Edit tour

Windows Analysis Report
wRhEMj1swo.exe

Overview

General Information

Sample name:	wRhEMj1swo.exe renamed because original name is a hash value
Original sample name:	d7ae3392a9ce8d10923040dd4c3ef0af.exe
Analysis ID:	1585798
MD5:	d7ae3392a9ce8d10923040dd4c3ef0af
SHA1:	37c5b3cf8831a841c5ed87a4129595c8a721302e
SHA256:	dbac017142912cc3bef0a236b80857511776be8119f7abd64253cccd23ebd6e4
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for dropped file

Machine Learning detection for sample

Yara detected aPLib compressed binary

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wRhEMj1swo.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\wRhEMj1swo.exe" MD5: D7AE3392A9CE8D10923040DD4C3EF0AF)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
wRhEMj1swo.exe	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\update.exe	CN_Honker_WordpressScanner	Sample from CN Honker Pentest Toolset - file WordpressScanner.exe	Florian Roth	0xd571c:$s0: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) 0xe8368:$s1: (http://www.eyuyan.com) 0xcbd6c:$s2: GetConnectString 0xe2cd4:$s4: #if !defined(AFX_RESOURCE_DLL) \|\| defined(AFX_TARG_CHS)

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000000.00000000.1716850322.00000000006F0000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: wRhEMj1swo.exe PID: 5932	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.wRhEMj1swo.exe.742ca5.3.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.wRhEMj1swo.exe.742ca5.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.wRhEMj1swo.exe.70cec9.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.wRhEMj1swo.exe.70cec9.2.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.2.wRhEMj1swo.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0.0.wRhEMj1swo.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T09:41:05.555259+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	103.235.46.96	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Desktop\update.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: wRhEMj1swo.exe

ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\Desktop\update.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wRhEMj1swo.exe

Joe Sandbox ML: detected

Source: wRhEMj1swo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.4:49730 version: TLS 1.2

Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96
Source: Joe Sandbox View	IP Address: 103.235.46.96 103.235.46.96

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 103.235.46.96:443

Source: global traffic

HTTP traffic detected: HEAD / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AliveAccept: text/html, application/xhtml+xml, */*Accept-Encoding: identityAccept-Language: zh-cnUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)Host: www.baidu.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.baidu.com

Source: update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/GX_RZ.txt
Source: wRhEMj1swo.exe	String found in binary or memory: http://47.92.98.180:88/MQNT/MQNT.exe
Source: wRhEMj1swo.exe, update.exe.0.dr	String found in binary or memory: http://47.92.98.180:88/MQNT/data.txt
Source: wRhEMj1swo.exe	String found in binary or memory: http://ip-api.com/json/?lang=zh-CN
Source: wRhEMj1swo.exe	String found in binary or memory: http://q1.qlogo.cn/g?b=qq&nk=
Source: wRhEMj1swo.exe	String found in binary or memory: http://q4.qlogo.cn/g?b=qq&nk=2911606375&s=100
Source: wRhEMj1swo.exe	String found in binary or memory: http://q4.qlogo.cn/g?b=qq&nk=2911606375&s=1007451f2903af691535062ed068339ac36
Source: wRhEMj1swo.exe	String found in binary or memory: http://whois.pconline.com.cn/ipJson.jsp?json=true
Source: wRhEMj1swo.exe	String found in binary or memory: http://www.eyuyan.com
Source: wRhEMj1swo.exe, update.exe.0.dr	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: wRhEMj1swo.exe	String found in binary or memory: http://www.eyuyan.comservice
Source: wRhEMj1swo.exe	String found in binary or memory: http://www.ibsensoftware.com/
Source: wRhEMj1swo.exe	String found in binary or memory: http://www.ip138.com
Source: wRhEMj1swo.exe	String found in binary or memory: http://www.ip138.comUser-Agent:
Source: wRhEMj1swo.exe	String found in binary or memory: https://api.ip.sb/ip
Source: wRhEMj1swo.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/h
Source: wRhEMj1swo.exe	String found in binary or memory: https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:
Source: wRhEMj1swo.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=
Source: wRhEMj1swo.exe	String found in binary or memory: https://club.vip.qq.com/api/aggregation?g_tk=content-type:
Source: wRhEMj1swo.exe	String found in binary or memory: https://ip.cn/api/index?ip=&type=0
Source: wRhEMj1swo.exe	String found in binary or memory: https://ipinfo.io/json
Source: wRhEMj1swo.exe	String found in binary or memory: https://www.baidu.com
Source: wRhEMj1swo.exe, 00000000.00000003.1736612849.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.baidu.com/
Source: wRhEMj1swo.exe	String found in binary or memory: https://www.baidu.comDate:KB3140245/
Source: wRhEMj1swo.exe	String found in binary or memory: https://www.uc.cn/ip
Source: wRhEMj1swo.exe	String found in binary or memory: https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown

HTTPS traffic detected: 103.235.46.96:443 -> 192.168.2.4:49730 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe Author: Florian Roth

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_004119E8: CreateFileA,DeviceIoControl,CloseHandle,

0_2_004119E8

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_004175E6		0_2_004175E6
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_0047677F		0_2_0047677F

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: String function: 00401111 appears 85 times

Source: wRhEMj1swo.exe, 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs wRhEMj1swo.exe
Source: wRhEMj1swo.exe, 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs wRhEMj1swo.exe
Source: wRhEMj1swo.exe	Binary or memory string: OriginalFilenameXY.HWSS.dllf# vs wRhEMj1swo.exe
Source: wRhEMj1swo.exe	Binary or memory string: OriginalFilenamexy.WSS.HTTPS.dllp( vs wRhEMj1swo.exe

Source: wRhEMj1swo.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\update.exe, type: DROPPED

Matched rule: CN_Honker_WordpressScanner date = 2015-06-23, author = Florian Roth, description = Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, score = 0b3c5015ba3616cbc616fc9ba805fea73e98bc83, reference = Disclosed CN Honker Pentest Toolset, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal80.evad.winEXE@1/3@1/1

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_00401BFE CreateToolhelp32Snapshot,Module32First,

0_2_00401BFE

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

File created: C:\Users\user\Desktop\update.exe

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Mutant created: \Sessions\1\BaseNamedObjects\NULL

Source: wRhEMj1swo.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wRhEMj1swo.exe

ReversingLabs: Detection: 54%

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: avifil32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

File written: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Automated click: OK
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Automated click: OK

Source: wRhEMj1swo.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: wRhEMj1swo.exe

Static file information: File size 5660160 > 1048576

Source: wRhEMj1swo.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x205c00
Source: wRhEMj1swo.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x32e200

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: wRhEMj1swo.exe, type: SAMPLE
Source: Yara match	File source: 0.0.wRhEMj1swo.exe.742ca5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wRhEMj1swo.exe.742ca5.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wRhEMj1swo.exe.70cec9.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wRhEMj1swo.exe.70cec9.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.wRhEMj1swo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.wRhEMj1swo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1716850322.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wRhEMj1swo.exe PID: 5932, type: MEMORYSTR

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_005E4C20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005E4C20

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_005DB148 push eax; ret		0_2_005DB166
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_005D8C50 push eax; ret		0_2_005D8C7E

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

File created: C:\Users\user\Desktop\update.exe

Jump to dropped file

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\update.exe

Jump to dropped file

Source: C:\Users\user\Desktop\wRhEMj1swo.exe TID: 3244

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

File opened: PhysicalDrive0

Jump to behavior

Source: wRhEMj1swo.exe, 00000000.00000003.1736612849.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, wRhEMj1swo.exe, 00000000.00000003.1800223111.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, wRhEMj1swo.exe, 00000000.00000003.1774306071.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, wRhEMj1swo.exe, 00000000.00000002.1801411579.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, wRhEMj1swo.exe, 00000000.00000002.1801509032.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_005E4C20 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005E4C20

Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_0044086C mov ebx, dword ptr fs:[00000030h]	0_2_0044086C
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_004222F3 mov ebx, dword ptr fs:[00000030h]	0_2_004222F3
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_0047FB4C mov ebx, dword ptr fs:[00000030h]	0_2_0047FB4C
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_00421EEC mov ebx, dword ptr fs:[00000030h]	0_2_00421EEC
Source: C:\Users\user\Desktop\wRhEMj1swo.exe	Code function: 0_2_0043E797 mov ebx, dword ptr fs:[00000030h]	0_2_0043E797

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_004706E8 HeapAlloc,RtlFreeHeap,GetProcessHeap,HeapReAlloc,

0_2_004706E8

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_004200FF cpuid

0_2_004200FF

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Code function: 0_2_005DD4AC GetVersionExA,GetEnvironmentVariableA,GetModuleFileNameA,

0_2_005DD4AC

Source: C:\Users\user\Desktop\wRhEMj1swo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wRhEMj1swo.exe	54%	ReversingLabs	Win32.Trojan.Generic
wRhEMj1swo.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\update.exe	100%	Joe Sandbox ML
C:\Users\user\Desktop\update.exe	37%	ReversingLabs

Source	Detection	Scanner	Label
http://www.ip138.comUser-Agent:	0%	Avira URL Cloud	safe
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/MQNT.exe	0%	Avira URL Cloud	safe
http://www.eyuyan.com	0%	Avira URL Cloud	safe
http://www.eyuyan.comservice	0%	Avira URL Cloud	safe
https://www.uc.cn/ip	0%	Avira URL Cloud	safe
https://www.baidu.comDate:KB3140245/	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/data.txt	0%	Avira URL Cloud	safe
http://47.92.98.180:88/MQNT/GX_RZ.txt	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.wshifen.com	103.235.46.96	true	false		high
www.baidu.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	wRhEMj1swo.exe, update.exe.0.dr	false		high
https://api.ip.sb/ip	wRhEMj1swo.exe	false		high
http://whois.pconline.com.cn/ipJson.jsp?json=true	wRhEMj1swo.exe	false		high
http://www.ip138.comUser-Agent:	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
https://club.vip.qq.com/api/aggregation?g_tk=content-type:	wRhEMj1swo.exe	false		high
http://www.ibsensoftware.com/	wRhEMj1swo.exe	false		high
https://cdid.c-ctrip.com/model-poc2/hhttps://ip.cn/api/index?ip=&type=0User-Agent:	wRhEMj1swo.exe	false		high
https://ip.cn/api/index?ip=&type=0	wRhEMj1swo.exe	false		high
https://www.uc.cn/ipIP:https://api.ip.sb/iphttps://ipinfo.io/jsonip	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json/?lang=zh-CN	wRhEMj1swo.exe	false		high
http://q1.qlogo.cn/g?b=qq&nk=	wRhEMj1swo.exe	false		high
http://q4.qlogo.cn/g?b=qq&nk=2911606375&s=100	wRhEMj1swo.exe	false		high
https://www.baidu.com	wRhEMj1swo.exe	false		high
http://47.92.98.180:88/MQNT/GX_RZ.txt	update.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://club.vip.qq.com/api/aggregation?g_tk=	wRhEMj1swo.exe	false		high
http://www.eyuyan.comservice	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://q4.qlogo.cn/g?b=qq&nk=2911606375&s=1007451f2903af691535062ed068339ac36	wRhEMj1swo.exe	false		high
https://cdid.c-ctrip.com/model-poc2/h	wRhEMj1swo.exe	false		high
https://ipinfo.io/json	wRhEMj1swo.exe	false		high
https://www.baidu.comDate:KB3140245/	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://47.92.98.180:88/MQNT/MQNT.exe	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://47.92.98.180:88/MQNT/data.txt	wRhEMj1swo.exe, update.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://www.uc.cn/ip	wRhEMj1swo.exe	false	Avira URL Cloud: safe	unknown
http://www.ip138.com	wRhEMj1swo.exe	false		high
https://www.baidu.com/	wRhEMj1swo.exe, 00000000.00000003.1736612849.0000000000A89000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.235.46.96	www.wshifen.com	Hong Kong		55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585798
Start date and time:	2025-01-08 09:40:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wRhEMj1swo.exe renamed because original name is a hash value
Original Sample Name:	d7ae3392a9ce8d10923040dd4c3ef0af.exe
Detection:	MAL
Classification:	mal80.evad.winEXE@1/3@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.64, 20.109.210.53, 2.23.227.208, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:41:05	API Interceptor	1x Sleep call for process: wRhEMj1swo.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
103.235.46.96	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	DNF#U604b#U62180224a.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/s?wd=www.cfjuzi.com&rsv_spt=1&issp=1&rsv_bp=0&ie=utf-8&tn=utf8speed_dg&inputT=453
	New Al Maktoum International Airport Enquiry Ref #2401249.exe	Get hash	malicious	FormBook	Browse	www.wvufcw948o.top/pt46/?ara=runx2q514acjuuceA0OTyKdTIzcy0YcAOvUMICEfyLgC3vUfTcW2aWKxfLyo5+IB4FDn&D8V=_FNDAz
	4.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	1.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	1.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.wshifen.com	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	103.235.47.188
	letsVPN.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	letsVPN.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	103.235.47.188
	2024-12-10#U67e5#U9605_uninst.exe	Get hash	malicious	ValleyRAT	Browse	103.235.47.188
	2024-12-10#U67e5#U9605_uninst.exe	Get hash	malicious	ValleyRAT	Browse	103.235.47.188
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	b6FArHy7yA.exe	Get hash	malicious	LummaC Stealer	Browse	103.235.47.188
	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	103.235.46.96
	360safe.exe	Get hash	malicious	Unknown	Browse	103.235.47.188

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	103.235.47.188
	letsVPN.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	letsVPN.exe	Get hash	malicious	Unknown	Browse	103.235.46.96
	db0fa4b8db0333367e9bda3ab68b8042.m68k.elf	Get hash	malicious	Mirai, Gafgyt	Browse	106.13.224.246
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	119.75.215.154
	nsharm7.elf	Get hash	malicious	Mirai	Browse	182.61.224.140
	3.elf	Get hash	malicious	Unknown	Browse	182.61.224.138
	Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk	Get hash	malicious	Unknown	Browse	103.235.47.188
	elitebotnet.sh4.elf	Get hash	malicious	Mirai, Okiru	Browse	180.76.189.193
	2024-12-10#U67e5#U9605_uninst.exe	Get hash	malicious	ValleyRAT	Browse	103.235.47.188

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	socolo.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	103.235.46.96
	Setup.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	setup.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	'Set-up.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	SET_UP.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	Set-UpFile_v25.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	Setup.exe	Get hash	malicious	LummaC	Browse	103.235.46.96
	LVkAi4PBv6.exe	Get hash	malicious	Unknown	Browse	103.235.46.96

Process:	C:\Users\user\Desktop\wRhEMj1swo.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	432
Entropy (8bit):	4.001798566475806
Encrypted:	false
SSDEEP:	12:QZsiL5wmHOlDmo0qmWvclLwv2R9G4wmDg86uCEuyLyn:QCGwv4o0BlLw+rTV6uuyW
MD5:	2FC4766F11242121D9AE2116FF5E663D
SHA1:	8109000AC241302981D42F11FFEE04E3C61FCD93
SHA-256:	EC5937989CD48D8BCDBF562C52BC3903FB135491E98C89B1AA88996E7BD008E6
SHA-512:	650EDD5B580926CD743E5D8186B2CD5EB8B3070126575DB304C1B809F1AA4841E0316A6D4701EC3B730025F0161EDE1CAD041DA10C575830185804D99298664A
Malicious:	false
Reputation:	low
Preview:	......[...S.h.e.l.l.C.l.a.s.s.I.n.f.o.].....L.o.c.a.l.i.z.e.d.R.e.s.o.u.r.c.e.N.a.m.e.=.@.%.S.y.s.t.e.m.R.o.o.t.%.\.s.y.s.t.e.m.3.2.\.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....I.c.o.n.R.e.s.o.u.r.c.e.=.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.D.o.c.u.m.e.n.t.s.\.1.9.C.A.D.7.2.1.B.5.9.B.0.9.B.2.0.8.B.5.A.7.E.2.F.6.3.8.7.8.4.3...i.c.o.....I.n.f.o.T.i.p.=.P.i.k.a.c.h.u.N.T............. ............. .................Q.Q.........................

C:\Users\user\Desktop\update.exe

Download File

Process:	C:\Users\user\Desktop\wRhEMj1swo.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	954368
Entropy (8bit):	6.344965617584001
Encrypted:	false
SSDEEP:	24576:YvtI2D6CEhvugYa3EZfup4jflORg0RBQI:YevLEZ7cRg0RJ
MD5:	8A619EBB79546DD4487F312B9C57934F
SHA1:	6986759E032DB2694D625C85EC5C8B4AD74A689B
SHA-256:	0C274B149400E89EBC0F6335A9181005B4249CABEFA8EC8B47C1D56710B2D3EF
SHA-512:	AB29923B35AA1D21813F9D6B012979385F7C4B161FEE51C28A4987768B93297C81E88EAA969B9F491F0A359FD18F3515CC19C694ABD95413A575053C5BA29C7B
Malicious:	true
Yara Hits:	Rule: CN_Honker_WordpressScanner, Description: Sample from CN Honker Pentest Toolset - file WordpressScanner.exe, Source: C:\Users\user\Desktop\update.exe, Author: Florian Roth
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......p.-.4.C.4.C.4.C.[.H.=.C.[.I.2.C...M...C.O.O.1.C.b.P...C.V.P.(.C.4.B...C.....7.C...H.E.C...I..C..H.W.C..I./.C.4.C.m.C..E.5.C.Rich4.C.........................PE..L.....\|g.........................................@..........................................................................Q..,....0...e..............................................................................0............................text...n........................... ..`.rdata.............................@..@.data...j...........................@....rsrc....e...0...p... ..............@..@................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

Download File

Process:	C:\Users\user\Desktop\wRhEMj1swo.exe
File Type:	MS Windows icon resource - 1 icon, -128x-128, 32 bits/pixel
Category:	dropped
Size (bytes):	67646
Entropy (8bit):	5.7039139970238075
Encrypted:	false
SSDEEP:	1536:vrpcQaRJlr5a3QEC2ADfYVmqpPZf++r7MJsEzlDtr66Evbag:vrpcQaGHVmOhf++razdtYp
MD5:	19CAD721B59B09B208B5A7E2F6387843
SHA1:	7AB6F085A11E86D5514E182BF0DF1C96723C8901
SHA-256:	F9DFF22EF297227202F34343DA1BA9585F843B3AA0834B1074F273C9D9542252
SHA-512:	E6DB461CB85A7B4C9F44019678E49562B68B820FFF6F0EE82A7533F710858C7AA7DF72FE57E4FE0A6A8291C33AAD819C5DCD7B75F9A55CFF12AF12344A555E81
Malicious:	false
Reputation:	low
Preview:	............ .(.......(............. .................................................200.............................................. ...! ..! ..! ..$!..$!..$"..%#..&#..&#..'$..'$..(%.!(%.&+).),.,-+.,-+.),.-+.,-+.-.,.+.,.+.,.-.,.-.,.-.,.,-+.,,.(-,.(-,.'-,.'-,.'-,.&.-.'/..)/..)/..+32.+32.-32.-32.+33.+33.-32.-32..43..43..31..31..31..31..31./42.-41.+2/./-.+0..+2/.+2/.-0..).,.(-+.'.+.'.+.'.+.(-+.'.+.(/,.&/,.(/,.(/,.(/,.(/,.(/,.(/,.(/,.&/,.#,).!,). +(..'..(%..'$..%"..%"..&$..&$..$#..#"..#".."!.." .." .........................................PRR.............................................#%&.............................................. ..!!..!!..#!..$"..&$..%#..'$..&$..(%..'%..(&..(&..)'.!,.$,+.%-,.%-,.%-,.%-,.&.-.'/..'20.(31.21.21.21.+32.)33.)33.44.(44.)55.)55.)55.)55.66.+77.)55.)55.)55.)55.)55.)55.)55.)55.-77.-86.-86.-86.-86.-86.-86.-86.,75.+64.)42.(31.+64.+64.+32.(31.)42.'42.'42.'42.'42.'42.'42.&42.#0..#0..#0.."/-."/-.!.,.!.,.!.,..-+...+..,..,)..(..)&..'%..&$..%#..%$..$

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.061578692374249
TrID:	Win32 Executable (generic) a (10002005/4) 99.26% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02%
File name:	wRhEMj1swo.exe
File size:	5'660'160 bytes
MD5:	d7ae3392a9ce8d10923040dd4c3ef0af
SHA1:	37c5b3cf8831a841c5ed87a4129595c8a721302e
SHA256:	dbac017142912cc3bef0a236b80857511776be8119f7abd64253cccd23ebd6e4
SHA512:	731bee53652b0f6190ff9df76417f7f30193c939f635b023bf58a464ee2428535daf153e937fd591aa94d06999dd3db7fa86c3daf211b65416ab9d0046b1bf8e
SSDEEP:	98304:HdxNmK4FEV5TEZ7ce0Rg52Pw8B4DgXUtJBAUZLn:HtaV0RgYPxoKWJV7
TLSH:	B346BF23F042C0B2D5261AF032B6573CA9759FA11A35C983EBE4FEB5ED33162979510E
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........D.}ID.}ID.}I+.vIM.}I+.wIB.}I?.qIA.}I..nIh.}I.. IF.}I..sIh.}ID.\|I..}I&.nI[.}IM..IE.}I..oIN.}Ir.vI..}Ir.wI..}I..vI*.}I..wIt.}

File Icon


Icon Hash:	2731d28aae6e218f

Static PE Info

General

Entrypoint:	0x5d7650
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x677CD3FB [Tue Jan 7 07:12:59 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1841bc7befa66af3a16d317711e55a7e

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00860868h
push 005DA5B4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [006071C8h]
xor edx, edx
mov dl, ah
mov dword ptr [009BC1D4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [009BC1D0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [009BC1CCh], ecx
shr eax, 10h
mov dword ptr [009BC1C8h], eax
push 00000001h
call 00007F5124F01D2Bh
pop ecx
test eax, eax
jne 00007F5124EFBDEAh
push 0000001Ch
call 00007F5124EFBEA8h
pop ecx
call 00007F5124F01AD6h
test eax, eax
jne 00007F5124EFBDEAh
push 00000010h
call 00007F5124EFBE97h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F5124F01904h
call dword ptr [006073F0h]
mov dword ptr [009C1444h], eax
call 00007F5124F017C2h
mov dword ptr [009BC140h], eax
call 00007F5124F0156Bh
call 00007F5124F014ADh
call 00007F5124EFF35Eh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00607260h]
call 00007F5124F0143Eh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F5124EFBDE8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[C++] VS98 (6.0) SP6 build 8804
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x532738	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c2000	0x791c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x207000	0x80c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x205b5e	0x205c00	50aeeeb9ec9474888a2b10d9199f7d4b	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x207000	0x32e0c0	0x32e200	1a465cc638bc8f7704c968afb5dde86d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x536000	0x8b44a	0x2a200	0c1683502fdca9c65eabe46d3c312c96	False	0.3508844120919881	data	5.9722288998144375	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5c2000	0x791c	0x7a00	b0d5482a2c2286e7ebd7b631f9302e7d	False	0.44041367827868855	data	5.292361705762094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x5c2d9c	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x5c2da8	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x5c2dc0	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
WAVE	0x5c2f14	0x1448	RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz	Chinese	China	0.8330123266563945
RT_CURSOR	0x5c435c	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x5c4490	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x5c45c4	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x5c46f8	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_CURSOR	0x5c47ac	0x134	AmigaOS bitmap font "(", fc_YSize 4294967292, 3840 elements, 2nd "\377\370\017\377\377\374\037\377\377\376?\377\377\377\177\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.32792207792207795
RT_CURSOR	0x5c48e0	0x134	AmigaOS bitmap font "(", fc_YSize 4294967288, 3840 elements, 2nd "\377\370\037\377\377\370\037\377\377\370\037\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Chinese	China	0.3246753246753247
RT_BITMAP	0x5c4a14	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.3598901098901099
RT_BITMAP	0x5c4b80	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x5c4dc8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x5c4f0c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x5c5064	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x5c51bc	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x5c5314	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x5c546c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x5c55c4	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x5c571c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x5c5874	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x5c59cc	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x5c5fb0	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x5c6068	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x5c61d4	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x5c6318	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x5c6600	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x5c6728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.5215759849906192
RT_MENU	0x5c77d0	0xc	data	Chinese	China	1.5
RT_MENU	0x5c77dc	0x284	data	Chinese	China	0.5
RT_DIALOG	0x5c7a60	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x5c7af8	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x5c7c74	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x5c7d70	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x5c7e5c	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x5c870c	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x5c87c0	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x5c888c	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x5c8940	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x5c8a24	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x5c8bb0	0x50	data	Chinese	China	0.85
RT_STRING	0x5c8c00	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x5c8c2c	0x78	data	Chinese	China	0.925
RT_STRING	0x5c8ca4	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x5c8e68	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x5c8f94	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x5c90dc	0x40	data	Chinese	China	0.65625
RT_STRING	0x5c911c	0x64	data	Chinese	China	0.73
RT_STRING	0x5c9180	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x5c9358	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x5c946c	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x5c9490	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5c94a4	0x14	data	Chinese	China	1.4
RT_GROUP_CURSOR	0x5c94b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5c94cc	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x5c94e0	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x5c9504	0x14	data			1.2
RT_GROUP_ICON	0x5c9518	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x5c952c	0x14	data	Chinese	China	1.25
RT_VERSION	0x5c9540	0x20c	data	Chinese	China	0.5534351145038168
RT_MANIFEST	0x5c974c	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
MSVFW32.dll	DrawDibDraw
AVIFIL32.dll	AVIStreamGetFrame, AVIStreamInfoA
iphlpapi.dll	GetAdaptersInfo
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, PlaySoundA
WS2_32.dll	inet_ntoa, WSAStartup, WSACleanup, select, send, closesocket, WSAAsyncSelect, recvfrom, ioctlsocket, recv, getpeername, accept, ntohl
RASAPI32.dll	RasGetConnectStatusA, RasHangUpA
KERNEL32.dll	GetVersion, FileTimeToSystemTime, TerminateThread, VirtualAlloc, VirtualFree, CreateMutexA, ReleaseMutex, SuspendThread, InterlockedIncrement, InterlockedDecrement, LocalFree, FileTimeToLocalFileTime, lstrcpynA, DuplicateHandle, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, lstrcmpiA, GlobalDeleteAtom, GlobalFindAtomA, GlobalAddAtomA, GlobalGetAtomNameA, lstrcmpA, LocalAlloc, TlsAlloc, GlobalHandle, TlsFree, TlsSetValue, LocalReAlloc, TlsGetValue, GetFileTime, GetCurrentThread, GlobalFlags, SetErrorMode, GetProcessVersion, GetCPInfo, GetOEMCP, GetStartupInfoA, RtlUnwind, GetSystemTime, GetLocalTime, RaiseException, HeapSize, GetACP, SetStdHandle, GetFileType, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetEnvironmentVariableA, HeapDestroy, HeapCreate, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, IsBadWritePtr, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetLastError, GetSystemDirectoryA, GetWindowsDirectoryA, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, RemoveDirectoryA, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, MoveFileA, DeleteFileA, CopyFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, SetLocalTime, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, InterlockedExchange, GetTimeZoneInformation
USER32.dll	GetSysColorBrush, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetScrollPos, RegisterClassA, GetMenuItemCount, GetMenuItemID, SetWindowsHookExA, CallNextHookEx, GetClassLongA, SetPropA, UnhookWindowsHookEx, GetPropA, RemovePropA, GetMessageTime, GetLastActivePopup, RegisterWindowMessageA, GetWindowPlacement, EndDialog, CreateDialogIndirectParamA, DestroyWindow, GrayStringA, DrawTextA, TabbedTextOutA, EndPaint, BeginPaint, GetWindowDC, CharUpperA, GetWindowTextLengthA, SetWindowTextA, GetForegroundWindow, UnregisterHotKey, RegisterHotKey, CreateWindowExA, CallWindowProcA, GetWindowTextA, GetDlgItem, GetClassNameA, GetDesktopWindow, DrawStateA, FrameRect, GetNextDlgTabItem, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, TrackPopupMenu, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, LoadStringA, CreateIconFromResource, IntersectRect, UnregisterClassA
GDI32.dll	CreateSolidBrush, FillRgn, CreateRectRgn, CombineRgn, PatBlt, CreatePen, SelectObject, CreatePatternBrush, CreateBitmap, CreateDCA, CreateCompatibleBitmap, GetPolyFillMode, GetStretchBltMode, GetROP2, GetBkColor, GetBkMode, GetTextColor, CreateRoundRectRgn, CreateEllipticRgn, PathToRegion, EndPath, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, TranslateCharsetInfo, SaveDC, RestoreDC, SetROP2, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, CreateFontIndirectA, ExtSelectClipRgn, GetViewportExtEx, PtVisible, RectVisible, ExtTextOutA, Escape, GetTextMetricsA, SetDIBitsToDevice, SetTextColor, SetBkMode, TextOutA, SetBkColor, CreateRectRgnIndirect, CreateDIBSection, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, CreateFontA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, GetPixel, CreateCompatibleDC, GetTextExtentPoint32A, LineTo, SetPolyFillMode, GetDeviceCaps
WINSPOOL.DRV	DocumentPropertiesA, ClosePrinter, OpenPrinterA
comdlg32.dll	ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA
ADVAPI32.dll	RegCreateKeyExA, RegQueryValueA, RegSetValueExA, RegOpenKeyExA, RegCloseKey
SHELL32.dll	DragAcceptFiles, DragQueryFileA, ShellExecuteA, Shell_NotifyIconA, SHGetSpecialFolderPathA, DragFinish
ole32.dll	CLSIDFromProgID, OleInitialize, CLSIDFromString, CoCreateInstance, OleRun, OleUninitialize
OLEAUT32.dll	VariantChangeType, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantClear, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, VariantInit
COMCTL32.dll	ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_Destroy, ImageList_Create, ImageList_BeginDrag, ImageList_DragShowNolock, _TrackMouseEvent, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_EndDrag, ImageList_Read, ImageList_Duplicate, ImageList_Add
WININET.dll	InternetCrackUrlA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA, InternetReadFile, InternetConnectA, InternetSetOptionA, InternetOpenA, InternetCloseHandle, InternetCanonicalizeUrlA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T09:41:05.555259+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	103.235.46.96	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 09:41:04.323394060 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:04.323431015 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:04.323549032 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:04.350248098 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:04.350264072 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.555145025 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.555258989 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:05.555285931 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.555339098 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:05.558995008 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:05.559001923 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.559232950 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.608397007 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:05.675046921 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:05.719326973 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.997812033 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.997873068 CET	443	49730	103.235.46.96	192.168.2.4
Jan 8, 2025 09:41:05.997984886 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:06.016196966 CET	49730	443	192.168.2.4	103.235.46.96
Jan 8, 2025 09:41:06.016218901 CET	443	49730	103.235.46.96	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 09:41:04.311626911 CET	49724	53	192.168.2.4	1.1.1.1
Jan 8, 2025 09:41:04.318355083 CET	53	49724	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 09:41:04.311626911 CET	192.168.2.4	1.1.1.1	0xb855	Standard query (0)	www.baidu.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 09:41:04.318355083 CET	1.1.1.1	192.168.2.4	0xb855	No error (0)	www.baidu.com	www.a.shifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 09:41:04.318355083 CET	1.1.1.1	192.168.2.4	0xb855	No error (0)	www.a.shifen.com	www.wshifen.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 09:41:04.318355083 CET	1.1.1.1	192.168.2.4	0xb855	No error (0)	www.wshifen.com		103.235.46.96	A (IP address)	IN (0x0001)	false
Jan 8, 2025 09:41:04.318355083 CET	1.1.1.1	192.168.2.4	0xb855	No error (0)	www.wshifen.com		103.235.47.188	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	103.235.46.96	443	5932	C:\Users\user\Desktop\wRhEMj1swo.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 08:41:05 UTC	271	OUT	HEAD / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Accept: text/html, application/xhtml+xml, / Accept-Encoding: identity Accept-Language: zh-cn User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.baidu.com
2025-01-08 08:41:05 UTC	327	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform Content-Length: 277 Content-Type: text/html Date: Wed, 08 Jan 2025 08:41:05 GMT Etag: "575e1f6f-115" Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT Pragma: no-cache Server: bfe/1.0.8.18 Connection: close

Target ID:	0
Start time:	03:41:03
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\wRhEMj1swo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wRhEMj1swo.exe"
Imagebase:	0x400000
File size:	5'660'160 bytes
MD5 hash:	D7AE3392A9CE8D10923040DD4C3EF0AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000000.1716850322.00000000006F0000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	191
Total number of Limit Nodes:	16

Executed Functions

Function 00401BFE Relevance: .5, Instructions: 534
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43e91f5658e9c6bdc4b122ac241575454e0efba38d0e65e7341f6a4c2de222da
Instruction ID: cb2145ec05dfb67c699404afd3450a093bca2c7e454c731c957cacca2c279613
Opcode Fuzzy Hash: 43e91f5658e9c6bdc4b122ac241575454e0efba38d0e65e7341f6a4c2de222da
Instruction Fuzzy Hash: 2D0252B1A402169BFB00DF58ECC179AB7B1FF59324F280475E906AB381D379B951CB61

Function 004119E8 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a32d5af4d972bfee726ceb9e89cbc4e1c7d499818ae25d7447f144db315e6365
Instruction ID: 95d3b870bcb6fef589d624824f285a6dfde7cca0d58eb0d5bed38eb91d277166
Opcode Fuzzy Hash: a32d5af4d972bfee726ceb9e89cbc4e1c7d499818ae25d7447f144db315e6365
Instruction Fuzzy Hash: 3C7163B1E40309ABEF10DB949D87BDF7AB8BF14711F140425F604BB2C1E6B66A508B66

Function 005FF6A1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(009BBDA0,009BBD74,00000000,?,009BBD84,009BBD84,005FFA3C,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF,?,00000000), ref: 005FF6B0
GlobalAlloc.KERNEL32(00002002,00000000,?,?,009BBD84,009BBD84,005FFA3C,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF,?,00000000), ref: 005FF705
GlobalHandle.KERNEL32(00A02CA8), ref: 005FF70E
GlobalUnlock.KERNEL32(00000000), ref: 005FF717
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 005FF729
GlobalHandle.KERNEL32(00A02CA8), ref: 005FF740
GlobalLock.KERNEL32(00000000), ref: 005FF747
LeaveCriticalSection.KERNEL32(0w],?,?,009BBD84,009BBD84,005FFA3C,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF,?,00000000), ref: 005FF74D
GlobalLock.KERNEL32(00000000), ref: 005FF75C
LeaveCriticalSection.KERNEL32(?), ref: 005FF7A5

Strings

0w], xrefs: 005FF749

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID: 0w]
API String ID: 2667261700-2928606970
Opcode ID: 14a836d19322825eb98e50977cbab833775139a0b03f3b30fda316f9b2db858e
Instruction ID: e4875093aeb34c1d1859b7ac233102ab66a60a198e2d70f333e85c5cf3fdfa25
Opcode Fuzzy Hash: 14a836d19322825eb98e50977cbab833775139a0b03f3b30fda316f9b2db858e
Instruction Fuzzy Hash: 6E3152756447099FE7249F28DC89A2BBBEAFF44301B01492DF962C3A61E775F9048B50

Function 00600303 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNEL32(00000000,00000000,005FBACE,00000000,00000000,00000000,00000000,?,00000000,?,005F2A02,00000000,00000000,00000000,00000000,005D7730), ref: 0060030C
SetErrorMode.KERNEL32(00000000,?,00000000,?,005F2A02,00000000,00000000,00000000,00000000,005D7730,00000000), ref: 00600313

Part of subcall function 00600366: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00600397
Part of subcall function 00600366: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00600438
Part of subcall function 00600366: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00600465

Strings

0w], xrefs: 00600341

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID: 0w]
API String ID: 3389432936-2928606970
Opcode ID: 47e4f9777f6a79a288a2dea7bea5aa65c4acc3ef56cddde84d818b1dead3bc02
Instruction ID: 1dc92e5776812a81564c81046c9759732a25e12866b477459d5017e929169995
Opcode Fuzzy Hash: 47e4f9777f6a79a288a2dea7bea5aa65c4acc3ef56cddde84d818b1dead3bc02
Instruction Fuzzy Hash: 6BF0AF709142158FD719EF24D409B1B7BD5BF88710F05845EF0488B3A2CB74D800CB96

Function 005DD5F4 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,005D76AE,00000001), ref: 005DD605

Part of subcall function 005DD4AC: GetVersionExA.KERNEL32 ref: 005DD4CB

HeapDestroy.KERNEL32 ref: 005DD644

Part of subcall function 005E0E85: HeapAlloc.KERNEL32(00000000,00000140,005DD62D,000003F8), ref: 005E0E92

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: ee9f81f39e98385bde099ac8dc098cacc9890575f16db357e8c92dc1698a566f
Instruction ID: f51865484d63e975acad0fd8690db07e25b02cc39a601c185f58abc0afb40669
Opcode Fuzzy Hash: ee9f81f39e98385bde099ac8dc098cacc9890575f16db357e8c92dc1698a566f
Instruction Fuzzy Hash: 35F06570D59202EADB706B385D46B352DB4BBC0741F140467F545C92E4EAB0C580E972

Function 005FA81A Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 005FA82D
SetWindowsHookExA.USER32(000000FF,005FAB72,00000000,00000000), ref: 005FA83D

Part of subcall function 005FFA9D: __EH_prolog.LIBCMT ref: 005FFAA2

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 0c2c1aa7fc58c9d56cbeeb8ef714bf320bdc978e384402e41bddc0c42901e30d
Instruction ID: f5ed20bf61019511605a88c4788485b709784f6c60d40d311a46a49e7abb285c
Opcode Fuzzy Hash: 0c2c1aa7fc58c9d56cbeeb8ef714bf320bdc978e384402e41bddc0c42901e30d
Instruction Fuzzy Hash: 87F082719406095AD7302BB0AC0DBBA2E91BF44710F010664F756565E1C6A8AC80C362

Function 005D9E16 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005D9F0C

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a4e00daba088b312a59f1e63b1d627a9e119932e2158916c2e3a2ad72ae283b
Instruction ID: 2295377f52eeddbdbb6692e29cfe38e717927bd603d5e5ec95010e135b5468a9
Opcode Fuzzy Hash: 4a4e00daba088b312a59f1e63b1d627a9e119932e2158916c2e3a2ad72ae283b
Instruction Fuzzy Hash: E6316D72D0426AAACF30EFAC9C8569EBB78FB44720F10422BE825B63D1C7745940DB65

Function 005D8F95 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 005D907C

Part of subcall function 005DFCB4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,005D9ECC,00000009,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005DFCF1
Part of subcall function 005DFCB4: EnterCriticalSection.KERNEL32(?,?,?,005D9ECC,00000009,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005DFD0C

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 8ec08ea2c924c909b59c300af9342ff282d32ebe7c11619cd78ce379eeaf0e38
Instruction ID: 09522eea6c53038dc6314c9c2b0df1236d70be449a201506881ef74c61323e33
Opcode Fuzzy Hash: 8ec08ea2c924c909b59c300af9342ff282d32ebe7c11619cd78ce379eeaf0e38
Instruction Fuzzy Hash: 8721A332A04245EBDB30EB6DAC4AB9A7BA4FB00720F144127F514EB3D0C774A941DA55

Function 005D8E6E Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,005D9ECC,00000009,00000000,00000000,00000001,005DD43D,00000001,00000074), ref: 005D8F42

Part of subcall function 005DFCB4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,005D9ECC,00000009,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005DFCF1
Part of subcall function 005DFCB4: EnterCriticalSection.KERNEL32(?,?,?,005D9ECC,00000009,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005DFD0C

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 04b427a55df56949080c880f240842ec9d895abdb337ec261fcf515ca9117cbf
Instruction ID: 1447a8390f272f1d4d8db05219eb5a1331b5a87278219865f92cd809b0c012bd
Opcode Fuzzy Hash: 04b427a55df56949080c880f240842ec9d895abdb337ec261fcf515ca9117cbf
Instruction Fuzzy Hash: 9721C27294560AEADF20AB999C06BAE7F79FB45720F240527F410E23D0DB748940CAA5

Function 005FB616 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringA.USER32(?,?,?,?), ref: 005FB62D

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 82a880801e5d08906efaa71aee530ab6f1199bf736357138b4e2b1e52b71859b
Instruction ID: 566ca7b208f0e282238efe5439be3387d1b48e5e3a7ef24473bfca7a846deded
Opcode Fuzzy Hash: 82a880801e5d08906efaa71aee530ab6f1199bf736357138b4e2b1e52b71859b
Instruction Fuzzy Hash: 99D0A9724593A39BCB01DF64D80CD9FBFA8BF98320B094C4DF59083211C328E844CB62

Non-executed Functions

Function 004175E6 Relevance: 22.2, Strings: 17, Instructions: 951COMMON

Download Yara Rule

Strings

\main\data\app\!tmp.xlz, xrefs: 00417674
\main\corn, xrefs: 00417938, 0041799D
\main\work_plugin_tmp\, xrefs: 00417623
\main, xrefs: 00417716, 0041777B
\main\data\pack, xrefs: 00417D7C, 00417DE1
\main\data\plugin, xrefs: 00417C10, 00417C75
\main\data\pack\origin, xrefs: 00417E32, 00417E97
\main\work_plugin_tmp, xrefs: 00417EE8, 00417F4D
\main\corn\zlib.dll, xrefs: 004181B0, 004181B5
\main\wke, xrefs: 004179EE, 00417A53
\main\plugin, xrefs: 004177CC, 00417831
\main\data, xrefs: 00417882, 004178E7, 00417AA4, 00417B09
\main\corn\libeay32.dll, xrefs: 00417F9E, 00417FA3
\main\data\versiondownload, xrefs: 00417CC6, 00417D2B
\main\wke\, xrefs: 004176C5
\main\corn\sqlite3.dll, xrefs: 004180A7, 004180AC
\main\data\app, xrefs: 00417B5A, 00417BBF

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID: \main$\main\corn$\main\corn\libeay32.dll$\main\corn\sqlite3.dll$\main\corn\zlib.dll$\main\data$\main\data\app$\main\data\app\!tmp.xlz$\main\data\pack$\main\data\pack\origin$\main\data\plugin$\main\data\versiondownload$\main\plugin$\main\wke$\main\wke\$\main\work_plugin_tmp$\main\work_plugin_tmp\
API String ID: 0-1824072935
Opcode ID: cce16c0dc29e8666691254cd87ae415d179acc0e7e2869831ec293002b5af1ca
Instruction ID: 26c4af1515f830f3e269d3404704aa3efc9029cf975fead263daa6ae651b8f83
Opcode Fuzzy Hash: cce16c0dc29e8666691254cd87ae415d179acc0e7e2869831ec293002b5af1ca
Instruction Fuzzy Hash: 7A6260B1F4030477EB50AAA19CC3F6F7AA5EF54704F044079FB05BA3C2E6B6AA508755

Function 005E4C20 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,005DD7AE,?,Microsoft Visual C++ Runtime Library,00012010,?,00860CFC,?,00860D4C,?,?,?,Runtime Error!Program: ), ref: 005E4C32
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 005E4C4A
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 005E4C5B
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 005E4C68

Strings

GetLastActivePopup, xrefs: 005E4C5D
MessageBoxA, xrefs: 005E4C44
user32.dll, xrefs: 005E4C2D
GetActiveWindow, xrefs: 005E4C55

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: e1390d88d63d0e02cca65ee5f025441b1b0106c97e04a45066dec27e20cf2b62
Instruction ID: de4fbce00d682f29a0ce494114c779e92a484c627ae46b0b14b4045c67234134
Opcode Fuzzy Hash: e1390d88d63d0e02cca65ee5f025441b1b0106c97e04a45066dec27e20cf2b62
Instruction Fuzzy Hash: BB01B571614351AF87109FB79E889277EDAFA887603150469B54AC3221DAB49C00BF30

Function 005DD4AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 005DD4CB
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 005DD500
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 005DD560

Strings

__MSVCRT_HEAP_SELECT, xrefs: 005DD4FB
__GLOBAL_HEAP_SELECTED, xrefs: 005DD53A

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: fa03274e213e86f904198252615b5b51fb8a0383b59c7726dc10a3f852e706d4
Instruction ID: 943668c1126a5bbfb7c16b57ccec6431720ccca8c3bfcde4f5e3552d89214658
Opcode Fuzzy Hash: fa03274e213e86f904198252615b5b51fb8a0383b59c7726dc10a3f852e706d4
Instruction Fuzzy Hash: F331F6719452886EEB35867C7C45BE97F78BB02308F6404DBE185DA342E6709E89CB31

Function 0047677F Relevance: 3.5, Strings: 1, Instructions: 2217COMMON

Download Yara Rule

Strings

!, xrefs: 00476801

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 0ea7c4aa144994aedc4b2d19b68276e92db77d8258ff7d3e863f327036cfbfcb
Instruction ID: afcc0b830ff8fc352c1429649a0e47f960f10b6ddff15dd95f6362921a47e7e5
Opcode Fuzzy Hash: 0ea7c4aa144994aedc4b2d19b68276e92db77d8258ff7d3e863f327036cfbfcb
Instruction Fuzzy Hash: A4131470D00629EBDF00EF91EC86ADDBF71FF58310F14866AF9587A295DB721A608B41

Function 0044086C Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: b917172686b5d614e026440cdc05949f0510fa4c7c16ac5965b68feb5ee08fe6
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 9D112B64A10208DBEB00DFA4D580BAFB375FF5C700F105069D608EB395E77A9E10C7AA

Function 004222F3 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 4b9d438164f6e2214db0c9e65cd9984ff7cee6f9638b44ee477d6fad7f2157df
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 6E112B64A10209D7EB00CFA4D580BAFB376FF5C700F105069D908EB395E77A9E10C7AA

Function 00421EEC Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 4dad3647fca4719f91576c2b966fa23797f4e4dcffaba2399a2060a7f383dc43
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: 20112B64A10208D7EB00CFA4D580BAFB375FF6C700F105069D908EB395E77A9E51C7AA

Function 0043E797 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction ID: 2fefb3e5dec1af4fac95c34bb9b0853e4fc8bd943c71c77400ee65158f1d5662
Opcode Fuzzy Hash: df243571f50a38fa1868784450a17c7f6b8ff57fb907259a4febf094eb20b85c
Instruction Fuzzy Hash: AE111964A10208D7EB00DFA5D580BAFB375FF2C700F105069D508EB395E77A9E11C7AA

Function 004706E8 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ad7dfa48c239ea3d0e4e6a6947198e39da5d0cc551757ff1b228b18c1839d9
Instruction ID: 5c3b48c2abf1ef263d97beb9245c49f927de98a4584c7822c65cdc96364cf23e
Opcode Fuzzy Hash: 66ad7dfa48c239ea3d0e4e6a6947198e39da5d0cc551757ff1b228b18c1839d9
Instruction Fuzzy Hash: 49113C78A45318EFCB11CF59E9C0A89BBB0FF1E310B5154A9DA489B306D3706E50EB62

Function 0047FB4C Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4166609f46e1e3870822f18e47ad906b85be3cb121b05c48cc550c3ccd7ee5f7
Instruction ID: d69b516b65d026ecdfe2c868a76ccb602657c2c5d6c07752d9e3d3657f5cfb13
Opcode Fuzzy Hash: 4166609f46e1e3870822f18e47ad906b85be3cb121b05c48cc550c3ccd7ee5f7
Instruction Fuzzy Hash: 8FD0C934250749CFDB01CF14C0E2B41B3A8EB89B58F108071DD419B345D2B8F945CAA5

Function 004200FF Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f257f19965b87bcb6f7454717a867be4e02cacbce74783232d48ec6df0bfb573
Instruction ID: 431d3468442b92c2cdb8e9e687ab02f782d16e4631adfba4a2873e85dca12162
Opcode Fuzzy Hash: f257f19965b87bcb6f7454717a867be4e02cacbce74783232d48ec6df0bfb573
Instruction Fuzzy Hash: FFB0121630810517F300004FEC41702718DC3C426CF44C060A005E2381E083EC0001A0

Function 005DD0C3 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005D76E6), ref: 005DD0DE
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005D76E6), ref: 005DD0F2
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,005D76E6), ref: 005DD11E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005D76E6), ref: 005DD156
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,005D76E6), ref: 005DD178
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,005D76E6), ref: 005DD191
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,005D76E6), ref: 005DD1A4
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 005DD1E2

Strings

v], xrefs: 005DD18C, 005DD17E

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: v]
API String ID: 1823725401-2291034021
Opcode ID: e63f48da157bcda2c4ac90e8bbbb8e7fe552414e3e559f0ff1665d52e1c84d81
Instruction ID: 44a1fbb1b994fbf6a949b6afa0a61ca7f9344a5ae7da90bb61b5ea80c1978c2a
Opcode Fuzzy Hash: e63f48da157bcda2c4ac90e8bbbb8e7fe552414e3e559f0ff1665d52e1c84d81
Instruction Fuzzy Hash: A631A3B29092666FDB307BFC9C8883BBEBDF686358B15092BF955C3300E6615D45C2B1

Function 005E0BB4 Relevance: 13.7, APIs: 9, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,00860F7C,00000001,00000000,00000000,74DEE860,009C00A4,?,?,?,005D942D,?,?,?,00000000), ref: 005E0BF6
LCMapStringA.KERNEL32(00000000,00000100,00860F78,00000001,00000000,00000000,?,?,005D942D,?,?,?,00000000,00000001), ref: 005E0C12
LCMapStringA.KERNEL32(?,?,?,005D942D,?,?,74DEE860,009C00A4,?,?,?,005D942D,?,?,?,00000000), ref: 005E0C5B
MultiByteToWideChar.KERNEL32(?,009C00A5,?,005D942D,00000000,00000000,74DEE860,009C00A4,?,?,?,005D942D,?,?,?,00000000), ref: 005E0C93
MultiByteToWideChar.KERNEL32(00000000,00000001,?,005D942D,?,00000000,?,?,005D942D,?), ref: 005E0CEB
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,005D942D,?), ref: 005E0D01
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,005D942D,?), ref: 005E0D34
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,005D942D,?), ref: 005E0D9C

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: adff8b6602b683eecb763217cde7e0ccfa3a80c8f3106b84fa1ea256d63c0365
Instruction ID: 1fce51368f76eb600062a1e878e49cf749de96192f7671c4da9e7cef5d0361e0
Opcode Fuzzy Hash: adff8b6602b683eecb763217cde7e0ccfa3a80c8f3106b84fa1ea256d63c0365
Instruction Fuzzy Hash: E6519C71900289EBCF228F95CE45EEF7FB9FB48750F205219F954A61A0D3B1AD90DB60

Function 005DD68A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 005DD6F7
GetStdHandle.KERNEL32(000000F4,00860CFC,00000000,00000000,00000000,?), ref: 005DD7CD
WriteFile.KERNEL32(00000000), ref: 005DD7D4

Strings

Runtime Error!Program: , xrefs: 005DD75D
<program name unknown>, xrefs: 005DD707
Microsoft Visual C++ Runtime Library, xrefs: 005DD7A3
..., xrefs: 005DD749

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3477663a78481da2145b23645d776c95fe424290794b95652a2bcb580411782f
Instruction ID: 490313afeb54315750d49439658081c5b307ba026fe74bc99ab2ff5815c0e36c
Opcode Fuzzy Hash: 3477663a78481da2145b23645d776c95fe424290794b95652a2bcb580411782f
Instruction Fuzzy Hash: 6331E672A00218AFDF34E6A4CD49FAA3BBDFB81300F501597F544E6281E670AA848F61

Function 005E434A Relevance: 9.1, APIs: 6, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,00860F7C,00000001,?,74DEE860,009C00A4,?,?,005D942D,?,?,?,00000000,00000001), ref: 005E4389
GetStringTypeA.KERNEL32(00000000,00000001,00860F78,00000001,?,?,005D942D,?,?,?,00000000,00000001), ref: 005E43A3
GetStringTypeA.KERNEL32(?,?,?,?,005D942D,74DEE860,009C00A4,?,?,005D942D,?,?,?,00000000,00000001), ref: 005E43D7
MultiByteToWideChar.KERNEL32(?,009C00A5,?,?,00000000,00000000,74DEE860,009C00A4,?,?,005D942D,?,?,?,00000000,00000001), ref: 005E440F
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,005D942D,?), ref: 005E4465
GetStringTypeW.KERNEL32(?,?,00000000,005D942D,?,?,?,?,?,?,005D942D,?), ref: 005E4477

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: 5deb1587c8aa3ac978f4e12739704dd0cfc3abfd689b95beb43a99dfb15dda5e
Instruction ID: 394e11ce305d34699af0339132734e3aa4eeaaac1cb23251ffc25468070425e2
Opcode Fuzzy Hash: 5deb1587c8aa3ac978f4e12739704dd0cfc3abfd689b95beb43a99dfb15dda5e
Instruction Fuzzy Hash: BE416D72A40299EFCF209F95DC89AAF7FB9FB18750F10491AFA51D2290C3349950DBA0

Function 005FF810 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(009BBD84,009BBD74,00000000,?,009BBD84,?,005FFA78,009BBD74,00000000,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 005FF81B
EnterCriticalSection.KERNEL32(009BBDA0,00000010,?,009BBD84,?,005FFA78,009BBD74,00000000,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 005FF86A
LeaveCriticalSection.KERNEL32(009BBDA0,00000000,?,009BBD84,?,005FFA78,009BBD74,00000000,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 005FF87D
LocalAlloc.KERNEL32(00000000,00000005,?,009BBD84,?,005FFA78,009BBD74,00000000,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 005FF893
LocalReAlloc.KERNEL32(?,00000005,00000002,?,009BBD84,?,005FFA78,009BBD74,00000000,?,00000000,005FF48F,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 005FF8A5
TlsSetValue.KERNEL32(009BBD84,00000000), ref: 005FF8E1

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: e1dca5834538845a6832ef52dd5ad30bd93259b6ae781085200fb12343fbce57
Instruction ID: d34c16330a939a668798d1364149905177e11a213c539be323633408254a3631
Opcode Fuzzy Hash: e1dca5834538845a6832ef52dd5ad30bd93259b6ae781085200fb12343fbce57
Instruction Fuzzy Hash: 74318C31500609EFE724CF54C899F6ABBA9FF84360F008629F616C7A50E734F905CBA0

Function 00600366 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00600397

Part of subcall function 00600483: lstrlenA.KERNEL32(00000104,00000000,?,006003C7), ref: 006004BA

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00600438
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00600465

Strings

.HLP, xrefs: 00600432
.INI, xrefs: 0060045F

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 1a4bd1553bb18208485cb963076845060f068ef80e1d30a7f3b4df79ae0796a4
Instruction ID: ca9d46c6d654c8e0c68d7634694f7d9c9df430897e786ef552aa4c2374b1e95b
Opcode Fuzzy Hash: 1a4bd1553bb18208485cb963076845060f068ef80e1d30a7f3b4df79ae0796a4
Instruction Fuzzy Hash: EA317CB5844709DFEB24DB74D888BC7B7EDFB08300F10496AE299D3281DB74A9808B90

Function 005DD1F5 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 005DD253
GetFileType.KERNEL32(?,?,00000000), ref: 005DD2FE
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 005DD361
GetFileType.KERNEL32(00000000,?,00000000), ref: 005DD36F
SetHandleCount.KERNEL32 ref: 005DD3A6

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 61ac8dbe7b3e49b3282e4fe6dafd815620d22f25a7b6f6b2d0f7e8bd7d942488
Instruction ID: 05fd84a3848206fa4a9ec357fa2059fc16d0a78af726c087a73e38d92a0bf690
Opcode Fuzzy Hash: 61ac8dbe7b3e49b3282e4fe6dafd815620d22f25a7b6f6b2d0f7e8bd7d942488
Instruction Fuzzy Hash: E951D371908202CFC730CB2CC888B697FB0BB51364F298A6BD5A69B3E1D730D945C762

Function 005DD418 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,005D9A22,005DC2D8,00000000,?,?,00000000,00000001), ref: 005DD41A
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 005DD428
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 005DD474

Part of subcall function 005D9E16: RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,005DD43D,00000001,00000074,?,?,00000000,00000001), ref: 005D9F0C

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 005DD44C
GetCurrentThreadId.KERNEL32 ref: 005DD45D

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread
String ID:
API String ID: 2047054392-0
Opcode ID: 298ff72e5404d0feb93b0c30fef02af1e5626a445150cb8d07b75657c79bbe54
Instruction ID: 386ebc68ed5a8ef154abcd70a4e6158382be9351ea63529ae7c314bf4bd13e5a
Opcode Fuzzy Hash: 298ff72e5404d0feb93b0c30fef02af1e5626a445150cb8d07b75657c79bbe54
Instruction Fuzzy Hash: 50F0F032948722ABDB302F38BC0D65A3F61FF41B72B10461BF951962A0CF70A841A7A0

Function 005E19CC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,0095D630,0095D630,?,?,005E1E98,00000000,00000010,00000000,00000009,00000009,?,005D9041,00000010,00000000), ref: 005E19ED
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,005E1E98,00000000,00000010,00000000,00000009,00000009,?,005D9041,00000010,00000000), ref: 005E1A11
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,005E1E98,00000000,00000010,00000000,00000009,00000009,?,005D9041,00000010,00000000), ref: 005E1A2B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,005E1E98,00000000,00000010,00000000,00000009,00000009,?,005D9041,00000010,00000000,?), ref: 005E1AEC
HeapFree.KERNEL32(00000000,00000000,?,?,005E1E98,00000000,00000010,00000000,00000009,00000009,?,005D9041,00000010,00000000,?,00000000), ref: 005E1B03

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: ba81a3e1d532537e0d90a06d2c78681f1c5f2f3b36023a7d5f6fa9d71c76aec9
Instruction ID: 42f027b26e4ec1c66c6bdc23522626e8f7a632078cb100c2467eaba4925fc80d
Opcode Fuzzy Hash: ba81a3e1d532537e0d90a06d2c78681f1c5f2f3b36023a7d5f6fa9d71c76aec9
Instruction Fuzzy Hash: 8A310171643B46DBD334CF2ADC40B26BBE4FB44751F10463AE599972D0E770A884DB88

Function 005D7650 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 005D7676

Part of subcall function 005DD5F4: HeapCreate.KERNEL32(00000000,00001000,00000000,005D76AE,00000001), ref: 005DD605
Part of subcall function 005DD5F4: HeapDestroy.KERNEL32 ref: 005DD644

GetCommandLineA.KERNEL32 ref: 005D76D6
GetStartupInfoA.KERNEL32(?), ref: 005D7701
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 005D7724

Part of subcall function 005D777D: ExitProcess.KERNEL32 ref: 005D779A

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 4f90bdbaab5436fa3481b3a853eefced6ebebb898f9e995c062764fd17b0a8c9
Instruction ID: 28382f7c6ba52da0fc9470a6f1af113f0cbebce2947f8b77c1b73987b66654ba
Opcode Fuzzy Hash: 4f90bdbaab5436fa3481b3a853eefced6ebebb898f9e995c062764fd17b0a8c9
Instruction Fuzzy Hash: C42193B185860A9BD728AFAC9C49A6E7F79FB45711F10052BF801AA3A1EB744840CB61

Function 005DC579 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 005DC58D

Strings

, xrefs: 005DC5D6
, xrefs: 005DC5B2

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: fbf2d55d1992b2828341290ee368b2b0097591ab566d181a6b4a3f829bcea1c1
Instruction ID: 2c63d1f4cdd37fc31a6556ad44406ea7d4b948badd6e4a697e2d24fb48ba51b6
Opcode Fuzzy Hash: fbf2d55d1992b2828341290ee368b2b0097591ab566d181a6b4a3f829bcea1c1
Instruction Fuzzy Hash: 01413A314082999BEB26872CDC4DFFB7F99BB46704F1814D7E185D7293C2718A44DB62

Function 005E152A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,005E12F2,00000000,00000000,00000000,005D8FE3,00000000,00000000,?,00000000,00000000,00000000), ref: 005E1552
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,005E12F2,00000000,00000000,00000000,005D8FE3,00000000,00000000,?,00000000,00000000,00000000), ref: 005E1586
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 005E15A0
HeapFree.KERNEL32(00000000,?), ref: 005E15B7

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: df78756c7a05a62308931e25ee23a5f4508a8533a6b5e18d90e139d77e79bd16
Instruction ID: e2a0f356ed66ca4fc86a221981e89018d853a520857c077296c063ecea21e913
Opcode Fuzzy Hash: df78756c7a05a62308931e25ee23a5f4508a8533a6b5e18d90e139d77e79bd16
Instruction Fuzzy Hash: BA115830A08700EFD764CF19EC85E227BB2FBC5720B114A1AE5A2C21F0C330A945EF10

Function 0060077F Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(009BBF48,?,00000000,?,?,005FFABE,00000010,?,00000000,?,?,?,005FF4A5,005FF508,005FED89,005FF4AB), ref: 006007BA
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,005FFABE,00000010,?,00000000,?,?,?,005FF4A5,005FF508,005FED89,005FF4AB), ref: 006007CC
LeaveCriticalSection.KERNEL32(009BBF48,?,00000000,?,?,005FFABE,00000010,?,00000000,?,?,?,005FF4A5,005FF508,005FED89,005FF4AB), ref: 006007D5
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,005FFABE,00000010,?,00000000,?,?,?,005FF4A5,005FF508,005FED89,005FF4AB,005FA80A), ref: 006007E7

Part of subcall function 006006EC: GetVersion.KERNEL32(?,0060078F,?,005FFABE,00000010,?,00000000,?,?,?,005FF4A5,005FF508,005FED89,005FF4AB,005FA80A,005FBAAF), ref: 006006FF

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 61d0ed3ea336d5170fed718c0ebdc8c6f569a0c0c731bc1147ae36bf2bdedb18
Instruction ID: cdf30a1604c954d203961bd91cbc315bc7a298ca3c130c6cabe5229e7129eaf1
Opcode Fuzzy Hash: 61d0ed3ea336d5170fed718c0ebdc8c6f569a0c0c731bc1147ae36bf2bdedb18
Instruction Fuzzy Hash: 24F0AF7145820EDFDB14AF64ECC0AA7B3AEFB10326F00113AEA01921A1E774B455EFA0

Function 005DFC8B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,005DD3B7,?,005D76C0), ref: 005DFC98
InitializeCriticalSection.KERNEL32(?,005DD3B7,?,005D76C0), ref: 005DFCA0
InitializeCriticalSection.KERNEL32(?,005DD3B7,?,005D76C0), ref: 005DFCA8
InitializeCriticalSection.KERNEL32(?,005DD3B7,?,005D76C0), ref: 005DFCB0

Memory Dump Source

Source File: 00000000.00000002.1800592084.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1800573964.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.0000000000607000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1800748036.00000000006F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801070127.0000000000936000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801086705.0000000000938000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801105728.000000000093A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801139225.0000000000944000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801156606.0000000000945000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801173915.000000000094B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801190842.000000000094C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801213089.000000000095B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801231609.000000000095F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.0000000000960000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.000000000096C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009A9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009BA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801247691.00000000009C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1801350616.00000000009C2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wRhEMj1swo.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 2bc9a27d71ab4e8de4f6aa7b1144a222d394af5d26f99d7cb11bfd8e037d7805
Instruction ID: 2e59d2f79542d63eef59b7d5057a635145d94a90fb1d99f76d98b8f866eeaf26
Opcode Fuzzy Hash: 2bc9a27d71ab4e8de4f6aa7b1144a222d394af5d26f99d7cb11bfd8e037d7805
Instruction Fuzzy Hash: D4C00231C2F2349BCF362B67FD0584A3F66EB442663011067A5045203096722D10FFD1

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wRhEMj1swo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\desktop.ini

C:\Users\user\Desktop\update.exe

C:\Users\user\Documents\19CAD721B59B09B208B5A7E2F6387843.ico

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
wRhEMj1swo.exe

Function 00401BFE Relevance: .5, Instructions: 534
COMMON

Function 005FF6A1 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 99
memoryCOMMON

Function 00600303 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32
COMMON

Function 005DD5F4 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 005FA81A Relevance: 3.0, APIs: 2, Instructions: 27
threadCOMMON

Function 005D9E16 Relevance: 1.6, APIs: 1, Instructions: 99
memoryCOMMON

Function 005D8F95 Relevance: 1.6, APIs: 1, Instructions: 80
memoryCOMMON

Function 005D8E6E Relevance: 1.6, APIs: 1, Instructions: 75
memoryCOMMON

Function 005FB616 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON