B86CA3C94028B15

Function 00441160 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

@, xrefs: 0044123B

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction ID: 1aa89e2f6171c8b600b289c24d78a6f9a5b4d57d8403bbd31509dc912f19ad9e
Opcode Fuzzy Hash: 1bf28d208f4d471862e62771911b4b91396caa8be407dd285211548932c35c82
Instruction Fuzzy Hash: 0D4123B19043109BE714CF54CC56B7BBBA1FFD5354F088A2DE5855B3A0E3799844C78A

Function 0042C465 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

AB@|, xrefs: 0042D9F4

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: AB@|
API String ID: 0-3627600888
Opcode ID: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction ID: 9d680adfff61346dbcddf561b221a097d06f6077c5c56bfff523f23a55ee5db6
Opcode Fuzzy Hash: f041e5b4f18625dfaa42653504e20addc449c282f38dd463f45fba843b59f9ad
Instruction Fuzzy Hash: 634106B15046928FD7228F39C850767FBE1BF97310B189699D0D28B796C738E845CB54

Function 0043C830 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

0$z, xrefs: 0043C915

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: 0$z
API String ID: 0-542936926
Opcode ID: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction ID: 598e6e7b5ab3f32ace4510c997d5c2914f2054150b2e0cbc2781ed5d43e0899f
Opcode Fuzzy Hash: 56022ef5e62e296913ac47c6de968db9b320837307f66e6c85d4f38a5b4770bc
Instruction Fuzzy Hash: 7A3104B2A193114BD314DF24CC8471BBBD2EB89714F0A992DE484A7342D37A9C428BDA

Function 00428528 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428545

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction ID: fa1734f8cecfd62dbfa6e1ffd5af071ca539f15cf05182bc01822064141da677
Opcode Fuzzy Hash: f6a8d254ef2cb00699e79095288bd1bdad4cbdf7a23a769f2daf49ab799d3e86
Instruction Fuzzy Hash: 9C21EC7470A2109BD71C8B34DC91B3F73A3FBC6314F69152ED193527A6CB399852468D

Function 00421A10 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

,-, xrefs: 00421A64

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: ,-
API String ID: 0-1027024164
Opcode ID: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction ID: 3df528e0a1c1aaf7ae1dd87ce3c0daf4cbce6c1de34562fe1b5624c5cc0b1623
Opcode Fuzzy Hash: e841ffa07ed1daa646f5eb3df3353fcb7b3331a6bb754204e02c01eb04e9c511
Instruction Fuzzy Hash: E8216A61A153108BC7109F29CC52537B7B1EF92364F85861EE4828B361F778CD05C79B

Function 00440340 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

@, xrefs: 004403AD

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction ID: 33784d5b8146ae1d6e83e41184c2528a054757f8bcb0ba64dcdd6e2a9e18c57c
Opcode Fuzzy Hash: 6ebeeff5786163907a1946c8d73bc8e49d379f446760a2416b3547ff48868a07
Instruction Fuzzy Hash: 1831FF756083048BE314DF58D8C266FBBE4EBC5324F14892DEA9883390D739D858CB9A

Function 0042DE07 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction ID: c16a7131854b6aed293f14fd3f65d90cfdcd1604bceaaf5e70633509fa898857
Opcode Fuzzy Hash: 7ecea65e69f80fd34ed937d50154ad00ae80800854f723ecc4b508468e07b142
Instruction Fuzzy Hash: AD110B645046528BEB168F359C55726BBF1AF33354F1892DCD0D1DF292D624C442CB28

Function 0042DDFF Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

ses`, xrefs: 0042DE34

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: ses`
API String ID: 0-1601344200
Opcode ID: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction ID: 2b194369684db8568e4cc4b10858fb41ea2ffb87a76b3f2bea81f07ece6f04e6
Opcode Fuzzy Hash: acdcb12a599db5bd8b29fdd08185f7d8639ff27a1d18159ef2967bd0d873cb9e
Instruction Fuzzy Hash: 21014EA46446538BE7128F359C15726FBF1EF33350F18E2A8D091DF2A2D634C842CB18

Function 004289E9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

_^]\, xrefs: 00428A15

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID: _^]\
API String ID: 0-3116432788
Opcode ID: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction ID: a8dfba8dee4ad149da4611bc05b701b5a33fd88c903e8634cd43ba9cb2d750ed
Opcode Fuzzy Hash: 7248b21c1a5d66122527e099d388fada2b713c8df9422b832066424d84c6be5f
Instruction Fuzzy Hash: ED01D6B0B0A32187D708CB15D49162FB7E2BBCA310F195A2ED0D623755C738E84287CE

Function 0043FA20 Relevance: .7, Instructions: 685COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction ID: 15bf1ea58ee97730c61fd6eda894784fa47516086410607d7a072294ae37ca60
Opcode Fuzzy Hash: 6c171becab70a86a6e575e69f5b8f9388b08847a9ebf173f34fd08f30fb17e69
Instruction Fuzzy Hash: DB22243AB54211CFDB08CF78D8A12AAB3E2FF8A314F1A857DC94697351D7389851CB85

Function 00402EB0 Relevance: .7, Instructions: 664COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction ID: 4eb073694aac07531e4e37dd991e5aaa8cdb99ba0f72cd08d303837d400a2551
Opcode Fuzzy Hash: 9edad3ee9539bfad45d948b53ca40223dce90882209d286bf0c99f9c6cd7d631
Instruction Fuzzy Hash: 3552F5715083458FCB15CF24C0906AABFE1BF89305F188A7EF8996B381D779D949CB89

Function 004073D0 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction ID: 6123c4b066af5df033588bdcadea87e91db6a899c9f8ce647c920f563282eda9
Opcode Fuzzy Hash: 6e797157fb35717b6a91bbe19d3c6782b16ec68ef1e5ad1ec3f47f605a4e618f
Instruction Fuzzy Hash: E322A472A087118BD725DF18D8806ABB3E1BFC4319F19893ED986A7385D738B811CB57

Function 0043FB10 Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction ID: bc1c9a79bd48fbe04f38ca9b4e00e2ed040d16652403f2f97064ad5dbaff0f70
Opcode Fuzzy Hash: 5b217010d00d36b6e532b914cc2c8748e4c1d1399e6fa795548d92cd5122fdeb
Instruction Fuzzy Hash: 9502483AB54211CFD708CF78D8E02AAB7A2FF8A314F1A857DC94693351D739A851CB85

Function 0043FB2A Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction ID: a1c715d08816259ade05fabf2ed31b4fea3a659fa95dcf98a80d69cb0f26fb97
Opcode Fuzzy Hash: c87e449dc06f3ba1431d52dba96a7b849506db30f3e9f92c5d405e1d6b40a5de
Instruction Fuzzy Hash: 59F13939B54211CFD708CF78D8E02AAB3A2FF8A314F1A857DC94693351D735A851CB85

Function 0043FB28 Relevance: .5, Instructions: 526COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction ID: 7c816634e29e8635841472aa4442699fe105e1924a6df37b46faa06d9bb3fd90
Opcode Fuzzy Hash: 3a977913465e41e9bc8fdf4fe2f93bdf54fd14983a5a5a95a9e13933d6850651
Instruction Fuzzy Hash: 87F13939B54211CFDB08CF78D8E02AAB3A2FF8A314F19857DC94693351D739A851CB85

Function 0041D8AC Relevance: .5, Instructions: 505COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction ID: 5e9d7e84427f8d5228b95ea90cb98d597139ae8c2cd507701152bf7f0d2aec8f
Opcode Fuzzy Hash: 80d8542304fd61a6ec4704e93bd93ae71f34bee62e8590f6df1c4416f41d4fae
Instruction Fuzzy Hash: DBE117B1E00215CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB99

Function 0041D8D8 Relevance: .5, Instructions: 499COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction ID: 0a10cce7f6b7f4c9e5a99d8e2b4a5133f7361f2e21e3c94240870ffe1abc1756
Opcode Fuzzy Hash: e75f06d64608b7b62d8af53fcc16e7372a13ff163848b6366e20841680721154
Instruction Fuzzy Hash: FAE105B1E00615CFCB14CF69C8516BBBBB1FF4A310F18465DE496AB391E338A951CB98

Function 0043FD70 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction ID: 0795aabbeeca3c289a54d5a983081f6cc9b815f424e4503ad834db78cbe5b8b0
Opcode Fuzzy Hash: 6587f211f8bb243ac471bf4d418ae114b6383508c51c90636e998149a2c9f481
Instruction Fuzzy Hash: 46B1FF39B04211CFCB08CF78E8902AAB7B2FF8A324F1985BDD94593351C775A861CB85

Function 0043FE00 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction ID: 8f12c1f11cf7dd9d5989c678c09bce864ea8bb7899150d07336210a81ccf9f3f
Opcode Fuzzy Hash: f54337c51817de601ce1ec662ea4a86470746f121211f08e90cfc523ef7306dd
Instruction Fuzzy Hash: 2AB11E39A04205CFDB08CF78D8902AEB7B2FF8A314F19857DD94593391D735A922CB85

Function 004406F0 Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction ID: bbaad09b7466ea8e443d8553dc44a5451933c837b4ca1b8c359bd5f9b3e4a5a9
Opcode Fuzzy Hash: e85f12f7bbac3723ecb9eee596fb1eeda3fecaf8cb6cd1164115649647f81f7d
Instruction Fuzzy Hash: 478115756083018BE714DF19C890A2BB7A2FFD5710F19852DEAC49B395EB38DC61CB86

Function 0042BF13 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction ID: 1ae5c22645a0c49bea9d6a70653e44e8157fd1e252da5b34c0afae31fd87a2fe
Opcode Fuzzy Hash: d79f1fd880ab180e1b863fa2a9d981922e66a5893552c9cd54a43db72e04df75
Instruction Fuzzy Hash: 314129A4204790CBE7328B3A98E0B737FE0EF27305F48198DE4E78B646D3299405CB59

Function 0041B57D Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction ID: d8b4a6cdd0763d1df8515212ee66b27a55189a0bec8caba65ff171ec82452c36
Opcode Fuzzy Hash: c7e0094a64ed9e0f308886f35ab180eb3d940b80439b08ae9969d5e3e11de77b
Instruction Fuzzy Hash: D23138745047904BD7368B3584A17737FE09F2B308F58489ED1D387293D22A9549C796

Function 0040CC7A Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentExpandStrings$Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 1780199113-0
Opcode ID: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction ID: 6b5d6437c4fa7b8805f8ed77d50acdad1f0dd5a7239fa4c95c8d74861a36b3c0
Opcode Fuzzy Hash: 94b07ba9958116a24f49aa2ce181052b6958ac39138e9011af663e1bf14a50e6
Instruction Fuzzy Hash: 0531E4EAF405405BE5057A232863A6F21674BD071CF48103EF84A272C3ED7DB916959F

Function 00432070 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction ID: 1166d7d1cf2a9c2f689b228294c5ddb55241fb8fb130d34f92ce9a1e81a5b4f1
Opcode Fuzzy Hash: 33cc46eaab1da60d5c7c303c1f4bff1ac88459165d933fbad2b388fb389fe25a
Instruction Fuzzy Hash: 0D814CB451A7808FE374DF05D59869FBBE0FB8A308F11891ED4984B350CBB86549CF9A

Function 00436210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 63507484b2069e2e8211a278e3cf8cd1c2c15e4e039033c761ca6b325ddcdd3c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 94112C336041D50ED3119D3C8500566BFD30AD7334F1BD3DAF4B8972D2D6268D8A8359

Function 0042AAC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction ID: a0f30dc86e724eb7f88f9efd602dd5de4cd53b28ec3d007000181f31979604c4
Opcode Fuzzy Hash: 7b5d740ace398df56c1bc651b30677a1090a792db8fb55b3a5b1b7746f8ad41c
Instruction Fuzzy Hash: 67019EB1B0031197E6209E25A5C1B27B6A96F94708F18003EED0657342DB7DFC24C29B

Function 0043C990 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction ID: ef255d715ab18d882adc5ea52eeea8cbfa11f5837c70251ee56aeac1239934a6
Opcode Fuzzy Hash: b6d6b89a0769f86010591fd06291181582dea7eebbe521dc95f02f92bd725890
Instruction Fuzzy Hash: 410126B5B052264BD720EE55ECC073F7756A7DE711F1EA07AD48077305D2348C419399

Function 0041C300 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction ID: 3b5a2521859e6f9e2b7c42681b895aeeefce9f58c49972f42ecf2407dd3de83c
Opcode Fuzzy Hash: d915abd692c596d351a76ef7c44155bf2f7634e88133afcabaf1f94f6f3ee80c
Instruction Fuzzy Hash: 91F03160104B914AD7328F3985643B3FFE09B13218F545A4DC9E357AD2D36AD14A8798

Function 0043EDC1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction ID: 6759ef11ba54ebcff8aa8f6da36673660d6dd1d1c904dc71617b67ba0d321406
Opcode Fuzzy Hash: 2c87cf7490ba7f349dbf4ff6d15317452443a64d08c45edd5236fd878cf74ed6
Instruction Fuzzy Hash: EC01B174E412688BCB24CF66E8912BEB7B1FF56305F186068E482FB380DB358C05CB59

Function 0042C850 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction ID: 934d56785e493b3be4b0c9c008a8aca41c7e0e8933f1bbf3a4c9d2d3fb154c99
Opcode Fuzzy Hash: 98f4e3217fe9b5c4e997299aec1ba0aa40f02e45b7d4679749b3d65f6db5070c
Instruction Fuzzy Hash: 16F0F0244086938ADB059F2980A0776FBA1AF23345F2C41DEC4C0AB393CB2AC8068758

Function 0042E0DA Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction ID: 53e9e5a03a9e822e66d5819fe35fee1f40f302e6fc978103a9a9be73ad9cdb27
Opcode Fuzzy Hash: a74d5857912f424093c70e21deeb6922a10a882864307659604c18145d6e58bc
Instruction Fuzzy Hash: C7F065105087F28ADB234B3E54606B3AFE09B63120B581BD6C8E19B3C7C3199497C36A

Function 0042D116 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction ID: e2807706931cebe5a4fd8447433720849932be0b4ea6b6dd525263aa63fc0ea0
Opcode Fuzzy Hash: f6e45a90e1ceaff6c5d0e3e053bdb80ffa80649d360dfdb931296267ad3d0f33
Instruction Fuzzy Hash: 270149306042428BD344CF38CCA056BFBA1EB83324F08C79DC45687796C638C442C799

Function 0040C805 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction ID: 2cc704b116e4bd3b8fd511eeb7f6c98f4211d06ad42a95779158915a2f3845ef
Opcode Fuzzy Hash: c4f87736648c9b6f2dd64c8d371659d93ba6f9c6e5d05e4d379e6cf43d16ee00
Instruction Fuzzy Hash: C6C0123C583840DF83088F20EC08879B374BB0B202B006824E807E33A2CB22A511AA6E

Function 004237D6 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction ID: b006575f33bb30629b5eebf8556c7f8348362c77d274ae0a1f7cd2f0d910ddfd
Opcode Fuzzy Hash: a40189d29a415ea6312dcdd67a1103e7914f9f9b1922703845f218493d16d700
Instruction Fuzzy Hash: 92B092B4A1C2018A87088F00E140039EAB4629F202F30A02E908A63215C225C1058A8E

Function 0043315D Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004331A3

Strings

j, xrefs: 00433207
B, xrefs: 004331E9
y, xrefs: 004331D5
q, xrefs: 004331F3
D, xrefs: 004331DF
K, xrefs: 004331FD
B, xrefs: 004331C1
M, xrefs: 00433221
w, xrefs: 00433231
A, xrefs: 004331CB

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: InitVariant
String ID: A$B$B$D$K$M$j$q$w$y
API String ID: 1927566239-3160828158
Opcode ID: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction ID: 1c928e62d6be9c8abd40ab69893dd7e66488cb55e0e55af33186cf6b993705b4
Opcode Fuzzy Hash: eddacfeeedbf2f75f6d5a413a3fd0e74a564a643395569db151e54d21141464b
Instruction Fuzzy Hash: 6241287050CBC18AD335DB38845879EBFD16BD2214F188A9DE2E94B3E2D7788145CB57

Function 0043240F Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 148memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432482

Strings

c, xrefs: 0043242C
0, xrefs: 0043270A
a, xrefs: 00432422
f, xrefs: 0043243B
e, xrefs: 00432436
g, xrefs: 00432440

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: AllocString
String ID: 0$a$c$e$f$g
API String ID: 2525500382-100324306
Opcode ID: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction ID: 2beeffe621b162477516d1a3ffd6e32473519446922c4ca7b5322f15d7df1e3d
Opcode Fuzzy Hash: 6fa382de4c939dc68479ac497997f55f83f35014caf28410cf75d298f2d01ba0
Instruction Fuzzy Hash: EB91812110DBC28DD3328A7C595879BBED16BA7234F484B9EE0E98B3E6D7704106C767

Function 0018A1B2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,00000000,7FFFFFFF,?,0018A19D,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 0018A258
__alloca_probe_16.LIBCMT ref: 0018A313
__alloca_probe_16.LIBCMT ref: 0018A3A2
__freea.LIBCMT ref: 0018A3ED
__freea.LIBCMT ref: 0018A3F3
__freea.LIBCMT ref: 0018A429
__freea.LIBCMT ref: 0018A42F
__freea.LIBCMT ref: 0018A43F

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: c21e687ae88f075989c9d5e91bfc279644934dc6b400fd7f9ee40c747b3ba9ad
Instruction ID: 75ff680a1033c5c380287d0a5d75a6bb81894a693484e26374e849b399578c96
Opcode Fuzzy Hash: c21e687ae88f075989c9d5e91bfc279644934dc6b400fd7f9ee40c747b3ba9ad
Instruction Fuzzy Hash: 9A71D6729002495BFF31BF948C81FAE77BAAF59310F994057ED04A7281E7769E408B52

Function 0017DC7B Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0017DD01

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 76cd254f3b8e765761cdde82e3165a3a1630fbfe1fb7a850d07f14f5abbed5a0
Instruction ID: a3409e0fe8cff2a3d82952f7e5276c1ac88a2b708465de5d6461f8dcce81bd24
Opcode Fuzzy Hash: 76cd254f3b8e765761cdde82e3165a3a1630fbfe1fb7a850d07f14f5abbed5a0
Instruction Fuzzy Hash: EBB169729043599FEB269F64DC82BBE7BB5EF65310F15C155E808AF282D770D901C7A0

Function 0016F7F0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0016F827
___except_validate_context_record.LIBVCRUNTIME ref: 0016F82F
_ValidateLocalCookies.LIBCMT ref: 0016F8B8
__IsNonwritableInCurrentImage.LIBCMT ref: 0016F8E3
_ValidateLocalCookies.LIBCMT ref: 0016F938

Strings

csm, xrefs: 0016F8CD

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 1b72d1cd99cac4b00f54c0ae2d91360730c4a02ee30f94c3580a5cea9f040587
Instruction ID: ac73e63a21b135791a126e12b388ce9a057af7354a9efc242902c43c44cf5538
Opcode Fuzzy Hash: 1b72d1cd99cac4b00f54c0ae2d91360730c4a02ee30f94c3580a5cea9f040587
Instruction Fuzzy Hash: 4F41B530E00218ABCF10DF68DC85A9E7BB5BF45314F1481A9F8189B392D7319A66CB91

Function 0017BD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BB40E64E,?,0017BE51,001635D2,?,00000000,?), ref: 0017BE03

Strings

api-ms-, xrefs: 0017BD99
ext-ms-, xrefs: 0017BDAD

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 3357bb2cd70dd1e9dccff011b28aad9c9d5e0224203318357250309c075782a8
Instruction ID: 0b977532fc56d7cbd020aa57ccd6914a01fc1984d2c68b9fa266886ed5cf0572
Opcode Fuzzy Hash: 3357bb2cd70dd1e9dccff011b28aad9c9d5e0224203318357250309c075782a8
Instruction Fuzzy Hash: AD212735A09214ABD7319BA4DC81FAB37B8AF02364F258121FD1AA7290DB30ED01C6D0

Function 00432A42 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432A4C
VariantInit.OLEAUT32 ref: 00432A5F

Strings

T, xrefs: 00432AFD
C, xrefs: 00432B0D
P, xrefs: 00432B1D
C, xrefs: 00432B2D

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: Variant$ClearInit
String ID: C$C$P$T
API String ID: 2610073882-3051599793
Opcode ID: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction ID: 97d45b2a61606388edab5b45fc9f71e82de55712b11621588c9e0c32b5ea6509
Opcode Fuzzy Hash: 70cc15cec2ffaa4e64ca4ef94809e37c86eda4dcb3d81504480f7fa9456d32e2
Instruction Fuzzy Hash: 0141E52000C7C18AD3728B38845979FBFE06B96324F488A9DD4ED8B3D2DB754149DB53

Function 0016EB1C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0016EB22
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0016EB30
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 0016EB41

Strings

GetSystemTimePreciseAsFileTime, xrefs: 0016EB2A
GetTempPath2W, xrefs: 0016EB36
kernel32.dll, xrefs: 0016EB1D

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: 479e9e7f8ade7758d159055b25bbcd77bc699d630d1c023aae925d4d42a03134
Instruction ID: 1f310334e36ee2635114622063a2d1d6c6b2bd09142306443b3781af3d8eaa02
Opcode Fuzzy Hash: 479e9e7f8ade7758d159055b25bbcd77bc699d630d1c023aae925d4d42a03134
Instruction Fuzzy Hash: 21D09E355993616FC7019B71BC0DC963E95BF056153054857F412D39A0D7B409C18B98

Function 00188A9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f3bc5caf3fc5be250898df17e2910bf8ff620e3aca25d889a7686779f495cf6
Instruction ID: 0c44cd0f7a7b8d2efc7e81a9d95c4d2fea441d2faf107cab82061787b7908ed8
Opcode Fuzzy Hash: 7f3bc5caf3fc5be250898df17e2910bf8ff620e3aca25d889a7686779f495cf6
Instruction Fuzzy Hash: DAB1F870A04249AFDB15EF98C881BAE7BB1BF66314F544259E405A73D6CB709F42CF60

Function 00179AF4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00179AEB,0016F5BA,0016E585), ref: 00179B02
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00179B10
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00179B29
SetLastError.KERNEL32(00000000,00179AEB,0016F5BA,0016E585), ref: 00179B7B

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1286fe8f449c63dad51f82596122d67e470bed4ab0b2c6b3e35fdbf6ac86d265
Instruction ID: 6c52d9add583b84d2e175245d29bdf22187f0a0744a8e13963ce3bea0ecd8933
Opcode Fuzzy Hash: 1286fe8f449c63dad51f82596122d67e470bed4ab0b2c6b3e35fdbf6ac86d265
Instruction Fuzzy Hash: 1F014C32119A215ED72427B4BC85D5B2E76EB257B5730832BF41A634F1EF114C449654

Function 0017A3BC Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0017A4DB
CallUnexpected.LIBVCRUNTIME ref: 0017A754

Strings

csm, xrefs: 0017A512
csm, xrefs: 0017A466
csm, xrefs: 0017A3F9

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 93280e217a9a99248685f4164d753a028008501e13f7a9fef22d109f68e08030
Instruction ID: ca1b0c2f666394e64ba5c5b2f05725f4b6a5c2507c63d8d765f285b35fc89919
Opcode Fuzzy Hash: 93280e217a9a99248685f4164d753a028008501e13f7a9fef22d109f68e08030
Instruction Fuzzy Hash: 89B1C171800209DFCF19DFA4C8459AEBBB5FFA4300F98855AF8096B212D731DA51CF92

Function 00174A89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,0018B3E5,000000FF,?,00174B4A,00174A31,?,00174BE6,00000000), ref: 00174ABE
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00174AD0
FreeLibrary.KERNEL32(00000000,?,?,00000000,0018B3E5,000000FF,?,00174B4A,00174A31,?,00174BE6,00000000), ref: 00174AF2

Strings

mscoree.dll, xrefs: 00174AB7
CorExitProcess, xrefs: 00174AC8

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7fbae6647d508423e01b5a4769164dceaa0856a692a0ba631c612cc312cffacf
Instruction ID: fc0da82a0c2179fe30f8104dccffd625fa7100d6d55bb090d063f854399f7086
Opcode Fuzzy Hash: 7fbae6647d508423e01b5a4769164dceaa0856a692a0ba631c612cc312cffacf
Instruction Fuzzy Hash: DB016735944615AFDB119F90DC05FAE7BB8FB05B15F01452AF822A3A90DB749940CA94

Function 0017C516 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0017C59B
__alloca_probe_16.LIBCMT ref: 0017C664
__freea.LIBCMT ref: 0017C6CB

Part of subcall function 0017AD61: HeapAlloc.KERNEL32(00000000,?,?,?,0016B9E5,?,?,001635D2,00001000,?,0016351A), ref: 0017AD93

__freea.LIBCMT ref: 0017C6DE
__freea.LIBCMT ref: 0017C6EB

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 92ffa99992c9735d5467decc45ae5a5926a457d75ebfef9cc90cad4c22c8ee3c
Instruction ID: 518ab9ac4859e9438970556b40772b94775846f62fca3f5cc61502edf86dbc4a
Opcode Fuzzy Hash: 92ffa99992c9735d5467decc45ae5a5926a457d75ebfef9cc90cad4c22c8ee3c
Instruction Fuzzy Hash: 0E51A072600246AFEB215FA4CCC1EAB7AB9EF58710B15812EFD08D7241EB71DD508AA0

Function 00161860 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00161912
CloseHandle.KERNEL32 ref: 0016192E

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CloseFileHandleSize
String ID:
API String ID: 3849164406-0
Opcode ID: d7dcb13ac5e26d63654c3a958806f3bb1dc6b2ea008023dcce99db83e6660f84
Instruction ID: 9a961ec74ccdfd97ef5c7af2bf036f3a66efddd765203bb5e2c88995d74bbac8
Opcode Fuzzy Hash: d7dcb13ac5e26d63654c3a958806f3bb1dc6b2ea008023dcce99db83e6660f84
Instruction Fuzzy Hash: 9F71A0B4D082489FDB00EFA8D98879DBBF0BF48308F14852AE499EB340D7749955CF52

Function 0016E8E7 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0016E8FB
AcquireSRWLockExclusive.KERNEL32(?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E91A
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E948
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E9A3
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,00000000,0018B3C8,000000FF,?,0016B697), ref: 0016E9BA

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: acd65e7ce407b2f17ca5ffd89874ea71543ddad5e262a17e5b9d2ad91c74091a
Instruction ID: 599e3529820a982340eca09653fed4ac9caf9071b3a3e51be3a743968d551f06
Opcode Fuzzy Hash: acd65e7ce407b2f17ca5ffd89874ea71543ddad5e262a17e5b9d2ad91c74091a
Instruction Fuzzy Hash: E4416A39900606DFCB64DF69CC85A6AB3F4FF05318B204B2AE456D7A40D730E9A5CF51

Function 0016C054 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0016C05B
std::_Lockit::_Lockit.LIBCPMT ref: 0016C066
std::_Lockit::~_Lockit.LIBCPMT ref: 0016C0D4

Part of subcall function 0016BF5D: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0016BF75

std::locale::_Setgloballocale.LIBCPMT ref: 0016C081
_Yarn.LIBCPMT ref: 0016C097

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7e4aec7e46184b51a4247e27b301f9172ff7c07840e5d0c1edf5fd1cc7bacc93
Instruction ID: c43a5d393bdf27296a18f042ec12b207865bc0e0003e8f40bf821c5ed7f75f6f
Opcode Fuzzy Hash: 7e4aec7e46184b51a4247e27b301f9172ff7c07840e5d0c1edf5fd1cc7bacc93
Instruction Fuzzy Hash: 7201DF7AA045149BCB06EB60CC85A7D7BB1FFA5710B150009F816973D1CF346EA2CBD1

Function 001852C1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0018535D,00000000,?,00198180,?,?,?,00185294,00000004,InitializeCriticalSectionEx,0018F434,0018F43C), ref: 001852CE
GetLastError.KERNEL32(?,0018535D,00000000,?,00198180,?,?,?,00185294,00000004,InitializeCriticalSectionEx,0018F434,0018F43C,00000000,?,0017AA0C), ref: 001852D8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00185300

Strings

api-ms-, xrefs: 001852E5

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4107f4b54c63a0257a0207e4e85bfdbff62d521590743b2e9b51b29a1de29bb8
Instruction ID: d535d5a07c71fb235aec92e5b13776e5ce268790aa2bab32520031cac8d012c6
Opcode Fuzzy Hash: 4107f4b54c63a0257a0207e4e85bfdbff62d521590743b2e9b51b29a1de29bb8
Instruction Fuzzy Hash: CAE0BF346C4705B7EF202B61ED06F693F9AFB10B96F144031FD0EA88E1D7A1E952DA48

Function 001830BF Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00183122

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00183374
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001833BA
GetLastError.KERNEL32 ref: 0018345D

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: dbfc09f9927418bfa500ad27e0e2bbedba728e3806feb8dc25484a5ddf292047
Instruction ID: 184bfa09f4a82910ac59769a549c736b4d02a846a14e6b7b750b1347ae37f61b
Opcode Fuzzy Hash: dbfc09f9927418bfa500ad27e0e2bbedba728e3806feb8dc25484a5ddf292047
Instruction Fuzzy Hash: AAD17975D04248AFCF15DFA8D8809ADBBB5FF49714F28416AE826EB351E730AA41CF50

Function 0017A0E3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0017A1AA
___AdjustPointer.LIBCMT ref: 0017A1CD
___AdjustPointer.LIBCMT ref: 0017A269

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 39b5cce606a0805eda5b52602f5f34796f55355ac586ae8425a9ec668eee6e03
Instruction ID: 5fccbbc993a4323715f6c79e466e44e34548784f5ef17ecadeb217d2cab4ada7
Opcode Fuzzy Hash: 39b5cce606a0805eda5b52602f5f34796f55355ac586ae8425a9ec668eee6e03
Instruction Fuzzy Hash: C651F4766012029FEB298F54D841B7E77B5FF94710FA4852DEC0A47292E732ED81CB52

Function 00180B86 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00180BEA
__dosmaperr.LIBCMT ref: 00180BF1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00180C2B
__dosmaperr.LIBCMT ref: 00180C32

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 6b329e42a26295ed915ededc0cf0c7f6b72a4a44fb2607c88dd5fe427e519974
Instruction ID: 2f08896bfdfc44e4d0f00cdec96fe6e2d904c305c8abda965cb62438c6fa4778
Opcode Fuzzy Hash: 6b329e42a26295ed915ededc0cf0c7f6b72a4a44fb2607c88dd5fe427e519974
Instruction Fuzzy Hash: 2121077160060DAF9B66BF65C881D6BB7A8FF19368B118658F81DD7211DB30ED448F90

Function 00171652 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f5f4ee3c83580c3b73e22779d98906e88307981d20f5428dcc70918d88be2d
Instruction ID: 68cc67a63eb0ce38b126c30c7434a6d28fa42c1fe0a2fceb559af8c1f75b53ae
Opcode Fuzzy Hash: e5f5f4ee3c83580c3b73e22779d98906e88307981d20f5428dcc70918d88be2d
Instruction Fuzzy Hash: 9B21F035300205BF8B24AF698C81C6B77BEAF91364724C928F81ED7650EB30EC5087A0

Function 00181F7C Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00181F84

Part of subcall function 0017AE71: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0017C6C1,?,00000000,-00000008), ref: 0017AED2

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00181FBC
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00181FDC

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 41c928784b47a079d4371362bb7def2a9ca533909dee9ae32a0a6f3104c70f57
Instruction ID: 3d1468cdbade98e475c78b713d61f53e603f40d2f13973ced70232b6a05e8247
Opcode Fuzzy Hash: 41c928784b47a079d4371362bb7def2a9ca533909dee9ae32a0a6f3104c70f57
Instruction Fuzzy Hash: 6F1104B25046197F663237F19C89C6F796CCF993A57510015F80692501FB34CE01DAB2

Function 00162A60 Relevance: 6.1, APIs: 4, Instructions: 53threadCOMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00162A8D
GetCurrentThreadId.KERNEL32 ref: 00162A9B
std::_Throw_Cpp_error.LIBCPMT ref: 00162AB4
std::_Throw_Cpp_error.LIBCPMT ref: 00162AF3

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: a77f7638a7d587301e7083a9a023a5a737958689b983759d638ceb555daee6ff
Instruction ID: 8b5a07670691df4629ac2ab7778f817d8cdffbe0a013febe4e7ab2f566fe2527
Opcode Fuzzy Hash: a77f7638a7d587301e7083a9a023a5a737958689b983759d638ceb555daee6ff
Instruction Fuzzy Hash: 9B21E4B4E042098FCB08EFE8D9956AEBBF0AF58300F01845DE859AB391D7789950CF51

Function 0018A470 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000), ref: 0018A487
GetLastError.KERNEL32(?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?,?,?,00182DF7,?), ref: 0018A493

Part of subcall function 0018A4E4: CloseHandle.KERNEL32(FFFFFFFE,0018A4A3,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?,?), ref: 0018A4F4

___initconout.LIBCMT ref: 0018A4A3

Part of subcall function 0018A4C5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0018A461,0018993F,?,?,001834B1,?,00000000,00000000,?), ref: 0018A4D8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,00189952,00000000,00000001,?,?,?,001834B1,?,00000000,00000000,?), ref: 0018A4B8

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ee31d32c6e811f6287fd62a4ad3d324c89d5d590b1ed8fc18cd17c7c91198506
Instruction ID: b59335c61f22b0e5fd366e4cd70d1d9b43333922f8841926de1dfb4b51a4eec4
Opcode Fuzzy Hash: ee31d32c6e811f6287fd62a4ad3d324c89d5d590b1ed8fc18cd17c7c91198506
Instruction Fuzzy Hash: 88F01C36004615BBCF222F91EC08E893F66FF493A0B454412FA1D85561C7728A60AB95

Function 0016EFA7 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 0016EFB9
GetCurrentThreadId.KERNEL32 ref: 0016EFC8
GetCurrentProcessId.KERNEL32 ref: 0016EFD1
QueryPerformanceCounter.KERNEL32(?), ref: 0016EFDE

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4451e87df8e75570738c34cc5f7369a9436946c5d6196a0c6dac55ec3383025e
Instruction ID: 456e39e12d7e28bf6c0ce8805a5a05d42f292e719ebf5aebabfadcbac7b519fd
Opcode Fuzzy Hash: 4451e87df8e75570738c34cc5f7369a9436946c5d6196a0c6dac55ec3383025e
Instruction Fuzzy Hash: BEF0B270C0020CEBCB00DFB4CA4898EBBF4EF1C201B914996A412E7550E730AB85CB54

Function 0016A4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 0016A631
_strcspn.LIBCMT ref: 0016A65F

Strings

@, xrefs: 0016A92F

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: _strcspn
String ID: @
API String ID: 3709121408-2766056989
Opcode ID: c99cf67dd332d41c4a4638e18ab4426d5b58983745887c1b31f16b5f6290ffcf
Instruction ID: 6cf00aa48ae51b8d125506fc217029a992e45d820f240d318087bb1d44413605
Opcode Fuzzy Hash: c99cf67dd332d41c4a4638e18ab4426d5b58983745887c1b31f16b5f6290ffcf
Instruction Fuzzy Hash: CA32D3B4904269CFCB24DF68C981A9DFBF1BF58300F0585AAE849A7341D734AE95CF52

Function 0017F766 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0017AFB3: GetLastError.KERNEL32(00000000,?,0017D392), ref: 0017AFB7
Part of subcall function 0017AFB3: SetLastError.KERNEL32(00000000,?,?,00000028,00177816), ref: 0017B059

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0017509A,?,?,?,00000055,?,-00000050,?,?,?), ref: 0017F825
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0017509A,?,?,?,00000055,?,-00000050,?,?), ref: 0017F85C

Strings

utf8, xrefs: 0017F92E

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: dea70d85f2ebe2fad658c1d0345dc7fef006378f9a0f0a69398346174f50cf47
Instruction ID: 96be2e30cd9257cdad28bf89086c105b7b993b768ccddbee8527567a457e826a
Opcode Fuzzy Hash: dea70d85f2ebe2fad658c1d0345dc7fef006378f9a0f0a69398346174f50cf47
Instruction Fuzzy Hash: 2451D571604206BADB28BB748C46BB773B8EF14704F25843DF65D975C1FB70E94286A2

Function 0017A7E0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0017A6E1,?,?,00000000,00000000,00000000,?), ref: 0017A805

Strings

MOC, xrefs: 0017A817
RCC, xrefs: 0017A81F

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 3c623021122a501ee6da11939de864713e9ae86c864e450fc909c908daca1502
Instruction ID: 93fac7a6709b3984162cf0e6ffad9ca3d73613f38e11f0e5b2781d842994bde4
Opcode Fuzzy Hash: 3c623021122a501ee6da11939de864713e9ae86c864e450fc909c908daca1502
Instruction Fuzzy Hash: 6B418B71900209AFCF16CF94CC81AEEBBB5FF88305F158169FA086B211D3359961DB52

Function 0017A04C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0017A2C3

Strings

csm, xrefs: 0017A2E5
csm, xrefs: 0017A356

Memory Dump Source

Source File: 00000003.00000002.1341282750.0000000000161000.00000020.00000001.01000000.00000003.sdmp, Offset: 00160000, based on PE: true

Associated: 00000003.00000002.1341248949.0000000000160000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341323279.000000000018C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341350536.0000000000196000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341367777.000000000019A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.1341399698.000000000019C000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_160000_J18uCKmoAw.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: df1ab2e6cfe95aa779d67f35f2ecc34dd1dcc371cd7c2ddb6bed1af84bec5acd
Instruction ID: 3e383eddc44ff943b044c2ff5f5e0d9ab797a6e01b5bc364450333e882a598c3
Opcode Fuzzy Hash: df1ab2e6cfe95aa779d67f35f2ecc34dd1dcc371cd7c2ddb6bed1af84bec5acd
Instruction Fuzzy Hash: E931CF72400218EBCF268F54C8408BE7B76FF8971AB98C15AF84C49221C336DCA1DB83

Function 0042D7EE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

ou, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$ou
API String ID: 3664257935-2936904059
Opcode ID: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction ID: 6bca69879cb3e651ebc8ca0b13598fe737171d623fe99421924d523c2323336e
Opcode Fuzzy Hash: 8948d3cd5bc622644077d860e0ab694d6f95e2090f86dfe1e4841dcaad48535a
Instruction Fuzzy Hash: FF214B70A043928FDB218F25D850727BFE1AF4B301F68869AD4D28B396D6389842CB15

Function 004345DB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043460B
GetSystemMetrics.USER32 ref: 0043461A

Strings

, xrefs: 004346C8

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction ID: a44d6496935459a921f5505b3ec94aa74778db30aba9446cb93c37adee0bb457
Opcode Fuzzy Hash: 21c571957f9eedbc13ecd4bfc36bc2f66f2a3654bfb69307476122a183b7950a
Instruction Fuzzy Hash: D0317DF49143149FDB00EFA8D98561EBBF4BB89704F11852EE898DB364D374A948CF86

Function 0042D893 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042D898

Strings

ou, xrefs: 0042D898
;87>, xrefs: 0042DBEB

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: ;87>$ou
API String ID: 3664257935-2936904059
Opcode ID: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction ID: 86d99b7f9b2e41fbf427bd52e774bdff68d06f883e7a09e1f2f077771d0b6d71
Opcode Fuzzy Hash: fd3193656894a668b22de869095197b6b1e72f9b9e7d47cf1e04037ab90bc313
Instruction Fuzzy Hash: D6112BB1600602CFD7118F35EC5072BBBE2FF4B311F59C6A9D4968B392EA389842CB55

Function 0040B7B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408A31), ref: 0040B7B6
FreeLibrary.KERNEL32 ref: 0040B7D7

Strings

ou, xrefs: 0040B7B6, 0040B7D7

Memory Dump Source

Source File: 00000003.00000002.1341473938.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_J18uCKmoAw.jbxd

Similarity

API ID: FreeLibrary
String ID: ou
API String ID: 3664257935-3837949563
Opcode ID: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction ID: 8d13b867a32c3a4b7460dc0ab53feb316509c0c4818bc205b844e3f8a964c7f0
Opcode Fuzzy Hash: da798694984a35fde46e4bcd63e174060923e03d5e302a6048e3f29a9fc80685
Instruction Fuzzy Hash: 0DC002799914029FEF056FA1FE0E8593B22FB5630670401B6B90590632EA6B09B4AB5F

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report J18uCKmoAw.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
J18uCKmoAw.exe

Function 0019619E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 0017BD42 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00161860 Relevance: 9.2, APIs: 6, Instructions: 162
fileCOMMON

Function 0016A4D0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 477
COMMON

Function 00161700 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81
memoryCOMMON

Function 0017481D Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 001749B3 Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00174B24 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00182D15 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 001834EE Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 0017C862 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00174935 Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 00161B70 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Function 0017AD27 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00161EA0 Relevance: 1.8, APIs: 1, Instructions: 289
COMMON