Edit tour

Windows Analysis Report
leUmNO9XPu.exe

Overview

General Information

Sample name:	leUmNO9XPu.exe renamed because original name is a hash value
Original sample name:	db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe
Analysis ID:	1588753
MD5:	46a4d09a8947dce0c60d1fb5e757ad02
SHA1:	5ee29ea5c51b3db66cf2ed4d6787aa44febc33d6
SHA256:	db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06
Tags:	exeHawkEyeuser-adrian__luca
Infos:

Detection

HawkEye, MailPassView

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected HawkEye Rat

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected HawkEye Keylogger

Yara detected MailPassView

AI detected suspicious sample

Allocates memory in foreign processes

Changes the view of files in windows explorer (hidden files and folders)

Deletes itself after installation

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses process hollowing technique

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Instant Messenger accounts or passwords

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected WebBrowserPassView password recovery tool

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May infect USB drives

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Outbound SMTP Connections

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

leUmNO9XPu.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\leUmNO9XPu.exe" MD5: 46A4D09A8947DCE0C60D1FB5E757AD02)

Windows Update.exe (PID: 7736 cmdline: "C:\Users\user\AppData\Roaming\Windows Update.exe" MD5: 46A4D09A8947DCE0C60D1FB5E757AD02)

dw20.exe (PID: 7928 cmdline: dw20.exe -x -s 2480 MD5: 89106D4D0BA99F770EAFE946EA81BB65)

vbc.exe (PID: 8172 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt" MD5: D881DE17AA8F2E2C08CBB7B265F928F9)

vbc.exe (PID: 7176 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt" MD5: D881DE17AA8F2E2C08CBB7B265F928F9)

WindowsUpdate.exe (PID: 5320 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 46A4D09A8947DCE0C60D1FB5E757AD02)

WindowsUpdate.exe (PID: 4476 cmdline: "C:\Users\user\AppData\Roaming\WindowsUpdate.exe" MD5: 46A4D09A8947DCE0C60D1FB5E757AD02)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
HawkEye Keylogger, HawkEye, HawkEye Reborn	HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.	No Attribution	http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://any.run/cybersecurity-blog/hawkeye-malware-technical-analysis/ https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/	https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger

Malware Configuration

Threatname: HawkEye

{"Protocol": "SMTP", "Username": "compensation@britishcrowncourt.net", "Password": "@Hustle007ky1", "Host": "mail.britishcrowncourt.net", "Port": "587"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
leUmNO9XPu.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
leUmNO9XPu.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
leUmNO9XPu.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
leUmNO9XPu.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
leUmNO9XPu.exe	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
leUmNO9XPu.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c027:$hawkstr1: HawkEye Keylogger 0x7ce54:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d2de:$hawkstr1: HawkEye Keylogger 0x7d441:$hawkstr1: HawkEye Keylogger 0x7d6d8:$hawkstr1: HawkEye Keylogger 0x7bb99:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7d32d:$hawkstr2: Dear HawkEye Customers! 0x7d494:$hawkstr2: Dear HawkEye Customers! 0x7bcba:$hawkstr3: HawkEye Logger Details:
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\Windows Update.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
C:\Users\user\AppData\Roaming\Windows Update.exe	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
C:\Users\user\AppData\Roaming\Windows Update.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c027:$hawkstr1: HawkEye Keylogger 0x7ce54:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d2de:$hawkstr1: HawkEye Keylogger 0x7d441:$hawkstr1: HawkEye Keylogger 0x7d6d8:$hawkstr1: HawkEye Keylogger 0x7bb99:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7d32d:$hawkstr2: Dear HawkEye Customers! 0x7d494:$hawkstr2: Dear HawkEye Customers! 0x7bcba:$hawkstr3: HawkEye Logger Details:
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c027:$hawkstr1: HawkEye Keylogger 0x7ce54:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d2de:$hawkstr1: HawkEye Keylogger 0x7d441:$hawkstr1: HawkEye Keylogger 0x7d6d8:$hawkstr1: HawkEye Keylogger 0x7bb99:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7d32d:$hawkstr2: Dear HawkEye Customers! 0x7d494:$hawkstr2: Dear HawkEye Customers! 0x7bcba:$hawkstr3: HawkEye Logger Details:
Click to see the 7 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000003.00000002.1682478375.0000000004371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b714:$key: HawkEyeKeylogger 0x7d9dc:$salt: 099u787978786 0x7bdcf:$string1: HawkEye_Keylogger 0x7cc0e:$string1: HawkEye_Keylogger 0x7d93c:$string1: HawkEye_Keylogger 0x7c1a4:$string2: holdermail.txt 0x7c1c4:$string2: holdermail.txt 0x7c0e6:$string3: wallet.dat 0x7c0fe:$string3: wallet.dat 0x7c114:$string3: wallet.dat 0x7d500:$string4: Keylog Records 0x7d818:$string4: Keylog Records 0x7da34:$string5: do not script --> 0x7b6fc:$string6: \pidloc.txt 0x7b78a:$string7: BSPLIT 0x7b79a:$string7: BSPLIT
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b714:$key: HawkEyeKeylogger 0x7d9dc:$salt: 099u787978786 0x7bdcf:$string1: HawkEye_Keylogger 0x7cc0e:$string1: HawkEye_Keylogger 0x7d93c:$string1: HawkEye_Keylogger 0x7c1a4:$string2: holdermail.txt 0x7c1c4:$string2: holdermail.txt 0x7c0e6:$string3: wallet.dat 0x7c0fe:$string3: wallet.dat 0x7c114:$string3: wallet.dat 0x7d500:$string4: Keylog Records 0x7d818:$string4: Keylog Records 0x7da34:$string5: do not script --> 0x7b6fc:$string6: \pidloc.txt 0x7b78a:$string7: BSPLIT 0x7b79a:$string7: BSPLIT
00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7be27:$hawkstr1: HawkEye Keylogger 0x7cc54:$hawkstr1: HawkEye Keylogger 0x7cf83:$hawkstr1: HawkEye Keylogger 0x7d0de:$hawkstr1: HawkEye Keylogger 0x7d241:$hawkstr1: HawkEye Keylogger 0x7d4d8:$hawkstr1: HawkEye Keylogger 0x7b999:$hawkstr2: Dear HawkEye Customers! 0x7cfd6:$hawkstr2: Dear HawkEye Customers! 0x7d12d:$hawkstr2: Dear HawkEye Customers! 0x7d294:$hawkstr2: Dear HawkEye Customers! 0x7baba:$hawkstr3: HawkEye Logger Details:
00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x34150:$key: HawkEyeKeylogger 0x34b68:$salt: 099u787978786 0x4dc74:$string1: HawkEye_Keylogger 0x88128:$string1: HawkEye_Keylogger 0x757c0:$string2: holdermail.txt 0x757f0:$string2: holdermail.txt 0x7711e:$string2: holdermail.txt 0x7748a:$string2: holdermail.txt 0x7755e:$string2: holdermail.txt 0x77632:$string2: holdermail.txt 0x77706:$string2: holdermail.txt 0x777da:$string2: holdermail.txt 0x778ae:$string2: holdermail.txt 0x77982:$string2: holdermail.txt 0x77a56:$string2: holdermail.txt 0x77b2a:$string2: holdermail.txt 0x77bfe:$string2: holdermail.txt 0x77cd2:$string2: holdermail.txt 0x77da6:$string2: holdermail.txt 0x77e7a:$string2: holdermail.txt 0x77f4e:$string2: holdermail.txt
00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x34150:$key: HawkEyeKeylogger 0x34b68:$salt: 099u787978786 0x4dc74:$string1: HawkEye_Keylogger 0x88128:$string1: HawkEye_Keylogger 0x757c0:$string2: holdermail.txt 0x757f0:$string2: holdermail.txt 0x7711e:$string2: holdermail.txt 0x7748a:$string2: holdermail.txt 0x7755e:$string2: holdermail.txt 0x77632:$string2: holdermail.txt 0x77706:$string2: holdermail.txt 0x777da:$string2: holdermail.txt 0x778ae:$string2: holdermail.txt 0x77982:$string2: holdermail.txt 0x77a56:$string2: holdermail.txt 0x77b2a:$string2: holdermail.txt 0x77bfe:$string2: holdermail.txt 0x77cd2:$string2: holdermail.txt 0x77da6:$string2: holdermail.txt 0x77e7a:$string2: holdermail.txt 0x77f4e:$string2: holdermail.txt
00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x4dd04:$hawkstr1: HawkEye Keylogger 0x4fd58:$hawkstr1: HawkEye Keylogger 0x50144:$hawkstr1: HawkEye Keylogger 0x51930:$hawkstr1: HawkEye Keylogger 0x53fec:$hawkstr1: HawkEye Keylogger 0x88180:$hawkstr1: HawkEye Keylogger 0x4d750:$hawkstr2: Dear HawkEye Customers! 0x4f798:$hawkstr2: Dear HawkEye Customers! 0x4fdbc:$hawkstr2: Dear HawkEye Customers! 0x501a8:$hawkstr2: Dear HawkEye Customers! 0x4d882:$hawkstr3: HawkEye Logger Details: 0x4f8c2:$hawkstr3: HawkEye Logger Details:
Process Memory Space: leUmNO9XPu.exe PID: 7472	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: leUmNO9XPu.exe PID: 7472	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: leUmNO9XPu.exe PID: 7472	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: Windows Update.exe PID: 7736	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: Windows Update.exe PID: 7736	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
Process Memory Space: Windows Update.exe PID: 7736	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Process Memory Space: vbc.exe PID: 8172	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: vbc.exe PID: 7176	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
Click to see the 17 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.leUmNO9XPu.exe.5efa72.1.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.2.Windows Update.exe.4378020.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
8.2.vbc.exe.400000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
3.2.Windows Update.exe.4378020.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.0.leUmNO9XPu.exe.599c0d.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.2.Windows Update.exe.43efef0.3.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
9.2.vbc.exe.400000.0.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
9.2.vbc.exe.400000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
3.2.Windows Update.exe.43efef0.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x1dca2:$key: HawkEyeKeylogger 0x1ff6a:$salt: 099u787978786 0x1e35d:$string1: HawkEye_Keylogger 0x1f19c:$string1: HawkEye_Keylogger 0x1feca:$string1: HawkEye_Keylogger 0x1e732:$string2: holdermail.txt 0x1e752:$string2: holdermail.txt 0x1e674:$string3: wallet.dat 0x1e68c:$string3: wallet.dat 0x1e6a2:$string3: wallet.dat 0x1fa8e:$string4: Keylog Records 0x1fda6:$string4: Keylog Records 0x1ffc2:$string5: do not script --> 0x1dc8a:$string6: \pidloc.txt 0x1dd18:$string7: BSPLIT 0x1dd28:$string7: BSPLIT
0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x1dca2:$key: HawkEyeKeylogger 0x1ff6a:$salt: 099u787978786 0x1e35d:$string1: HawkEye_Keylogger 0x1f19c:$string1: HawkEye_Keylogger 0x1feca:$string1: HawkEye_Keylogger 0x1e732:$string2: holdermail.txt 0x1e752:$string2: holdermail.txt 0x1e674:$string3: wallet.dat 0x1e68c:$string3: wallet.dat 0x1e6a2:$string3: wallet.dat 0x1fa8e:$string4: Keylog Records 0x1fda6:$string4: Keylog Records 0x1ffc2:$string5: do not script --> 0x1dc8a:$string6: \pidloc.txt 0x1dd18:$string7: BSPLIT 0x1dd28:$string7: BSPLIT
0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1e3b5:$hawkstr1: HawkEye Keylogger 0x1f1e2:$hawkstr1: HawkEye Keylogger 0x1f511:$hawkstr1: HawkEye Keylogger 0x1f66c:$hawkstr1: HawkEye Keylogger 0x1f7cf:$hawkstr1: HawkEye Keylogger 0x1fa66:$hawkstr1: HawkEye Keylogger 0x1df27:$hawkstr2: Dear HawkEye Customers! 0x1f564:$hawkstr2: Dear HawkEye Customers! 0x1f6bb:$hawkstr2: Dear HawkEye Customers! 0x1f822:$hawkstr2: Dear HawkEye Customers! 0x1e048:$hawkstr3: HawkEye Logger Details:
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x73b07:$key: HawkEyeKeylogger 0x75dcf:$salt: 099u787978786 0x741c2:$string1: HawkEye_Keylogger 0x75001:$string1: HawkEye_Keylogger 0x75d2f:$string1: HawkEye_Keylogger 0x74597:$string2: holdermail.txt 0x745b7:$string2: holdermail.txt 0x744d9:$string3: wallet.dat 0x744f1:$string3: wallet.dat 0x74507:$string3: wallet.dat 0x758f3:$string4: Keylog Records 0x75c0b:$string4: Keylog Records 0x75e27:$string5: do not script --> 0x73aef:$string6: \pidloc.txt 0x73b7d:$string7: BSPLIT 0x73b8d:$string7: BSPLIT
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x73b07:$key: HawkEyeKeylogger 0x75dcf:$salt: 099u787978786 0x741c2:$string1: HawkEye_Keylogger 0x75001:$string1: HawkEye_Keylogger 0x75d2f:$string1: HawkEye_Keylogger 0x74597:$string2: holdermail.txt 0x745b7:$string2: holdermail.txt 0x744d9:$string3: wallet.dat 0x744f1:$string3: wallet.dat 0x74507:$string3: wallet.dat 0x758f3:$string4: Keylog Records 0x75c0b:$string4: Keylog Records 0x75e27:$string5: do not script --> 0x73aef:$string6: \pidloc.txt 0x73b7d:$string7: BSPLIT 0x73b8d:$string7: BSPLIT
0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7421a:$hawkstr1: HawkEye Keylogger 0x75047:$hawkstr1: HawkEye Keylogger 0x75376:$hawkstr1: HawkEye Keylogger 0x754d1:$hawkstr1: HawkEye Keylogger 0x75634:$hawkstr1: HawkEye Keylogger 0x758cb:$hawkstr1: HawkEye Keylogger 0x73d8c:$hawkstr2: Dear HawkEye Customers! 0x753c9:$hawkstr2: Dear HawkEye Customers! 0x75520:$hawkstr2: Dear HawkEye Customers! 0x75687:$hawkstr2: Dear HawkEye Customers! 0x73ead:$hawkstr3: HawkEye Logger Details:
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7550c:$key: HawkEyeKeylogger 0x777d4:$salt: 099u787978786 0x75bc7:$string1: HawkEye_Keylogger 0x76a06:$string1: HawkEye_Keylogger 0x77734:$string1: HawkEye_Keylogger 0x75f9c:$string2: holdermail.txt 0x75fbc:$string2: holdermail.txt 0x75ede:$string3: wallet.dat 0x75ef6:$string3: wallet.dat 0x75f0c:$string3: wallet.dat 0x772f8:$string4: Keylog Records 0x77610:$string4: Keylog Records 0x7782c:$string5: do not script --> 0x754f4:$string6: \pidloc.txt 0x75582:$string7: BSPLIT 0x75592:$string7: BSPLIT
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7550c:$key: HawkEyeKeylogger 0x777d4:$salt: 099u787978786 0x75bc7:$string1: HawkEye_Keylogger 0x76a06:$string1: HawkEye_Keylogger 0x77734:$string1: HawkEye_Keylogger 0x75f9c:$string2: holdermail.txt 0x75fbc:$string2: holdermail.txt 0x75ede:$string3: wallet.dat 0x75ef6:$string3: wallet.dat 0x75f0c:$string3: wallet.dat 0x772f8:$string4: Keylog Records 0x77610:$string4: Keylog Records 0x7782c:$string5: do not script --> 0x754f4:$string6: \pidloc.txt 0x75582:$string7: BSPLIT 0x75592:$string7: BSPLIT
0.0.leUmNO9XPu.exe.598208.2.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x75c1f:$hawkstr1: HawkEye Keylogger 0x76a4c:$hawkstr1: HawkEye Keylogger 0x76d7b:$hawkstr1: HawkEye Keylogger 0x76ed6:$hawkstr1: HawkEye Keylogger 0x77039:$hawkstr1: HawkEye Keylogger 0x772d0:$hawkstr1: HawkEye Keylogger 0x75791:$hawkstr2: Dear HawkEye Customers! 0x76dce:$hawkstr2: Dear HawkEye Customers! 0x76f25:$hawkstr2: Dear HawkEye Customers! 0x7708c:$hawkstr2: Dear HawkEye Customers! 0x758b2:$hawkstr3: HawkEye Logger Details:
0.0.leUmNO9XPu.exe.590000.0.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.0.leUmNO9XPu.exe.590000.0.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
0.0.leUmNO9XPu.exe.590000.0.unpack	JoeSecurity_WebBrowserPassView	Yara detected WebBrowserPassView password recovery tool	Joe Security
0.0.leUmNO9XPu.exe.590000.0.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
0.0.leUmNO9XPu.exe.590000.0.unpack	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x7b914:$key: HawkEyeKeylogger 0x7dbdc:$salt: 099u787978786 0x7bfcf:$string1: HawkEye_Keylogger 0x7ce0e:$string1: HawkEye_Keylogger 0x7db3c:$string1: HawkEye_Keylogger 0x7c3a4:$string2: holdermail.txt 0x7c3c4:$string2: holdermail.txt 0x7c2e6:$string3: wallet.dat 0x7c2fe:$string3: wallet.dat 0x7c314:$string3: wallet.dat 0x7d700:$string4: Keylog Records 0x7da18:$string4: Keylog Records 0x7dc34:$string5: do not script --> 0x7b8fc:$string6: \pidloc.txt 0x7b98a:$string7: BSPLIT 0x7b99a:$string7: BSPLIT
0.0.leUmNO9XPu.exe.590000.0.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x7c027:$hawkstr1: HawkEye Keylogger 0x7ce54:$hawkstr1: HawkEye Keylogger 0x7d183:$hawkstr1: HawkEye Keylogger 0x7d2de:$hawkstr1: HawkEye Keylogger 0x7d441:$hawkstr1: HawkEye Keylogger 0x7d6d8:$hawkstr1: HawkEye Keylogger 0x7bb99:$hawkstr2: Dear HawkEye Customers! 0x7d1d6:$hawkstr2: Dear HawkEye Customers! 0x7d32d:$hawkstr2: Dear HawkEye Customers! 0x7d494:$hawkstr2: Dear HawkEye Customers! 0x7bcba:$hawkstr3: HawkEye Logger Details:
3.2.Windows Update.exe.339ff18.1.raw.unpack	JoeSecurity_HawkEye	Yara detected HawkEye Keylogger	Joe Security
3.2.Windows Update.exe.339ff18.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.Windows Update.exe.339ff18.1.raw.unpack	RAT_HawkEye	Detects HawkEye RAT	Kevin Breen <kevin@techanarchy.net>	0x5238:$key: HawkEyeKeylogger 0x5c50:$salt: 099u787978786 0x1ed5c:$string1: HawkEye_Keylogger 0x59210:$string1: HawkEye_Keylogger 0x468a8:$string2: holdermail.txt 0x468d8:$string2: holdermail.txt 0x48206:$string2: holdermail.txt 0x48572:$string2: holdermail.txt 0x48646:$string2: holdermail.txt 0x4871a:$string2: holdermail.txt 0x487ee:$string2: holdermail.txt 0x488c2:$string2: holdermail.txt 0x48996:$string2: holdermail.txt 0x48a6a:$string2: holdermail.txt 0x48b3e:$string2: holdermail.txt 0x48c12:$string2: holdermail.txt 0x48ce6:$string2: holdermail.txt 0x48dba:$string2: holdermail.txt 0x48e8e:$string2: holdermail.txt 0x48f62:$string2: holdermail.txt 0x49036:$string2: holdermail.txt
3.2.Windows Update.exe.339ff18.1.raw.unpack	HawkEye	unknown	Kevin Breen <kevin@techanarchy.net>	0x5238:$key: HawkEyeKeylogger 0x5c50:$salt: 099u787978786 0x1ed5c:$string1: HawkEye_Keylogger 0x59210:$string1: HawkEye_Keylogger 0x468a8:$string2: holdermail.txt 0x468d8:$string2: holdermail.txt 0x48206:$string2: holdermail.txt 0x48572:$string2: holdermail.txt 0x48646:$string2: holdermail.txt 0x4871a:$string2: holdermail.txt 0x487ee:$string2: holdermail.txt 0x488c2:$string2: holdermail.txt 0x48996:$string2: holdermail.txt 0x48a6a:$string2: holdermail.txt 0x48b3e:$string2: holdermail.txt 0x48c12:$string2: holdermail.txt 0x48ce6:$string2: holdermail.txt 0x48dba:$string2: holdermail.txt 0x48e8e:$string2: holdermail.txt 0x48f62:$string2: holdermail.txt 0x49036:$string2: holdermail.txt
3.2.Windows Update.exe.339ff18.1.raw.unpack	Hawkeye	detect HawkEye in memory	JPCERT/CC Incident Response Group	0x1edec:$hawkstr1: HawkEye Keylogger 0x20e40:$hawkstr1: HawkEye Keylogger 0x2122c:$hawkstr1: HawkEye Keylogger 0x22a18:$hawkstr1: HawkEye Keylogger 0x250d4:$hawkstr1: HawkEye Keylogger 0x59268:$hawkstr1: HawkEye Keylogger 0x1e838:$hawkstr2: Dear HawkEye Customers! 0x20880:$hawkstr2: Dear HawkEye Customers! 0x20ea4:$hawkstr2: Dear HawkEye Customers! 0x21290:$hawkstr2: Dear HawkEye Customers! 0x1e96a:$hawkstr3: HawkEye Logger Details: 0x209aa:$hawkstr3: HawkEye Logger Details:
Click to see the 33 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, ProcessId: 7736, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DesusertionIp: 207.204.50.48, DesusertionIsIpv6: false, DesusertionPort: 587, EventID: 3, Image: C:\Users\user\AppData\Roaming\Windows Update.exe, Initiated: true, ProcessId: 7736, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49822

Suricata Signatures

ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T05:05:02.593118+0100	2810703	2	Device Retrieving External IP Address Detected	192.168.2.9	49814	104.19.223.79	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: leUmNO9XPu.exe	Avira: detected
Source: leUmNO9XPu.exe	Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Avira: detection malicious, Label: SPR/Tool.MailPassView.473

Found malware configuration

Source: 0.0.leUmNO9XPu.exe.590000.0.unpack

Malware Configuration Extractor: HawkEye {"Protocol": "SMTP", "Username": "compensation@britishcrowncourt.net", "Password": "@Hustle007ky1", "Host": "mail.britishcrowncourt.net", "Port": "587"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: leUmNO9XPu.exe	Virustotal: Detection: 76%			Perma Link
Source: leUmNO9XPu.exe	ReversingLabs: Detection: 91%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: leUmNO9XPu.exe

Joe Sandbox ML: detected

Source: leUmNO9XPu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: leUmNO9XPu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\dll\mscorlib.pdbk/ source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbO source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\System.Runtime.Remoting.pdbD{UwhWI source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbD6=^6= P6=_CorDllMainmscoree.dll source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb0 source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlibs\Microsoft.NET\Framework\SystemResources\dw20.exe.munsymbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdbd source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbTwPC source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ls\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDBe] source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembl.pdb_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembl.pdb_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbT source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbt source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbD source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb2d$7 source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\mscorlib.pdbD{Uw source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbH source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Runtime.Remoting.pdb2 source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp

Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: autorun.inf
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: [autorun]
Source: leUmNO9XPu.exe	Binary or memory string: autorun.inf
Source: leUmNO9XPu.exe	Binary or memory string: [autorun]
Source: Windows Update.exe.0.dr	Binary or memory string: autorun.inf
Source: Windows Update.exe.0.dr	Binary or memory string: [autorun]
Source: WindowsUpdate.exe.3.dr	Binary or memory string: autorun.inf
Source: WindowsUpdate.exe.3.dr	Binary or memory string: [autorun]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	9_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	9_2_00407E0E

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 4x nop then jmp 011C1A73h	0_2_011C19B0
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_011C0728
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 4x nop then jmp 011C1A73h	0_2_011C19A0
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_011C14C0
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	0_2_011C17F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_01857670
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then jmp 01851A73h	3_2_018519A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_0185C5A8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then jmp 01851A73h	3_2_018519B0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_018517F8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_0185BF26
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_01850728
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then call 01851B20h	3_2_0185A950
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_0185A950
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then mov esp, ebp	3_2_018548B9
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_018514C0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	3_2_01855C11
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	3_2_01857661
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	12_2_04DD0728
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 4x nop then lea esp, dword ptr [ebp-0Ch]	13_2_01930728

Networking

Yara detected Generic Downloader

Source: Yara match

File source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.9:49822 -> 207.204.50.48:587

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: DEFENSE-NETUS DEFENSE-NETUS

Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com
Source: unknown	DNS query: name: whatismyipaddress.com

Source: Network traffic

Suricata IDS: 2810703 - Severity 2 - ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers : 192.168.2.9:49814 -> 104.19.223.79:80

Source: global traffic

TCP traffic: 192.168.2.9:49822 -> 207.204.50.48:587

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Code function: 3_2_012DA09A recv,

3_2_012DA09A

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive

Source: vbc.exe, 00000009.00000002.1530848627.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: vbc.exe, 00000009.00000002.1530848627.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: vbc.exe	String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: 169.241.9.0.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: whatismyipaddress.com
Source: global traffic	DNS traffic detected: DNS query: mail.britishcrowncourt.net

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Sat, 11 Jan 2025 04:05:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveReferrer-Policy: same-originCache-Control: max-age=15Expires: Sat, 11 Jan 2025 04:05:17 GMTX-Frame-Options: SAMEORIGINServer: cloudflareCF-RAY: 900206b2d96f0fa9-EWRalt-svc: h3=":443"; ma=86400Data Raw: 31 31 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 27 63 66 5f 73 74 79 6c 65 73 2d 69 65 2d 63 73 73 27 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 Data

Source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: WindowsUpdate.exe, 0000000C.00000002.1585268730.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000D.00000002.1663932717.0000000003681000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://foo.com/fooT
Source: WindowsUpdate.exe, 0000000D.00000002.1663232323.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.
Source: WindowsUpdate.exe, 0000000D.00000002.1663232323.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.LinkId=42127
Source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whatismyipaddress.com
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://whatismyipaddress.com/
Source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	String found in binary or memory: http://whatismyipaddress.com/-
Source: WindowsUpdate.exe.3.dr	String found in binary or memory: http://www.nirsoft.net/
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.site.com/logs.php
Source: vbc.exe, 00000009.00000002.1530848627.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: vbc.exe, 00000009.00000002.1531150799.0000000002706000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: vbc.exe	String found in binary or memory: https://login.yahoo.com/config/login
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: vbc.exe	String found in binary or memory: https://www.google.com/accounts/servicelogin

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected HawkEye Keylogger

Source: Yara match	File source: leUmNO9XPu.exe, type: SAMPLE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: leUmNO9XPu.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Windows Update.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_0040AC8A GetTempPathA,GetWindowsDirectoryA,GetTempFileNameA,OpenClipboard,GetLastError,DeleteFileA,

8_2_0040AC8A

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00406069 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	8_2_00406069
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00405FC6 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	8_2_00405FC6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_004072FB EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,	9_2_004072FB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00407363 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,	9_2_00407363

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: HawkEye Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_05565712 NtQuerySystemInformation,	3_2_05565712
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_05565DE6 NtResumeThread,	3_2_05565DE6
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_05565E8E NtWriteVirtualMemory,	3_2_05565E8E

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_011C1DA8	0_2_011C1DA8
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_011C1D98	0_2_011C1D98
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E6D6A	3_2_012E6D6A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_018577A0	3_2_018577A0
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01851DA8	3_2_01851DA8
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_0185A960	3_2_0185A960
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01855C20	3_2_01855C20
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_0185C250	3_2_0185C250
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01856C70	3_2_01856C70
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01857790	3_2_01857790
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01851D98	3_2_01851D98
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_0185A950	3_2_0185A950
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_01856C61	3_2_01856C61
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00404DDB	8_2_00404DDB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_0040BD8A	8_2_0040BD8A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00404E4C	8_2_00404E4C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00404EBD	8_2_00404EBD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00404F4E	8_2_00404F4E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00404419	9_2_00404419
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00404516	9_2_00404516
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00413538	9_2_00413538
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_004145A1	9_2_004145A1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_0040E639	9_2_0040E639
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_004337AF	9_2_004337AF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_004399B1	9_2_004399B1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_0043DAE7	9_2_0043DAE7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00405CF6	9_2_00405CF6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00403F85	9_2_00403F85
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00411F99	9_2_00411F99

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413F8E appears 66 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00413E2D appears 34 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00442A90 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 004141D6 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: String function: 00411538 appears 35 times

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2480

Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemailpv.exe< vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe, 00000000.00000002.1426593644.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemscorwks.dllT vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe, 00000000.00000002.1428903153.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe, 00000000.00000000.1367443012.0000000000622000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebpaymentcopy.exe\ vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe	Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe	Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe	Binary or memory string: OriginalFilenamemailpv.exe< vs leUmNO9XPu.exe
Source: leUmNO9XPu.exe	Binary or memory string: OriginalFilenamebpaymentcopy.exe\ vs leUmNO9XPu.exe

Source: leUmNO9XPu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: leUmNO9XPu.exe, type: SAMPLE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: HawkEye date = 2015/06, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, ref = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED	Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@11/14@3/3

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 9_2_00415AFD GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,

9_2_00415AFD

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Code function: 3_2_055641B6 AdjustTokenPrivileges,

3_2_055641B6

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 9_2_00415F87 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,

9_2_00415F87

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 9_2_00411196 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,free,Process32NextW,CloseHandle,

9_2_00411196

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_0040ED0B FindResourceA,SizeofResource,LoadResource,LockResource,

8_2_0040ED0B

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File created: C:\Users\user\AppData\Roaming\Windows Update.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File created: C:\Users\user\AppData\Local\Temp\SysInfo.txt

Jump to behavior

Source: leUmNO9XPu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: leUmNO9XPu.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: vbc.exe, 00000009.00000002.1531068788.00000000026AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Windows Update.exe, 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, vbc.exe, 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: leUmNO9XPu.exe	Virustotal: Detection: 76%
Source: leUmNO9XPu.exe	ReversingLabs: Detection: 91%

Source: leUmNO9XPu.exe

String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File read: C:\Users\user\Desktop\leUmNO9XPu.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\leUmNO9XPu.exe "C:\Users\user\Desktop\leUmNO9XPu.exe"
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2480
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe "C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2480	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"	Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: pstorec.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Section loaded: cryptdll.dll	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts

Jump to behavior

Source: leUmNO9XPu.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: leUmNO9XPu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Windows\dll\mscorlib.pdbk/ source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdbO source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\System.Runtime.Remoting.pdbD{UwhWI source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbD6=^6= P6=_CorDllMainmscoree.dll source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: indows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb0 source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlibs\Microsoft.NET\Framework\SystemResources\dw20.exe.munsymbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: .pdbd source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbTwPC source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ls\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rlib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Roaming\Windows Update.PDBe] source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembl.pdb_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp, Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembl.pdb_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indows\symbols\dll\mscorlib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbT source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb\AppData\Roaming\Windows Update.exe source: Windows Update.exe, 00000003.00000002.1680177474.000000000188C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbt source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: symbols\dll\System.Runtime.Remoting.pdb source: Windows Update.exe, 00000003.00000002.1685097836.0000000007E5A000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: Windows Update.exe, 00000003.00000002.1680177474.0000000001880000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr
Source:	Binary string: \??\C:\Windows\System.Runtime.Remoting.pdbD source: Windows Update.exe, 00000003.00000002.1679368687.0000000001471000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb2d$7 source: Windows Update.exe, 00000003.00000002.1683588748.0000000006CBF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: iC:\Windows\mscorlib.pdbD{Uw source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: Windows Update.exe, 00000003.00000002.1683588748.0000000006D17000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbH source: Windows Update.exe, 00000003.00000002.1685697096.000000000AAAA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Runtime.Remoting.pdb2 source: Windows Update.exe, 00000003.00000002.1680177474.0000000001887000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

8_2_00403C3D

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E7F44 push eax; ret	3_2_012E7F45
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8DF4 push cs; ret	3_2_012E8E06
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8BC9 push cs; ret	3_2_012E8DE2
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8E10 push cs; ret	3_2_012E8E2A
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8E6F push cs; ret	3_2_012E8E72
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8E4B push cs; ret	3_2_012E8E4E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8E97 push cs; ret	3_2_012E8EBA
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_012E8E93 push cs; ret	3_2_012E8E96
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00411879 push ecx; ret	8_2_00411889
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_004118A0 push eax; ret	8_2_004118B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_004118A0 push eax; ret	8_2_004118DC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00442871 push ecx; ret	9_2_00442881
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00442A90 push eax; ret	9_2_00442AA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00442A90 push eax; ret	9_2_00442ACC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00446E54 push eax; ret	9_2_00446E61

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	File created: C:\Users\user\AppData\Roaming\Windows Update.exe			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File created: C:\Users\user\AppData\Roaming\WindowsUpdate.exe			Jump to dropped file

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Windows Update			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (132).png

Changes the view of files in windows explorer (hidden files and folders)

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden

Jump to behavior

Deletes itself after installation

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

File deleted: c:\users\user\desktop\leumno9xpu.exe

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_0040F64B memset,strcpy,memset,strcpy,strcat,strcpy,strcat,GetModuleHandleA,LoadLibraryExA,GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

8_2_0040F64B

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Memory allocated: FC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Memory allocated: 1000000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 15B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 3370000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: 5370000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: F10000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 18B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 3630000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Memory allocated: 5630000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe TID: 7536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe TID: 7492	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7900	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7904	Thread sleep time: -140000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7912	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7920	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7920	Thread sleep time: -1000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 7920	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe TID: 6244	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 7116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 1980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 5964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe TID: 6272	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 8_2_00406EC3 FindFirstFileA,FindNextFileA,strlen,strlen,	8_2_00406EC3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00408441 FindFirstFileW,FindNextFileW,wcslen,wcslen,	9_2_00408441
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: 9_2_00407E0E FindFirstFileW,FindNextFileW,FindClose,	9_2_00407E0E

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Code function: 3_2_05566A0A GetSystemInfo,

3_2_05566A0A

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 120000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 140000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Windows Update.exe, 00000003.00000002.1679368687.00000000013AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: leUmNO9XPu.exe, 00000000.00000002.1426593644.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000C.00000002.1584679802.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WindowsUpdate.exe, 0000000D.00000002.1663232323.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: leUmNO9XPu.exe, 00000000.00000002.1426593644.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: leUmNO9XPu.exe, 00000000.00000002.1426593644.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Code function: 3_2_01857D98 LdrInitializeThunk,

3_2_01857D98

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_00403C3D LoadLibraryA,GetProcAddress,strcpy,

8_2_00403C3D

Source: C:\Users\user\AppData\Roaming\Windows Update.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A			Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000	Jump to behavior

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Process created: C:\Users\user\AppData\Roaming\Windows Update.exe "C:\Users\user\AppData\Roaming\Windows Update.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2480	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"	Jump to behavior

Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Windows Update.exe, 00000003.00000002.1680307199.0000000003524000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: [Program Manager - 10/01/2025 23:17:41]

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 9_2_0041604B GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,

9_2_0041604B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_0040724C memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,

8_2_0040724C

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Code function: 8_2_00406278 GetVersionExA,

8_2_00406278

Source: C:\Users\user\Desktop\leUmNO9XPu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected HawkEye Keylogger

Source: Yara match	File source: leUmNO9XPu.exe, type: SAMPLE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: leUmNO9XPu.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Yara detected MailPassView

Source: Yara match	File source: leUmNO9XPu.exe, type: SAMPLE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.5efa72.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.4378020.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.4378020.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1682478375.0000000004371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: leUmNO9XPu.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 8172, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior

Tries to steal Instant Messenger accounts or passwords

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, PopPassword	8_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: strcpy,strcpy,strcpy,strcpy,RegCloseKey, SMTPPassword	8_2_00402D9A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	Code function: ESMTPPassword	8_2_004033D7

Yara detected WebBrowserPassView password recovery tool

Source: Yara match	File source: leUmNO9XPu.exe, type: SAMPLE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.43efef0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.43efef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: leUmNO9XPu.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vbc.exe PID: 7176, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Remote Access Functionality

Detected HawkEye Rat

Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: leUmNO9XPu.exe, 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: leUmNO9XPu.exe, 00000000.00000002.1428903153.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HawkEyeKeylogger
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -wl'&HawkEye_Keylogger_Execution_Confirmed_
Source: Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: -wl#"HawkEye_Keylogger_Stealer_Records_
Source: leUmNO9XPu.exe	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: leUmNO9XPu.exe	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: leUmNO9XPu.exe	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: leUmNO9XPu.exe	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: Windows Update.exe.0.dr	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: Windows Update.exe.0.dr	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: Windows Update.exe.0.dr	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: Windows Update.exe.0.dr	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: WindowsUpdate.exe.3.dr	String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: WindowsUpdate.exe.3.dr	String found in binary or memory: DisablenotifyMHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger \| Execution Confirmed \|
Source: WindowsUpdate.exe.3.dr	String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger \| Stealer Records \|
Source: WindowsUpdate.exe.3.dr	String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_

Yara detected HawkEye Keylogger

Source: Yara match	File source: leUmNO9XPu.exe, type: SAMPLE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.5efa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.599c0d.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.598208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.leUmNO9XPu.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.Windows Update.exe.339ff18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: leUmNO9XPu.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Windows Update.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Windows Update.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, type: DROPPED

Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_04E70E9E bind,	0_2_04E70E9E
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_04E70A06 listen,	0_2_04E70A06
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_04E709C8 listen,	0_2_04E709C8
Source: C:\Users\user\Desktop\leUmNO9XPu.exe	Code function: 0_2_04E70E6B bind,	0_2_04E70E6B
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_05560E9E bind,	3_2_05560E9E
Source: C:\Users\user\AppData\Roaming\Windows Update.exe	Code function: 3_2_05560E6B bind,	3_2_05560E6B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_05220B06 listen,	12_2_05220B06
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_05220E9E bind,	12_2_05220E9E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_05220E6B bind,	12_2_05220E6B
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 12_2_05220AC8 listen,	12_2_05220AC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 13_2_05C10B06 listen,	13_2_05C10B06
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 13_2_05C10E9E bind,	13_2_05C10E9E
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 13_2_05C10AC8 listen,	13_2_05C10AC8
Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe	Code function: 13_2_05C10E6B bind,	13_2_05C10E6B

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	21 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	11 Input Capture	1 Peripheral Device Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	412 Process Injection	3 Obfuscated Files or Information	2 Credentials in Registry	1 Account Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Credentials In Files	2 File and Directory Discovery	Distributed Component Object Model	11 Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	18 System Information Discovery	SSH	3 Clipboard Data	3 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Masquerading	Cached Domain Credentials	141 Security Software Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	51 Virtualization/Sandbox Evasion	DCSync	51 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Access Token Manipulation	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
leUmNO9XPu.exe	76%	Virustotal		Browse
leUmNO9XPu.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Golroted
leUmNO9XPu.exe	100%	Avira	TR/AD.MExecute.lzrac
leUmNO9XPu.exe	100%	Avira	SPR/Tool.MailPassView.473
leUmNO9XPu.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Windows Update.exe	100%	Avira	TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\Windows Update.exe	100%	Avira	SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Avira	TR/AD.MExecute.lzrac
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Avira	SPR/Tool.MailPassView.473
C:\Users\user\AppData\Roaming\Windows Update.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Windows Update.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Golroted
C:\Users\user\AppData\Roaming\WindowsUpdate.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Golroted

Source	Detection	Scanner	Label	Link
http://www.site.com/logs.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
whatismyipaddress.com	104.19.223.79	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
mail.britishcrowncourt.net	207.204.50.48	true	true	unknown
169.241.9.0.in-addr.arpa	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://whatismyipaddress.com/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://go.microsoft.	WindowsUpdate.exe, 0000000D.00000002.1663232323.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/accounts/servicelogin	vbc.exe	false		high
http://upx.sf.net	Amcache.hve.4.dr	false		high
http://whatismyipaddress.com	Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	false		high
https://login.yahoo.com/config/login	vbc.exe	false		high
http://www.site.com/logs.php	Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nirsoft.net/	WindowsUpdate.exe.3.dr	false		high
http://go.microsoft.LinkId=42127	WindowsUpdate.exe, 0000000D.00000002.1663232323.00000000016C0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://foo.com/fooT	WindowsUpdate.exe, 0000000C.00000002.1585268730.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, WindowsUpdate.exe, 0000000D.00000002.1663932717.0000000003681000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	Windows Update.exe, 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp	false		high
http://whatismyipaddress.com/-	leUmNO9XPu.exe, Windows Update.exe.0.dr, WindowsUpdate.exe.3.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.19.223.79	whatismyipaddress.com	United States		13335	CLOUDFLARENETUS	false
207.204.50.48	mail.britishcrowncourt.net	United States		55002	DEFENSE-NETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588753
Start date and time:	2025-01-11 05:03:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	leUmNO9XPu.exe renamed because original name is a hash value
Original Sample Name:	db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@11/14@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 328 Number of non-executed functions: 274
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 184.28.90.27, 20.190.159.68, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:05:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
04:05:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Windows Update C:\Users\user\AppData\Roaming\WindowsUpdate.exe
23:05:01	API Interceptor	65x Sleep call for process: Windows Update.exe modified
23:05:19	API Interceptor	1x Sleep call for process: dw20.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.19.223.79	fAzUnj6Djg.exe	Get hash	malicious	HawkEye, MailPassView	Browse	whatismyipaddress.com/
104.19.223.79	HqvlYZC7Gf.exe	Get hash	malicious	Unknown	Browse	whatismyipaddress.com/
207.204.50.48	bpaymentcopy.exe	Get hash	malicious	HawkEye, MailPassView, PredatorPainRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
whatismyipaddress.com	fAzUnj6Djg.exe	Get hash	malicious	HawkEye, MailPassView	Browse	104.19.223.79
	file.exe	Get hash	malicious	HawkEye, MailPassView, PureLog Stealer	Browse	104.19.222.79
	HqvlYZC7Gf.exe	Get hash	malicious	Unknown	Browse	104.19.223.79
s-part-0017.t-0009.t-msedge.net	2976587-987347589.08.exe	Get hash	malicious	Nitol	Browse	13.107.246.45
	of5HklY9qP.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	yMXFgPOdf2.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	1dVtYIvfHz.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	FJRUb5lb9m.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	5hD3Yjf7xD.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	02Eh1ah35H.exe	Get hash	malicious	GuLoader	Browse	13.107.246.45
	AJ5zYYsisA.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	suBpo1g13Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1297823757234143258.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
mail.britishcrowncourt.net	bpaymentcopy.exe	Get hash	malicious	HawkEye, MailPassView, PredatorPainRAT	Browse	207.204.50.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ZeAX5i7cGB.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	jKqPSehspS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	104.21.32.1
	A6AHI7Uk18.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Wru9ycO2MJ.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	iNFGd6bDZX.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	104.18.73.116
	tNXl4XhgmV.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.48.1
	MyzWeEOlqb.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	02Eh1ah35H.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.67.167.146
DEFENSE-NETUS	OH6KO8NBy1.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	206.188.197.24
	7vP2IvNXqx.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	206.188.197.24
	DEMONS.spc.elf	Get hash	malicious	Unknown	Browse	107.162.185.251
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	170.158.166.84
	676556be12ac3.vbs	Get hash	malicious	Mint Stealer	Browse	206.188.197.242
	PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta	Get hash	malicious	Mint Stealer	Browse	206.188.197.242
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	107.162.185.253
	home.mips.elf	Get hash	malicious	Gafgyt, Mirai	Browse	170.158.122.12
	bpaymentcopy.exe	Get hash	malicious	HawkEye, MailPassView, PredatorPainRAT	Browse	207.204.50.48
	phish_alert_iocp_v1.4.48 (80).eml	Get hash	malicious	InvoiceScam	Browse	107.162.175.186

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_windows update.e_86e9c66347f43bd1a285997348975619ddefbb_00000000_f2fdebaa-a89b-43f3-8db9-4f424a0b138c\Report.wer

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3313611518509334
Encrypted:	false
SSDEEP:	192:lBexBRtsf7maRY9wHloFyHAm+vip4llZr8RE7JjwDwLzuiF6Z24IO8U:TexBRNacweDN7zuiF6Y4IO8
MD5:	2173B25DE45ACF63FBE59C5DF0178969
SHA1:	2550170995B08D92BF8F2CC0562B285BDB5B3833
SHA-256:	3297ADD8ED6B21442885889ABD2C9143AB281659B6295C6477273365FDD494AA
SHA-512:	9D6183B8AD93FEFBC3D6568EE9F70092CAFE0846BBC0E12D710D40CA366BA1B79CACCAE805814823D53C5B1DE7CC920FA10D08A0CC4293E18A59F5A6DB10399D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.4.1.9.0.1.7.6.3.7.2.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.4.1.9.0.2.1.6.9.9.5.9.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.f.d.e.b.a.a.-.a.8.9.b.-.4.3.f.3.-.8.d.b.9.-.4.f.4.2.4.a.0.b.1.3.8.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.b.p.a.y.m.e.n.t.c.o.p.y...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.3.8.-.0.0.0.1.-.0.0.1.4.-.d.8.6.3.-.8.3.f.8.d.d.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.f.1.8.9.6.5.2.3.0.b.6.4.f.0.4.0.c.1.e.4.2.2.6.1.1.3.7.b.6.b.f.0.0.0.0.0.0.0.0.!.0.0.0.0.5.e.e.2.9.e.a.5.c.5.1.b.3.d.b.6.6.c.f.2.e.d.4.d.6.7.8.7.a.a.4.4.f.e.b.c.3.3.d.6.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2././.0.3.:.0.0.:.3.8.:.1.4.!.0.!.W.i.n.d.o.w.s. .U.p.d.a.t.e...e.x.e.....B.o.o.t.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER997A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	5684
Entropy (8bit):	3.7243799846660903
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetb6t6rTYZpGvRSTG5aM1O01fXam:R6l7wVeJ6t6rTYZpGYTup1O01fXam
MD5:	32BD8E48DF1D969ACD7D2C4CDA3C40BB
SHA1:	A770AFEF4092F4CEB0D4ACD986511D1878B98225
SHA-256:	E0249ED17A6BD0FCF5C792BFEAD36EE6B6BD7877C10A44BFC3FB9003683826BF
SHA-512:	401BC712967943B5B4336CD0A191E7E1A08B9942EB1AD441600260222ABC68AB9C30D5A35860D91BD3546FEF964EC27E93A17ED27D27150E203ED8B7F34A9E22
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999A.tmp.xml

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4721
Entropy (8bit):	4.458476527350048
Encrypted:	false
SSDEEP:	48:cvIwWl8zsZJg77aI93EWpW8VYmYm8M4JFKtYFx+q8vSK05dfoSd:uIjfrI7Zd7VCJFKKKB0joSd
MD5:	0F16EACE38FBA02DC79315C126031AF0
SHA1:	7931D9C01D7E81096A18283DD59CB3DA47ABD756
SHA-256:	0BD49C6B848E387B6757BE43835C6738F0D0EF45A2D1EC6072A10141C2B55B53
SHA-512:	8627B4DE9F6ED230CF2CD3CC82992A9615EB353C2A8AD70A10C9E3ABB6F2DDC010A6ED8F0794367EB69F3A73FC8F3BBD3B5D96D2591FA3F136F32243DDF02557
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670747" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	916
Entropy (8bit):	5.257493803038381
Encrypted:	false
SSDEEP:	24:MLF2CpI3zffup29Iz52VM2xAW2yAP26KTnKoO2+Z:MwQ6XuY9Izo9xAJyAO6Ux+Z
MD5:	504422683D3B31228DF0F2977612ECB1
SHA1:	997237919850FE676EAC1B6CC9F78FB2D4E759AE
SHA-256:	EB94143BDDD9A184A59B46CC9DBFE41C6276DC674EA440AAE773212EE12599FE
SHA-512:	D5EFF572DD6E251B3F8EAA20B41C019468D0DF4666D1509C01C88CBF29F7FF9B02F0A9A0EB3BEF7DBD206A000FAA2E6CA8691615BF6BD5FD4417F149BC80D1AF
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\850f3779d965bb8ff060698f13ee7ea0\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\leUmNO9XPu.exe.log

Download File

Process:	C:\Users\user\Desktop\leUmNO9XPu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	916
Entropy (8bit):	5.257493803038381
Encrypted:	false
SSDEEP:	24:MLF2CpI3zffup29Iz52VM2xAW2yAP26KTnKoO2+Z:MwQ6XuY9Izo9xAJyAO6Ux+Z
MD5:	504422683D3B31228DF0F2977612ECB1
SHA1:	997237919850FE676EAC1B6CC9F78FB2D4E759AE
SHA-256:	EB94143BDDD9A184A59B46CC9DBFE41C6276DC674EA440AAE773212EE12599FE
SHA-512:	D5EFF572DD6E251B3F8EAA20B41C019468D0DF4666D1509C01C88CBF29F7FF9B02F0A9A0EB3BEF7DBD206A000FAA2E6CA8691615BF6BD5FD4417F149BC80D1AF
Malicious:	true
Preview:	1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\bec14584c93014efbc76285c35d1e891\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\7d443c6c007fe8696f9aa6ff1da53ef7\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\2cdaeaf53e3d49038cf7cb0ce9d805d3\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\d0e5535854cce87ea7f2d69d0594b7a8\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\850f3779d965bb8ff060698f13ee7ea0\System.Runtime.Remoting.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\53992d421e2c7ecf6609c62b3510a6f0\System.Configuration.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\74774597e319a738b792e6a6c06d3559\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\SysInfo.txt

Download File

Process:	C:\Users\user\Desktop\leUmNO9XPu.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	4.382021446536748
Encrypted:	false
SSDEEP:	3:oNqLEJAwy1QkA:oNqLEOwJ
MD5:	F580CCAA0521EFFD5CF10E45DFAE0AB2
SHA1:	B7C51F836E029FA01204F8B4F625787AE4A4EDDC
SHA-256:	6BDCAABEA82262B6514FB8964E766BA66A1EFDE651B851BD60CCB5933D47CE19
SHA-512:	A2BD188D79BA691EBB1A1D7CFB550BF914E3B506505FD5C423450211954AAA6AC4FF4C23A84AAFE9FF763EC4DD7F4188F0714A51F1E2292739785205C6583445
Malicious:	false
Preview:	C:\Users\user\Desktop\leUmNO9XPu.exe

C:\Users\user\AppData\Local\Temp\holderwb.txt

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
File Type:	Unicode text, UTF-16, little-endian text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Windows Update.exe

Download File

Process:	C:\Users\user\Desktop\leUmNO9XPu.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601600
Entropy (8bit):	6.329155030072119
Encrypted:	false
SSDEEP:	12288:pkuZ9DBQtqB5urTIoYWBQk1E+VF9mOx9zihEAmD:XQtqBorTlYWBhE+V3mOO
MD5:	46A4D09A8947DCE0C60D1FB5E757AD02
SHA1:	5EE29EA5C51B3DB66CF2ED4D6787AA44FEBC33D6
SHA-256:	DB3D98C97CFB274F58DE6EFC1739357371BCB8D006E02FF2857EF8D3605A9C06
SHA-512:	DD1C14160C1B30BA722F60F7C07CAED5B0F8454EA551089937EEC0DFB5A628ED442382B8F2911E8914AE9DB2960858626293984FB0456B112366D8A06D4002A1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RNg.....................>........... ........@.. ....................................@.................................`...K.... ..T;...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...T;... ...<..................@..@.reloc.......`.......,..............@..B........................H.......0}..0..............X...........................................2s..............0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(............................0.. .........(....(..........(.....o..........................(......(.......o.......o.......o.......o.......R..(....o....o......

C:\Users\user\AppData\Roaming\Windows Update.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\leUmNO9XPu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\WindowsUpdate.exe

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	601600
Entropy (8bit):	6.329155030072119
Encrypted:	false
SSDEEP:	12288:pkuZ9DBQtqB5urTIoYWBQk1E+VF9mOx9zihEAmD:XQtqBorTlYWBhE+V3mOO
MD5:	46A4D09A8947DCE0C60D1FB5E757AD02
SHA1:	5EE29EA5C51B3DB66CF2ED4D6787AA44FEBC33D6
SHA-256:	DB3D98C97CFB274F58DE6EFC1739357371BCB8D006E02FF2857EF8D3605A9C06
SHA-512:	DD1C14160C1B30BA722F60F7C07CAED5B0F8454EA551089937EEC0DFB5A628ED442382B8F2911E8914AE9DB2960858626293984FB0456B112366D8A06D4002A1
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RNg.....................>........... ........@.. ....................................@.................................`...K.... ..T;...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...T;... ...<..................@..@.reloc.......`.......,..............@..B........................H.......0}..0..............X...........................................2s..............0...........~......(......~....o....~....o..........9.......~....o.........+G~.....o......o........,)...........,.~.....~.....o....o.......................1.~.....~....o......o.....~....~....o....o......~.....(....s....o..........(............................0.. .........(....(..........(.....o..........................(......(.......o.......o.......o.......o.......R..(....o....o......

C:\Users\user\AppData\Roaming\WindowsUpdate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\pid.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:hU:2
MD5:	A3A8381281635A1926BD3EA09F29F4D9
SHA1:	FCE05725D6C820B2419AE65BCA09F76D49D1338A
SHA-256:	775E18068D6E30A3A6AC49F9B5868626C7B8FD053B0E8B3138FA0BAF2C819723
SHA-512:	260B48F944C8BFB55FAC565FD308785F8A6F842FD453F1386ECFA16EF5EE8D25B45CE3B9B046F6EEEB825129FBBFEA76D96CDCF5F8DEE978341B841DE6F7EAC2
Malicious:	false
Preview:	7736

C:\Users\user\AppData\Roaming\pidloc.txt

Download File

Process:	C:\Users\user\AppData\Roaming\Windows Update.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.314260032810928
Encrypted:	false
SSDEEP:	3:oNqLTVSREaKC59KYr4a:oNqLTwiaZ534a
MD5:	92A898B46F8EE40885DC4E40B7239B2A
SHA1:	8CBBC99A8A9E555EE694DEFBF01DD38A342D8429
SHA-256:	CCE9C016A769C85D1421EB29D6244F60D1694FC18C1FE5FB5E6A51979E07D695
SHA-512:	6F1758024C55D5C854D8425B3E5144EA3155422DEBB12BCF76C67F158542EA0BE0BEC28C415BC319075B5F17D6DF9F0E7EB24DB0A0731FC647DA6B270C28253B
Malicious:	false
Preview:	C:\Users\user\AppData\Roaming\Windows Update.exe

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.394107378138355
Encrypted:	false
SSDEEP:	6144:Ml4fiJoH0ncNXiUjt10qoG/gaocYGBoaUMMhA2NX4WABlBuNAsOBSqaC:E4vFoMYQUMM6VFYSsU
MD5:	31B565C798C181940AE9ADB8A7ABB9AB
SHA1:	C21F2A64B363378EF9F5A003B199B0E16642A68B
SHA-256:	A1C254F1A58AB82D81B322166622FA91A5093578E1433CD0C98DB1AD83A66BF5
SHA-512:	304F4E5355531B30B124FFC90FD4FABA10BFFCA5014AB26BBDA745BE3EB0E6429C3C44C7BD460E13C6386DAA0931ABA0E322E339C6E2EEAFEDFEF92A106CBBC4
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.z...c..............................................................................................................................................................................................................................................................................................................................................q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.329155030072119
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.72% Win32 Executable (generic) a (10002005/4) 49.68% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Generic Win/DOS Executable (2004/3) 0.01%
File name:	leUmNO9XPu.exe
File size:	601'600 bytes
MD5:	46a4d09a8947dce0c60d1fb5e757ad02
SHA1:	5ee29ea5c51b3db66cf2ed4d6787aa44febc33d6
SHA256:	db3d98c97cfb274f58de6efc1739357371bcb8d006e02ff2857ef8d3605a9c06
SHA512:	dd1c14160c1b30ba722f60f7c07caed5b0f8454ea551089937eec0dfb5a628ed442382b8f2911e8914ae9db2960858626293984fb0456b112366d8a06d4002a1
SSDEEP:	12288:pkuZ9DBQtqB5urTIoYWBQk1E+VF9mOx9zihEAmD:XQtqBorTlYWBhE+V3mOO
TLSH:	BAD49C43B2D18475D4BB06315A3757718ABABE204632C90B53E83D8A7FB2392B937747
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RNg.....................>........... ........@.. ....................................@................................

File Icon


Icon Hash:	0fd88dc89ea7861b

Static PE Info

General

Entrypoint:	0x480cae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x674E52F6 [Tue Dec 3 00:38:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x80c60	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x13b54	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x96000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x7ecb4	0x7ee00	ac31ec6b1214892b19dbcc1da9a80b46	False	0.5724176416256158	data	6.538779994532143	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x13b54	0x13c00	78380b356f26934ce8f94335b3cbb490	False	0.14032832278481014	data	3.9634958367717537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x96000	0xc	0x200	ad0043062e11e4c5a6a4ddcdf3d23ca1	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x822b0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 60472 x 60472 px/m	0.14468236129184905
RT_ICON	0x92ad8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	0.11559139784946236
RT_ICON	0x92dc0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	0.28040540540540543
RT_ICON	0x92ee8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.04016245487364621
RT_ICON	0x93790	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.05708092485549133
RT_ICON	0x93cf8	0x353	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.2608695652173913
RT_ICON	0x9404c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.020872420262664164
RT_ICON	0x950f4	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.05851063829787234
RT_GROUP_ICON	0x9555c	0x14	data	1.0
RT_GROUP_ICON	0x95570	0x68	data	0.7019230769230769
RT_VERSION	0x955d8	0x390	data	0.3980263157894737
RT_MANIFEST	0x95968	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T05:05:02.593118+0100	2810703	ETPRO MALWARE MSIL/Golroted.B or HawkEye External IP Check with minimal headers	2	192.168.2.9	49814	104.19.223.79	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:05:02.107136965 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.111964941 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.112896919 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.113285065 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.118138075 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593038082 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593054056 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593071938 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593086004 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593099117 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.593117952 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.593156099 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.925839901 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:02.930752039 CET	80	49814	104.19.223.79	192.168.2.9
Jan 11, 2025 05:05:02.930809021 CET	49814	80	192.168.2.9	104.19.223.79
Jan 11, 2025 05:05:03.337827921 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:03.342713118 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:03.342792988 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:03.872458935 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:03.872724056 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:03.877537012 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:03.989329100 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:03.989685059 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:03.994805098 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:04.106218100 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:04.106451035 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:04.111226082 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:09.233002901 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:09.233273029 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:09.238152981 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:09.350543022 CET	587	49822	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:09.400588036 CET	49822	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:11.670696974 CET	49883	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:11.675560951 CET	587	49883	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:11.675636053 CET	49883	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:11.778395891 CET	49883	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:11.783257008 CET	587	49883	207.204.50.48	192.168.2.9
Jan 11, 2025 05:05:11.783320904 CET	49883	587	192.168.2.9	207.204.50.48
Jan 11, 2025 05:05:22.026581049 CET	49822	587	192.168.2.9	207.204.50.48

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 05:05:01.986402035 CET	54531	53	192.168.2.9	1.1.1.1
Jan 11, 2025 05:05:01.993944883 CET	53	54531	1.1.1.1	192.168.2.9
Jan 11, 2025 05:05:02.091037989 CET	57254	53	192.168.2.9	1.1.1.1
Jan 11, 2025 05:05:02.097887039 CET	53	57254	1.1.1.1	192.168.2.9
Jan 11, 2025 05:05:02.925720930 CET	52199	53	192.168.2.9	1.1.1.1
Jan 11, 2025 05:05:03.336644888 CET	53	52199	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 05:05:01.986402035 CET	192.168.2.9	1.1.1.1	0x7f02	Standard query (0)	169.241.9.0.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:05:02.091037989 CET	192.168.2.9	1.1.1.1	0xfa27	Standard query (0)	whatismyipaddress.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:02.925720930 CET	192.168.2.9	1.1.1.1	0x6bb4	Standard query (0)	mail.britishcrowncourt.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 05:04:45.830751896 CET	1.1.1.1	192.168.2.9	0x7834	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 05:04:45.830751896 CET	1.1.1.1	192.168.2.9	0x7834	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:01.993944883 CET	1.1.1.1	192.168.2.9	0x7f02	Name error (3)	169.241.9.0.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 11, 2025 05:05:02.097887039 CET	1.1.1.1	192.168.2.9	0xfa27	No error (0)	whatismyipaddress.com		104.19.223.79	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:02.097887039 CET	1.1.1.1	192.168.2.9	0xfa27	No error (0)	whatismyipaddress.com		104.19.222.79	A (IP address)	IN (0x0001)	false
Jan 11, 2025 05:05:03.336644888 CET	1.1.1.1	192.168.2.9	0x6bb4	No error (0)	mail.britishcrowncourt.net		207.204.50.48	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

whatismyipaddress.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49814	104.19.223.79	80	7736	C:\Users\user\AppData\Roaming\Windows Update.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 05:05:02.113285065 CET	71	OUT	GET / HTTP/1.1 Host: whatismyipaddress.com Connection: Keep-Alive
Jan 11, 2025 05:05:02.593038082 CET	1236	IN	HTTP/1.1 403 Forbidden Date: Sat, 11 Jan 2025 04:05:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Sat, 11 Jan 2025 04:05:17 GMT X-Frame-Options: SAMEORIGIN Server: cloudflare CF-RAY: 900206b2d96f0fa9-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 31 31 61 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 [TRUNCATED] Data Ascii: 11ab<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding
Jan 11, 2025 05:05:02.593054056 CET	224	IN	Data Raw: 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a Data Ascii: :0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElementById('cookie-alert'); cookieEl.sty
Jan 11, 2025 05:05:02.593071938 CET	1236	IN	Data Raw: 6c 65 2e 64 69 73 70 6c 61 79 20 3d 20 27 62 6c 6f 63 6b 27 3b 0a 20 20 20 20 7d 29 0a 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 Data Ascii: le.display = 'block'; }) }</script>...<![endif]--></head><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <d
Jan 11, 2025 05:05:02.593086004 CET	1236	IN	Data Raw: 54 68 65 20 61 63 74 69 6f 6e 20 79 6f 75 20 6a 75 73 74 20 70 65 72 66 6f 72 6d 65 64 20 74 72 69 67 67 65 72 65 64 20 74 68 65 20 73 65 63 75 72 69 74 79 20 73 6f 6c 75 74 69 6f 6e 2e 20 54 68 65 72 65 20 61 72 65 20 73 65 76 65 72 61 6c 20 61 Data Ascii: The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p> </div> <div class="
Jan 11, 2025 05:05:02.593099117 CET	965	IN	Data Raw: 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e Data Ascii: tton> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">•</span> </span> <span class="cf-footer-item sm:block sm:mb-1"><span>Performance & security by</span> <a

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jan 11, 2025 05:05:03.872458935 CET	587	49822	207.204.50.48	192.168.2.9	220 mailpod.hostingplatform.com ESMTP
Jan 11, 2025 05:05:03.872724056 CET	49822	587	192.168.2.9	207.204.50.48	EHLO 651689
Jan 11, 2025 05:05:03.989329100 CET	587	49822	207.204.50.48	192.168.2.9	250-mailpod.hostingplatform.com 250-STARTTLS 250-PIPELINING 250-8BITMIME 250-SIZE 65000000 250 AUTH LOGIN PLAIN CRAM-MD5
Jan 11, 2025 05:05:03.989685059 CET	49822	587	192.168.2.9	207.204.50.48	AUTH login Y29tcGVuc2F0aW9uQGJyaXRpc2hjcm93bmNvdXJ0Lm5ldA==
Jan 11, 2025 05:05:04.106218100 CET	587	49822	207.204.50.48	192.168.2.9	334 UGFzc3dvcmQ6
Jan 11, 2025 05:05:09.233002901 CET	587	49822	207.204.50.48	192.168.2.9	535 authentication failed (#5.7.1)
Jan 11, 2025 05:05:09.233273029 CET	49822	587	192.168.2.9	207.204.50.48	MAIL FROM:<compensation@britishcrowncourt.net>
Jan 11, 2025 05:05:09.350543022 CET	587	49822	207.204.50.48	192.168.2.9	503 you must authenticate first (#5.5.1)

Target ID:	0
Start time:	23:04:48
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\leUmNO9XPu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\leUmNO9XPu.exe"
Imagebase:	0x590000
File size:	601'600 bytes
MD5 hash:	46A4D09A8947DCE0C60D1FB5E757AD02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000000.00000000.1367386384.0000000000592000.00000002.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	23:04:54
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\Windows Update.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Windows Update.exe"
Imagebase:	0xc80000
File size:	601'600 bytes
MD5 hash:	46A4D09A8947DCE0C60D1FB5E757AD02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000003.00000002.1682478375.0000000004371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000003.00000002.1682478375.00000000043EF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: 00000003.00000002.1680307199.0000000003371000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\Windows Update.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	23:05:01
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
Wow64 process (32bit):	true
Commandline:	dw20.exe -x -s 2480
Imagebase:	0x10000000
File size:	36'264 bytes
MD5 hash:	89106D4D0BA99F770EAFE946EA81BB65
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	23:05:04
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holdermail.txt"
Imagebase:	0x400000
File size:	1'173'928 bytes
MD5 hash:	D881DE17AA8F2E2C08CBB7B265F928F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	23:05:04
Start date:	10/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\user\AppData\Local\Temp\holderwb.txt"
Imagebase:	0x400000
File size:	1'173'928 bytes
MD5 hash:	D881DE17AA8F2E2C08CBB7B265F928F9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	23:05:09
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0x570000
File size:	601'600 bytes
MD5 hash:	46A4D09A8947DCE0C60D1FB5E757AD02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: JoeSecurity_HawkEye, Description: Yara detected HawkEye Keylogger, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: JoeSecurity_WebBrowserPassView, Description: Yara detected WebBrowserPassView password recovery tool, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Joe Security Rule: RAT_HawkEye, Description: Detects HawkEye RAT, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: HawkEye, Description: unknown, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: Kevin Breen <kevin@techanarchy.net> Rule: Hawkeye, Description: detect HawkEye in memory, Source: C:\Users\user\AppData\Roaming\WindowsUpdate.exe, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	23:05:18
Start date:	10/01/2025
Path:	C:\Users\user\AppData\Roaming\WindowsUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\WindowsUpdate.exe"
Imagebase:	0xf60000
File size:	601'600 bytes
MD5 hash:	46A4D09A8947DCE0C60D1FB5E757AD02
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	8.3%
Total number of Nodes:	109
Total number of Limit Nodes:	8

Executed Functions

Function 011C1DA8 Relevance: 15.4, Strings: 11, Instructions: 1631COMMON

Download Yara Rule

Strings

2wl, xrefs: 011C29F6
2wl, xrefs: 011C28D3
2wl, xrefs: 011C2930
2wl, xrefs: 011C2C5D
2wl, xrefs: 011C298C
2wl, xrefs: 011C2BF0
2wl, xrefs: 011C278D
2wl, xrefs: 011C27F6
2wl, xrefs: 011C2B3A
2wl, xrefs: 011C3D52
2wl, xrefs: 011C2724

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: 2wl$2wl$2wl$2wl$2wl$2wl$2wl$2wl$2wl$2wl$2wl
API String ID: 0-2732562055
Opcode ID: 9952fd1409008f038b28ef5e9f798e3b5a0e21011365e4e41b5a45df8e1cf2ca
Instruction ID: 006c2f7d1b09f957f6e476765c0d811f4ccc25c4a44fde18fb069fedf31d9d82
Opcode Fuzzy Hash: 9952fd1409008f038b28ef5e9f798e3b5a0e21011365e4e41b5a45df8e1cf2ca
Instruction Fuzzy Hash: 2003DE74A012288FDB69DF24C884BEEB7B6BB89304F1081EAD509A7355DB309EC5CF54

Function 04E709C8 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

listen.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70A5C

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: 35834ac6d529d8e9bab11a535b7b486798344e04ad84f0b6351e3e303124de0f
Instruction ID: 1326239b8015e4b4177e96148d8a993de0ca369674474437b5fb00a4be874275
Opcode Fuzzy Hash: 35834ac6d529d8e9bab11a535b7b486798344e04ad84f0b6351e3e303124de0f
Instruction Fuzzy Hash: 2221F4754083806FEB22CF11DC45FA2BFB8EF46324F1984DAE9848F193D364A905C7A5

Function 04E70E6B Relevance: 1.6, APIs: 1, Instructions: 81
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

bind.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70EFF

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 99d94f09e50c065377b869c33a2859729fc1f09b934238332ef9791cbe593211
Instruction ID: e99499db1b75642b664872ef4b4b831cafcfc911fa3b7b4caad99eb29b3cdf57
Opcode Fuzzy Hash: 99d94f09e50c065377b869c33a2859729fc1f09b934238332ef9791cbe593211
Instruction Fuzzy Hash: E32180754093846FE7228F61CC84BA6BFB8EF46324F0984DAE944CF192D224A909CB75

Function 04E70E9E Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70EFF

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: bad165683a2435047264c253d4418e8517e83adca061b34d836846ce537b85be
Instruction ID: 35967531142753621e1677867c5833bae6b3a2a250f20caead8d0abf0ef96f85
Opcode Fuzzy Hash: bad165683a2435047264c253d4418e8517e83adca061b34d836846ce537b85be
Instruction Fuzzy Hash: 8A119D75504204AEEB20CF51CC84BA6B7E8EF44724F08C4AAEA45CB241D774F544CAB6

Function 04E70A06 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

listen.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70A5C

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: listen
String ID:
API String ID: 3257165821-0
Opcode ID: 471995e5912986761d890110ceccd0b687301297cdedf45acf0e569c7ee97a32
Instruction ID: 6f580901cc8ff2670936ef14d7ebdd5c5ce2c4d4ebead13f6fb7df763a0944f7
Opcode Fuzzy Hash: 471995e5912986761d890110ceccd0b687301297cdedf45acf0e569c7ee97a32
Instruction Fuzzy Hash: 9A11C275504204AFFB21CF11DC85BA6B7E8EF44724F1484AAEE448F241E374A504CAB6

Function 011C0898 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dSwl, xrefs: 011C0A20
:@Pl, xrefs: 011C09C8

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: :@Pl$dSwl
API String ID: 0-3807183266
Opcode ID: 554c5625052adb910e911a0475a332dea5b8b0a167b3f26f0383ca5975ebc9f9
Instruction ID: b5ea770a3e0393b4e6ee8ddbf0e7919593d9d8d05e769c38277114021ae96904
Opcode Fuzzy Hash: 554c5625052adb910e911a0475a332dea5b8b0a167b3f26f0383ca5975ebc9f9
Instruction Fuzzy Hash: D4910574E05218CFEB18CFA9C894BADBBF2BF89314F118169E509AB361DB709941CF51

Function 00CFBBF3 Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFBCA9

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1063cfd3a5ad21097e02918fbb4e5bac66406c3f54978e38f5d58ac93454c310
Instruction ID: e8e0fda6b8cf851b4777979176e72a477d5fd43a17e552c85848557826688297
Opcode Fuzzy Hash: 1063cfd3a5ad21097e02918fbb4e5bac66406c3f54978e38f5d58ac93454c310
Instruction Fuzzy Hash: CB318FB1405384AFE722CF25CC45B62BFF8EF06314F08849AE9858B252D365E909CB71

Function 00CFAB26 Relevance: 1.6, APIs: 1, Instructions: 92
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CFABD5

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 99ddb82265b2814a006ec25dde987dad5cf54dab9a2ad8b1739ef4d4fa7a255e
Instruction ID: 872d56dd72e8fbb8394c23a2d437849140b0d59b1409a0022973785fac8792f1
Opcode Fuzzy Hash: 99ddb82265b2814a006ec25dde987dad5cf54dab9a2ad8b1739ef4d4fa7a255e
Instruction Fuzzy Hash: 383186B15083846FE7228B51CC45FA7FFBCEF05710F09849AE9858B553D264E949CB72

Function 04E71109 Relevance: 1.6, APIs: 1, Instructions: 90
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

accept.WS2_32(?,?), ref: 04E711AD

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 6d3affc5659d04685d505a20e461e046ce0ff7c8b15ed1815540ff1292d4c84d
Instruction ID: 2ccf7eb9e5b43c2b08fb612d1026550ba067c6b81b7d4d55ea8bafe53114d5c6
Opcode Fuzzy Hash: 6d3affc5659d04685d505a20e461e046ce0ff7c8b15ed1815540ff1292d4c84d
Instruction Fuzzy Hash: C731A4B54093806FE712CB25CC45BA2FFB8EF06314F0984DAE9848F293D365A509CB71

Function 00CFAC1D Relevance: 1.6, APIs: 1, Instructions: 89
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFACD8

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: f4bce82752ef89d9fd57964d25857de53cb4cb239300e2a6373a04f5e9568479
Instruction ID: 6f042dc8ccaa1588b5d8edbfe9ddcda0575a042062544bd024d94442a5b03c3c
Opcode Fuzzy Hash: f4bce82752ef89d9fd57964d25857de53cb4cb239300e2a6373a04f5e9568479
Instruction Fuzzy Hash: 853181751097846FE722CB21CC44FA2BFB8EF06714F09849AE9498B153D264E949CB76

Function 04E70C90 Relevance: 1.6, APIs: 1, Instructions: 89
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessTimes.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70D2D

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 8bb7cba7eb9dbd13a6a9693a1a44ddd508a88f996995069027218cad7e5f1b1c
Instruction ID: e344eca545d44b07c34d39e6474883ead0b582067ebc92d40e69f5eb85816454
Opcode Fuzzy Hash: 8bb7cba7eb9dbd13a6a9693a1a44ddd508a88f996995069027218cad7e5f1b1c
Instruction Fuzzy Hash: 6431D7764097806FE7228F61DC45FA6BFB8EF06324F0984DAE9848F193D325A509CB75

Function 04E71204 Relevance: 1.6, APIs: 1, Instructions: 88
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAEventSelect.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E712AA

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 85c554a6d58cd4338bfda481fdca62004c1d9c29988d4887e6dbde2e0647793d
Instruction ID: 08374e7ca79d78d818be47b7f87c8fd4675aa59334b8bbe791269139208f1773
Opcode Fuzzy Hash: 85c554a6d58cd4338bfda481fdca62004c1d9c29988d4887e6dbde2e0647793d
Instruction Fuzzy Hash: 5D3184B64093806FE722CB61DC85BA6BFB8EF46224F0984DBE584CF193D224A549C775

Function 00CFAFCF Relevance: 1.6, APIs: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTokenInformation.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFB06C

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8151768f93a3d513c3800ec8e2cbea04ffe86af60bc70a96f83551eb47566549
Instruction ID: 88c0c9499304ffaa974072b7ecd2a80cd108b031427fb7a51626a1cc59533993
Opcode Fuzzy Hash: 8151768f93a3d513c3800ec8e2cbea04ffe86af60bc70a96f83551eb47566549
Instruction Fuzzy Hash: 703180754097846FE7228B61DC45FA6BFB8EF06214F09849FE985CB152D224A908C776

Function 00CFB2F3 Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LsaOpenPolicy.ADVAPI32(?,00000E24), ref: 00CFB38F

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 137ba3f7defa90b8ffe161d5becb5e2b7ca8607fc144275ef3032dc5a5eeefbb
Instruction ID: 33b5c5cb3b93e9ec0bcd975169c2512a92238049856a51aa594930e49889b975
Opcode Fuzzy Hash: 137ba3f7defa90b8ffe161d5becb5e2b7ca8607fc144275ef3032dc5a5eeefbb
Instruction Fuzzy Hash: 1E218271409344AFE721CF55DC85FA6BFF8EF49710F08889AE9449B152D364E908CB61

Function 04E708D1 Relevance: 1.6, APIs: 1, Instructions: 85
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E70971

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 12a3d6f760e1deb9cbf0ba4b853e83c9587c08db544f652a1d9d2d32e8dfa751
Instruction ID: e4f0c3389b669bff18e00c0c32fe19a5d4febaf71c199f552a50551832bba2bf
Opcode Fuzzy Hash: 12a3d6f760e1deb9cbf0ba4b853e83c9587c08db544f652a1d9d2d32e8dfa751
Instruction Fuzzy Hash: 323184B1509380AFE721CF25CC85B66FFF8EF45224F08849AE9448B292D365E904CB61

Function 00CFBD00 Relevance: 1.6, APIs: 1, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFBD95

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 6ea6a897f9b44904b753bf5721109a14c85a9b6001fd31dfd8c6af50cd757e3c
Instruction ID: f84fb5934ab6a63ffc038ecd165c09a488e4040cfa5234400c018ec636c8620b
Opcode Fuzzy Hash: 6ea6a897f9b44904b753bf5721109a14c85a9b6001fd31dfd8c6af50cd757e3c
Instruction Fuzzy Hash: 4721F8B54097846FE7128B21DC45BB2BFACEF46724F0980DAE9848F193D364AD09C7B5

Function 04E70006 Relevance: 1.6, APIs: 1, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70091

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8c7901e024521cf3cbf3be6c679608aad0d54973e0f9659450b973d611dc0855
Instruction ID: 52f79982e9e88345b86c91727133bd552b0891d9e598f257998598e6325065a0
Opcode Fuzzy Hash: 8c7901e024521cf3cbf3be6c679608aad0d54973e0f9659450b973d611dc0855
Instruction Fuzzy Hash: A621C171405340AFE7228F51DC44FA6BFF8EF46724F0588AAF9448B152D265A809CB75

Function 00CFB82E Relevance: 1.6, APIs: 1, Instructions: 77
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CFB8BA

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 19cea8e164113fcb35c65771d6e448e8789be71d9e278fb06760134a3a91fe57
Instruction ID: f74a3e6c64d82df914a2bbb6a8dd95f82b5b2e45cee0505fe6e71ff8aacc5f31
Opcode Fuzzy Hash: 19cea8e164113fcb35c65771d6e448e8789be71d9e278fb06760134a3a91fe57
Instruction Fuzzy Hash: 53218271409384AFE721CF51DC45FA6FFB8EF05310F08889EEA858B192D375A908CB61

Function 04E70562 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04E705F6

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 50f3cecf548db94bd09beae84bc5096e61d337fb2c5f7c329960b4f515e13121
Instruction ID: 46115bc4a633fd1035fdbd60d3e04656729b9d7a5b33d7b46aaf18d31817df7b
Opcode Fuzzy Hash: 50f3cecf548db94bd09beae84bc5096e61d337fb2c5f7c329960b4f515e13121
Instruction Fuzzy Hash: 08219171409380AFE722CF55CC85FA6FBF8EF09224F04849EE9858B192D365A508CBB5

Function 00CFBC2A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00CFBCA9

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: bf3f6f7012ae1d5c3302155db2d1b13c62747a32301f3f79ffae1bff1d98c889
Instruction ID: 6d1ef5498d84129ac8feb931c42c5b4ad4b4355b71df8ea0a97159741e4bd909
Opcode Fuzzy Hash: bf3f6f7012ae1d5c3302155db2d1b13c62747a32301f3f79ffae1bff1d98c889
Instruction Fuzzy Hash: 0921B071504244AFFB20CF66CC85BA6FBE8EF08324F0488ADEA458B251D771E904CB72

Function 04E702C6 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70358

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9ba7f31ab244a40ec9005819794fe6cd8d29752d63e0a070e029dd4f2aa2ce88
Instruction ID: 8207c51a9f6ff25727b58aa42ae3b6ab987a57c6aadadd9eda86867aedb44486
Opcode Fuzzy Hash: 9ba7f31ab244a40ec9005819794fe6cd8d29752d63e0a070e029dd4f2aa2ce88
Instruction Fuzzy Hash: C021BD76104384AFE722CF11CC44FA6FBF8EF05624F08849AE9458B292D364F548CB71

Function 00CFAB56 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,00000E24), ref: 00CFABD5

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d35e89e498a65066e59f150f399d48c9fc0fd7d4dd909c5b10fa3b3c9190f148
Instruction ID: ef3234c6428a2900774d4c068664cd53c59eaf77a225d7fc595c67ec374e1aa7
Opcode Fuzzy Hash: d35e89e498a65066e59f150f399d48c9fc0fd7d4dd909c5b10fa3b3c9190f148
Instruction Fuzzy Hash: DA219FB2504204AFF7209F51CC84FBAFBACEF08714F04845AEA45CB652D324E9488AB6

Function 04E70F5D Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70FE3

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 09824bfe5617457e2f156f59f1bef59a9ff3b7a168b239862600ab2bf4fca6ce
Instruction ID: 0603f8b4fd97e6b2ae3b51d4d8eb5a996b3f4fbb26388c4a1ef8828cfd5af969
Opcode Fuzzy Hash: 09824bfe5617457e2f156f59f1bef59a9ff3b7a168b239862600ab2bf4fca6ce
Instruction Fuzzy Hash: 1F2180755093846FE722CF51CC49FA6FFA8EF46624F08849AEA448F192D364A508CB75

Function 00CFB31E Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E24), ref: 00CFB38F

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 6f167b75e15340c5015910098e86be2ad1fcaa190e35bad79269680211722f67
Instruction ID: b620a24ae12f6c98f94ab43a4ec02ae13f9aa8881de177827d4c2790e0fed49e
Opcode Fuzzy Hash: 6f167b75e15340c5015910098e86be2ad1fcaa190e35bad79269680211722f67
Instruction Fuzzy Hash: 3921CF75504208AEF7209B55DC45BBABBACEF08724F14886AEA04CB251D774E9088AB2

Function 04E708FE Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNELBASE(?,?), ref: 04E70971

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: e680b5118ee37e9a32c24b5b14657917ab790c2e89d0c628ee443057d629f2e0
Instruction ID: 41fecd0cddbd11e8e47ecc91fe9057db7379c3ec0321e21484cbe60ee9371560
Opcode Fuzzy Hash: e680b5118ee37e9a32c24b5b14657917ab790c2e89d0c628ee443057d629f2e0
Instruction Fuzzy Hash: 46218071504244AFF720CF25DC85BA6FBE8EF45724F0484A9EA48CB282D775E504CA75

Function 04E71041 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E710BF

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: da7df3eb11b1f03105b7f1c2383157797d83372cf7f161225804dde993dafbfe
Instruction ID: 9bfeed224d5ad368a7fada0fc568ebf050a5b9de293f1732843fceadcc95b990
Opcode Fuzzy Hash: da7df3eb11b1f03105b7f1c2383157797d83372cf7f161225804dde993dafbfe
Instruction Fuzzy Hash: CD2192714093846FE722CF51DC45FA6BFB8EF46314F0884DAE9849F152D264A504C765

Function 00CFAC5E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFACD8

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: c146bbf47c60fcc21c111165283eb1279551d35ac6286ee31147093cd18043f8
Instruction ID: b47037d4027df6ee1f8d725c2a940d89b6e4f3f335b1e9879c1b5e6e7fbe7d63
Opcode Fuzzy Hash: c146bbf47c60fcc21c111165283eb1279551d35ac6286ee31147093cd18043f8
Instruction Fuzzy Hash: DA218CB5600608AFE760CF16CC84FB6F7ECEF04714F08845AEA49CB651D761E908CAB6

Function 00CFB002 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFB06C

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 2dd35534206a02c1c1e73bbe93b2def1491df0ce4dcdb8c825c56df734e01e38
Instruction ID: 815f087741e124e11ca7b68feb95c2a19e6737c77f76ab9e2eff19bdcf9efa63
Opcode Fuzzy Hash: 2dd35534206a02c1c1e73bbe93b2def1491df0ce4dcdb8c825c56df734e01e38
Instruction Fuzzy Hash: 8111C0B1504204AFEB218F51CC84FB7B7ACEF04324F14846AEA45CB251D734E9048BB6

Function 04E71142 Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 04E711AD

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: fbb928ecd8c9cbd2048882228cd5f87ae1e56caaeec0667d7cda0c309aa89686
Instruction ID: fa73223d1b8d8133fd90429f523e6e71fbafe0714ffcd31fcd75a7fdcb05a03a
Opcode Fuzzy Hash: fbb928ecd8c9cbd2048882228cd5f87ae1e56caaeec0667d7cda0c309aa89686
Instruction Fuzzy Hash: 54219FB4505240AFF720CF55CC85BA6FBE8EF05224F1484AAED488F242D775E504CA76

Function 00CFB84E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00CFB8BA

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 61ece0e10b3b170de5a56cd157b876aea6c5f6f573a37ab621518bcb3bac7370
Instruction ID: 192ff8cb23f6dc512a5de04635fb87bebbc5743f5717c30d91326f3dd81df4b3
Opcode Fuzzy Hash: 61ece0e10b3b170de5a56cd157b876aea6c5f6f573a37ab621518bcb3bac7370
Instruction Fuzzy Hash: F021C671404244AFFB21CF65DC45BA6FBF8EF08324F14885EEA458B291D375A904CB76

Function 04E70582 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE ref: 04E705F6

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 911d7b7e57ffccc207cf52730c4a0bbc3cd3a01c6e0a3a273ce1c7ae26359a9a
Instruction ID: 674d5ea5779d1d1049f05609944fe67619848cda5536e99eced69f34371249bb
Opcode Fuzzy Hash: 911d7b7e57ffccc207cf52730c4a0bbc3cd3a01c6e0a3a273ce1c7ae26359a9a
Instruction Fuzzy Hash: D021AE71504200AFFB21CF55DC85FA6FBE8EF08228F04885DEA458B691E375B508CBB6

Function 04E702E6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70358

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: b2b7e32c94dacd534e6bef08cfc456fa02351d63c8d9dc2af0387fe5b5f4914d
Instruction ID: 01b874a82834a0cc161c11071f45a761b19afff55cd536c857f72369e94023bf
Opcode Fuzzy Hash: b2b7e32c94dacd534e6bef08cfc456fa02351d63c8d9dc2af0387fe5b5f4914d
Instruction Fuzzy Hash: AA11BE75600604AFEB20CF11CC84FB6F7E8EF04728F08859AEA45CB291D360F444CAB6

Function 04E70CCE Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70D2D

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 2275092ef96dc85f3da3ae9c65e375b31cdacad8f5c730f1b86a0b1829613b81
Instruction ID: 012e4aada81ab34e4351981e39665410c58e882b3b1ee07f1518cfe908ba35e9
Opcode Fuzzy Hash: 2275092ef96dc85f3da3ae9c65e375b31cdacad8f5c730f1b86a0b1829613b81
Instruction Fuzzy Hash: FE11DD76504700AFEB218F51DC85BAAFBA8EF04724F04C8AAEA458B251D374B404CBB6

Function 04E71246 Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E712AA

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: ba50887dd198d922addd91bec9d91807268042849c217fdca30caaeb57bd9ca3
Instruction ID: 086f76397e3aadd0a0df24f81d16c8016a9fd10fb78cadaaf17b3be0b5c29f2a
Opcode Fuzzy Hash: ba50887dd198d922addd91bec9d91807268042849c217fdca30caaeb57bd9ca3
Instruction Fuzzy Hash: F4119075504244AFE721CF51CC88FA6F7ECEF44624F14846AEA45CB241E774E5048ABA

Function 04E70F82 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70FE3

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: bad165683a2435047264c253d4418e8517e83adca061b34d836846ce537b85be
Instruction ID: 1a5a0829674e30446f330b6bb9cfbcd697eebbadcb711db62b4d21edb802b256
Opcode Fuzzy Hash: bad165683a2435047264c253d4418e8517e83adca061b34d836846ce537b85be
Instruction Fuzzy Hash: 81119A75504240AEEB20CF51CC85BAAF7E8EF44724F0884AAEA059B281D774B508CAB6

Function 04E70032 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E70091

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8a8f54e44fc26b4eb4f5b1546fc988041f31ece2877104554cbd7d41abbb716
Instruction ID: ebc1cce0ee9352576cdbb980f5603d4b42240b073c6a9d1ac769bd05d2a5d52e
Opcode Fuzzy Hash: f8a8f54e44fc26b4eb4f5b1546fc988041f31ece2877104554cbd7d41abbb716
Instruction Fuzzy Hash: 6A11CE71504200AFEB21CF51DC84FA6FBE8EF44728F0488AAEA458F291D375B404CBB6

Function 04E71066 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 04E710BF

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 43a6a2db4905cdce41e4a3724d845f4a5add122b9e906047dca72f21916949b9
Instruction ID: 26695db93f71e9c4d65d098479aa6ce27eacf8678e18e1e7f59bfd0833124d78
Opcode Fuzzy Hash: 43a6a2db4905cdce41e4a3724d845f4a5add122b9e906047dca72f21916949b9
Instruction Fuzzy Hash: 0911EC71504340AFFB20CF51DC85BA6FBA8EF44728F0888AAEA448F241D374A504CAB6

Function 011C0D21 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

f`Ul, xrefs: 011C11E3

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: f`Ul
API String ID: 0-4095096961
Opcode ID: a52916e086ded6513ee67f98bd043815b7895d0726fc9cc6a41843c204a462f6
Instruction ID: 6d709c64f40c8d8db146cd9f2d5df3ddf3f23b31be26f1e97829c5212858a262
Opcode Fuzzy Hash: a52916e086ded6513ee67f98bd043815b7895d0726fc9cc6a41843c204a462f6
Instruction Fuzzy Hash: 93E1EA34A0520ADFDB04DF64D494AEDBBB2BF49308F5585A8E505AB369CF316D4ACB80

Function 04E72D52 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNELBASE(?,?,?), ref: 04E72D9A

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: e4c15f63b9c7d01be5609fe261c9cda4949632fd2a5bd9d651d28e01a527623b
Instruction ID: 0e99a548ee6ba264f7ffea0dabada666af8eb8fd78ebe6d0938215052db5caab
Opcode Fuzzy Hash: e4c15f63b9c7d01be5609fe261c9cda4949632fd2a5bd9d651d28e01a527623b
Instruction Fuzzy Hash: D91182716006409FEB20CF55D885796FBE8EF05624F08C4AADE49CB282D775E444CA61

Function 00CFBD42 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNELBASE(?,00000E24,E9A47240,00000000,00000000,00000000,00000000), ref: 00CFBD95

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 2988ed69b0434f1b27f76e038c201936f7d218a691c8d5e5f5c43e583a5e6487
Instruction ID: 58fb91c1f977baa985aac00c5aaff1049eb2109093d23b296775195c4b7dd3e1
Opcode Fuzzy Hash: 2988ed69b0434f1b27f76e038c201936f7d218a691c8d5e5f5c43e583a5e6487
Instruction Fuzzy Hash: 8F01D275504244AEF760CF12DC85BB6F7A8EF44724F14849AEE048F245D374F9048AB7

Function 011C0D30 Relevance: 1.5, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

f`Ul, xrefs: 011C11E3

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: f`Ul
API String ID: 0-4095096961
Opcode ID: 2ff130bc06fb70e385fd43f375bb4305bb95c889d708c4d656676c613230bb9f
Instruction ID: 51f65261559ecf7ae2e4cc0dff6e2fa26bedc7386b9d672647e6d18d104636a6
Opcode Fuzzy Hash: 2ff130bc06fb70e385fd43f375bb4305bb95c889d708c4d656676c613230bb9f
Instruction Fuzzy Hash: EAE1B934A0520ADFDB04DF64D494EEDB7B2BF48308F5545A8E505AB369DF316D4ACB80

Function 04E72EC2 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 04E72EFC

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: be3603ff40e8a56668f4709b26a65c7edc591ac3ace0756b5d7c1ad441d5d50c
Instruction ID: 274c8d57d5af2ce3495f969f0567fb2d8e3ed08543e822b1824083d47d9a9a03
Opcode Fuzzy Hash: be3603ff40e8a56668f4709b26a65c7edc591ac3ace0756b5d7c1ad441d5d50c
Instruction Fuzzy Hash: 2A0192716042409FEB10CF55D8847A6FBE4EF45634F08C4EADE09CB682D774E444CBA2

Function 04E7141E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E24,?,?), ref: 04E7146E

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 27880e27a4602d99c26a7c9454b55a7b906e13932702e51970fce4e8a3ac8439
Instruction ID: 2861464ff008f4542ddf85886b7a5c96b1e28ddc3ab0882184a9ddca52b4f3e1
Opcode Fuzzy Hash: 27880e27a4602d99c26a7c9454b55a7b906e13932702e51970fce4e8a3ac8439
Instruction Fuzzy Hash: 11017171500200ABD350DF16DC86B26FBE8FB88B20F14855AED099B741D735F915CBE5

Function 04E71A9E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 04E71AE9

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 1afa64157e9f28605ef974b8fae78c75d992952e63a7bd8f32ead05e7781cc53
Instruction ID: fd3e0a94d30059f06e1e2aa12d43e5b0fc4dc1e5e610f39fa558de0ef7fbb65c
Opcode Fuzzy Hash: 1afa64157e9f28605ef974b8fae78c75d992952e63a7bd8f32ead05e7781cc53
Instruction Fuzzy Hash: E1018C716047449FEB20CE1AD885B62FBE8EF44624F088199DD898B352E371F408CB62

Function 00CFA5D6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CFA61A

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 389554401a06154fb0e612ed90f5d1fd59b9525c931b6d929641a21f6205eb4a
Instruction ID: e946ebb2f4d2aa517472891003416933a3635938ac485f0cbdb8de910dd77ee7
Opcode Fuzzy Hash: 389554401a06154fb0e612ed90f5d1fd59b9525c931b6d929641a21f6205eb4a
Instruction Fuzzy Hash: E0016D71404644AFEB618F55D844B62FBE0EF48720F18C8AAEE498B652D375A414DF63

Function 00CFB952 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 00CFB990

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 8107163855b560c417ac6e1c1d2d4252d93d32ca01999e24e0678f4261005929
Instruction ID: e8f5debb4e7ad3d047897b1575d5b8768370c0c33d45a53d5930640ee5737b36
Opcode Fuzzy Hash: 8107163855b560c417ac6e1c1d2d4252d93d32ca01999e24e0678f4261005929
Instruction Fuzzy Hash: 7F019E71404244DFEB60CF55D884B66FBF4EF08720F0888AADE498B652D375A918DFA2

Function 00CFB7B2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00CFB802

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5636d046f9ae52a8b0114c96408d8a5ebf7b87d36793eeab68dd1a3a350c7ed2
Instruction ID: 0c18320e7f5effda6ea5aafaa11e103b0d2a7e4006b9e9422886f1c515343aa5
Opcode Fuzzy Hash: 5636d046f9ae52a8b0114c96408d8a5ebf7b87d36793eeab68dd1a3a350c7ed2
Instruction Fuzzy Hash: 5101A271600200ABD260DF16CC86B26FBE8FB88B20F14815AED095B741D771F915CBE5

Function 04E714C6 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04E71504

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 4020163dc0ddea6d73f9f855e3f82f49fb4c77447fb223bd98e67e04265059df
Instruction ID: 22f66a1283a6f8715a1643a811dff936e868741cdf6a6a8393fd7756cd5bfe79
Opcode Fuzzy Hash: 4020163dc0ddea6d73f9f855e3f82f49fb4c77447fb223bd98e67e04265059df
Instruction Fuzzy Hash: 55019E71904340AFEB20CF55D884B62FBE4EF08724F08C8AADE468B652E375E414DB62

Function 04E7024E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?,00000E24,?,?), ref: 04E70299

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: eeec3bce10ed4840b3264554f4f31319ba28de6f17ffdd08f5a79aedda32d30a
Instruction ID: 23ec62bb68c4cb88d1f9bc186e0d5c18d79aa18864cc208dcaf5e990c20aaa70
Opcode Fuzzy Hash: eeec3bce10ed4840b3264554f4f31319ba28de6f17ffdd08f5a79aedda32d30a
Instruction Fuzzy Hash: C301A271600200ABD260DF16CC86B26FBE8FB88A20F148159ED085B741D735F915CBE5

Function 04E732FA Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E73335

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: e31eed7834b9a77cb75f0e55ea0a4a38804e0a3100fe85fabb4821f36a668d24
Instruction ID: dedbc6164f05175e8a73b03d7ba5426f671502c26d0111d26208117eaf408f5e
Opcode Fuzzy Hash: e31eed7834b9a77cb75f0e55ea0a4a38804e0a3100fe85fabb4821f36a668d24
Instruction Fuzzy Hash: 4101B131504640EFEB608F15D884B65FBE4EF04634F08C0AEDD558B662D775E454DBA2

Function 00CFA8AE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00CFA8E0

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 28c76fd9140cb4d3a955201ca24fbd91c00f3d3d82d3b65a9fe5674ec6bf823c
Instruction ID: 23eff7e1d964ca17a51264320e9eb197216758623f145353d7d32a89f4da7b82
Opcode Fuzzy Hash: 28c76fd9140cb4d3a955201ca24fbd91c00f3d3d82d3b65a9fe5674ec6bf823c
Instruction Fuzzy Hash: 8001A2B04042449FEB50CF15D884761FBE4EF45724F19C4EADE488F242D3B5A544CAA3

Function 04E7286E Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 04E728A9

Memory Dump Source

Source File: 00000000.00000002.1429198516.0000000004E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e70000_leUmNO9XPu.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 478c6cba1155eac5499f0dd3adbd0b1a7968c3d4aa0236b6ea8224ad63cf5447
Instruction ID: c1e5b869462929b3dee3b1d86a5dc207df2de869ad35df9273c2cf0973ff103b
Opcode Fuzzy Hash: 478c6cba1155eac5499f0dd3adbd0b1a7968c3d4aa0236b6ea8224ad63cf5447
Instruction Fuzzy Hash: 330178319046409FFB208F45D884B61FBA0EF08624F08849AEE494B662D37AA458DBA2

Function 00CFAA12 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 00CFAA4A

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: b13c685590777d929fba41ee52c0eee41307b9ba33dac76382efbd3f49e2786a
Instruction ID: f46b4b65abea55e5b442fc547f8f440957c823fa6f698962c1220a308bd836d2
Opcode Fuzzy Hash: b13c685590777d929fba41ee52c0eee41307b9ba33dac76382efbd3f49e2786a
Instruction Fuzzy Hash: 7F01D1754046489FEB608F46D984B62FBE0EF04724F08C09ADE494B662D375A908EFB3

Function 00CFA69A Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(?), ref: 00CFA6CC

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 9ba1ed41950f4018daa8a7e6a5ea0c96ff0b504b45609292057c8d01e764cdb0
Instruction ID: 301451d0c1314ace355e5b88c67218cee712dd5d22f40a242b93379465196fb0
Opcode Fuzzy Hash: 9ba1ed41950f4018daa8a7e6a5ea0c96ff0b504b45609292057c8d01e764cdb0
Instruction Fuzzy Hash: ADF0AF744046449FEB608F06D885761FBE4EF49724F0CC09AEE098B252E375A944CEA3

Function 011C0889 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

:@Pl, xrefs: 011C09C8

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: :@Pl
API String ID: 0-821508670
Opcode ID: b5658deb1d268120b5ae64aa5ca362a26c5e5509d3e5668ce8255c6a1e347319
Instruction ID: 363af719ae7b652e46900261e99389ba55a6cca029f0eaa21b468b25d04698d2
Opcode Fuzzy Hash: b5658deb1d268120b5ae64aa5ca362a26c5e5509d3e5668ce8255c6a1e347319
Instruction Fuzzy Hash: 3C711874E04218CFEB18CFA9C894BADBBF2BF89314F158169E509AB351DB709981CF51

Function 00CFA2FA Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?), ref: 00CFA32C

Memory Dump Source

Source File: 00000000.00000002.1427724216.0000000000CFA000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cfa000_leUmNO9XPu.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 652f665a3825e25fab42d43eb356eecb4e7d381783d5079c561116bc492e2c3d
Instruction ID: 35b1ed1df9508904f8a225582fc2b5401dc99388ce5842da80cd01916d33b035
Opcode Fuzzy Hash: 652f665a3825e25fab42d43eb356eecb4e7d381783d5079c561116bc492e2c3d
Instruction Fuzzy Hash: A201DFB19042449FEB508F16D884766FBE4EF05720F08C4AADE098B262D374E808CAA3

Function 011C02C0 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b65169d1cccf53f5e7791ee2cf6023527c0aa3a0a19989864834686e5511c4e
Instruction ID: 81f36e46dfe01354f7a2139e8c964dfb8aaa7f9876ec116a816f133551a3d3a5
Opcode Fuzzy Hash: 1b65169d1cccf53f5e7791ee2cf6023527c0aa3a0a19989864834686e5511c4e
Instruction Fuzzy Hash: F351BE78A04218DFDB04CFA9C880BADBBF1FB0D314F0154A9E602AB361D778A941EF55

Function 011C1C50 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42dbd31a60eeff14799253bf912030b0c88c2a3452533722376feae6ade24e1
Instruction ID: 1d29bbb099104adb0115ca76dba8e5affa2d78b645f84d25bca7db8d1cce0478
Opcode Fuzzy Hash: a42dbd31a60eeff14799253bf912030b0c88c2a3452533722376feae6ade24e1
Instruction Fuzzy Hash: 84415B30A46208CFCB19DBB4C8549DEBB72EF8A308F91947DD40177262CF369856DB56

Function 011C02D0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8d1452e285ae8566feca4ed24d2c9681ff39df68b81483702d24b9fdd05675
Instruction ID: 5ae70343a52a7b3add6e26d10d9359368a32b0e4cbae8130f9f7224e90de722e
Opcode Fuzzy Hash: 1c8d1452e285ae8566feca4ed24d2c9681ff39df68b81483702d24b9fdd05675
Instruction Fuzzy Hash: 4B419D78A04218DFDB04DFA9C880BADBBF1BB0D314F0154A9E606AB361D778A940EF55

Function 011C1C60 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9ce1fe578ad3519ceb084cb311d061836008e32f6abaaeae83bff3f42e4006c
Instruction ID: a2cfb86d14b40fcadde7044779b4f8c49ee43c75d9830b7933be347a8cc56df9
Opcode Fuzzy Hash: b9ce1fe578ad3519ceb084cb311d061836008e32f6abaaeae83bff3f42e4006c
Instruction Fuzzy Hash: 2A314830A42208CFCB19DBB4C8449EEBB72FF8A308F91A469D50137351CF369856DB55

Function 00FF076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428533025.0000000000FF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 772a2164f734119f500f78dcaf039df08175b3ddb4ccbb219248f62aa4217b2f
Instruction ID: 745bff50c2258c219efcfb5ef68cf0a5629dff6a95990a8ccce23e26f5db888a
Opcode Fuzzy Hash: 772a2164f734119f500f78dcaf039df08175b3ddb4ccbb219248f62aa4217b2f
Instruction Fuzzy Hash: 3C11C331648248DFD7119B10C980B25B791AF89718F24C59CEA4947663CB7AA803DA91

Function 011C0148 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b740ac37562e4ed15b899e7f4fc040459227c19955c7113cf4570138584bb9c1
Instruction ID: 57ef2add0312c78c81b5eab30e6a15543f6c340146effebf63ef55c44ec16124
Opcode Fuzzy Hash: b740ac37562e4ed15b899e7f4fc040459227c19955c7113cf4570138584bb9c1
Instruction Fuzzy Hash: 47214D30A0614AEFDB44EBB4D8546EDBBB1EB45305F154168E602E7266DF315E04EB42

Function 011C0158 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb91cddf442339943a776ed6cc497fd1dedc3b0e137f4be230245c6f2dd872c
Instruction ID: 3dd109bb6cadfd73d7b973ee8c86d240503a2a81cdc4de05a00faf8112c398c3
Opcode Fuzzy Hash: efb91cddf442339943a776ed6cc497fd1dedc3b0e137f4be230245c6f2dd872c
Instruction Fuzzy Hash: EE111930A0210EEFDB44EFA4E844AADB7B1FB44309F154168E602E725ADF315E44EB92

Function 00FF05DF Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428533025.0000000000FF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92c33ba43c458dc413165751885cb5121bbc404b85744c17b8d73fba8f9cbae
Instruction ID: 3aa525f592def464ae645ab1a160c343cbcd73addec55f26e045d173ecbf66b0
Opcode Fuzzy Hash: d92c33ba43c458dc413165751885cb5121bbc404b85744c17b8d73fba8f9cbae
Instruction Fuzzy Hash: 6701A77550D3806FD7118F169C40862FFA8DF86660709C4EFE8898B652D125B809CB72

Function 011C0438 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 163991a14c3d3a3020e9252a80747fc944e3e5966d1c810b961a31d1bd5aea10
Instruction ID: 8f69004921dd069b5d0ed25272e446d9e14279a6f1c686dae9f6bf4c62cecd63
Opcode Fuzzy Hash: 163991a14c3d3a3020e9252a80747fc944e3e5966d1c810b961a31d1bd5aea10
Instruction Fuzzy Hash: 98016D34A86208DFDB19CB70D551EAFB772EF86305F2164BD840227690CB7A8E41EB05

Function 011C0448 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58607ebb62234168585c430d5e73ac0f1fe79ceac48e207f5e18cbec467c4e89
Instruction ID: 842e6604cee33d7ffc0ab2b3b364abdcfda3ecdfc03559ec0c75a5167c529f33
Opcode Fuzzy Hash: 58607ebb62234168585c430d5e73ac0f1fe79ceac48e207f5e18cbec467c4e89
Instruction Fuzzy Hash: B1F0F934A82208DFDB18DB70D541BAFB372EF86309F2164AD840623750CB7A9F41EA05

Function 011C00B0 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0790f032aae1f26c03d9b83faec211b39ef3c7770922bc1f66953faace2a7a48
Instruction ID: 0a455ee090f2ef9aa0b1b7d13877952b6cace9b58a98e41ebd8b784df3c59773
Opcode Fuzzy Hash: 0790f032aae1f26c03d9b83faec211b39ef3c7770922bc1f66953faace2a7a48
Instruction Fuzzy Hash: B7F0F030C0A2489FD7199FB4C89ABEFBFF09B0A600F02446ED540B7291DBB44945CBE1

Function 00FF0736 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428533025.0000000000FF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8abcc2f5b2350cafedd57e0543080ea352ddc00b087540e9aea5666a9af23dcf
Instruction ID: f8325bb65205c0f291e336b3808c84c7ada97c90f1165edfd5c5a6851b863cd9
Opcode Fuzzy Hash: 8abcc2f5b2350cafedd57e0543080ea352ddc00b087540e9aea5666a9af23dcf
Instruction Fuzzy Hash: 64011E355486859FC702CB10D580B26FBE1EF89714F24C6EED9890B663C7369812DB91

Function 011C0821 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c91ea4e8a1080abdcabd57926051e9927616a36b7017f124de6a1007e50ca6
Instruction ID: 47a1c21d27c5d788b150ad78a9933eb66887db9c5caf1f3f0bccb6ad8595797a
Opcode Fuzzy Hash: 67c91ea4e8a1080abdcabd57926051e9927616a36b7017f124de6a1007e50ca6
Instruction Fuzzy Hash: 5E012438D09208DFDB05DFA8C98499DBFF1EF09200F1582EAD80997322D7309E00DB81

Function 011C1521 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 183eafdf4cbf95f518dcc2453deb31d36f8df4f66930502c91692740e9d3246b
Instruction ID: 15e4db1160a4e4df032ff463c053f0ca757504bdd22bb1705e6aa406c45fc350
Opcode Fuzzy Hash: 183eafdf4cbf95f518dcc2453deb31d36f8df4f66930502c91692740e9d3246b
Instruction Fuzzy Hash: 38F09070A49348DFC709EBB0C8599AD7F30DF47201F1610EAC4466B2A2DB344E44DB46

Function 011C00C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86a012bae5ecbf80bc4387fa317dac470a90fd3daf094948912b4b0c6d41e1e9
Instruction ID: a323ddc81d3764d49df26e18c0a65ab17b905af2ffdd432aea4a10c25a928b7d
Opcode Fuzzy Hash: 86a012bae5ecbf80bc4387fa317dac470a90fd3daf094948912b4b0c6d41e1e9
Instruction Fuzzy Hash: 86F0B830C0120C9ADB589FA9C849BEFBAF4AB49A00F01182DD100B3280DBB448408BE0

Function 011C0270 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114b8c6a0a575a6767730f38e425833e7e0533fa3a803044ded116191656facc
Instruction ID: a36b679be572844b4a751dfe00b95dd1b40c0b67c3bf774c812b8819560a0e0e
Opcode Fuzzy Hash: 114b8c6a0a575a6767730f38e425833e7e0533fa3a803044ded116191656facc
Instruction Fuzzy Hash: ACF0F07880E288DFCB99CFB495816DC7F70EB16201F2445BEE881D7A02C3318A44DB02

Function 011C0738 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c609a81f61b2c093cad58575c46df1c9375d33a8b2adb91acaeba2308b27ed65
Instruction ID: baae6534e6c9d77fbbae833cee2b74e73ebaac0da8682cdfa3934e4b625279c8
Opcode Fuzzy Hash: c609a81f61b2c093cad58575c46df1c9375d33a8b2adb91acaeba2308b27ed65
Instruction Fuzzy Hash: 74F04474D06388DFCB06DFB498444ADBFB0EB06201F0199AEC450A3291D3358A40DB41

Function 00FF0828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428533025.0000000000FF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
Instruction ID: 86cb791488b32659f2deffcf17b56e60fe43c0d7266cfbe2d03b65051ac8eb6a
Opcode Fuzzy Hash: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
Instruction Fuzzy Hash: 49F0FB35548644DFC315CB40D980B25FBA2EB89718F24C6A9E94907662C737E812EE81

Function 011C1530 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 827599f2c107c5c2f4aa7749c7595a0dff2034bf08db5dd31e21a1bfa70df9b1
Instruction ID: 272a3a9553849479fbd29b5cb620bf060d220402e0adc3205a5338e256b11443
Opcode Fuzzy Hash: 827599f2c107c5c2f4aa7749c7595a0dff2034bf08db5dd31e21a1bfa70df9b1
Instruction Fuzzy Hash: 62F03070A4120CEFC708EFB4D5559ADBB75EF47205F1161A8D50627361DF305E44DB46

Function 011C3E40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85b650d17531f400b96830766e368d9a133d7a83ef564bb96f3372fd06472a50
Instruction ID: b37fe5c79f11d7700a58cc89846370b6ad9862474a5c528b22e78c63ac8178f0
Opcode Fuzzy Hash: 85b650d17531f400b96830766e368d9a133d7a83ef564bb96f3372fd06472a50
Instruction Fuzzy Hash: DDF0E53485A2488FCB05CFB8C6818ACBFB0AF07200F0552EED840A7762D7345944CF12

Function 00FF0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428533025.0000000000FF0000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d756ed319125787f9b31347e3b14029fd62e7345949daa507b552d2221f19c6e
Instruction ID: 913e3c059ef10678c0585461e8be756d6fa54f6ba06324cb4e186726030f6d23
Opcode Fuzzy Hash: d756ed319125787f9b31347e3b14029fd62e7345949daa507b552d2221f19c6e
Instruction Fuzzy Hash: 89E092B66046004B9650CF0BEC81462F7D8EB88630758C47FDC0D8B701E675B508CAA5

Function 011C0748 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47e19470d44402e16841edac1dd7632f0cc1ca89cd51ed39f7d2a34564f8ab6
Instruction ID: 69feb34ed0e3f29b88e884eb3ecdc2ce7f0cc2f0327ce50441886d6633be56b1
Opcode Fuzzy Hash: e47e19470d44402e16841edac1dd7632f0cc1ca89cd51ed39f7d2a34564f8ab6
Instruction Fuzzy Hash: 52F0F278D4130CDFCB08DFB8D4445ADBBB0EB06205F1099A9C810A3350D7359A40DB40

Function 011C3E08 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0aeb20819326c90dfe485a863d2d5e0eea65bc5a2fd2a502a3b96907d23bebf
Instruction ID: b5fbaf705406c2e3c3b8a642ac0af67d84f8cb0dc120939db3e1e9ef2b706e89
Opcode Fuzzy Hash: c0aeb20819326c90dfe485a863d2d5e0eea65bc5a2fd2a502a3b96907d23bebf
Instruction Fuzzy Hash: 4DE086B184F2C89FC71A8B7499116A9BF709F13100F0651DED14497552D7764D46DB05

Function 011C3E50 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61d99b146b51a07e4fae94e48e51774a4777a942ccddfedc2c211e6c4fdc1c9
Instruction ID: c37168eb243dd1314ef09e682c23a80d69c1ce124fcfc76bffbdab87ede4b3e7
Opcode Fuzzy Hash: d61d99b146b51a07e4fae94e48e51774a4777a942ccddfedc2c211e6c4fdc1c9
Instruction Fuzzy Hash: 22E04638D4120CDFC704EFA8D6859ACBBB0EF06201F1051A8D80463360DB30AE80DB85

Function 011C0280 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdb64d6ddcc75f97f33c06fc997361ddce8059195aceca16242906726b99ab7
Instruction ID: 4d9ae772139504b7f198646b4afc1d14370567ba2e4d6dd5875b4a60a2f0daa3
Opcode Fuzzy Hash: 5bdb64d6ddcc75f97f33c06fc997361ddce8059195aceca16242906726b99ab7
Instruction Fuzzy Hash: 8AE04F3890520CDFCB58DFE8E54469CBBB5EB49705F1091ADE84593354D7315E50DB41

Function 011C013E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 197579a60472d42e0796570cdcd1f96dcb3dc7b4c0431761ab5a21e093989aa9
Instruction ID: 24f9b5973c17f4ddf9fcf68300968886ad57abfbf2d7c4dc6d9d3345fcbb813d
Opcode Fuzzy Hash: 197579a60472d42e0796570cdcd1f96dcb3dc7b4c0431761ab5a21e093989aa9
Instruction Fuzzy Hash: 7CD01739D40208CFCB04CFA4E0452EDF770FB8A325F10942AC118B3200C33184458F55

Function 011C3E18 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d65fb25ccec599abc4c0d478059323bb1872365dbc5ea05b0ee290a7d52ebfde
Instruction ID: 23e9f1782ca962865c05f1562d0270c1f5058c7ac3bd764bb2ebfa5fbeb152e5
Opcode Fuzzy Hash: d65fb25ccec599abc4c0d478059323bb1872365dbc5ea05b0ee290a7d52ebfde
Instruction Fuzzy Hash: 20D0A97188220CDBC308DFA4A900AAAB339EB03605F0020ACC60423200CB769980DA88

Function 011C011D Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3499c1f4fc5a00b36f958eff0804a775d2557d674c0bfd66ddb4a373ba06707b
Instruction ID: 356240ed957a3ec633bd1b009b65ffe434241bf8646b0e17adf53b7d5196fdfc
Opcode Fuzzy Hash: 3499c1f4fc5a00b36f958eff0804a775d2557d674c0bfd66ddb4a373ba06707b
Instruction Fuzzy Hash: 39D0C93AE41208DF8B00CFB8E4400DCF775FB8A225F10A566C518B3310C7319415CF54

Function 00CF23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427698084.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf2000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction ID: 206612e6800f8e3033cb5c33bee7ddd86c4c1310e2644acb879cec58fb5195a3
Opcode Fuzzy Hash: f2aef786ce693c3d126bd91b4d0eae3dcffcb0fe924688e22641edf619e9383d
Instruction Fuzzy Hash: 4AD05E792096914FE3179F1CC1A4BA53BD4AB51714F4B44FAA8408B763C7A8DA81E611

Function 00CF23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427698084.0000000000CF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_cf2000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction ID: 5ef86e148cb01a8a4edd5594e6cfe6acbb33b2bcf4bff684a5f8797f4be534ae
Opcode Fuzzy Hash: 70fc87ee2b636c064b6ad0cb9b0f30bea8c2d2b44495404c5e717f2ed12bc844
Instruction Fuzzy Hash: B8D05E746056854BD715DE0CC2D4F6933D8AB40714F0644E8AD208B272C7A8D9C4CA01

Non-executed Functions

Function 011C1D98 Relevance: 10.8, Strings: 8, Instructions: 769COMMON

Download Yara Rule

Strings

2wl, xrefs: 011C29F6
2wl, xrefs: 011C28D3
2wl, xrefs: 011C2930
2wl, xrefs: 011C298C
2wl, xrefs: 011C278D
2wl, xrefs: 011C27F6
2wl, xrefs: 011C2B3A
2wl, xrefs: 011C2724

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID: 2wl$2wl$2wl$2wl$2wl$2wl$2wl$2wl
API String ID: 0-968857612
Opcode ID: c69640e85e901477b4eb6ec90436bfdec036159897e4bb3f69fb8669092ebde1
Instruction ID: 9edf56b46aac06443136174b566efcf37932f4ed12298bbaa2feda29436adf03
Opcode Fuzzy Hash: c69640e85e901477b4eb6ec90436bfdec036159897e4bb3f69fb8669092ebde1
Instruction Fuzzy Hash: 3B82DF74A412288FDB69DF24C894BEEB7B6AB89304F1080EAE509A7354DB355FC5CF50

Function 011C19A0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bab78124a894d1edc8b6da155c2c4ec19b42b9c8a7ec3f81a67d0df34d5d9d
Instruction ID: 30322c28594978edead9d0dc25d528f4f30465a91e21687661012db6e3a41d82
Opcode Fuzzy Hash: 57bab78124a894d1edc8b6da155c2c4ec19b42b9c8a7ec3f81a67d0df34d5d9d
Instruction Fuzzy Hash: 2C214830D49249EFDB04DFA8C484BEDBBF1AF46304F5185A9D405BB392CB349A85DB90

Function 011C19B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde457cade08a49d303ac89523d285232f2ab55dfc1b9a2fa2e7b988435a1d05
Instruction ID: 734999ca1e1977e175f2e3c66306cb0e4bb4db5198f4ca43019f5a0792034d06
Opcode Fuzzy Hash: dde457cade08a49d303ac89523d285232f2ab55dfc1b9a2fa2e7b988435a1d05
Instruction Fuzzy Hash: 45211330D45209EFDB08EFA8C484BEDBBF2AF45304F5184A9D40577391CB349A84DB90

Function 011C0728 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction ID: 81177c2f544e247ef4b18a5032d2a2b06533e4f427452e88748a587fe969ea5c
Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction Fuzzy Hash: 19B0923AE04108DADB088EC4B4413FCF770E786229F112067D21CB3540833182684A8A

Function 011C14C0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction ID: 423ecbcf06909067204682780ac92538cbe08342be3afa9294fe7a8286eb807d
Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction Fuzzy Hash: 99B09236E44008EADB048EC4B4413FCF770F782229F152167C219B390283358268468A

Function 011C17F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1428717898.00000000011C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11c0000_leUmNO9XPu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction ID: 87ca7ea0da2681a1f2543dcd719725a773b3514e5b44bf3a90ab629ba4f7d2af
Opcode Fuzzy Hash: 6f05c8a2bf2ccfa7098e7791fe1597f8093cffcd8f9d1c0d20381294cb12e732
Instruction Fuzzy Hash: 83B0923AE44108EADB048FC4B4413FCF7B4EB82229F112067C218B350183318268868A

Analysis Process: Windows Update.exePID: 7736, Parent PID: 7472COMMON

Execution Graph

Execution Coverage:	23%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	7.3%
Total number of Nodes:	315
Total number of Limit Nodes:	18

Executed Functions

Function 01857D98 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 465
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01857E09

Strings

dk, xrefs: 0185852F

Memory Dump Source

Source File: 00000003.00000002.1680087390.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1850000_Windows Update.jbxd

Similarity

API ID: InitializeThunk
String ID: dk
API String ID: 2994545307-213207733
Opcode ID: 8c9a1a35d0639b775e2bf87f423d0235eaee2af4f85762e5cfa9bcfd69b8a827
Instruction ID: 642a3f03011d39680dc0a1d8429cae26ba9fab7c50ddd67554cccbefa0948635
Opcode Fuzzy Hash: 8c9a1a35d0639b775e2bf87f423d0235eaee2af4f85762e5cfa9bcfd69b8a827
Instruction Fuzzy Hash: 3D329174941229CFDB65DF24C884BEEB7B2BF4A304F5085E9D809A7250DB75AE85CF80

Function 05560E6B Relevance: 1.6, APIs: 1, Instructions: 81networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560EFF

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: f422427a5b4755d3a56fdd2dc97efdf04b505ed00d886cb9fe974555d87060ef
Instruction ID: 4e0c4270077a61d1cd86fdab7d9cccc65fb99520bf089550bac3d4d13068c487
Opcode Fuzzy Hash: f422427a5b4755d3a56fdd2dc97efdf04b505ed00d886cb9fe974555d87060ef
Instruction Fuzzy Hash: CE2174754097846FE722CB61CC48FA6BFB8EF06314F0984DBE945CF192D264A905CB75

Function 05560E9E Relevance: 1.6, APIs: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560EFF

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: bind
String ID:
API String ID: 1187836755-0
Opcode ID: 9975060dc4b66c6a1a58b2295d4d974390380d6c7e180b9f709dfa372eba5324
Instruction ID: 8d723e789207058446ba914bfbc419e32e971f01a2c16c26264ea32cfbf29915
Opcode Fuzzy Hash: 9975060dc4b66c6a1a58b2295d4d974390380d6c7e180b9f709dfa372eba5324
Instruction Fuzzy Hash: 32118E75504244AEE720CB51CC88FA6F7A8FF04624F0488AAEA458B291D774E904CAB5

Function 055641B6 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.KERNELBASE(?,?,?,?,?,?), ref: 055641FF

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AdjustPrivilegesToken
String ID:
API String ID: 2874748243-0
Opcode ID: 4d5ffde7deca4de11708c6c5870bf6f48957ba25ab38aa19a11438970905b464
Instruction ID: e3851d769b8c167d2b7250cf44441d316cc66edf34ab3a7e48d647850c07de9a
Opcode Fuzzy Hash: 4d5ffde7deca4de11708c6c5870bf6f48957ba25ab38aa19a11438970905b464
Instruction Fuzzy Hash: 60115A75504640DFEF21CF95D884B66FBE4FF08220F08C8AAEE468B652D335E454DBA2

Function 05565E8E Relevance: 1.5, APIs: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,?,?,?,?), ref: 05565ECC

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 09e809f50800c52d9633c8e9cc7f7dc9b024128fc675bb317f14966cbf4e03bc
Instruction ID: 15c9a27067fb78e41c31d35ee70624e4886d2a3ef5e2fb573df3552007c9b9bf
Opcode Fuzzy Hash: 09e809f50800c52d9633c8e9cc7f7dc9b024128fc675bb317f14966cbf4e03bc
Instruction Fuzzy Hash: 2A019E71404640DFEB20CF55D844B66FBE0FF04320F0888AADE498B656E375E414CFA2

Function 012DA09A Relevance: 1.5, APIs: 1, Instructions: 42networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,?), ref: 012DA0D5

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 865e853a55bfa5a61256a61db7648c5fd484587eb0632b11fe2d2aafc9a6c774
Instruction ID: 99f4ff079e362e68bc47ad618f29aa358f679a7b6a2abd969e3f3ea96756900b
Opcode Fuzzy Hash: 865e853a55bfa5a61256a61db7648c5fd484587eb0632b11fe2d2aafc9a6c774
Instruction Fuzzy Hash: 0301B1714046409FEB21CF55D845B51FBE0FF04325F08C8AADE498B652D375E408CFA2

Function 05565DE6 Relevance: 1.5, APIs: 1, Instructions: 40nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 05565E1B

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 765f3030df7e5cdb5b44f5daa72c14b0d895828ff70d5090a7af22090e16b8fb
Instruction ID: 05be00440ebe64f617b414c759a70dc61ca60151e6e1e9dd671f8325d70493c9
Opcode Fuzzy Hash: 765f3030df7e5cdb5b44f5daa72c14b0d895828ff70d5090a7af22090e16b8fb
Instruction Fuzzy Hash: D0017C708042809FEF20CF55D884B65FBA4FF05624F4888EADE498F252E375A804CEA2

Function 05566A0A Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 05566A3C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: a8170fd0901a80ee5268081e48f76da45c89e58891ce1245a054b70b90f7c705
Instruction ID: 4bdf21e0e9c4347f6fee648b9c5c519419a6a1ed0a17e4015aedc0efcd0e1c85
Opcode Fuzzy Hash: a8170fd0901a80ee5268081e48f76da45c89e58891ce1245a054b70b90f7c705
Instruction Fuzzy Hash: 2701D674404280DFEB10CF15D888B61FBE4FF05624F18C8AADD498F642D375A404CFA2

Function 05565712 Relevance: 1.5, APIs: 1, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(?,?,?,?), ref: 0556574D

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InformationQuerySystem
String ID:
API String ID: 3562636166-0
Opcode ID: 02e06530a3af0c0d66e2bfb0bbf79058f5b255d6132b4808ab0d105139780f19
Instruction ID: d6183759ce0beba55110c9786769ac36647a879a52c458931d17dcf3af5092a2
Opcode Fuzzy Hash: 02e06530a3af0c0d66e2bfb0bbf79058f5b255d6132b4808ab0d105139780f19
Instruction Fuzzy Hash: 6C017835404640DFEB218F55D884B61FBA4FF09625F08849ADE894B662E375A418CFA2

Function 01857D88 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 464
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01857E09

Strings

dk, xrefs: 0185852F

Memory Dump Source

Source File: 00000003.00000002.1680087390.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1850000_Windows Update.jbxd

Similarity

API ID: InitializeThunk
String ID: dk
API String ID: 2994545307-213207733
Opcode ID: cd97cecbd7152dd01f6d8e8ef98ccd12f9bbb9b416585b79bdc98accc79ca39b
Instruction ID: 2c28fe4d82c582973955c76b8457aa2656e98dbe4cea54d27ec0062b14b80e08
Opcode Fuzzy Hash: cd97cecbd7152dd01f6d8e8ef98ccd12f9bbb9b416585b79bdc98accc79ca39b
Instruction Fuzzy Hash: 8732A274941229CFDB65DF24C884BEEB7B2BF4A304F5045E9D809A7250DB759E85CF80

Function 0185863C Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 438
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01857E09

Strings

dk, xrefs: 0185852F

Memory Dump Source

Source File: 00000003.00000002.1680087390.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_1850000_Windows Update.jbxd

Similarity

API ID: InitializeThunk
String ID: dk
API String ID: 2994545307-213207733
Opcode ID: 730f5ce6e071de784f3820c865584f7860ab1ee1e1a0c10f263017d0ecdbc8c7
Instruction ID: 0eaa3be4200b0fc9464a26efa99e1f71851b86b684b729159abda0c60439cfb0
Opcode Fuzzy Hash: 730f5ce6e071de784f3820c865584f7860ab1ee1e1a0c10f263017d0ecdbc8c7
Instruction Fuzzy Hash: 49229174941229CFCB65DF24C894BEDB7B2BF4A304F5045EAD809AB250DB75AE85CF80

Function 05563D04 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05563E33

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: ebf07a7c1171da665cf72421c4a89a9f009c6861d7a9949cb8acbc3f82a7f6c2
Instruction ID: 735b89dffefa149e39fac14ef7c011220366cee398e0aab7284092a767e50d53
Opcode Fuzzy Hash: ebf07a7c1171da665cf72421c4a89a9f009c6861d7a9949cb8acbc3f82a7f6c2
Instruction Fuzzy Hash: 96515B7140D3C46FE7238B208C65BA6BFB8AF07314F0A44DBE5848F1A3D6699909C772

Function 05565C28 Relevance: 1.6, APIs: 1, Instructions: 135
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,00000E24), ref: 05565D4C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ab799bee972ceb8c6d5343589d7931b476ec07e6895299f1b5e46f52799e7509
Instruction ID: 5e4b0275ab1fa80d782d26c8c98a121aed42370068bf545a899232d150575641
Opcode Fuzzy Hash: ab799bee972ceb8c6d5343589d7931b476ec07e6895299f1b5e46f52799e7509
Instruction Fuzzy Hash: 0941AF711493806FE7238B60CC51FA2BFB8EF06710F0944DAE985CB1A3D264A949CB71

Function 055632C0 Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E24), ref: 055633B1

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: 92827abba3903e9d7e3ae9dce94fa54a94abcbddd9f7a4f01e89999568ceb598
Instruction ID: c7e9147e829ebe76ab405883d6b2aa14855f487a6da4cfd2a376988a76b06b0d
Opcode Fuzzy Hash: 92827abba3903e9d7e3ae9dce94fa54a94abcbddd9f7a4f01e89999568ceb598
Instruction Fuzzy Hash: F04160754093846FE722CB618C55FA6BFB8AF06210F0A48DBE985CB0A3D6659509C771

Function 055655C0 Relevance: 1.6, APIs: 1, Instructions: 113registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 0556569C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 729abb58312b9b11be8c9e346f2c4432c4d7c73c4c57254a1dfcc3aec58350c4
Instruction ID: a63ad182d52426dd2e594bc0219b82c8adad13e327c9ab0dd5c78c6dc1b31af5
Opcode Fuzzy Hash: 729abb58312b9b11be8c9e346f2c4432c4d7c73c4c57254a1dfcc3aec58350c4
Instruction Fuzzy Hash: F7416E7100D3C05FD7238B258C54BA2BFB8EF07620F0985DBD581CF5A3D268A849C766

Function 05564FA2 Relevance: 1.6, APIs: 1, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 0556506C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 3f783da82ce54eb6f361764139c987515ca279d196d6026e43503a8a5c3b6378
Instruction ID: 37b47df8e515dc309fda67c7a76791be96694da97ff7b3fbf05b320c861a0982
Opcode Fuzzy Hash: 3f783da82ce54eb6f361764139c987515ca279d196d6026e43503a8a5c3b6378
Instruction Fuzzy Hash: EB31527500E7C05FD7238B618C54BA2BFB8AF07214F0985DBE585CF1A3D2689849C772

Function 055637F6 Relevance: 1.6, APIs: 1, Instructions: 100registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 055638AD

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f56c9b7616575ce55feda2086cb6db2d6d818e9906cd7b09fd782c9270cb3972
Instruction ID: 4ee4933601bc67133197bebc2d62354a830b2a9b6174d1758790e53be462ff5d
Opcode Fuzzy Hash: f56c9b7616575ce55feda2086cb6db2d6d818e9906cd7b09fd782c9270cb3972
Instruction Fuzzy Hash: D73181B2409384AFE7228F51DC45FA7BBACFF45310F0588AEE9859B152D364A509CB71

Function 012DBBF3 Relevance: 1.6, APIs: 1, Instructions: 98fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 012DBCA9

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 807b000f194865e711cd5449e2e1222f9686b8b111694d548f1ce65218154581
Instruction ID: 3a322b024baa5e9b028cf90c499e3ecea96c163e8dc2af39b04bdabc3e022f07
Opcode Fuzzy Hash: 807b000f194865e711cd5449e2e1222f9686b8b111694d548f1ce65218154581
Instruction Fuzzy Hash: 833192B1505380AFEB22CB25DC45FA2BFF8EF06214F09849AE9858F192D375E509CB71

Function 0556600D Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

AcceptEx.MSWSOCK(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055660C4

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Accept
String ID:
API String ID: 3029133314-0
Opcode ID: ce89f8bb980b1fa79f39b65ffc20d8d97aa4613f6129c277df951d86140ae491
Instruction ID: b715109394b2358a6ebd01f17ca14f6ec730bd4a50d8bf56fe41938d1f5974e8
Opcode Fuzzy Hash: ce89f8bb980b1fa79f39b65ffc20d8d97aa4613f6129c277df951d86140ae491
Instruction Fuzzy Hash: 4B31A2724097846FEB228B61DC44FA6BFBCFF06214F09889AE9858B152D624A508CB71

Function 05565C82 Relevance: 1.6, APIs: 1, Instructions: 97processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,00000E24), ref: 05565D4C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9835107bd55091acd140fce33814f458bc5b0ca4346d83c55abd7259e5129595
Instruction ID: 7d7120f16c79c7e7f92027dfb6a0d919f85e2970ddd5c1f57248aeb344a1b7c4
Opcode Fuzzy Hash: 9835107bd55091acd140fce33814f458bc5b0ca4346d83c55abd7259e5129595
Instruction Fuzzy Hash: 1C316A71100205AFEB31DB65CC85FA6B7ECEF08714F04896AEA4ACB590E7B1E544CB61

Function 05563D63 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05563E33

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: 9fa1cf82cccb26a17663eb3abea9445318de8512a90fdc4aa717f9a48549d925
Instruction ID: a1091d1a1354dd37c913025dfa6c61f8f915b6ff25398df5e5f8abb50101ca08
Opcode Fuzzy Hash: 9fa1cf82cccb26a17663eb3abea9445318de8512a90fdc4aa717f9a48549d925
Instruction Fuzzy Hash: 7031B071408384BFE721CB60CC84FA6FBACEF05314F05489AFA489B192D375A908CB71

Function 05565F0C Relevance: 1.6, APIs: 1, Instructions: 95networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05565FC3

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 74dce263daca5b002d5c3ffd6fd265e49c9dd1981b6e46dfa2b8b700e4107afd
Instruction ID: 42fac66fc76104cfa75c44622d80427bcc025f3a5da46c3ca4bdf581fbf5943a
Opcode Fuzzy Hash: 74dce263daca5b002d5c3ffd6fd265e49c9dd1981b6e46dfa2b8b700e4107afd
Instruction Fuzzy Hash: 69315E7540E7C46FE7138B608C55BA2BFB8AF47214F0E84DBE9848F1A3D6245908C772

Function 0556670C Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 055667B8

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2e9c7728c2fe73f0ef7abe249d94793b36b69f982c8081b19588b3b66921f281
Instruction ID: 538138c8baa056ff7f899ce47d6a4d69f9692d8acabf27a98e71ec5a16c07a0d
Opcode Fuzzy Hash: 2e9c7728c2fe73f0ef7abe249d94793b36b69f982c8081b19588b3b66921f281
Instruction Fuzzy Hash: D831B9714047446FEB228B50DC45F66BFB8FF06314F09849EE9458F163D274A514CB71

Function 055639F6 Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 05563AA2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: c97538dc699232f837a7f899db041dbb8e4a09d480c38a418ba78725021352f6
Instruction ID: 13ff349b7899213737ade1c23a9d10f3bc2270ed2d0b0cf6c0dd4840d8dabc7d
Opcode Fuzzy Hash: c97538dc699232f837a7f899db041dbb8e4a09d480c38a418ba78725021352f6
Instruction Fuzzy Hash: EC31A2B5409784AFE722CB61DC45FA6BFB8EF06314F0984DAE9858B153D224A909C771

Function 012DAB26 Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 012DABD5

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 6c4043ce2afd9a4098a92078980c0623c8e445d8219dc4368d3527e4f845c853
Instruction ID: 95b48130faf691c67c347dc8cd451f6822970834f74044260066cf000fb53c11
Opcode Fuzzy Hash: 6c4043ce2afd9a4098a92078980c0623c8e445d8219dc4368d3527e4f845c853
Instruction Fuzzy Hash: 1B31C8714083846FE7228B15CC45FA7BFBCEF05720F08849AEA858B153D364E509CB71

Function 0556331A Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

getnameinfo.WS2_32(?,00000E24), ref: 055633B1

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getnameinfo
String ID:
API String ID: 1866240144-0
Opcode ID: 61ecb86d6744b0c22276b6dc818badce2318ac4e37a39ecdb6873fbeb05d78cc
Instruction ID: 58d827c222ca20bc23a2f41dcbc467f478fc9a3eb6cd11e6cf4de3beaa77d3b9
Opcode Fuzzy Hash: 61ecb86d6744b0c22276b6dc818badce2318ac4e37a39ecdb6873fbeb05d78cc
Instruction Fuzzy Hash: 5D218C72504248AEEB21CB65CC84FBAFBECFF04614F05896AEA45CB191DB61E504CBB1

Function 05561109 Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 055611AD

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: 7f6923e4dd5da7ab4c96113feb76510b39057a298deb4f3f615f2b90c6c6e0a4
Instruction ID: cceb17df5dba2ccc91fef2145f3dc9dc20db533ea3478d9629b264a5f0f03aa0
Opcode Fuzzy Hash: 7f6923e4dd5da7ab4c96113feb76510b39057a298deb4f3f615f2b90c6c6e0a4
Instruction Fuzzy Hash: 913190B54097806FE712CB25DC45FA2BFB8EF06214F0984DAE9848F293D375A909CB71

Function 055631CE Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05563283

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: 4d312d2e55fa515af7a563a033a39c2334b1ce6f62e131042c3c72430d062bed
Instruction ID: 65ddec5f12634af85eada0c892275be76c58aef797940137a1d99c97e62aaefa
Opcode Fuzzy Hash: 4d312d2e55fa515af7a563a033a39c2334b1ce6f62e131042c3c72430d062bed
Instruction Fuzzy Hash: 3D316F7540E7C06FE7138B618C55BA6BFB4EF07614F0A84CBE9848F1A3D224A909C772

Function 05566816 Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055668CA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: f8f17ff96feb00df6c46487eaaa464bd58dde3fe41200d95385fa0e0ef4d9f31
Instruction ID: c5038b8b4ea2fe7b3674694aa133ac492cad996e39fc31ab7064c6304e7edd02
Opcode Fuzzy Hash: f8f17ff96feb00df6c46487eaaa464bd58dde3fe41200d95385fa0e0ef4d9f31
Instruction Fuzzy Hash: 5B3172764097846FEB228B619C45FA6BFB8EF06214F0984DAE9858F153D224A508C7B1

Function 05560C90 Relevance: 1.6, APIs: 1, Instructions: 89timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560D2D

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: 1de68eb23cbe2d97f3a67c7a591ff3ab0f36959eed7bba35a0faa196732fc58b
Instruction ID: 5e407d8085285257c656f5e67b52f8cbcbc9ecb7b6847aeac53bfdba65f41ae3
Opcode Fuzzy Hash: 1de68eb23cbe2d97f3a67c7a591ff3ab0f36959eed7bba35a0faa196732fc58b
Instruction Fuzzy Hash: 3131F7764097806FE7228F61DC45FA6BFB8EF06314F0984DAE9848F1A3D324A509CB75

Function 012DAC1D Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DACD8

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 7009b64245bccfa7764f35fc909a6bfdf57993611cbba2036104e08aa624da45
Instruction ID: a42cf7335580b355d0e4a1eff54e0e4a4b8b7a9a218f05f00aab89ca904aecba
Opcode Fuzzy Hash: 7009b64245bccfa7764f35fc909a6bfdf57993611cbba2036104e08aa624da45
Instruction Fuzzy Hash: C031B1751097846FE722CB25CC45FA2BFB8EF06224F18849AEA85CB193D360E508CB75

Function 05561204 Relevance: 1.6, APIs: 1, Instructions: 88networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055612AA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: a4f858fdfd6e3d8a249495ef793af309fa4a550ea47b011dd5edeef74551298a
Instruction ID: a5926821a218a809733cf9a7e94a41a88fa8b35f5c6f1f6c6af95fede149715e
Opcode Fuzzy Hash: a4f858fdfd6e3d8a249495ef793af309fa4a550ea47b011dd5edeef74551298a
Instruction Fuzzy Hash: A53184B64097806FE712CB61DC85FA6BFB8EF06224F0984DBE984CF193D224A549C775

Function 0556424C Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055642E2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 6ef89828269441ef32dfa395215d515718e707c965a03b9bec8e77feaf0061e7
Instruction ID: a66767d898c0135341567a03028596c27f104a38a4ad86cdd9fe94d924946a13
Opcode Fuzzy Hash: 6ef89828269441ef32dfa395215d515718e707c965a03b9bec8e77feaf0061e7
Instruction Fuzzy Hash: FE21A5755093C06FEB22CB60DC45FA6BFB8EF46314F1984DAE9848F152D264A548C771

Function 05566622 Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055666B9

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: cc2cda4835b0890a31e053db71908901a88f071d32592aeba787a9b2f2b82b7e
Instruction ID: 45b5e876be98fff234398f03bd0f8261555aa9c563722dc80708356bfdeb8f9c
Opcode Fuzzy Hash: cc2cda4835b0890a31e053db71908901a88f071d32592aeba787a9b2f2b82b7e
Instruction Fuzzy Hash: 8A31D775409380AFEB228B11DC45FA6BFB8FF46314F08849AE9458F192D364A508CBB6

Function 012DAFCF Relevance: 1.6, APIs: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DB06C

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 5ef84f4474eebf9905aab81d10aa5d48c983389f323498635b8b0b0cdd026a4d
Instruction ID: f2d3cdb9fd91876984dc991775711e82b171353c5964c254a3604f438cc65e9d
Opcode Fuzzy Hash: 5ef84f4474eebf9905aab81d10aa5d48c983389f323498635b8b0b0cdd026a4d
Instruction Fuzzy Hash: 9C31B4750093806FE722CB20CC45FA6BFB8EF06214F09849FE985CF153D224A508C776

Function 055608D1 Relevance: 1.6, APIs: 1, Instructions: 85synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05560971

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 44f63ed65e6a26c9ff66b7f62077abaa9c7a26fe88f7e3e83a10d4ffd7729031
Instruction ID: 7e8615dde2d7567061ca01df08bef415810cca7d3607af0dfb2ecb060db74157
Opcode Fuzzy Hash: 44f63ed65e6a26c9ff66b7f62077abaa9c7a26fe88f7e3e83a10d4ffd7729031
Instruction Fuzzy Hash: 123175B15093806FE711CB25DC49F66FFF8EF05210F08849AE9448B292D365E904CB61

Function 012DB2F3 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E24), ref: 012DB38F

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: e558aeae6dbf5cd4945b8f2e060463c30e0b84bab85e22b25c595a885cb1db17
Instruction ID: 0c325cf4b1d6a4a05687aeafd7ac64c76d92d520172f01bdf7ff50bff38466be
Opcode Fuzzy Hash: e558aeae6dbf5cd4945b8f2e060463c30e0b84bab85e22b25c595a885cb1db17
Instruction Fuzzy Hash: 01218271409344AFE721CF65DC49FA6BFF8EF06210F09889AEE449B152D364E508CB61

Function 05563D8E Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000E24), ref: 05563E33

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: c34f6e56ff9149956d2a22ab27387d0de3c67c14b00013c061269fb15d8bc037
Instruction ID: 50786ff9358197a564fe2e8b96def36fd6172dad53dfea6961546bafc11542f9
Opcode Fuzzy Hash: c34f6e56ff9149956d2a22ab27387d0de3c67c14b00013c061269fb15d8bc037
Instruction Fuzzy Hash: AE219F71504204AFFB20DB60CC85FA6FBACEF04714F14485AFA489B181D7B5E9498BB1

Function 05563902 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055639AC

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: dad08c3371e1f6e6e0d3fb3e9d9cc2707f7123c0fba1be20912ab50306979339
Instruction ID: 8d93326db2d602b7df01aab578312fc16240838fe3fdb1b40d38489c2dd31a6d
Opcode Fuzzy Hash: dad08c3371e1f6e6e0d3fb3e9d9cc2707f7123c0fba1be20912ab50306979339
Instruction Fuzzy Hash: 3731D5714093846FEB22CF50DC49FA6FFB8EF46314F09889AE9859F152D264A509CBB1

Function 05563708 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000E24), ref: 055637A1

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: f89593137d079b3afc944b2c91187ad3399a6cda41783f8af202e8a110a6dffc
Instruction ID: de887017cea50d66d5164d8d457b28cb4e459b515b7f3abac342073f2c098c5f
Opcode Fuzzy Hash: f89593137d079b3afc944b2c91187ad3399a6cda41783f8af202e8a110a6dffc
Instruction Fuzzy Hash: EE21D6B54093846FE7228B21DC45FA6BFB8EF06314F0984DBE9448F193D264A909CB71

Function 05564341 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055643D2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 4081a5e75ec30bce34dd9c645b1fcdfca8b58d018a299ee5a97c9a5dc6175edd
Instruction ID: 0e3c0b5425e881a50a51508ca57b82308a134a0ad55c401b6232c9e67102225e
Opcode Fuzzy Hash: 4081a5e75ec30bce34dd9c645b1fcdfca8b58d018a299ee5a97c9a5dc6175edd
Instruction Fuzzy Hash: 3821B775509384AFEB22CB51CC45FA6BFBCEF06210F0884AAE945CF152D364E948CB71

Function 055609C8 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560A5C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 6c8c93bc7cb9c40f45bc6601dfbf12263ab6db8fce552b12e7447f846d7ed66d
Instruction ID: 7f26c39b2e6c0724d6cb9cb67f928d6f2bcf3b686c01c9c96a3c0be98ed2b17e
Opcode Fuzzy Hash: 6c8c93bc7cb9c40f45bc6601dfbf12263ab6db8fce552b12e7447f846d7ed66d
Instruction Fuzzy Hash: 352138B54043806FEB128B10DC45FB2BFA8FF02324F1984DAE9448F193D2749905C7B1

Function 012DBD00 Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DBD95

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: d2df8847ae06efe28caccf06d30740197a96676ebcb4d95777d119fddbd9de12
Instruction ID: f8fb6b23a4f072f8f6837c9ac8f9d0a7c8a078eac551495e495db9a9456617d8
Opcode Fuzzy Hash: d2df8847ae06efe28caccf06d30740197a96676ebcb4d95777d119fddbd9de12
Instruction Fuzzy Hash: 4321F8B54097806FE7138B25DC45BB2BFACEF07720F0980DAE9848F193D264A909C7B5

Function 0556382E Relevance: 1.6, APIs: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 055638AD

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d79f3bf8f7b36a1fc30074bfa014969931a295a16b781b3cc391255546e27400
Instruction ID: 6a5ac8b2a7f32176857ed5ebe522bf3b9ebda8e2010a51e879493502672f26c3
Opcode Fuzzy Hash: d79f3bf8f7b36a1fc30074bfa014969931a295a16b781b3cc391255546e27400
Instruction Fuzzy Hash: D921BEB2504244AEFB20DF55DC45FABFBECFF04224F14886AEA45CB251D734E4088AB2

Function 05560562 Relevance: 1.6, APIs: 1, Instructions: 77fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 055605F6

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: f9cdb3db094f651af93d8db5d7a771c40f04d41e8ce0086191e4d9c9cc9a7403
Instruction ID: e874f676d38a7fca6b6d8d7514f03e2ce5e81377732fb8e73384dbe53c724ac0
Opcode Fuzzy Hash: f9cdb3db094f651af93d8db5d7a771c40f04d41e8ce0086191e4d9c9cc9a7403
Instruction Fuzzy Hash: F521A371409380AFE722CF55DC49FA6FFF8EF09224F04849EE9858B192D365A508CBB5

Function 05566046 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

AcceptEx.MSWSOCK(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055660C4

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Accept
String ID:
API String ID: 3029133314-0
Opcode ID: f9d2da4293ef9c48fa0022e495e14cb989570166ac0ec6df1e55d44445e77fcf
Instruction ID: a8589b828a6c12d3f5fc22622b838522835db2259c1604a83f13a36cbc69e93b
Opcode Fuzzy Hash: f9d2da4293ef9c48fa0022e495e14cb989570166ac0ec6df1e55d44445e77fcf
Instruction Fuzzy Hash: 7C219D72504644AFEB21CF61CC49FA7B7ECFF08224F04896AEA46CB551E774E5088BB5

Function 0556362F Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055636CB

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 6cfdb30fae75d0cb9dff0463c8ea4bf3cc337a4a1d136180fc316dc6d5d5f7c9
Instruction ID: 28e093cbba0fbf7ca6985f63b08187056bd5f8cc057a6f708956e6091baefcd1
Opcode Fuzzy Hash: 6cfdb30fae75d0cb9dff0463c8ea4bf3cc337a4a1d136180fc316dc6d5d5f7c9
Instruction Fuzzy Hash: 812181B54097C46FE7238B21DC55FA6BFB8EF06214F0984DBE9848F193D224A909CB75

Function 055630F9 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05563191

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: ac8495befbfdf02074c9cf5a82459492a3e78c4ee4dc170840f7677686bd7ae5
Instruction ID: 1154f18c344124e05133023d5558b558e84f1ee2e31d0c197d5a52fdba887666
Opcode Fuzzy Hash: ac8495befbfdf02074c9cf5a82459492a3e78c4ee4dc170840f7677686bd7ae5
Instruction Fuzzy Hash: 7E2183754097806FE7228B51DC49FA6FFB8EF06210F0984DBE9848F1A3D364A908CB75

Function 012DB82E Relevance: 1.6, APIs: 1, Instructions: 77networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 012DB8BA

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 5b7131a13ab5579fe16f9ca397cde354db6094c89d6645f3119cd8fb8b9c87c9
Instruction ID: 83fd5abef1a69c8eea4a906c4555de5cd5e3faf5227e9a3da051cf0df50ba713
Opcode Fuzzy Hash: 5b7131a13ab5579fe16f9ca397cde354db6094c89d6645f3119cd8fb8b9c87c9
Instruction Fuzzy Hash: 7F219471409380AFE722CF55DC45FA6FFF8EF05220F08849EEA858B192D375A408CB61

Function 012DBC2A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,?,?,?), ref: 012DBCA9

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 789eb295a3c756ecc798a93383764eefeeeb869e12d6d7f3850af31fc9076388
Instruction ID: f4d90a2cacd935e186a631e334b54703a1627cdb594510f5cfbe856399b4d138
Opcode Fuzzy Hash: 789eb295a3c756ecc798a93383764eefeeeb869e12d6d7f3850af31fc9076388
Instruction Fuzzy Hash: 19218E75504200AFFB21CF65DD85BA6FBE8FF09224F048869EA458B692D771E504CB71

Function 05566746 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,00000E24), ref: 055667B8

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: d74b797769725dac6847158f8ae83937e093168c872b78bc2c54784ae31f910f
Instruction ID: 7d3839fb22330d878b92c01a22ddae51fbf049913578155c8276477d4664d634
Opcode Fuzzy Hash: d74b797769725dac6847158f8ae83937e093168c872b78bc2c54784ae31f910f
Instruction Fuzzy Hash: 8221CF72504204AFEB218F60DC45FBAFBE8FF04224F04886AEA458B651D374E508CBB2

Function 05560006 Relevance: 1.6, APIs: 1, Instructions: 75fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560091

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: bd4672977a137bbeb534e214f45385c9b3fbebf55135f345700ddbadd07c2329
Instruction ID: da5c54f3296271ce2c33558e61179686abe5da63ba3c49599956c61cd1206512
Opcode Fuzzy Hash: bd4672977a137bbeb534e214f45385c9b3fbebf55135f345700ddbadd07c2329
Instruction Fuzzy Hash: 5821A475409380AFE722CF51DC48FA6BFB8EF05224F09849AE9859B192D265A408CB75

Function 055602C6 Relevance: 1.6, APIs: 1, Instructions: 75registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560358

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5fe1d2360ebb593eaba5d62130a8f330705e526ee74844770845171b0febba3a
Instruction ID: 40afc156a26d6f4649e8dcf7e98199da6668362c54f6ac010289ad109ecb1e27
Opcode Fuzzy Hash: 5fe1d2360ebb593eaba5d62130a8f330705e526ee74844770845171b0febba3a
Instruction Fuzzy Hash: CB219075509784AFE722CF11CC48FA6BBF8EF05610F08849AE9458B2A2D364E548CB71

Function 05560F5D Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560FE3

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 7e311fa021ba78ec151e546f7812080e9a202e158fdac3aea29125625b0b708a
Instruction ID: 32190781a023c5f622024f8bc03ad066cf120895058310d43dc6a928db91794c
Opcode Fuzzy Hash: 7e311fa021ba78ec151e546f7812080e9a202e158fdac3aea29125625b0b708a
Instruction Fuzzy Hash: 822183755097846FE722CB51CC49FA6BFA8EF45220F08849AE9458F192D364A508CB75

Function 05564AA7 Relevance: 1.6, APIs: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 05564B47

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 37dbd68de0279356ca0c6c08babff3099501b38b5165037c7897e021e9fe37ef
Instruction ID: 83dfeb525418d09d45655c4637eed6fe918f5db98ad02725c63e8e9454e5b90b
Opcode Fuzzy Hash: 37dbd68de0279356ca0c6c08babff3099501b38b5165037c7897e021e9fe37ef
Instruction Fuzzy Hash: 95210A710093846FEB22CB10CC85FA2FFB8EF02720F0980DAE9448F193D264A948C7B5

Function 012DAB56 Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 012DABD5

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 0dafede419a4e7b7e1d95cd8b882027e32509c13810d16562c20b707ff01f2d1
Instruction ID: 938773097d2e27cf2a8e160853ffc879cc9a8053c0350054ad355bfaaa219091
Opcode Fuzzy Hash: 0dafede419a4e7b7e1d95cd8b882027e32509c13810d16562c20b707ff01f2d1
Instruction Fuzzy Hash: 9C21CF72504204AFF7219B15CC45FAAFBACEF08224F04845AEA458B652E360E5088BB6

Function 05563A2E Relevance: 1.6, APIs: 1, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(?,00000E24), ref: 05563AA2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: be57130beb7a11d5973b77e0b253d9f609198ecb0cf7f88aa04b21d165a99b23
Instruction ID: 37e7f6e685fbb461115d5a55bc899de3e585fb885a911bcb55ed8b559d2b75e0
Opcode Fuzzy Hash: be57130beb7a11d5973b77e0b253d9f609198ecb0cf7f88aa04b21d165a99b23
Instruction Fuzzy Hash: 1F21AE75504244AFFB20DF51DC45FAAFBACFF04624F14886AEE458B651D374E408CAB2

Function 0556356A Relevance: 1.6, APIs: 1, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055635E5

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Ioctl
String ID:
API String ID: 3041054344-0
Opcode ID: 19fee8ad5b533982ebe32bd888d05dfebd3e68a0deeb07ec3caf8a0ccfbb4cac
Instruction ID: 46705566fb8e0cdc776b3ea47c6eeb8b7c0e2d054317b24f244a5c76cb21d7e5
Opcode Fuzzy Hash: 19fee8ad5b533982ebe32bd888d05dfebd3e68a0deeb07ec3caf8a0ccfbb4cac
Instruction Fuzzy Hash: 4221A975104640AFEB21CF51CC84FA6BBE8FF08624F09886AEE458B661D331E804CBB1

Function 055608FE Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(?,?), ref: 05560971

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 12bdf40507f7fe438548a153b16ff4261b144c5d29cb5571cea3f249adf26b31
Instruction ID: 5d7ce80236089b29a65eccdf0214898be70e49efe38a99ac7cb7b6f513944f4d
Opcode Fuzzy Hash: 12bdf40507f7fe438548a153b16ff4261b144c5d29cb5571cea3f249adf26b31
Instruction Fuzzy Hash: BF21C271504240AFF720CF25DC89BA6FBE8FF05224F0484A9E949CF291D775E404CAB5

Function 012DB31E Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

LsaOpenPolicy.ADVAPI32(?,00000E24), ref: 012DB38F

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: OpenPolicy
String ID:
API String ID: 2030686058-0
Opcode ID: 4c4b5bc589901b696ad2b314255e9d36316a5396a6114e17d42701403bddfcd9
Instruction ID: 72e87c50ddae22c242dc925c1d448b62416d32e1a5614089c875d6bfa9989067
Opcode Fuzzy Hash: 4c4b5bc589901b696ad2b314255e9d36316a5396a6114e17d42701403bddfcd9
Instruction Fuzzy Hash: 1821CD71504204AFFB20DF65DC45FAAFBECEF05624F08886AEE44CB641D774E4088AB2

Function 05561041 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055610BF

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: dc94c716fa67e9edefafe8e5ec2802f9aae648d9535239b7f4e1f43d0933571e
Instruction ID: 439dab214297308f8a51ae769b1a6865f9c95ec1a9a88f8f2a1c40d3f4c94b7f
Opcode Fuzzy Hash: dc94c716fa67e9edefafe8e5ec2802f9aae648d9535239b7f4e1f43d0933571e
Instruction Fuzzy Hash: 0F21A4714097846FEB22CB50CC49FA6BFB8EF46310F08849AE9849F192D274A504CB75

Function 012DB002 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DB06C

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: a03c51fd9854e655f206f46f48d45536a5e5009e24d0a45a5c6d59c584558354
Instruction ID: 9538f9aa394c427b858ce9fcbe949c71875b3587e05bc64aa49e88a29fc9f5ee
Opcode Fuzzy Hash: a03c51fd9854e655f206f46f48d45536a5e5009e24d0a45a5c6d59c584558354
Instruction Fuzzy Hash: 0311A275504204AFEB21CF65DC49FAAB7ECEF05224F04846AEA45CB251E774A504CBB6

Function 012DAC5E Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DACD8

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4501dfc6314f13e7801cf9aba0ccd8da8cf6392c4a54890cabf4560ca3b9730f
Instruction ID: 624fedd080c9080624ae1cdab458e7c7e4a649ee30404a5cba9d5c94fdc54885
Opcode Fuzzy Hash: 4501dfc6314f13e7801cf9aba0ccd8da8cf6392c4a54890cabf4560ca3b9730f
Instruction Fuzzy Hash: BB21AF75614604AFFB21CF15CC85FA6FBECEF04624F08846AEA45CB651D760E908CBB6

Function 05561142 Relevance: 1.6, APIs: 1, Instructions: 68networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,?), ref: 055611AD

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: accept
String ID:
API String ID: 3005279540-0
Opcode ID: f473eb8ce4cd318a6c206bc31edca2ddd629c7c096ccde844a7a1e4673d2e92f
Instruction ID: 5807c699a56cf6e31ca7bb9d2528322a380a32c7b894a877168e1d6427fec9dd
Opcode Fuzzy Hash: f473eb8ce4cd318a6c206bc31edca2ddd629c7c096ccde844a7a1e4673d2e92f
Instruction Fuzzy Hash: FC21D1B0504640AFF720CF65CC45FB6FBE8FF04224F04886AEE498B281D775A404CAB2

Function 05562F56 Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05562FD4

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: 2c2dc3761af0cb1d1b06a7af57f634754f04b527eb26ee9e3958b7b5519d4f6d
Instruction ID: ab6e236887667458eac2a854d52e596272df0135cbfa8eaaed720f56f963b1d3
Opcode Fuzzy Hash: 2c2dc3761af0cb1d1b06a7af57f634754f04b527eb26ee9e3958b7b5519d4f6d
Instruction Fuzzy Hash: B221A8754097846FE7228B51CC48FA6FFB8EF46224F0984DBE9449F192D364A508C776

Function 0556436E Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

K32GetModuleInformation.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055643D2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InformationModule
String ID:
API String ID: 3425974696-0
Opcode ID: 925cee3d112918e002f755b51ae8cd0540141277a20ac265ee533b65fc0c04ca
Instruction ID: cb3dcf021522ff4e14ffa85fae6012e9379560915ea70b7f0b6e65663c7f6647
Opcode Fuzzy Hash: 925cee3d112918e002f755b51ae8cd0540141277a20ac265ee533b65fc0c04ca
Instruction Fuzzy Hash: 4711E175204240AFEB20CF51CC85FB6B7E8FF04224F14846AEE05CB641E330E404CAB1

Function 05560582 Relevance: 1.6, APIs: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32 ref: 055605F6

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: ab7f26cab478229ddea027a084dbacd165941c5deeb56bad0f8f9b35715af878
Instruction ID: 65eb8e12ca67dcb514cebcd47df32398d34e7040072b47f109f64950c6182a10
Opcode Fuzzy Hash: ab7f26cab478229ddea027a084dbacd165941c5deeb56bad0f8f9b35715af878
Instruction Fuzzy Hash: A321C071404240AFFB21CF55DC49FA6FBE8FF08228F04845EEA858B291D775A508CBB6

Function 0556685A Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSARecv.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055668CA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Recv
String ID:
API String ID: 4192927123-0
Opcode ID: 0dafd65064f2547360ce5ebcf37aa3b820d29f7e15873b91f396a8505d3219a2
Instruction ID: 96294355e8dc592a2d1314ca80eb3ef484448a1844565fbed19576fdbde8b492
Opcode Fuzzy Hash: 0dafd65064f2547360ce5ebcf37aa3b820d29f7e15873b91f396a8505d3219a2
Instruction Fuzzy Hash: 08119D71404644AFEB21CF51DC48FA6BBE8FF04224F04886AEA858F651D334E548CBB5

Function 012DB84E Relevance: 1.6, APIs: 1, Instructions: 67networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 012DB8BA

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: 70be3cea7616bd5f675a9cc228399a447d8743e8b32a0063c571afa5618e680c
Instruction ID: 9471a677feacf02f48b6354e3571fa034f5a4379e1f03608844b49def44062f5
Opcode Fuzzy Hash: 70be3cea7616bd5f675a9cc228399a447d8743e8b32a0063c571afa5618e680c
Instruction Fuzzy Hash: D821C671404240AFFB21CF55DC45FA6FBE4EF05324F14886EEA458B251D375A404CB76

Function 0556373E Relevance: 1.6, APIs: 1, Instructions: 66registryCOMMON

Download Yara Rule

APIs

RegOpenCurrentUser.KERNEL32(?,00000E24), ref: 055637A1

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CurrentOpenUser
String ID:
API String ID: 1571386571-0
Opcode ID: 159b8206b530579fbb8270da57a5ea2a004d6b3972a66e4b1ba4f730aa10d6cb
Instruction ID: c6f909af66055ffd6dbac461cec76ce86d86faf9048532c2ab2d0e19ddae5a7a
Opcode Fuzzy Hash: 159b8206b530579fbb8270da57a5ea2a004d6b3972a66e4b1ba4f730aa10d6cb
Instruction Fuzzy Hash: 141181B5404244AEFB209F55DC45FBAFBA8EF04624F15886AEE449B241D374A5088AB6

Function 05563942 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegNotifyChangeKeyValue.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055639AC

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ChangeNotifyValue
String ID:
API String ID: 3933585183-0
Opcode ID: 4f0fe10ff1e7825efe173fd96acd5c5ef62d4fe04dbe7b64a64d6b20753d3b19
Instruction ID: d4137b2e199c93a709c130fcca8083004f1e06d60c21258e14c207354aa759bf
Opcode Fuzzy Hash: 4f0fe10ff1e7825efe173fd96acd5c5ef62d4fe04dbe7b64a64d6b20753d3b19
Instruction Fuzzy Hash: F411BE71404244AFEB21CF51DC49FAAFBECFF04624F05886AEA458B255D734A508CBB6

Function 0556562A Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 0556569C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: bcfe0c6dbd965c8f631811dc20550790c927c9a495f4d55fab927bd4f875ea3e
Instruction ID: 5542834d6bb825e2359105c56354a215927ece6ec902f56adcbd98d4603b9a54
Opcode Fuzzy Hash: bcfe0c6dbd965c8f631811dc20550790c927c9a495f4d55fab927bd4f875ea3e
Instruction Fuzzy Hash: FA118EB5504644AFEB318E11CC45FA6BBE8FF04624F08885AEE468B651E760E408CAB6

Function 055602E6 Relevance: 1.6, APIs: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560358

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: a8c70b8ed1cee12c4bd0ab8c7c8b0e0dd86d7ba4ce17c392896db8010587d394
Instruction ID: 1c9e9e294058af730f743c3bc4d6d7531c58fac41c83f421873c2955f3824a9c
Opcode Fuzzy Hash: a8c70b8ed1cee12c4bd0ab8c7c8b0e0dd86d7ba4ce17c392896db8010587d394
Instruction Fuzzy Hash: D911B175604644AFEB21CF15CC48FA6F7E8FF04625F08845AEA458B6A1D760E444CAB2

Function 0556665A Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055666B9

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: a3749e9266483ae38aaa9a8d61393a66a6f1157cad37c0d2ecc9838cd1eca1ec
Instruction ID: f7c48a96d009c54d2aa638d572b1d9092791fa7d318a64c021636c439acd5230
Opcode Fuzzy Hash: a3749e9266483ae38aaa9a8d61393a66a6f1157cad37c0d2ecc9838cd1eca1ec
Instruction Fuzzy Hash: 1E11D075504240AFFB218F51DC49FBAFBA8FF04224F04886AEE458B651D774A404CBB2

Function 05560CCE Relevance: 1.6, APIs: 1, Instructions: 64timeCOMMON

Download Yara Rule

APIs

GetProcessTimes.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560D2D

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ProcessTimes
String ID:
API String ID: 1995159646-0
Opcode ID: efff6d4cec6b91e02eed10c7edb1bd16f5b07e0f795712e023e5672dc34b0c17
Instruction ID: cd05a331038356f528d3a16dedb1e21c9eb75f4f09fcbb5e07b21065a68416cf
Opcode Fuzzy Hash: efff6d4cec6b91e02eed10c7edb1bd16f5b07e0f795712e023e5672dc34b0c17
Instruction Fuzzy Hash: 4911D075504640AFEB21CF51DC49FB6FBA8FF04324F04896AEA458F2A1D374A404CBB2

Function 05561246 Relevance: 1.6, APIs: 1, Instructions: 63networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055612AA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: a7037166a26288700c4127753b257d6dc878b3a1781927b2b698660387192153
Instruction ID: 435778426aafe968aadc81afd1a360fc5d9a435fb90d52f2f14e9b439f3a5ec8
Opcode Fuzzy Hash: a7037166a26288700c4127753b257d6dc878b3a1781927b2b698660387192153
Instruction Fuzzy Hash: A4119075404644AFE721CB91CC88FB6B7ECFF04224F14886AEA45CF241D774A504CABA

Function 05564286 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

K32EnumProcessModules.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055642E2

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EnumModulesProcess
String ID:
API String ID: 1082081703-0
Opcode ID: 3a06745e0962f2f226aad037cd0dfb7a3d262c547c9d50c05927d01bc665e21b
Instruction ID: 704640899c2a8f63dae3b7872b13f6fd738f8447285713c085e8c379c895f089
Opcode Fuzzy Hash: 3a06745e0962f2f226aad037cd0dfb7a3d262c547c9d50c05927d01bc665e21b
Instruction Fuzzy Hash: E811D075504240AFEB21CF55DC85FA6BBA8FF04624F14886AEE45CB241D374A404CBB6

Function 05560F82 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

getsockname.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560FE3

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: getsockname
String ID:
API String ID: 3358416759-0
Opcode ID: 9975060dc4b66c6a1a58b2295d4d974390380d6c7e180b9f709dfa372eba5324
Instruction ID: d4438434fe0077221ee7d44dd7e4a69f51829b62a4716b38e0777a506135da38
Opcode Fuzzy Hash: 9975060dc4b66c6a1a58b2295d4d974390380d6c7e180b9f709dfa372eba5324
Instruction Fuzzy Hash: D1119075504240AFEB20CF51CC49FA6F7E8FF04624F04846AEE459F291D774A504CAB5

Function 05565002 Relevance: 1.6, APIs: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 0556506C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 80d86edf6cd4fddef77145c9f554bd829b57bdfb83e9c05e08b9b3354873aecc
Instruction ID: 0d3a8d3a284be494376e2d6df4c74a2ae2f616c2ce505869e28fac6888e3086b
Opcode Fuzzy Hash: 80d86edf6cd4fddef77145c9f554bd829b57bdfb83e9c05e08b9b3354873aecc
Instruction Fuzzy Hash: E2119D76504640AFEB218F11CC48FA6FBE8FF04724F08845AEA468B651E364F508CAB6

Function 05560032 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560091

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ef2ed25b37bc649061d5871eebf9270142f2dffa99a2ff8a333138233c3221a6
Instruction ID: a69493b774774d9a6586a62f2abbae91e7af204fcbf4b3da3afef42c52a03b0f
Opcode Fuzzy Hash: ef2ed25b37bc649061d5871eebf9270142f2dffa99a2ff8a333138233c3221a6
Instruction Fuzzy Hash: 4011BC75404240AFEB21CF51DC48FA6FBE8FF04724F0488AAEA458F691E375A404CBB6

Function 05565F6A Relevance: 1.6, APIs: 1, Instructions: 58networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05565FC3

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: EventSelect
String ID:
API String ID: 31538577-0
Opcode ID: 1dce9f7cddf8052611908a04efc5655273e71613dd204d58662664b383325aac
Instruction ID: bfc53420c949d6e72fb561a916063fe22ebf26dcf77a8f24e548ca826c417a2a
Opcode Fuzzy Hash: 1dce9f7cddf8052611908a04efc5655273e71613dd204d58662664b383325aac
Instruction Fuzzy Hash: F311A3B5404244AFEB21CF55DC45FA6FBA8FF04724F14886AEE458F241E374A504CBB6

Function 05561066 Relevance: 1.6, APIs: 1, Instructions: 58COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055610BF

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ioctlsocket
String ID:
API String ID: 3577187118-0
Opcode ID: 1dce9f7cddf8052611908a04efc5655273e71613dd204d58662664b383325aac
Instruction ID: 5d52a7de6a91c3d375ba5fe36bdcb193b1ddf275ba737d2ab00e0249542536b5
Opcode Fuzzy Hash: 1dce9f7cddf8052611908a04efc5655273e71613dd204d58662664b383325aac
Instruction Fuzzy Hash: 4411C175404640AFEB21CF51CC45FB6BBA8FF04324F04886AEE458F241D374A504CAB6

Function 05560A06 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05560A5C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: shutdown
String ID:
API String ID: 2510479042-0
Opcode ID: 2d109ff65c28e945769b1e68c4b4b0546037b0f3b787d1a368adf1093155fe29
Instruction ID: 6a1ed2f0f1b2b7bab6d5808d6ce13be2c64f0e6fe83538b801c350ad9fa9b9f3
Opcode Fuzzy Hash: 2d109ff65c28e945769b1e68c4b4b0546037b0f3b787d1a368adf1093155fe29
Instruction Fuzzy Hash: 2511C275505244AFFB21CF11DC49FBABBE8FF04624F1488AAEE448F691D374A504CAB6

Function 05563132 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05563191

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AdaptersAddresses
String ID:
API String ID: 2506852604-0
Opcode ID: 09884264674fb1f9139ef630828cc8fdd0072398ceb3155a18c76f58914cb016
Instruction ID: d5d8ad61a71f3fafd03a87fd8527733a44d7e621515c86cf66f60404917a1f4b
Opcode Fuzzy Hash: 09884264674fb1f9139ef630828cc8fdd0072398ceb3155a18c76f58914cb016
Instruction Fuzzy Hash: 7611CE75404644AFFB218F51DC48FB6FBA8FF04724F05885AEE458B651D374A508CAB6

Function 05564ADE Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000E24), ref: 05564B47

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7271f2f7b4bdfcecd165456b469e8177d52d5351382e5ef4410906cfed0230fc
Instruction ID: 5ed8053a79efc337982f5119259b53b4abbe937d67cf69efe38990e64973c3d1
Opcode Fuzzy Hash: 7271f2f7b4bdfcecd165456b469e8177d52d5351382e5ef4410906cfed0230fc
Instruction Fuzzy Hash: 31110471504244AFFF20DB15DC85FB6FBA8EF04724F14849AEE048F291D3B5A548CAB6

Function 05563672 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RasConnectionNotificationW.RASAPI32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 055636CB

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ConnectionNotification
String ID:
API String ID: 1402429939-0
Opcode ID: 5164408ddbe59f05641f5ff629340778c04fb00ba9b25fbefeee4d1bdffe97d4
Instruction ID: dac601a60f3d1e625e60fef8c5cd844ddf92d8ffc67925de7d6bed9c43a64f89
Opcode Fuzzy Hash: 5164408ddbe59f05641f5ff629340778c04fb00ba9b25fbefeee4d1bdffe97d4
Instruction Fuzzy Hash: B411E1B5504644AFFB218B11CC89FB6FBA8FF04728F04889AEE458F251D374A504CAB6

Function 0556322A Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetPerAdapterInfo.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05563283

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AdapterInfo
String ID:
API String ID: 3405139893-0
Opcode ID: 5164408ddbe59f05641f5ff629340778c04fb00ba9b25fbefeee4d1bdffe97d4
Instruction ID: 35a1f129e8077544073fe5aa934731862e33c4f02faa251d455fe53e165277b1
Opcode Fuzzy Hash: 5164408ddbe59f05641f5ff629340778c04fb00ba9b25fbefeee4d1bdffe97d4
Instruction Fuzzy Hash: AB11E1B5404744AFFB218B51CC48FB6FBA8FF04728F04885AEE458F281D374A508CAB6

Function 05562F7E Relevance: 1.6, APIs: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

GetNetworkParams.IPHLPAPI(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 05562FD4

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: NetworkParams
String ID:
API String ID: 2134775280-0
Opcode ID: eb3a8090bd6ebfa3a0d8d8ce77635826ac2467b4ffdf8d24e2ad8bce6ebb71a5
Instruction ID: 868eec6b153b69f8400e88316e8a752319a0091f17a634c1f85410bcdc112b68
Opcode Fuzzy Hash: eb3a8090bd6ebfa3a0d8d8ce77635826ac2467b4ffdf8d24e2ad8bce6ebb71a5
Instruction Fuzzy Hash: F301C475504644AFFB21CB11DC49FB6FBA8FF04728F04849AEE459F251D374A508CAB6

Function 05565446 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 0556548E

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CopyFile
String ID:
API String ID: 1304948518-0
Opcode ID: 067daaef95b100b7adb6f131114534744f898b08f8aab3792a9f34a99224e661
Instruction ID: 6a8554e14b4f98ded53ae810f9a144123a1fb7ddbfc72740094b282b8389d42b
Opcode Fuzzy Hash: 067daaef95b100b7adb6f131114534744f898b08f8aab3792a9f34a99224e661
Instruction Fuzzy Hash: A811A1716042409FEB20CF69DC85B66FBE8FF05226F0888AADD49CB645E734E404CB72

Function 012DBD42 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,00000E24,1AA85BD5,00000000,00000000,00000000,00000000), ref: 012DBD95

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: aafa0bf96bcb13484a19415059e8edf954adcc793d6239d935b26d1373e2b643
Instruction ID: 5bba8a8dce9296b28496ffaf62aa40e63e00e15dbf468d3ccd74b1e0b5b32486
Opcode Fuzzy Hash: aafa0bf96bcb13484a19415059e8edf954adcc793d6239d935b26d1373e2b643
Instruction Fuzzy Hash: 90012275504200AEF721CF15CC89BB6FBA8EF05624F08809AEE048F285D374A404CAB6

Function 05563F6E Relevance: 1.5, APIs: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAConnect.WS2_32(?,?,?,?,?,?,?), ref: 05563FBA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Connect
String ID:
API String ID: 3144859779-0
Opcode ID: 048d1284e5474505cb4353290a3d2ac4ea150fc87943c7532c75b8d3e9cfcf9d
Instruction ID: c1eb9f37fa681343ba273bc66d26e91b92a1e820a90e61eb735e3c16670bbab7
Opcode Fuzzy Hash: 048d1284e5474505cb4353290a3d2ac4ea150fc87943c7532c75b8d3e9cfcf9d
Instruction Fuzzy Hash: C71170715046419FEB20CF55D844B62FBF5FF04220F0988AAEE468B651D335E418CF62

Function 055650E2 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNEL32(?,?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 0556511F

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 2a6a33f2a8e324bf7a7f2d6035d9a11595ac4d99bec4f1311a073b4c707b92e8
Instruction ID: 9344813b4a14028153c1edfe0cc2078f5f153f89abe96a23491b52f4422ce4c0
Opcode Fuzzy Hash: 2a6a33f2a8e324bf7a7f2d6035d9a11595ac4d99bec4f1311a073b4c707b92e8
Instruction Fuzzy Hash: 240192B15052419FEB10CF25DC85B66FBD4FF05224F4888AADD49CB742F674E404CAA2

Function 0556194A Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

SetWindowsHookExA.USER32(?,00000E24,?,?), ref: 0556199A

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: 5b7a70be99562b9c6af63233144655db25ab81d166ceb36939f7f07453c49d43
Instruction ID: 7e648f1df7f60aafd7070d04417e25de1ebf684c9092f5208b9f96cd3d512164
Opcode Fuzzy Hash: 5b7a70be99562b9c6af63233144655db25ab81d166ceb36939f7f07453c49d43
Instruction Fuzzy Hash: 7101B171500200ABD350DF16DC46B66FBE8FB88A20F14856AED099B741D735B915CBE5

Function 0556141E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNELBASE(?,00000E24,?,?), ref: 0556146E

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 3c00be2981149cdbab9e7b0d534b3bdd5ff6d00125791273ccced5eee793be1e
Instruction ID: dcd32110ca428a7bb084cb2faef3e8e2bfa7e934aa6947029e75572677c2a9bc
Opcode Fuzzy Hash: 3c00be2981149cdbab9e7b0d534b3bdd5ff6d00125791273ccced5eee793be1e
Instruction Fuzzy Hash: D3017171500200ABD350DF16DC46B66FBE8FB88A20F14856AED099B741D735B915CBE5

Function 0556448E Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

K32GetModuleBaseNameW.KERNEL32(?,00000E24,?,?), ref: 055644DE

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: BaseModuleName
String ID:
API String ID: 595626670-0
Opcode ID: a0e0f04fccd7887cb6f84d2406b49de99eb5c225eb25ae420acaf546bb1153bc
Instruction ID: baa3bb9d5f8f90798c51f1b4953a2635e62c9ac0b6730cf890db99969170bcec
Opcode Fuzzy Hash: a0e0f04fccd7887cb6f84d2406b49de99eb5c225eb25ae420acaf546bb1153bc
Instruction Fuzzy Hash: 0D017171500200ABD350DF16DC46B66FBE8FB88A20F14856AED099B741D735B915CBE5

Function 0556348A Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(?,00000E24,?,?), ref: 055634DA

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FormatMessage
String ID:
API String ID: 1306739567-0
Opcode ID: 8c83473228db848737a07ab0cc2773a28c53b7eadab0333728da1ffc50e24503
Instruction ID: e698d56084b66f189b4e14dc411885f64b6d02998a2f3a985721d8d0136a3c2b
Opcode Fuzzy Hash: 8c83473228db848737a07ab0cc2773a28c53b7eadab0333728da1ffc50e24503
Instruction Fuzzy Hash: 37017171500200ABD350DF16DC46B66FBE8FB88A20F14856AED099B741D735B915CBE5

Function 05562EAA Relevance: 1.5, APIs: 1, Instructions: 47fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 05562EE4

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2ae30e1f6b14b30d683df8ec039557de0d41ef2c75cba1a56c89db71c34db1da
Instruction ID: 7063fa444bedc55bd483503bf83bce78faa8417affd6019bb7a5e86c10e8617d
Opcode Fuzzy Hash: 2ae30e1f6b14b30d683df8ec039557de0d41ef2c75cba1a56c89db71c34db1da
Instruction Fuzzy Hash: 1A019E755042419FEB10CF25D8857A6FBE8FF01220F0888AADD09CB242D674E844CFA2

Function 012DA172 Relevance: 1.5, APIs: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000E24,?,?), ref: 012DA1C2

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: gethostname
String ID:
API String ID: 144339138-0
Opcode ID: 7e1ae0e175677539cc9e8b2dac41bb02d8a393732ebb70b5fbbf795831214d4b
Instruction ID: b4f3771180ca7bae08ebe2e76443e3c022d3db68055d7e9d15014054cd202b6e
Opcode Fuzzy Hash: 7e1ae0e175677539cc9e8b2dac41bb02d8a393732ebb70b5fbbf795831214d4b
Instruction Fuzzy Hash: DB01D471500200AFD350DF16DC46B66FBE8FB88A20F14856AED099B741D735F911CBE5

Function 055651C2 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(?,?,?,?), ref: 0556520D

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: a3a55d1a5101356f291e682cf09130d5c3b8dc1762e1b9bdd64a5ef739014a2e
Instruction ID: 6fad96dc673acc4ceeb4883bded4c77f4879abc2f36ed4c1108ffaa4343ab9fa
Opcode Fuzzy Hash: a3a55d1a5101356f291e682cf09130d5c3b8dc1762e1b9bdd64a5ef739014a2e
Instruction Fuzzy Hash: F2019E755446809FEB20CF55CC84B66FBE8FF05620F4884A9DE468B752E371E404CEB2

Function 05561A9E Relevance: 1.5, APIs: 1, Instructions: 46libraryCOMMON

Download Yara Rule

APIs

LoadLibraryShim.MSCOREE(?,?,?,?), ref: 05561AE9

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: LibraryLoadShim
String ID:
API String ID: 1475914169-0
Opcode ID: 88e2100740eb937ceb06dd94e607d3f557e31cfbb6cf1d9123377aca9afd3052
Instruction ID: ff29fceb06285f73e6df73d945338f06113d22174bc7bf7596818a16ca1d7281
Opcode Fuzzy Hash: 88e2100740eb937ceb06dd94e607d3f557e31cfbb6cf1d9123377aca9afd3052
Instruction Fuzzy Hash: 6B019E75604B409FEB20CF16D885B62FBE8FF44621F088499DD498B752E371E404CBB2

Function 012DA5D6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012DA61A

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2520dfa82ce88cf9de11b7df5ede9f26e5eb985983150568f2cfc00d07fc20be
Instruction ID: 6b96d4078a91d3ea8fb8626b707dc9eb4f58ed1c3555fb7436d82a9f30aeaddd
Opcode Fuzzy Hash: 2520dfa82ce88cf9de11b7df5ede9f26e5eb985983150568f2cfc00d07fc20be
Instruction Fuzzy Hash: 40018071414600EFEF218F55D845B52FFE0EF48720F08C8AADE898B656D375A414DFA2

Function 0556590E Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,?,?,?), ref: 0556594C

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: MessagePeek
String ID:
API String ID: 2222842502-0
Opcode ID: 0d891c10a25a2aa1ceaeeba4364509e9e62c80390603383f9cbb03b1a4609b35
Instruction ID: d34345dc48d2988743785b88afa590ff45920e7937f227662a063327e0b47e20
Opcode Fuzzy Hash: 0d891c10a25a2aa1ceaeeba4364509e9e62c80390603383f9cbb03b1a4609b35
Instruction Fuzzy Hash: A001B1715046409FEB218F55D884B62FBE1FF05230F08C4AEEE468B661E371E418DFA2

Function 0556210A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

RasEnumConnectionsW.RASAPI32(?,00000E24,?,?), ref: 0556215A

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: ConnectionsEnum
String ID:
API String ID: 3832085198-0
Opcode ID: fc82108b5a82ac053737518a25a0d1bd0738d8b91c9e08015fb3fe12664e1303
Instruction ID: 94768aae9558b0f672f8cc64138adfcf18f99535b3b50b7399359e226e689a1e
Opcode Fuzzy Hash: fc82108b5a82ac053737518a25a0d1bd0738d8b91c9e08015fb3fe12664e1303
Instruction Fuzzy Hash: D501D671600200ABD350DF16DC46B26FBE8FB88B20F14812AED095B741D731F915CBE5

Function 0556024E Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetIfEntry.IPHLPAPI(?,00000E24,?,?), ref: 05560299

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: Entry
String ID:
API String ID: 3940594292-0
Opcode ID: 0f1f2aa0649538d36f096ea8cb1f58d36fdbef9c0621fc0508a9e1f8748023ed
Instruction ID: 8d1cc8fca5c4a244616cdef75e44adb3b4dc0a3106d4c810e08a88e1e5cc2487
Opcode Fuzzy Hash: 0f1f2aa0649538d36f096ea8cb1f58d36fdbef9c0621fc0508a9e1f8748023ed
Instruction Fuzzy Hash: 1401D671600200ABD350DF16DC46B26FBE8FB88A20F148159ED095B741D735F915CBE5

Function 055614C6 Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 05561504

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 37a7a0b6592518e11ac5a32cc02114d5e9b5c8eda3fb1d7b9ba1189d8c218743
Instruction ID: e288e13cdc8ad40a644510c608b69b0470dfea45a8152609115ab8ca9ad59a84
Opcode Fuzzy Hash: 37a7a0b6592518e11ac5a32cc02114d5e9b5c8eda3fb1d7b9ba1189d8c218743
Instruction Fuzzy Hash: 060192714046409FEB20CF55E844B61FBE0FF04321F08C8AADE468B651D375A414CFA2

Function 012DB7B2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNEL32(?,00000E24,?,?), ref: 012DB802

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 3b7a4453aedd54521db97c898e85e4d2bbb110cfa1546f304422614376512309
Instruction ID: eb0a4ab00a69afb00b5284385f40bfb5ad38acd192d682b0c7759b6df54018f1
Opcode Fuzzy Hash: 3b7a4453aedd54521db97c898e85e4d2bbb110cfa1546f304422614376512309
Instruction Fuzzy Hash: 7701D671600200ABD350DF16DC46B26FBE8FB88B20F14811AED095B781D771F915CBE5

Function 012DAD7A Relevance: 1.5, APIs: 1, Instructions: 43threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000E24,?,?), ref: 012DADC5

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 02ed7164879b4f951efbf4d4e88b62948a1a526ebd8a47f0f573f268437c462b
Instruction ID: ec7170ec45b3c09fd3a0783c09360b4d101aa92489174fc71a6dd179c4bf5629
Opcode Fuzzy Hash: 02ed7164879b4f951efbf4d4e88b62948a1a526ebd8a47f0f573f268437c462b
Instruction Fuzzy Hash: 3D01D671600200ABD350DF16DC46B26FBE8FB88B20F14811AED095B741D731F915CBE5

Function 012DB952 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,?,?,?,?), ref: 012DB990

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: setsockopt
String ID:
API String ID: 3981526788-0
Opcode ID: 4c21d6ba5bf94cbd86b52671a4d2d574adf584d224fe242e59d150caf95cfdac
Instruction ID: ae8ca6c8c1b38708cb28d54578291f0007ce855a3a0a6c8bdc783f23823f18b3
Opcode Fuzzy Hash: 4c21d6ba5bf94cbd86b52671a4d2d574adf584d224fe242e59d150caf95cfdac
Instruction Fuzzy Hash: 12019E71404240DFEB21CF55D845B96FBE0EF05321F0888AADE898B656D375A418CFA2

Function 0556585A Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 05565895

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 0238b42c7b357f224b2345b46eb0d263170a23e57c403938eea2df709a2cdc10
Instruction ID: 3f757c9deee4978a48bd18eeaf37252a4e20e31e77a7fd1ea97e1a2ebde653a0
Opcode Fuzzy Hash: 0238b42c7b357f224b2345b46eb0d263170a23e57c403938eea2df709a2cdc10
Instruction Fuzzy Hash: B801D4315047409FEB208F55D884B65FBE0FF04220F08C4AEDE468BA61E371E418CFA2

Function 055657BA Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 055657EC

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 80570078d4e7c1f5c6d1f70b09fb906c22ada5c335cfed15901183c8ae1d248f
Instruction ID: 72e85c07956f2436a11571b4ddf4de6b186ed1ab4242825c2c483a82e9276f52
Opcode Fuzzy Hash: 80570078d4e7c1f5c6d1f70b09fb906c22ada5c335cfed15901183c8ae1d248f
Instruction Fuzzy Hash: 7E0162755046409FEB10CF15D885B61FBE4FF05625F18C0AADD498B651E275A448CAA2

Function 012DA8AE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 012DA8E0

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 8ec647eba21b238c29886f20cf184d6717df560f3086d87b93e58411da8a749e
Instruction ID: 8f3a11e0cbacc1a512ca4d29b7c51e7782a701ca5be8a047ab5a67c880a3fda9
Opcode Fuzzy Hash: 8ec647eba21b238c29886f20cf184d6717df560f3086d87b93e58411da8a749e
Instruction Fuzzy Hash: EA01D1748142409FEB10CF15D889BA2FBE4EF05324F08C8EADE498F242D379A504CFA2

Function 0556286E Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 055628A9

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 10d932ac92715322a83dc83508bf555bd87b6401862e3e942f2c6f5ecd25d503
Instruction ID: 36213d93179450cdbec4ca656b895c05cec3a011e94ff5c1bfb88a455b94b031
Opcode Fuzzy Hash: 10d932ac92715322a83dc83508bf555bd87b6401862e3e942f2c6f5ecd25d503
Instruction Fuzzy Hash: 810178358047409FEB208F45DC84B61FBA0FF08225F08889ADE494B666D375A458CBA2

Function 012DAA12 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 012DAA4A

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: f6559c751aa82fea92d73cc313ffd04890baa096b9ef1b94cfcbf789807f7a60
Instruction ID: 611f261e4272c0edf48f766f72f0c759ea25a45d7b49415d660668c8bb7089e0
Opcode Fuzzy Hash: f6559c751aa82fea92d73cc313ffd04890baa096b9ef1b94cfcbf789807f7a60
Instruction Fuzzy Hash: AC01DC314146409FEB218F49D989B62FBF0EF04724F08C1AADE4A4B652D3B5A408CFA3

Function 05565A7A Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?), ref: 05565AAC

Memory Dump Source

Source File: 00000003.00000002.1683003753.0000000005560000.00000040.00000800.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_5560000_Windows Update.jbxd

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 6210d545fe025864646503759ac4ea4daead9150130eae204409ffa4861cbbed
Instruction ID: 389e35b32f33a826cc8f8131ec5e68a99141f352787fbd623e7a35e69426fca4
Opcode Fuzzy Hash: 6210d545fe025864646503759ac4ea4daead9150130eae204409ffa4861cbbed
Instruction Fuzzy Hash: 4DF0A4744442449FEB10CF05D884B61FBE0FF05625F48C49ADD454B752E375A404CEA2

Function 012DA69A Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 012DA6CC

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 7916cf2a5beecd0cc0dee42e37b7ee7607d33d1a7861b7ece6d2a56dfd6decf2
Instruction ID: 77ee3ba1b17ba94381aa574d092cfa02ff2ae1b0c1157365d5ad5e175714d3ec
Opcode Fuzzy Hash: 7916cf2a5beecd0cc0dee42e37b7ee7607d33d1a7861b7ece6d2a56dfd6decf2
Instruction Fuzzy Hash: 3CF0AF74414640DFEF108F15D889B61FBE0EF45635F08C0AADE494B656E3B5A444CEA2

Function 012DA2FA Relevance: 1.3, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,1AA85BD5,00000000,?,?,?,?,?,?,?,?,6D003C58), ref: 012DA32C

Memory Dump Source

Source File: 00000003.00000002.1678950357.00000000012DA000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12da000_Windows Update.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: fd26276f0a814bf834fe439fd589f8c96958635f871e2a30c1ed91a1ff2b3b8b
Instruction ID: 783da07f10054edf8a2d8e9352378b33c320b6f2f7f11c7ab59c5345668c9778
Opcode Fuzzy Hash: fd26276f0a814bf834fe439fd589f8c96958635f871e2a30c1ed91a1ff2b3b8b
Instruction Fuzzy Hash: 7601F2719043409FEB50CF19D885BA6FBE4EF01620F08C4AADE09CF642D7B4A404CEA2

Function 016F0734 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e5701dcdb6cd5cdb7d164ba2b4f471374cd3c94c2a823c2dff235680f3efa2c
Instruction ID: 336ab67a385545e65735d1af55abe8527fe7243410ab3e63cb234de8e4b2cb25
Opcode Fuzzy Hash: 9e5701dcdb6cd5cdb7d164ba2b4f471374cd3c94c2a823c2dff235680f3efa2c
Instruction Fuzzy Hash: D0216A3110D3C48FDB17CB64C990B65BFA2AF47604F1985DED5858F6A3C73A8816CB62

Function 016F5076 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f4000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61eded7a3906a055681b5b3758f047d132caceff4072c2e8f882a52c98814dc
Instruction ID: bc4d402833bfe1fc7cb563543ea22450bf147946b6d96662f75bc92a35bf191a
Opcode Fuzzy Hash: c61eded7a3906a055681b5b3758f047d132caceff4072c2e8f882a52c98814dc
Instruction Fuzzy Hash: 57117C301492C08FCB13CB24C990B15BFB1AF47704F1885DED5854F6A3C33A9816CB51

Function 07A81746 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f2392611fd138785d921368d56e12139ceb46b062e6d40d5c36b6a5fc9c9cc
Instruction ID: 4bf6141d63507071543d09d7a75348260cf9f787721c9d43a73045a98f3cee0f
Opcode Fuzzy Hash: 63f2392611fd138785d921368d56e12139ceb46b062e6d40d5c36b6a5fc9c9cc
Instruction Fuzzy Hash: B121E5B5908341AFD341CF19D844A5BFBE4FF89664F04896EF988D7311E234E9088FA2

Function 07A821B8 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741931721dad9d6f428d2f618789c1cee2b95d89f6e2c70105420a9a5c9ee041
Instruction ID: a496cb1044fd3b2e1b76316e8cfe19eb1cf64820d6aa81a667041795d4c8c463
Opcode Fuzzy Hash: 741931721dad9d6f428d2f618789c1cee2b95d89f6e2c70105420a9a5c9ee041
Instruction Fuzzy Hash: CA11B7B5908341AFD340CF19D880A5BFBE4FB98664F04896EF998D7311E235E9048FA2

Function 016F076C Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 513d11e83f9c2f2a2a4f229c746b75ec8122f9c3b376e5d8ab4129f51c307785
Instruction ID: 437ebc313d0b227714a61f2a50ba3d1f022fe12b4977578698642becc21c9a22
Opcode Fuzzy Hash: 513d11e83f9c2f2a2a4f229c746b75ec8122f9c3b376e5d8ab4129f51c307785
Instruction Fuzzy Hash: 8E11A230248244EFD715CB14DD80B26BBD6EB89718F24C5DCEA495B753C77B9813CA91

Function 016F50B4 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f4000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1dcfdaaa15e72c7440a6b7f9ce75c614d96f22f4fa16b50dc2e43532c89d39d2
Instruction ID: 61ea18e593ce1dd4e0c87bf131eac31724d3520a9cc059bb1e5f05a405b4f97f
Opcode Fuzzy Hash: 1dcfdaaa15e72c7440a6b7f9ce75c614d96f22f4fa16b50dc2e43532c89d39d2
Instruction Fuzzy Hash: 9311D630208340DFD715CB14DD40B26BB95AB8A709F28C59CEA4A4B753C77B9C03C651

Function 016F05E0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d27e2c57a6d380316e9b57ca037b370e546f18eb33540845aa92cf8dbfb4216
Instruction ID: 83f32dead73dc9d2e5c9364e57fbe17a458ec66db9a599a4592ff373f01faa51
Opcode Fuzzy Hash: 3d27e2c57a6d380316e9b57ca037b370e546f18eb33540845aa92cf8dbfb4216
Instruction Fuzzy Hash: CB012DB600D3805FD312CF15AC00C63FFE8EF8622070984EFE849CB253D225A804C765

Function 07A8205C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1f403c9f8e895aed2904f870efbc5fbbe8731f19bf37bb5d0d94e3234593ae3
Instruction ID: b1e9c224873b7d8a0c1e2ebb4d2c9bdc2f025780d646c2871b3254b767b1ae7b
Opcode Fuzzy Hash: f1f403c9f8e895aed2904f870efbc5fbbe8731f19bf37bb5d0d94e3234593ae3
Instruction Fuzzy Hash: 8F11BEB5908301AFD350CF19DC45E57FBE8EB88660F14891EF95997311D275E9048FA2

Function 012EB340 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1678991890.00000000012E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12e2000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cd305899a4b2f58d142ee3f7e2eed535ae46b39c9b405dbfdcc47f5f902080
Instruction ID: dd164d6da4cd104022f10f80605e93465160d156b690bcb329f81722238e608a
Opcode Fuzzy Hash: 59cd305899a4b2f58d142ee3f7e2eed535ae46b39c9b405dbfdcc47f5f902080
Instruction Fuzzy Hash: 8811ECB5908301AFD350CF09DC44E57FBE8EB88660F04891EF95997311E231E9048FA2

Function 016F0710 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ca6409fa0740f499678a7a34371a9e470972e22aec9e8e0aeb7c5ac4eb0872c
Instruction ID: 471ca2304438358e8b9218f5899f4ae5d1d01570ccb208aa2a07cbbed8c0f8d9
Opcode Fuzzy Hash: 3ca6409fa0740f499678a7a34371a9e470972e22aec9e8e0aeb7c5ac4eb0872c
Instruction Fuzzy Hash: E3F019351486459FC606CF44D980B25FBA2EB89718F24C6ADE95907752C3369813DE81

Function 016F0828 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
Instruction ID: d1d741699a8a155e50138811277b4a1dcc7db55db53f779900c8760cc9dbbdd4
Opcode Fuzzy Hash: 0bd28dbf71d4ee8e62a83ed0e350296e777db5385feaa077aad4f21ddb999f8f
Instruction Fuzzy Hash: 43F0FB35148644DFC616CB44D980B25FBA2EB89718F24C6ADE94907753C737D813DE81

Function 016F516C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F4000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f4000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c640d7ccd9cd4f235cfff354f2c358f3fe6b0b18706a2395619e2d58eafbb15
Instruction ID: 686622bd8a20d50dd4b248f2789954773c4ac3f9fcd0113e6734bf62552a1de8
Opcode Fuzzy Hash: 8c640d7ccd9cd4f235cfff354f2c358f3fe6b0b18706a2395619e2d58eafbb15
Instruction Fuzzy Hash: 26F0EC35148644DFC316CB04D980B26FBA2FB89718F24C6ADE9490B752C737E813DA91

Function 016F0606 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1679934255.00000000016F0000.00000040.00000020.00020000.00000000.sdmp, Offset: 016F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_16f0000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd26dac23e139fa0387eb8a82a82e366a3149d200a320aa7bb1b6cfa4ab4bcc3
Instruction ID: 7d51061b9c917694694b508fbd9791fc4e27ee17514ea68aaba77346a90c10df
Opcode Fuzzy Hash: cd26dac23e139fa0387eb8a82a82e366a3149d200a320aa7bb1b6cfa4ab4bcc3
Instruction Fuzzy Hash: B3E092B66046004B9650CF0BEC45492F7D8EB84631718C47FDD4D8B701E675B508CEA5

Function 07A820AB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444e112ee91216517e3e58ea1dafccbab4814c7e74471d6a26475ec62fe90ed9
Instruction ID: 84402b2f1d63873acca5ca0c6d25f523768aa679b3ace81c2cb72c683bb6ed61
Opcode Fuzzy Hash: 444e112ee91216517e3e58ea1dafccbab4814c7e74471d6a26475ec62fe90ed9
Instruction Fuzzy Hash: E5E0D8B29003046BE2509F069C45F53FBD8EB44931F04C467EE095B742E176750489F1

Function 07A817BB Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ef3014fa972da3cb7a3d1952ad25b183c9cb411291b1a0a66d56894a0cad83
Instruction ID: 5af9445ec054549f46d05d86a66dd685facfe131b6c64c96bc2a0d87d0330643
Opcode Fuzzy Hash: 69ef3014fa972da3cb7a3d1952ad25b183c9cb411291b1a0a66d56894a0cad83
Instruction Fuzzy Hash: BDE0D8B290030067E2108F069C49F52FB98EB84A31F04C467EE085F742E171751489E1

Function 07A81ACF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996a2f300ca9eb5e143f39191695f5b73b35142f13f94d882b0a5f86c7c53e5c
Instruction ID: d7a2d413376f43aa139f8b31f0035fd91bbdbc4af9f5129e2dc0127747f5bc3c
Opcode Fuzzy Hash: 996a2f300ca9eb5e143f39191695f5b73b35142f13f94d882b0a5f86c7c53e5c
Instruction Fuzzy Hash: B1E0D8B290020067E2109F069C49F53FBD8EB84931F04C467EE095B741E1727514CDE1

Function 07A82223 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1684829779.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_7a80000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a63645396d7b19ef909704d3ecf068bd93307bc71fb078feb59d2e380dbd0e8
Instruction ID: a485c1c69172461b33e88a890bc79e177df2205a048aa74ea8990ef384d7884a
Opcode Fuzzy Hash: 0a63645396d7b19ef909704d3ecf068bd93307bc71fb078feb59d2e380dbd0e8
Instruction Fuzzy Hash: 46E0D8F294030067E2108F069C45F52FBD8EB94931F04C467ED085F741E171751489E1

Function 012EB38F Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1678991890.00000000012E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012E2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12e2000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 365b5c3021bebb1d81c75fe55196bf4e9a18ec423b52da997d1d501918a96a21
Instruction ID: 3894f659084cb9fecdbdc9b365a04a01269c4b68f1c22bbdb64a233e962055d0
Opcode Fuzzy Hash: 365b5c3021bebb1d81c75fe55196bf4e9a18ec423b52da997d1d501918a96a21
Instruction Fuzzy Hash: D9E0D8B294020467D2508F069C45F52FB98EB54931F04C567EE095B741E171750489F1

Function 012D23F4 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1678926690.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d2000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fc35d9a06a35f66a5252daac7ab300f15d679b43a81b9885407b33831fc678b
Instruction ID: aa7fbb92085fd09f7c323537eae4be4f29e30abeae4b353d36a6ed392950105f
Opcode Fuzzy Hash: 1fc35d9a06a35f66a5252daac7ab300f15d679b43a81b9885407b33831fc678b
Instruction Fuzzy Hash: AAD05E7921A6A28FE3179F1CC1A4B953BE4EB51714F4B44F9AD408B763C768D581D600

Function 012D23BC Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1678926690.00000000012D2000.00000040.00000800.00020000.00000000.sdmp, Offset: 012D2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_12d2000_Windows Update.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9083fbbda75e015fd5255da56af5653829868ca0c975e2064fbf9fe4c293358c
Instruction ID: 0be067e6575b5ca5017bb2568a938ba0a4f39de97d9e3ae24f95461967a57d6b
Opcode Fuzzy Hash: 9083fbbda75e015fd5255da56af5653829868ca0c975e2064fbf9fe4c293358c
Instruction Fuzzy Hash: F2D05E342052828BE715DF0CC2D4F5937D4AB80714F0644E8BD108B262CBA4D8C0CA00

Analysis Process: vbc.exePID: 8172, Parent PID: 7736COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.7%
Total number of Nodes:	1477
Total number of Limit Nodes:	45

Executed Functions

Function 0040724C Relevance: 31.6, APIs: 11, Strings: 7, Instructions: 143
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004072AE
memset.MSVCRT ref: 004072C2
memset.MSVCRT ref: 004072DC
memset.MSVCRT ref: 004072F1
GetComputerNameA.KERNEL32(?,?), ref: 00407313
GetUserNameA.ADVAPI32(?,?), ref: 00407327
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
strlen.MSVCRT ref: 00407364
strlen.MSVCRT ref: 00407373
memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407385

Strings

O, xrefs: 00407298
H, xrefs: 004072A4
b, xrefs: 0040727C
5, xrefs: 00407290
}, xrefs: 00407294
}, xrefs: 004072A0
i, xrefs: 00407274

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ByteCharMulusermeWidestrlen$ComputerUsermemcpy
String ID: 5$H$O$b$i$}$}
API String ID: 1832431107-3760989150
Opcode ID: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction ID: 8a8033fc9206e0c4c361a826d49ab5f0cafd1e40d7200dcd25d3d532c5214641
Opcode Fuzzy Hash: 892f1d25977d50633ddef969ddbe2b4ff3cde350e5ee45bf306cc9825cca91de
Instruction Fuzzy Hash: AC510871C0025DBEDB11CBA8CC41AEEBBBDEF49314F0442EAE955E6191D3389B84CB65

Function 00403C3D Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 170
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E894: FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C5C
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C71
strcpy.MSVCRT(?,?), ref: 00403E45

Strings

Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CFD
www.google.com/Please log in to your Google Account, xrefs: 00403CC1
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403D22
PStoreCreateInstance, xrefs: 00403C6B
www.google.com:443/Please log in to your Gmail account, xrefs: 00403CB7
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D69
www.google.com/Please log in to your Gmail account, xrefs: 00403CAD
pstorec.dll, xrefs: 00403C57
www.google.com:443/Please log in to your Google Account, xrefs: 00403CCB
Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D62
Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D95

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProcstrcpy
String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
API String ID: 2884822230-961845771
Opcode ID: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction ID: d05da07ce2d894a49ef5f331cfc6c83e82fbb8602fa7f27bb7646818df223e42
Opcode Fuzzy Hash: 736501e530afa2727e5d55e5ce378ede5b836f248ef61c614794b5a243445e0a
Instruction Fuzzy Hash: 9B51D771600605B6D714BF72CD46BEABB6CAF00709F10053FF905B61C2DBBCAA5587A9

Function 00406EC3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406ED9
FindNextFileA.KERNELBASE(?,?,?,?,00410CA1,*.oeaccount,rA,?,00000104), ref: 00406EF7
strlen.MSVCRT ref: 00406F27
strlen.MSVCRT ref: 00406F2F

Strings

rA, xrefs: 00406F12

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFindstrlen$FirstNext
String ID: rA
API String ID: 379999529-474049127
Opcode ID: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction ID: 479c8733b6b08075922562257f7174063dbd0ea9e1486761d8d5d3546bede414
Opcode Fuzzy Hash: 9a66d1681466aca7d0b3f0cd3a87e00f7da5b3e9059264b02d426353c7cea173
Instruction Fuzzy Hash: 00118272005205AFD714DB34E844ADBB3D9DF44324F21493FF55AD21D0EB38A9548758

Function 0040ED0B Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceA.KERNEL32(?,?,?), ref: 0040ED18
SizeofResource.KERNEL32(?,00000000), ref: 0040ED29
LoadResource.KERNEL32(?,00000000), ref: 0040ED39
LockResource.KERNEL32(00000000), ref: 0040ED44

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction ID: 6bf1e5af94a697a74b0619517749427008784a8e56cd275cc50dd62f01ccc87b
Opcode Fuzzy Hash: 4124c9c16d571b3a6a6dda8a6002e2ff58418d98f6681f6753ff1314487d049b
Instruction Fuzzy Hash: 450104367002126BCB185F66CD4599B7FAAFF852903488536AD09DA360D770C921C688

Function 00401E8B Relevance: 52.8, APIs: 19, Strings: 11, Instructions: 261
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00401EAD
strlen.MSVCRT ref: 00401EC6
strlen.MSVCRT ref: 00401ED4
strlen.MSVCRT ref: 00401F1A
strlen.MSVCRT ref: 00401F28
memset.MSVCRT ref: 00401FD3
atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00402002
memset.MSVCRT ref: 00402025
sprintf.MSVCRT ref: 00402052

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 004020A8
memset.MSVCRT ref: 004020BD
strlen.MSVCRT ref: 004020C3
strlen.MSVCRT ref: 004020D1
strlen.MSVCRT ref: 00402104
strlen.MSVCRT ref: 00402112
memset.MSVCRT ref: 0040203A

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

strcpy.MSVCRT(?,00000000), ref: 00402199
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004021A3
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004021BE

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Strings

Thunderbird\Profiles, xrefs: 00401F0F, 00401F3D
Install Directory, xrefs: 0040205F
nss3.dll, xrefs: 004020FF, 00402127
%programfiles%\Mozilla Thunderbird, xrefs: 004021B9
Mozilla\Profiles, xrefs: 00401EC0, 00401EC5, 00401EED
%s\Main, xrefs: 0040204C
sqlite3.dll, xrefs: 00401FF6, 004020C2, 004020E7
Software\Qualcomm\Eudora\CommandLine, xrefs: 00401F66
Software\Classes\Software\Qualcomm\Eudora\CommandLine\current, xrefs: 00401F8C
Software\Mozilla\Mozilla Thunderbird, xrefs: 00401FA8
current, xrefs: 00401F61

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$memset$Closestrcpy$AttributesEnvironmentExpandFileStringsatoisprintfstrcat
String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
API String ID: 2492260235-4223776976
Opcode ID: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction ID: fcae88f02dbfb35d0bd4b12665d2d891c1e7b320b053452542e36e55e3802549
Opcode Fuzzy Hash: ac5e96ee30ae2dd9ced97f1bdc4fbeb635d430268e29e54df0797c77c4e8013e
Instruction Fuzzy Hash: C891E472904158BADB21E765CC46FDA77AC9F44308F1004BBF609F2182EB789BD58B5D

Function 0040B9AD Relevance: 43.9, APIs: 19, Strings: 6, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404837: LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 00404856
Part of subcall function 00404837: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
Part of subcall function 00404837: FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040487C
Part of subcall function 00404837: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048A7

??3@YAXPAX@Z.MSVCRT(?), ref: 0040BBF8
DeleteObject.GDI32(?), ref: 0040BC0E

Strings

, xrefs: 0040B9E7
Failed to load the executable file !, xrefs: 0040BA9F
/savelangfile, xrefs: 0040BA1F
/deleteregkey, xrefs: 0040BA4D
Software\NirSoft\MailPassView, xrefs: 0040BA5B
Error, xrefs: 0040BA9A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !$Software\NirSoft\MailPassView
API String ID: 745651260-414181363
Opcode ID: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction ID: 29be9d14b742f54cd69d53bb86675b71f99c80547e1740e7b57482248bd42427
Opcode Fuzzy Hash: 16f53dabeb4a883268802abd1063420dcaf51a14d4cbe642e390ff1ea210f197
Instruction Fuzzy Hash: 9D518D71108345ABC7209F61DD09A9BBBF8FF84705F00483FF685A22A1DB789914CB5E

Function 0040D9F9 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 101
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA2A
RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E70,?), ref: 0040DA44
RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E70,?), ref: 0040DA6F
RegCloseKey.ADVAPI32(?,?,?,?,?,00403E70,?), ref: 0040DB20

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT(?,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DADD
memcpy.MSVCRT(?,?,?), ref: 0040DAF2

Part of subcall function 0040D6FB: RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
Part of subcall function 0040D6FB: memset.MSVCRT ref: 0040D743
Part of subcall function 0040D6FB: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
Part of subcall function 0040D6FB: RegCloseKey.ADVAPI32(?), ref: 0040D858

LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E70,?), ref: 0040DB16
RegCloseKey.KERNELBASE(?,?,?,?,?,00403E70,?), ref: 0040DB2A

Strings

Dynamic Salt, xrefs: 0040DA3B
Value, xrefs: 0040DA5E
Software\Microsoft\IdentityCRL, xrefs: 0040DA20
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040DAB4, 0040DADB

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Dynamic Salt$Software\Microsoft\IdentityCRL$Value
API String ID: 2768085393-1693574875
Opcode ID: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction ID: 6117dd664a6da5d1700893ef21bfd696e4846e6baba0a559227c27352822965f
Opcode Fuzzy Hash: 2702e5b6582a814fc20eadb9384ec418d8613a8c7f334e4e23fc0615c867cd5e
Instruction Fuzzy Hash: 95316D72504344AFD700DF55DC40D9BBBECEB88358F40493EFA84E2160E774DA188B6A

Function 00411654 Relevance: 18.1, APIs: 12, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,004123E0,00000070), ref: 00411669
__set_app_type.MSVCRT ref: 004116C2
__p__fmode.MSVCRT ref: 004116D7
__p__commode.MSVCRT ref: 004116E5
__setusermatherr.MSVCRT ref: 00411711
_initterm.MSVCRT ref: 00411727
__getmainargs.MSVCRT ref: 0041174A
_initterm.MSVCRT ref: 0041175D
GetStartupInfoA.KERNEL32(?), ref: 0041179C
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004117C0
exit.KERNELBASE ref: 004117D3
_cexit.MSVCRT ref: 004117D9

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
String ID:
API String ID: 3662548030-0
Opcode ID: 41bf5769df4a83a18def14d6c53a8daf24d942208a748090405ecb1c565cbbc5
Instruction ID: d7daaed26df3896bd014a213398510a4c94beeaf1e1b2d32e797684dc565bfa8
Opcode Fuzzy Hash: 41bf5769df4a83a18def14d6c53a8daf24d942208a748090405ecb1c565cbbc5
Instruction Fuzzy Hash: 60416DB0D40218DFCB209FA4D984AED7BB4AB08314F24857BE661D72A1D77D99C2CB5C

Function 00410D1B Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 97
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00410D3C

Part of subcall function 00406734: strlen.MSVCRT ref: 00406736
Part of subcall function 00406734: strlen.MSVCRT ref: 00406741
Part of subcall function 00406734: strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Part of subcall function 0040EE59: memset.MSVCRT ref: 0040EEAE
Part of subcall function 0040EE59: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
Part of subcall function 0040EE59: strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

memset.MSVCRT ref: 00410DAA
memset.MSVCRT ref: 00410DC5

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 00410DFE
strlen.MSVCRT ref: 00410E0C
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?,?), ref: 00410E32

Strings

Software\Microsoft\Windows Live Mail, xrefs: 00410DDB
\Microsoft\Windows Mail, xrefs: 00410D5A
\Microsoft\Windows Live Mail, xrefs: 00410D81
Store Root, xrefs: 00410DD6

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strlen$Close$EnvironmentExpandStrings_stricmpstrcatstrcpy
String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
API String ID: 4071991895-2578778931
Opcode ID: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction ID: 656a87abbde68b626b6b67706479efffa51c3f1aad4b8967eb2d69b922da332e
Opcode Fuzzy Hash: 446d342accadaa8f5357ef9c7141ad4d55f165afb8774a5b515e9d11a0344459
Instruction Fuzzy Hash: 3D318DB2548348ABD324E799DC46FCB77DC9BC4318F04482FF649D7182E678D68487AA

Function 004037B1 Relevance: 12.1, APIs: 7, Strings: 1, Instructions: 86
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004037D2
memset.MSVCRT ref: 004037E6

Part of subcall function 00410F79: memset.MSVCRT ref: 00410F9B
Part of subcall function 00410F79: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

strchr.MSVCRT ref: 00403855
strcpy.MSVCRT(?,?,?,?,?), ref: 00403872
strlen.MSVCRT ref: 0040387E
sprintf.MSVCRT ref: 0040389E
strcpy.MSVCRT(?,?,?,?,?), ref: 004038B4

Strings

%s@yahoo.com, xrefs: 00403898

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpystrlen$Closememcpysprintfstrchr
String ID: %s@yahoo.com
API String ID: 1649821605-3288273942
Opcode ID: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction ID: 59c64947ec9ad5e5fa7ad27033647646f0aae9e06f6053b7dc62ef58ab254070
Opcode Fuzzy Hash: d756cc4bb234ca8bd2adb7c792dfa1259f1477984d05252a8ea6bc4bb60e6678
Instruction Fuzzy Hash: 592184B3D0412C6EDB21EB55DD41FDA77AC9F85308F0404EBB64DE6041E6B8AB848BA5

Function 004034CB Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004034EB
memset.MSVCRT ref: 00403501

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

strcpy.MSVCRT(00000000,00000000), ref: 0040353C

Part of subcall function 00405F1F: strlen.MSVCRT ref: 00405F20
Part of subcall function 00405F1F: strcat.MSVCRT(00000000,00413044,004062BF,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 00405F37

strcat.MSVCRT(00000000,fb.dat,00000000,00000000), ref: 00403554

Strings

Software\Group Mail, xrefs: 00403517
fb.dat, xrefs: 0040354E
InstallPath, xrefs: 00403512

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrcat$Closestrcpystrlen
String ID: InstallPath$Software\Group Mail$fb.dat
API String ID: 1387626053-966475738
Opcode ID: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction ID: 7ff2b4ee0b8a45595852750e2855a272ac8b2b1e575441dca18af6517dfb7442
Opcode Fuzzy Hash: b4206de9c90982f9c66f6cfc9dc9c0c880768121677d473e1c5bd2e45b33c8fe
Instruction Fuzzy Hash: 2E01FC72D8012C75D720E6669C46FDA766C8F64745F0004A6BA4AF20C2DAFCABD48B69

Function 0040754D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040724C: memset.MSVCRT ref: 004072AE
Part of subcall function 0040724C: memset.MSVCRT ref: 004072C2
Part of subcall function 0040724C: memset.MSVCRT ref: 004072DC
Part of subcall function 0040724C: memset.MSVCRT ref: 004072F1
Part of subcall function 0040724C: GetComputerNameA.KERNEL32(?,?), ref: 00407313
Part of subcall function 0040724C: GetUserNameA.ADVAPI32(?,?), ref: 00407327
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407346
Part of subcall function 0040724C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 0040735B
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407364
Part of subcall function 0040724C: strlen.MSVCRT ref: 00407373
Part of subcall function 0040724C: memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407385

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040759B

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 004075EC
RegCloseKey.ADVAPI32(?,?,?), ref: 0040762A
RegCloseKey.ADVAPI32(?), ref: 00407651

Strings

Software\Google\Google Talk\Accounts, xrefs: 0040756C

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ByteCharCloseMulusermeWidestrlen$ComputerEnumOpenUsermemcpy
String ID: Software\Google\Google Talk\Accounts
API String ID: 2959138223-1079885057
Opcode ID: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction ID: 125b9810afc719f5725a34431a69a8fbc80fc1372edd2e7206a69bc0ee1a9f38
Opcode Fuzzy Hash: a9382395aa04bc6a2dd49f4cc28a46152cbaa1b62cfbf9a84d5181dec9838710
Instruction Fuzzy Hash: 6A21887150820A6FD610EF51DC42DEBB7ECDF94344F00083AF945E1191E635D96D9BA7

Function 0040A5AC Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_mbsicmp.MSVCRT ref: 0040A5CD
qsort.MSVCRT ref: 0040A676
SetCursor.USER32(/nosort,?,0040BAC6), ref: 0040A684

Strings

/nosort, xrefs: 0040A62A
/sort, xrefs: 0040A5C8

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Cursor_mbsicmpqsort
String ID: /nosort$/sort
API String ID: 882979914-1578091866
Opcode ID: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction ID: 1813cf3d9500be1981e9bba0c11058464626672cad6922460886ab76c06e8bc1
Opcode Fuzzy Hash: 37bac6c9d6653dd70bdeecbb298df2510de2a0ce3a9ae5c3ad425128252b2c66
Instruction Fuzzy Hash: 4921B071304601EFC719AF75C880A99B7A9BF08314B10017EF429A7291CB39A9628B8A

Function 0040EE59 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040EDAC: LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,76F90A60,?,00000000), ref: 0040EDBA
Part of subcall function 0040EDAC: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

memset.MSVCRT ref: 0040EEAE
RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,00000104), ref: 0040EF17
strcpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 0040EF25

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 0040EEC9, 0040EED9

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressCloseLibraryLoadProcVersionmemsetstrcpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 181880968-2036018995
Opcode ID: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction ID: b4f7ca4f0d473bdd6f3573a0ab4a655380742daec172f7a18688454dd959f7ad
Opcode Fuzzy Hash: f36eb23c2dc7077338fc74569912d0170d623695a7104f0b3b9fc9f5b09292aa
Instruction Fuzzy Hash: D711D871800219FADB24A656DC89DEF77BCDB04309F1008B7F91572191D63D9FA886DD

Function 0040396C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MSNMessenger,00000000,00020019,?), ref: 004039C5

Part of subcall function 0040D5DB: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
Part of subcall function 0040D5DB: strlen.MSVCRT ref: 0040D6B7
Part of subcall function 0040D5DB: strcpy.MSVCRT(?,?), ref: 0040D6C8
Part of subcall function 0040D5DB: LocalFree.KERNEL32(?), ref: 0040D6D5

RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\MessengerService,00000000,00020019,?), ref: 004039F7

Strings

Software\Microsoft\MessengerService, xrefs: 004039F1
Software\Microsoft\MSNMessenger, xrefs: 004039BF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Openstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Software\Microsoft\MSNMessenger$Software\Microsoft\MessengerService
API String ID: 1910562259-1741179510
Opcode ID: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction ID: e1373b66f94ab8684edf5be4eb08dc620599410c0cc400d8dd4f2e2a864aae35
Opcode Fuzzy Hash: a042053f0881545de1053e7963e322542f87d6f2c27a3a690180a3307b8871c0
Instruction Fuzzy Hash: 4F11F6B1608345AEC320DF5188819ABBBEC9B84355F50893FF584A2081D338DA09CAAB

Function 0040EA72 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040EA9A

Part of subcall function 00406763: sprintf.MSVCRT ref: 0040679B
Part of subcall function 00406763: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 004067AE

WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 0040EABE
memset.MSVCRT ref: 0040EAD5
GetPrivateProfileStringA.KERNEL32(?,?,Function_00012466,?,00002000,?), ref: 0040EAF3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Writememcpysprintf
String ID:
API String ID: 3143880245-0
Opcode ID: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction ID: dd976746f5256500085d4a95e5c89bc7782f2e7a6919953fe2ebae93c0a04965
Opcode Fuzzy Hash: 55a900beb3324ae435e234628281be75478a67a5b39370e1d0f1c50bd7ccf1f7
Instruction Fuzzy Hash: 6F01A172800219BFEF12AF51DC89DDB3B79EF04344F0044A6B609A2062D6359A64CB68

Function 0040B785 Relevance: 6.1, APIs: 4, Instructions: 51windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040BA04), ref: 0040B7A3
??2@YAPAXI@Z.MSVCRT(00000F38,00000000,?,0040BA04), ref: 0040B7C1
DeleteObject.GDI32(?), ref: 0040B7FF
LoadIconA.USER32(00000065,00000000), ref: 0040B82E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$DeleteIconLoadObject
String ID:
API String ID: 1986663749-0
Opcode ID: 5f5a747c87eaa1aeb5cd63e0915bac848b59c27e35686337973b5baa3b83aa76
Instruction ID: 38da8263615bef274e7c21802c355ecfe582676222a25676d72b73c1d19d8401
Opcode Fuzzy Hash: 5f5a747c87eaa1aeb5cd63e0915bac848b59c27e35686337973b5baa3b83aa76
Instruction Fuzzy Hash: 8C1151B09056509BCF519F259C887C53BA4EB84B41F1804BBFD08EF3A6DBB845418BAC

Function 00411932 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 0041193C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041194C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041195C
??3@YAXPAX@Z.MSVCRT(?), ref: 0041196C

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction ID: d6dbe33ea61767d3fff50222484a645f5af73bc96bc71b3580d13e53834dfd00
Opcode Fuzzy Hash: 91c60f5c1f6e7dd8e91e3fe6036ebb2df298eb5d5c74a2e7dfa5f35f51adb5a0
Instruction Fuzzy Hash: E0E012B0319201A68E20AB7BBD40A9323AE2A44310354806FF206D2AB1DE38D8C0C63C

Function 0040787D Relevance: 5.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078A5
??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078C3
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078E1
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078F1

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: e7dbc0ef46db47a5b5499b4ecfc17c41b9b5310e7ca2ac67ab4a857369e887a1
Instruction ID: 98653883aa4781a1616f5f21c4e99a92f1a36013e955d8e4b32a99e29624f39b
Opcode Fuzzy Hash: e7dbc0ef46db47a5b5499b4ecfc17c41b9b5310e7ca2ac67ab4a857369e887a1
Instruction Fuzzy Hash: E6F012B1589210BFDB549B39ED067A53AB2A748394F10917EE207CA6F5FB7454408B4C

Function 004060FA Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00406116
memcpy.MSVCRT(00000000,00000000,00000000,00000000,76F90A60,00406B49,00000001,?,00000000,76F90A60,00406D88,00000000,?,?), ref: 0040612E
free.MSVCRT ref: 00406137

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction ID: d153bd7f556b54fa1e8e463c7175d954409fdcf13f6af5892cc53e784d19f72a
Opcode Fuzzy Hash: c16869745dd056c7ef743fb7ed117d9ff76353dfe782dc17f391ee5363500ee0
Instruction Fuzzy Hash: 9DF0E9726052219FC7089F79B98145BB3DDAF84324B11482FF546D7292D7389C50C798

Function 0040B8D7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00401E8B: memset.MSVCRT ref: 00401EAD
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401EC6
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401ED4
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F1A
Part of subcall function 00401E8B: strlen.MSVCRT ref: 00401F28

_stricmp.MSVCRT(/stext,00412466,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B92B

Strings

/stext, xrefs: 0040B926

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$_stricmpmemset
String ID: /stext
API String ID: 3575250601-3817206916
Opcode ID: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction ID: 7d69c3f5364ef88ad9e24340ba35af89a1d621815374fdce2acadc9eabf4c73c
Opcode Fuzzy Hash: ba91a629983a4474272755d1190fe0abc20447847f5b5280d74d03c064ef9f45
Instruction Fuzzy Hash: 45213EB1614111DFC35C9B29C881D65B3A8FB45314B1582BFF91AA7292C738ED518BCD

Function 00406252 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 00406270

Strings

Arial, xrefs: 0040625C

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFontIndirectmemsetstrcpy
String ID: Arial
API String ID: 3275230829-493054409
Opcode ID: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction ID: 9d865b7f43533acfebf3b00b6ce8d331e43bccbbf35dbaed0a6f3a0435680c9f
Opcode Fuzzy Hash: 7d2b7ca13242ecb95fba35a4d161325a02a1357963518cd5c2775a7b681f11d7
Instruction Fuzzy Hash: B3D0C970E4020D76E600BAA0FD07B897BAC5B00605F508421BA41F51E2FAE8A15586A9

Function 004047A0 Relevance: 3.0, APIs: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction ID: bd92e302f737a6b7e7c2aa8ed3bd721d1bcdfa8038008227cdd2def65d6b9a1b
Opcode Fuzzy Hash: cbabdfec5215e458202f737861f40a15f802b817f3ec498c61102a043c0cc1ea
Instruction Fuzzy Hash: F1F039B02007028BD7209F39D84879B77E8BF85700F00853EF266E3281EB78A951CB28

Function 0040EB0E Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 0040EB35

Part of subcall function 0040EA26: memset.MSVCRT ref: 0040EA44
Part of subcall function 0040EA26: _itoa.MSVCRT ref: 0040EA5B
Part of subcall function 0040EA26: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 0040EA6A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itoamemset
String ID:
API String ID: 4165544737-0
Opcode ID: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction ID: f55a197cdd86fa31c53d12907dd8f70643f2484b8232c3448506387801693677
Opcode Fuzzy Hash: 41fbf1d09f89329d89d85b9c1c83700b09fa1e2b362e37a4bb4b326ca53279f5
Instruction Fuzzy Hash: F2E0B632000109FBCF125F95EC01AAA7F76FF08314F148869FD5855161D332A570EF55

Function 004047F1 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?), ref: 00404806

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction ID: 9a892a7b4d94419058e15305363ecf1fbcdc16662e35282e5c511663eadef616
Opcode Fuzzy Hash: 44cb22c5a6e339dc322f31723d6313ec8e4e2f7ef4db3de4f35608b5b7650eec
Instruction Fuzzy Hash: 90D012721003118FD7705F14EC0CBE133E8AF40312F2584B8EA55E7155C3749584CA58

Function 00405EE4 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,00000000,00000000,00409B54,00000000,00000000,00000000,00412466,00412466,?,0040B99D,00412466), ref: 00405EF6

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction ID: 5973f86ffe51395cbbea2b6db375788de2bc2c82441068c359f9d196895a4387
Opcode Fuzzy Hash: 5f03ab8047931506169ca7aa38a5df993ced9b6cd9a6d4ef42b8e6b291ce57f8
Instruction Fuzzy Hash: F7C092B0290201BEFF208A10AD0AF77295DE780700F10C4207A00E40E0D2A14C109A24

Function 0040E894 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,0040E8C8,?,?,?,?,?,?,0040421D), ref: 0040E8A0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction ID: 5028da6d49437ecb3f89885db84a6a431b650c8c1a4919c17fb61c23058b4b99
Opcode Fuzzy Hash: 4be415d56670eca266e1e771d593f986771612930e6043792484bc2d1f3df44a
Instruction Fuzzy Hash: 80C04C31110B018FE7219B12C949753B7E4BF00317F44C868955BD58A4D77CE4A4CE18

Function 0040ED91 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesA.KERNEL32(?,?,0040ED0B,00000000), ref: 0040EDA0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction ID: b68387c5c0e4344f5c23b4f6c0320e636f75da40900f583e81955e3ef688938f
Opcode Fuzzy Hash: 8d1524d9c285d25282b74650c2e98e28a06c4412789f7c986a027f2826179987
Instruction Fuzzy Hash: 11C09B31594342D7C7119F109D09F1B7A95FF58701F158C3D7251D40E0C7614034D605

Function 00406F5B Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00406E75,?,?,00000000,rA,00410C7E,*.oeaccount,rA,?,00000104), ref: 00406F65

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction ID: b31b0b49456476ea20311e3f3804ac2d10f8d6de1d59c17087b16cfdac6e9e38
Opcode Fuzzy Hash: 29a0a411e84d7c5badd8bde6db7469c3766740cb6e366e0fff699bb7c3a5e544
Instruction Fuzzy Hash: 67C048351145029AD22C9B38AA5942A77A2AA493303B50B6CB1F3D20E0E77884628A04

Function 0040614B Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction ID: f3b66c96cd424dd7ad3beae2567feb80d20b4231abd0f1b127a655f441aacc1c
Opcode Fuzzy Hash: e54bea251bae5a778522ddcd773e5ba5f40eb5ac82a352d16be9d7832b5142d7
Instruction Fuzzy Hash: CAB012752100005BCB0807349D4608E75505F45631720873CB033D00F0D730CC71BB01

Function 0040EB3F Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction ID: fbac0a3e3d82dbf35b582ab386aad6bc4faf60f338d600bbfef3ad5534bed626
Opcode Fuzzy Hash: b46f2f1118fe08c26f7697601471cbdaa0b1b95653fa9af9082cd2e3fcf7fc30
Instruction Fuzzy Hash: 60C09B35544301BFDE118F40EE05F09BF62BB88B01F104814B394740B1C3718424FB17

Non-executed Functions

Function 0040F64B Relevance: 56.1, APIs: 20, Strings: 12, Instructions: 127libraryloaderstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F674
strcpy.MSVCRT(?,?,?,?,00000000), ref: 0040F68B
memset.MSVCRT ref: 0040F6B8
strcpy.MSVCRT(?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6CB
strcat.MSVCRT(?,\sqlite3.dll,?,?,?,00000000,00000104,?,?,00000000), ref: 0040F6DC
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F702
strcat.MSVCRT(?,\mozsqlite3.dll,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F713
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F722
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F739
GetModuleHandleA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F747
LoadLibraryA.KERNEL32(sqlite3.dll,?,?,00000000), ref: 0040F755
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 0040F775
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 0040F781
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 0040F78E
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 0040F79B
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 0040F7A8
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 0040F7B5
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 0040F7C2
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 0040F7CF
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 0040F7DC

Strings

\sqlite3.dll, xrefs: 0040F6D6
sqlite3_column_text, xrefs: 0040F790
sqlite3_step, xrefs: 0040F783
sqlite3_open, xrefs: 0040F76F
sqlite3_finalize, xrefs: 0040F7B7
sqlite3_column_int, xrefs: 0040F79D
sqlite3_column_int64, xrefs: 0040F7AA
\mozsqlite3.dll, xrefs: 0040F70D
sqlite3_close, xrefs: 0040F7C4
sqlite3.dll, xrefs: 0040F741, 0040F746, 0040F754
sqlite3_prepare, xrefs: 0040F777
sqlite3_exec, xrefs: 0040F7D1

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$strcpy$HandleLibraryLoadModulememsetstrcat
String ID: \mozsqlite3.dll$\sqlite3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 3567885941-2042458128
Opcode ID: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction ID: 8fd3bcd04759d815ffa5d5b817f34976dc276f641444eb2ebd63b60ef60fef8a
Opcode Fuzzy Hash: bd0ce2e375925359ec1219c205f3dbe1c8e580fb1eb91f69f3ac3bcbec633a35
Instruction Fuzzy Hash: C9416571940308AACB30AF718D85DCBBBF9AB58705F10497BE246E3550E778E685CF58

Function 00402D9A Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 153stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

strcpy.MSVCRT(?,?), ref: 00402EB1
strcpy.MSVCRT(?,?,?,?), ref: 00402EC4
strcpy.MSVCRT(?,?), ref: 00402F51
strcpy.MSVCRT(?,?,?,?), ref: 00402F5E
RegCloseKey.ADVAPI32(?), ref: 00402FB8

Strings

PopPassword, xrefs: 00402E8B
PopServer, xrefs: 00402E4C
SMTPServer, xrefs: 00402EE6
SMTPAccount, xrefs: 00402ED0
PopAccount, xrefs: 00402E36
SMTPPassword, xrefs: 00402F2B
SMTPLogSecure, xrefs: 00402F10
PopLogSecure, xrefs: 00402E70
PopPort, xrefs: 00402E5F
DisplayName, xrefs: 00402DF3
EmailAddress, xrefs: 00402E20
SMTPPort, xrefs: 00402EFC

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$QueryValue$CloseOpen
String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
API String ID: 4127491968-1534328989
Opcode ID: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction ID: 43883d4594eb94b0077ee0611f04b7cce421852a2964d1822423da303833eb9e
Opcode Fuzzy Hash: 230cedb7557afc89ff87b7a07133d539cd397bf30d1a568f7adca2b7a7a96a6c
Instruction Fuzzy Hash: 5D514AB1A0021CBADB11EB56CD41FDE777CAF04354F1084A7BA08B2191D7B8ABA5CF58

Function 00405FC6 Relevance: 16.6, APIs: 11, Instructions: 58clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00405FD0

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000), ref: 00405FED
GlobalAlloc.KERNEL32(00002000,00000001), ref: 00405FFE
GlobalLock.KERNEL32(00000000), ref: 0040600B
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040601E
GlobalUnlock.KERNEL32(00000000), ref: 0040602D
SetClipboardData.USER32(00000001,00000000), ref: 00406036
GetLastError.KERNEL32 ref: 0040603E
CloseHandle.KERNEL32(?), ref: 0040604A
GetLastError.KERNEL32 ref: 00406055
CloseClipboard.USER32 ref: 0040605E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction ID: 732aa9399b2cd23c9d945101f46e029b0eae2bee8c87a14991e63b5ea8a72c25
Opcode Fuzzy Hash: 5804eb7593f705abb245538e10f585bb03ca14e3a9190401cfadc2aaba18f8ee
Instruction Fuzzy Hash: 6A113371900205FBDB109BB4DE4DBDE7F78EB08351F118176F606E1190DBB48A20DB69

Function 00406069 Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemorystringCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00406071
strlen.MSVCRT ref: 0040607E
GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040AEA7,?), ref: 0040608D
GlobalLock.KERNEL32(00000000), ref: 0040609A
memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040AEA7,?), ref: 004060A3
GlobalUnlock.KERNEL32(00000000), ref: 004060AC
SetClipboardData.USER32(00000001,00000000), ref: 004060B5
CloseClipboard.USER32 ref: 004060C5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
String ID:
API String ID: 3116012682-0
Opcode ID: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction ID: 7816216ade6a299d8ea944e6e9fe2aa84d769726faeb140b6a28ec5125b6acba
Opcode Fuzzy Hash: e5bd8c8a43ca7d2c4db01fa4e1da57243b9996234b951f9bb1286513fb8d9efd
Instruction Fuzzy Hash: 0DF0B4375402296BC3102BA0AD4CEDB7B6CEBC8B557028139FB0AD3151EA78592487B9

Function 0040AC8A Relevance: 9.1, APIs: 6, Instructions: 54fileclipboardCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000104,?), ref: 0040ACA4
GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040ACB6
GetTempFileNameA.KERNEL32(?,0041341C,00000000,?), ref: 0040ACD8
OpenClipboard.USER32(?), ref: 0040ACF8
GetLastError.KERNEL32 ref: 0040AD11
DeleteFileA.KERNEL32(00000000), ref: 0040AD2E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
String ID:
API String ID: 2014771361-0
Opcode ID: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction ID: 1632bef886f39339d389646b63a05c30f7573d4ca20e624e383ab74febbb07e7
Opcode Fuzzy Hash: 04f759ef316dfc5a7bfb4e8c49b84bbeab9ff02a57951bdc03c1b9a7e5f51390
Instruction Fuzzy Hash: E0118272504318ABDB209B60DD49FDB77BC9F14701F0001B6F689E2091DBB8DAD4CB29

Function 004033D7 Relevance: 7.6, Strings: 6, Instructions: 61COMMON

Download Yara Rule

Strings

ESMTPUsername, xrefs: 0040342F
POP3Server, xrefs: 00403453
SMTPServer, xrefs: 00403413
POP3Password, xrefs: 00403477
POP3Username, xrefs: 00403465
ESMTPPassword, xrefs: 00403441

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString_mbscmpstrlen
String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
API String ID: 3963849919-1658304561
Opcode ID: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction ID: 83b6c818750e3233ea62b9214f8e154f1c79117fabd3a6fe6fd9d90b5f1d4615
Opcode Fuzzy Hash: a1e27bd18c60c19633001e89eabf5a28a20170ba59de575fff79d49308c97fe4
Instruction Fuzzy Hash: DA21E271844218A9DB61EB11CD86BED7B7C9F44709F0000EBAA08B60D2DBBC5BD58F59

Function 00406278 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
Instruction ID: e834d2f23b9aa43ef3af26d4b93615f57df44b07edf01049b3dc0679de2eed13
Opcode Fuzzy Hash: 0048191c24760b141b6f0d3a59878a03bd3f353eaae137afec5afafb810283da
Instruction Fuzzy Hash: 7DC08C34548220BBC3105F28BC09BC136B8AB0A3A2F01C876E904E6352C3B80C41CBEC

Function 0040F808 Relevance: 189.3, APIs: 8, Strings: 100, Instructions: 307stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040FC27
strncmp.MSVCRT ref: 0040FC37
memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 0040FCB3
atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0040FCC4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040FCF0

Strings

shy;, xrefs: 0040F8CD
Acirc;, xrefs: 0040F99F
amp;, xrefs: 0040F813
ordm;, xrefs: 0040F94F
agrave;, xrefs: 0040FACB
eacute;, xrefs: 0040FB32
Iacute;, xrefs: 0040FA0D
Ograve;, xrefs: 0040FA3F
ouml;, xrefs: 0040FBB1
sup2;, xrefs: 0040F8FF
frac14;, xrefs: 0040F963
cent;, xrefs: 0040F85F
frac34;, xrefs: 0040F977
micro;, xrefs: 0040F91D
reg;, xrefs: 0040F8D7
auml;, xrefs: 0040FB00
curren;, xrefs: 0040F873
Uacute;, xrefs: 0040FA8F
yacute;, xrefs: 0040FBE2
THORN;, xrefs: 0040FAB7
apos;, xrefs: 0040F836
Auml;, xrefs: 0040F9B3
otilde;, xrefs: 0040FBAA
Aring;, xrefs: 0040F9BD
brvbar;, xrefs: 0040F887
szlig;, xrefs: 0040FAC1
aacute;, xrefs: 0040FAD5
Igrave;, xrefs: 0040FA03
Icirc;, xrefs: 0040FA17
Otilde;, xrefs: 0040FA5D
euml;, xrefs: 0040FB46
Atilde;, xrefs: 0040F9A9
quot;, xrefs: 0040F828
sup3;, xrefs: 0040F909
ucirc;, xrefs: 0040FBD4
eth;, xrefs: 0040FB78
yen;, xrefs: 0040F87D
iacute;, xrefs: 0040FB5A
uuml;, xrefs: 0040FBDB
Ocirc;, xrefs: 0040FA53
ocirc;, xrefs: 0040FBA0
Uuml;, xrefs: 0040FAA3
iexcl;, xrefs: 0040F855
iuml;, xrefs: 0040FB6E
Yacute;, xrefs: 0040FAAD
oacute;, xrefs: 0040FB96
nbsp;, xrefs: 0040F82F
oslash;, xrefs: 0040FBBF
frac12;, xrefs: 0040F96D
AElig;, xrefs: 0040F9C7
icirc;, xrefs: 0040FB64
Egrave;, xrefs: 0040F9DB
sup1;, xrefs: 0040F945
Ugrave;, xrefs: 0040FA85
Ucirc;, xrefs: 0040FA99
Eacute;, xrefs: 0040F9E5
ntilde;, xrefs: 0040FB82
Ccedil;, xrefs: 0040F9D1
Euml;, xrefs: 0040F9F9
aring;, xrefs: 0040FB0A
uml;, xrefs: 0040F89B
Agrave;, xrefs: 0040F98B
Ouml;, xrefs: 0040FA67
yuml;, xrefs: 0040FBF0
thorn;, xrefs: 0040FBE9
Aacute;, xrefs: 0040F995
ccedil;, xrefs: 0040FB1E
macr;, xrefs: 0040F8E1
laquo;, xrefs: 0040F8B9
middot;, xrefs: 0040F931
copy;, xrefs: 0040F8A5
uacute;, xrefs: 0040FBCD
divide;, xrefs: 0040FBB8
igrave;, xrefs: 0040FB50
acirc;, xrefs: 0040FADF
atilde;, xrefs: 0040FAE9
ETH;, xrefs: 0040FA2B
raquo;, xrefs: 0040F959
Iuml;, xrefs: 0040FA21
Ntilde;, xrefs: 0040FA35
ograve;, xrefs: 0040FB8C
lt;, xrefs: 0040F81A
cedil;, xrefs: 0040F93B
sect;, xrefs: 0040F891
para;, xrefs: 0040F927
ecirc;, xrefs: 0040FB3C
ugrave;, xrefs: 0040FBC6
egrave;, xrefs: 0040FB28
plusmn;, xrefs: 0040F8F5
deg;, xrefs: 0040F8EB
Ecirc;, xrefs: 0040F9EF
times;, xrefs: 0040FA71
aelig;, xrefs: 0040FB14
gt;, xrefs: 0040F821
not;, xrefs: 0040F8C3
Oslash;, xrefs: 0040FA7B
iquest;, xrefs: 0040F981
acute;, xrefs: 0040F913
ordf;, xrefs: 0040F8AF
Oacute;, xrefs: 0040FA49

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
API String ID: 1895597112-3255492765
Opcode ID: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction ID: 7b61ab7fda62f62168f3ac6a9ee0746413b6f8a7e258cbbb94e4f4552fbd63bc
Opcode Fuzzy Hash: e32dadd6ea65d4380dfb3bd6d4dee2632db13c381429c7de7dc985ffcf152ca1
Instruction Fuzzy Hash: 49F139B08012589EDB21CF95D8487DEBFB0AF96308F5481EAD5593B241C7B94BC9CF98

Function 004106BE Relevance: 80.8, APIs: 23, Strings: 23, Instructions: 309stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 004106D0
strcmp.MSVCRT ref: 0041071C
strcmp.MSVCRT ref: 00410745
strcmp.MSVCRT ref: 0041076E
strcmp.MSVCRT ref: 00410797
strcmp.MSVCRT ref: 004107C0
strcmp.MSVCRT ref: 004107F3
strcmp.MSVCRT ref: 00410826
strcmp.MSVCRT ref: 0041088C
strcmp.MSVCRT ref: 004108B5
strcmp.MSVCRT ref: 004108DE
strcmp.MSVCRT ref: 00410907
strcmp.MSVCRT ref: 00410930
strcmp.MSVCRT ref: 00410959
strcmp.MSVCRT ref: 00410859

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

_stricmp.MSVCRT(?,SMTP_Port), ref: 004109A0
_stricmp.MSVCRT(?,NNTP_Port), ref: 004109C9
_stricmp.MSVCRT(?,IMAP_Port), ref: 004109DA
_stricmp.MSVCRT(?,POP3_Port), ref: 004109EB
_stricmp.MSVCRT(?,SMTP_Secure_Connection), ref: 00410A14
_stricmp.MSVCRT(?,NNTP_Secure_Connection), ref: 00410A3D
_stricmp.MSVCRT(?,IMAP_Secure_Connection), ref: 00410A4E
_stricmp.MSVCRT(?,POP3_Secure_Connection), ref: 00410A5F

Strings

IMAP_Password2, xrefs: 004108AF
NNTP_Secure_Connection, xrefs: 00410A37
POP3_Secure_Connection, xrefs: 00410A59
NNTP_Password2, xrefs: 004108D8
NNTP_Email_Address, xrefs: 0041092A
NNTP_Port, xrefs: 004109C3
SMTP_Secure_Connection, xrefs: 00410A0E
IMAP_User_Name, xrefs: 004107ED
NNTP_User_Name, xrefs: 00410820
NNTP_Server, xrefs: 00410768
POP3_Password2, xrefs: 00410886
IMAP_Server, xrefs: 0041073F
IMAP_Secure_Connection, xrefs: 00410A48
POP3_Server, xrefs: 00410710
SMTP_Port, xrefs: 00410994
SMTP_Email_Address, xrefs: 00410953
IMAP_Port, xrefs: 004109D4
Account_Name, xrefs: 004106CA
SMTP_User_Name, xrefs: 00410853
SMTP_Password2, xrefs: 00410901
POP3_User_Name, xrefs: 004107BA
POP3_Port, xrefs: 004109E5
SMTP_Server, xrefs: 00410791

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcmp$_stricmp$memcpystrlen
String ID: Account_Name$IMAP_Password2$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP_Email_Address$NNTP_Password2$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3_Password2$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP_Email_Address$SMTP_Password2$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
API String ID: 1113949926-2499304436
Opcode ID: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction ID: 03d5d7842382467f3947e80262f6a1f2e973b0058f56c731c8fd5b97bb90a946
Opcode Fuzzy Hash: 0c75f3a23bfcbdff00a9aa801863508d09b02361048c6915a7d59a784447564f
Instruction Fuzzy Hash: D391517220870569E624B7329C02FD773E8AF9032DF21052FF55BE61D2EEADB981465C

Function 0040C7CF Relevance: 61.5, APIs: 21, Strings: 14, Instructions: 232stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C7F4
strlen.MSVCRT ref: 0040C7FF
strncmp.MSVCRT ref: 0040C80C
_stricmp.MSVCRT(00000000,server), ref: 0040C849
_stricmp.MSVCRT(00000000,identities), ref: 0040C86B
strlen.MSVCRT ref: 0040C88B
strncmp.MSVCRT ref: 0040C898
_stricmp.MSVCRT(00000000,username,00000000), ref: 0040C8E1
_stricmp.MSVCRT(00000000,type,00000000), ref: 0040C903
_stricmp.MSVCRT(00000000,hostname,00000000), ref: 0040C925
_stricmp.MSVCRT(00000000,port,00000000), ref: 0040C947
atoi.MSVCRT(?,00000000), ref: 0040C955

Part of subcall function 0040C748: memset.MSVCRT ref: 0040C77E
Part of subcall function 0040C748: memcpy.MSVCRT(00000000,?,00000000), ref: 0040C7A0
Part of subcall function 0040C748: atoi.MSVCRT(00000000,00000000,?,00000000), ref: 0040C7B4

_stricmp.MSVCRT(00000000,useSecAuth,00000000), ref: 0040C969
_stricmp.MSVCRT(?,true,00000000), ref: 0040C97C
strlen.MSVCRT ref: 0040C997
strncmp.MSVCRT ref: 0040C9A4
_stricmp.MSVCRT(00000000,useremail,00000000), ref: 0040C9E9
_stricmp.MSVCRT(00000000,fullname,00000000), ref: 0040CA0B
_stricmp.MSVCRT(?,signon.signonfilename), ref: 0040CA2A
strlen.MSVCRT ref: 0040CA45
strlen.MSVCRT ref: 0040CA4F

Strings

mail.identity, xrefs: 0040C991, 0040C996, 0040C99F
mail.account.account, xrefs: 0040C7F9, 0040C807
username, xrefs: 0040C8D7
mail.server, xrefs: 0040C885, 0040C88A, 0040C893
useSecAuth, xrefs: 0040C961
fullname, xrefs: 0040CA03
signon.signonfilename, xrefs: 0040CA22
useremail, xrefs: 0040C9DF
true, xrefs: 0040C974
port, xrefs: 0040C93F
server, xrefs: 0040C83F
type, xrefs: 0040C8FB
hostname, xrefs: 0040C91D
identities, xrefs: 0040C863

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp$strlen$strncmp$atoimemset$memcpy
String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$port$server$signon.signonfilename$true$type$useSecAuth$useremail$username
API String ID: 736090197-593045482
Opcode ID: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction ID: 8e23c8f9271997a3be880b93158be8956f510041fead3e1da2e0ecaa9a645c54
Opcode Fuzzy Hash: fa6975b133b13f5067aa23c0df6e7e68559b1782356a0831ed68d1fdd542dc29
Instruction Fuzzy Hash: E271C972504204FADF10EB65CC42BDE77A6DF50329F20426BF506B21E1EB79AF819A5C

Function 0040E4A4 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 264stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0040E4D1
GetDlgItem.USER32(?,000003E8), ref: 0040E4DD
GetWindowLongA.USER32(00000000,000000F0), ref: 0040E4EC
GetWindowLongA.USER32(?,000000F0), ref: 0040E4F8
GetWindowLongA.USER32(00000000,000000EC), ref: 0040E501
GetWindowLongA.USER32(?,000000EC), ref: 0040E50D
GetWindowRect.USER32(00000000,?), ref: 0040E51F
GetWindowRect.USER32(?,?), ref: 0040E52A
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E53E
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E54C
GetDC.USER32 ref: 0040E585
strlen.MSVCRT ref: 0040E5C5
GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 0040E5D6
ReleaseDC.USER32(?,?), ref: 0040E623
sprintf.MSVCRT ref: 0040E6E3
SetWindowTextA.USER32(?,?), ref: 0040E6F7
SetWindowTextA.USER32(?,00000000), ref: 0040E715
GetDlgItem.USER32(?,00000001), ref: 0040E74B
GetWindowRect.USER32(00000000,?), ref: 0040E75B
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040E769
GetClientRect.USER32(?,?), ref: 0040E780
GetWindowRect.USER32(?,?), ref: 0040E78A
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0040E7D0
GetClientRect.USER32(?,?), ref: 0040E7DA
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0040E812

Strings

STATIC, xrefs: 0040E687
EDIT, xrefs: 0040E6BE
%s:, xrefs: 0040E6DD

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
String ID: %s:$EDIT$STATIC
API String ID: 1703216249-3046471546
Opcode ID: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction ID: 2f6da9a5868e125b8128a3bf626dfa5428397bb468519cd7ccc35e9b597c58da
Opcode Fuzzy Hash: 63f961038f13364f7976eadaedf26f00b3f2f6ee041d7cedeb7d286e156d3b6f
Instruction Fuzzy Hash: C9B1DE71108341AFD710DFA8C985A6BBBE9FF88704F008A2DF699D2260D775E814CF16

Function 004010E5 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 0040113D
ChildWindowFromPoint.USER32(?,?,?), ref: 0040114F
GetDlgItem.USER32(?,000003EE), ref: 00401184
ChildWindowFromPoint.USER32(?,?,?), ref: 00401191
GetDlgItem.USER32(?,000003EC), ref: 004011BF
ChildWindowFromPoint.USER32(?,?,?), ref: 004011D1
LoadCursorA.USER32(00000067), ref: 004011E0
SetCursor.USER32(00000000,?,?), ref: 004011E7
GetDlgItem.USER32(?,000003EE), ref: 00401207
ChildWindowFromPoint.USER32(?,?,?), ref: 00401214
GetDlgItem.USER32(?,000003EC), ref: 0040122E
SetBkMode.GDI32(?,00000001), ref: 0040123A
SetTextColor.GDI32(?,00C00000), ref: 00401248
GetSysColorBrush.USER32(0000000F), ref: 00401250
GetDlgItem.USER32(?,000003EE), ref: 00401270
EndDialog.USER32(?,00000001), ref: 0040129B
DeleteObject.GDI32(?), ref: 004012A7
GetDlgItem.USER32(?,000003ED), ref: 004012CB
ShowWindow.USER32(00000000), ref: 004012D4
GetDlgItem.USER32(?,000003EE), ref: 004012E0
ShowWindow.USER32(00000000), ref: 004012E3
SetDlgItemTextA.USER32(?,000003EE,00417348), ref: 004012F4
SetWindowTextA.USER32(?,Mail PassView), ref: 00401302
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040131A
SetDlgItemTextA.USER32(?,000003EC,?), ref: 0040132B

Strings

Mail PassView, xrefs: 004012FA

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObject
String ID: Mail PassView
API String ID: 3628558512-272225179
Opcode ID: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction ID: a5e01e197ecdabf9e6bdb75eaf1794657044b10619e6b9182d208ef804a260cb
Opcode Fuzzy Hash: 8369354600cb7b80dd2c736e043661f8d54616cc87117d1ac6397b61caa72165
Instruction Fuzzy Hash: 68518130044248BFEB259F60DE85EAE7BB5EB04700F10853AFA56E65F0C7759D61EB08

Function 0040CE28 Relevance: 42.3, APIs: 21, Strings: 3, Instructions: 311stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF0F
Part of subcall function 0040DEEE: GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
Part of subcall function 0040DEEE: SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
Part of subcall function 0040DEEE: memset.MSVCRT ref: 0040DF62
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF6C
Part of subcall function 0040DEEE: strlen.MSVCRT ref: 0040DF7A
Part of subcall function 0040DEEE: GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
Part of subcall function 0040DEEE: LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
Part of subcall function 0040DEEE: GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038

memset.MSVCRT ref: 0040CEA6
memset.MSVCRT ref: 0040CEBF
MultiByteToWideChar.KERNEL32(00000000,00000000,0040D314,000000FF,?,00000104,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CED6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040CEF5
memset.MSVCRT ref: 0040CF68
memset.MSVCRT ref: 0040CF7A
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040CFED
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D003
strcpy.MSVCRT(?,00000000,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D019
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D02F
strcpy.MSVCRT(?,?,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D045
strcpy.MSVCRT(?,0040D314,0040D314,00000002,0040D314,00000005,0040D314,00000004,0040D314,00000007,0040D314,00000006,0040D314,00000001), ref: 0040D05B
memset.MSVCRT ref: 0040D076
memset.MSVCRT ref: 0040D08A
memset.MSVCRT ref: 0040D0ED
memset.MSVCRT ref: 0040D101
sprintf.MSVCRT ref: 0040D119
sprintf.MSVCRT ref: 0040D12B
_stricmp.MSVCRT(?,?,?,imap://%s,00000104,?,mailbox://%s,00000104,?,00000000,00000261,?,00000000,00000261,?,?), ref: 0040D13E
_stricmp.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040D158
SetCurrentDirectoryA.KERNEL32(?,?,?,?,00000000,?,0040D314,?,00000000,?,?,?), ref: 0040D1DD

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 0040CF2B
mailbox://%s, xrefs: 0040D113
imap://%s, xrefs: 0040D125

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$AddressProcstrcpy$CurrentDirectory$ByteCharLibraryLoadMultiWide_stricmpsprintfstrlen$HandleModule
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins$imap://%s$mailbox://%s
API String ID: 4276617627-3913509535
Opcode ID: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction ID: 531ad7aca3640aed267cd003a13377454315b37e4b42da830508d09ae9ff7478
Opcode Fuzzy Hash: 93cdc50bd840dfc44d83282a7c9c7e4a4c6f33fe3d7da29804190475922260c9
Instruction Fuzzy Hash: 58B10A72C00219ABDB20EFA5CC819DEB7BDEF04315F1445BBE619B2191DB38AB858F54

Function 0040A774 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 285windowregistrystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407BB9: LoadMenuA.USER32(00000000), ref: 00407BC1
Part of subcall function 00407BB9: sprintf.MSVCRT ref: 00407BE4

SetMenu.USER32(?,00000000), ref: 0040A8A7
#6.COMCTL32(50000000,Function_00012466,?,00000101), ref: 0040A8C2
SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040A8DA
LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040A8F0
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000007,00000000,00000000,?,00000008,00000010,00000010,00000070,00000010,00000014), ref: 0040A91A
CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040A950
LoadIconA.USER32(00000066,00000000), ref: 0040A9BF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 0040A9CD
_stricmp.MSVCRT(Function_00012466,/noloadsettings), ref: 0040AA17
RegDeleteKeyA.ADVAPI32(80000001,Software\NirSoft\MailPassView), ref: 0040AA2C
SetFocus.USER32(?,00000000), ref: 0040AA52
GetFileAttributesA.KERNEL32(00417660), ref: 0040AA6B
GetTempPathA.KERNEL32(00000104,00417660), ref: 0040AA7B
strlen.MSVCRT ref: 0040AA82
strlen.MSVCRT ref: 0040AA90
RegisterWindowMessageA.USER32(commdlg_FindReplace,?,00000001), ref: 0040AAEC

Part of subcall function 00404925: strlen.MSVCRT ref: 00404942
Part of subcall function 00404925: SendMessageA.USER32(00000000,0000101B,00000000,?), ref: 00404966

SendMessageA.USER32(?,00000404,00000002,?), ref: 0040AB37
SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040AB4A

Strings

commdlg_FindReplace, xrefs: 0040AAE7
SysListView32, xrefs: 0040A94A
`vA, xrefs: 0040AA5E
Software\NirSoft\MailPassView, xrefs: 0040AA22
report.html, xrefs: 0040AA89, 0040AAA1
/noloadsettings, xrefs: 0040AA11

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Send$Loadstrlen$CreateIconImageMenuWindow$AttributesDeleteFileFocusList_PathRegisterReplaceTempToolbar_stricmpsprintf
String ID: /noloadsettings$Software\NirSoft\MailPassView$SysListView32$`vA$commdlg_FindReplace$report.html
API String ID: 873469642-860065374
Opcode ID: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction ID: ca2bded9840d9beafebaacef77bacb5142d556b3fd29cdc4ce09694084a06bb6
Opcode Fuzzy Hash: a4e7fbf76496b0a5143eb8d44d5c426d23ad41d46f34e9c279854c8240868147
Instruction Fuzzy Hash: 82B12271644388FFEB16CF74CC45BDABBA5BF14304F00406AFA44A7292C7B5A954CB5A

Function 0040DB39 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 220windowstringCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040DB81
GetDlgItem.USER32(?,000003EA), ref: 0040DB99
SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040DBB8
SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040DBC5
SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040DBCE
memset.MSVCRT ref: 0040DBF6
memset.MSVCRT ref: 0040DC16
memset.MSVCRT ref: 0040DC34
memset.MSVCRT ref: 0040DC4D
memset.MSVCRT ref: 0040DC6B
memset.MSVCRT ref: 0040DC84
GetCurrentProcess.KERNEL32 ref: 0040DC8C
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040DCB1
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040DCE7
memset.MSVCRT ref: 0040DD3E
GetCurrentProcessId.KERNEL32 ref: 0040DD4C
memcpy.MSVCRT(?,00416FF0,00000118), ref: 0040DD7B
strcpy.MSVCRT(?,00000000), ref: 0040DD9D
sprintf.MSVCRT ref: 0040DE08
SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040DE21
GetDlgItem.USER32(?,000003EA), ref: 0040DE2B
SetFocus.USER32(00000000), ref: 0040DE32

Strings

{Unknown}, xrefs: 0040DBFB
Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040DE02

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusTextmemcpysprintfstrcpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
API String ID: 138940113-3474136107
Opcode ID: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction ID: 36e6f19d437acde9dae1843bd1f228cb1d7049f577ea92cd8b51c55dddb48a69
Opcode Fuzzy Hash: a83a35a4c36da605d140adb83b4774888d9d4a076b757738f8a3eb1b01500df5
Instruction Fuzzy Hash: 6D711C72844244BFD721EF51DC41EEB3BEDEF94344F00843EF649921A0DA399A58CBA9

Function 0040DEEE Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 113libraryloaderstringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040DF0F
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,00000000), ref: 0040DF3E
SetCurrentDirectoryA.KERNEL32(00000000,?,?,00000000), ref: 0040DF4B
memset.MSVCRT ref: 0040DF62
strlen.MSVCRT ref: 0040DF6C
strlen.MSVCRT ref: 0040DF7A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,00000000), ref: 0040DFB3
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFCF
LoadLibraryExA.KERNEL32(00000000,00000000,00000008,?,?,?,?,?,?,?,00000000), ref: 0040DFE7
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040DFFC
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040E008
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040E014
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040E020
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040E02C
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040E038
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040E044

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

Strings

PK11_FreeSlot, xrefs: 0040E016
nss3.dll, xrefs: 0040DF67, 0040DF90
PK11_Authenticate, xrefs: 0040E02E
NSS_Init, xrefs: 0040DFF5
PK11_CheckUserPassword, xrefs: 0040E022
NSS_Shutdown, xrefs: 0040DFFE
PK11_GetInternalKeySlot, xrefs: 0040E00A
PK11SDR_Decrypt, xrefs: 0040E03A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$strlen$CurrentDirectoryLibraryLoadmemset$HandleModulememcpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 1296682400-4029219660
Opcode ID: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction ID: fea3831f464983b0eef39fbf9020f470c327cc413978f8e1f023dd725517e53d
Opcode Fuzzy Hash: bee48e1ba3e59cf5a7585e4159a10cf2e8eb6bd81037002e4d6a425fcc2e4864
Instruction Fuzzy Hash: 2A4187B1940309AACB20AF75CC49FC6BBF8AF64704F10496AE185E2191E7B996D4CF58

Function 00402606 Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 127stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004026AE

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

strcpy.MSVCRT(?,?,?,?,?,76DBEB20,?,00000000), ref: 004026EC
strcpy.MSVCRT(?,?), ref: 004027A9

Strings

SMTP Email Address, xrefs: 00402736
POP3 Secure Connection, xrefs: 00402684
POP3 User Name, xrefs: 00402614
POP3 Password2, xrefs: 0040264C
HTTPMail Port, xrefs: 00402676
SMTP Password2, xrefs: 00402661
SMTP USer Name, xrefs: 00402629
IMAP Port, xrefs: 0040266F
HTTPMail Password2, xrefs: 0040265A
SMTP Server, xrefs: 00402645, 00402753
HTTPMail Secure Connection, xrefs: 00402692
HTTPMail Server, xrefs: 0040263E
IMAP User Name, xrefs: 0040261B
HTTPMail User Name, xrefs: 00402622
SMTP Secure Connection, xrefs: 00402699
POP3 Server, xrefs: 00402630
SMTP Port, xrefs: 0040267D
IMAP Password2, xrefs: 00402653
IMAP Secure Connection, xrefs: 0040268B
POP3 Port, xrefs: 00402668
IMAP Server, xrefs: 00402637
SMTP Display Name, xrefs: 00402721

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$QueryValuememset
String ID: HTTPMail Password2$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP Password2$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3 Password2$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$SMTP Display Name$SMTP Email Address$SMTP Password2$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
API String ID: 3373037483-1627711381
Opcode ID: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction ID: d93c2979c5964ee18a3e8d610d8756237e52e0a5809c5516356d8c5187ea57d6
Opcode Fuzzy Hash: 5eb0fa372559596e0b4073e661d7cf54bc2e6271f7b91ab53abef14ebe38c6bd
Instruction Fuzzy Hash: E04186B190021CAADB10DF91DE49ADE37B8EF04348F10446BFD18E7191D3B89699CF98

Function 004027D0 Relevance: 37.6, APIs: 3, Strings: 22, Instructions: 118stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00402878

Part of subcall function 004029A7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004029E9

strcpy.MSVCRT(?,?,76DBEB20,?,00000000), ref: 004028B2
strcpy.MSVCRT(?,?,?,?,?,?,?,?,76DBEB20,?,00000000), ref: 00402980

Part of subcall function 0040EB59: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402945,?,?,?,?,00402945,?,?), ref: 0040EB78

Strings

Email, xrefs: 004028F6
POP3 Use SPA, xrefs: 0040284E
IMAP Password, xrefs: 004027E5
HTTP Password, xrefs: 004027EC
IMAP Use SPA, xrefs: 00402855
POP3 Password, xrefs: 004027DE
HTTPMail Use SSL, xrefs: 0040285C
SMTP Use SSL, xrefs: 00402863
IMAP Port, xrefs: 00402839
SMTP Server, xrefs: 0040282B, 0040290E
POP3 User, xrefs: 004027FA
POP3 Server, xrefs: 00402816
SMTP Port, xrefs: 00402847, 00402925
HTTP User, xrefs: 00402808
SMTP User, xrefs: 0040280F
HTTP Server URL, xrefs: 00402824
POP3 Port, xrefs: 00402832
HTTP Port, xrefs: 00402840
IMAP Server, xrefs: 0040281D
IMAP User, xrefs: 00402801
SMTP Password, xrefs: 004027F3
Display Name, xrefs: 004028E3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiQueryValueWidememset
String ID: Display Name$Email$HTTP Password$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP Password$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3 Password$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$SMTP Password$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
API String ID: 2416467034-4086712241
Opcode ID: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction ID: 2a04afc1b401ca52673312b513a052c1616a462ab9372f8060d899744f0eb97e
Opcode Fuzzy Hash: 1dd3c48cf87e824894ac796b353b11c003e09e2c1ffeee2d2140970bcd4911b6
Instruction Fuzzy Hash: FF513EB150025DABCF24DF61DE499DD7BB8FF04308F10416AF924A6191D3B999A9CF88

Function 0040F435 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 168stringregistryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F459
memset.MSVCRT ref: 0040F471

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 0040F4A9

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

_mbsnbicmp.MSVCRT ref: 0040F4D7
memset.MSVCRT ref: 0040F4F6
memset.MSVCRT ref: 0040F50E
_snprintf.MSVCRT ref: 0040F52B
_mbsrchr.MSVCRT ref: 0040F555
_mbsicmp.MSVCRT ref: 0040F589
strcpy.MSVCRT(?,?,?), ref: 0040F5A2
strcpy.MSVCRT(?,?,?,?,?), ref: 0040F5B5
RegCloseKey.ADVAPI32(0040F699), ref: 0040F5E0
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F5EE
ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104,?,?,?,?,?,?,?,?,00000000), ref: 0040F600
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040F62D

Strings

%s\bin, xrefs: 0040F51A
%programfiles%\Mozilla Thunderbird, xrefs: 0040F5FB
mozilla, xrefs: 0040F4D1
SOFTWARE\Mozilla, xrefs: 0040F47A
PathToExe, xrefs: 0040F538

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpy$CloseCurrentDirectoryEnumEnvironmentExpandOpenStrings_mbsicmp_mbsnbicmp_mbsrchr_snprintf
String ID: %programfiles%\Mozilla Thunderbird$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 3269028891-3267283505
Opcode ID: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction ID: bd4ffbb0b4c73fbe97c341744dc0c87608cd01b58ef3e3991875b3aaf34b88fb
Opcode Fuzzy Hash: 53b4df83feeff12aad6ea8c9c33e414d6f76a23fb296a6d720f7d1efbd9f2591
Instruction Fuzzy Hash: 5251A77284425DBADB31D7A18C46EDA7ABC9F14344F0404FBF645E2152EA788FC98B68

Function 0040F126 Relevance: 27.1, APIs: 12, Strings: 6, Instructions: 101stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F147
memset.MSVCRT ref: 0040F15B
strcpy.MSVCRT(?,<font,?,?,?,?,?), ref: 0040F188
sprintf.MSVCRT ref: 0040F1A3
strcat.MSVCRT(?,?,?, size="%d",?,?,?,?,?,?), ref: 0040F1B0
sprintf.MSVCRT ref: 0040F1DA
strcat.MSVCRT(?,?,?, color="#%s",00000000,?,?,?,?,?,?,?), ref: 0040F1E7
strcat.MSVCRT(?,00413DF4,?,?,?,?,?), ref: 0040F1F5
strcat.MSVCRT(?,<b>,?,?,?,?,?), ref: 0040F207
strcat.MSVCRT(?,00409631,?,?,?,?,?), ref: 0040F212
strcat.MSVCRT(?,</b>,?,?,?,?,?), ref: 0040F224
strcat.MSVCRT(?,</font>,?,?,?,?,?), ref: 0040F236

Strings

</font>, xrefs: 0040F230
color="#%s", xrefs: 0040F1D4
<b>, xrefs: 0040F201
size="%d", xrefs: 0040F19D
<font, xrefs: 0040F182
</b>, xrefs: 0040F21E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcat$memsetsprintf$strcpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 1662040868-1996832678
Opcode ID: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction ID: 418722c3eca89b157b40b8f143ba28d640e3e929850bbea17599129c1cdb8299
Opcode Fuzzy Hash: 7011e04130d48b63dca1ce687a5e40637fab1df2285b26d08083567b97ca835c
Instruction Fuzzy Hash: 3F31D5B2841615BAC720AB55ED82DCAB36C9F10364F6041BFF215B31C2DA7C9FC48B98

Function 0040AF17 Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 110stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AF3C
GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040AF4D
strrchr.MSVCRT ref: 0040AF5C
strcat.MSVCRT(00000000,.cfg), ref: 0040AF76
strcpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040AFAA
strcpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040AFBB
GetWindowPlacement.USER32(?,?), ref: 0040B051

Strings

.cfg, xrefs: 0040AF70
AddExportHeaderLine, xrefs: 0040B006
ShowGridLines, xrefs: 0040AFD4
0@, xrefs: 0040AF92
WinPos, xrefs: 0040B065
General, xrefs: 0040AFB5
MarkOddEvenRows, xrefs: 0040B01F
SaveFilterIndex, xrefs: 0040AFED

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FileModuleNamePlacementWindowmemsetstrcatstrrchr
String ID: .cfg$0@$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
API String ID: 1301239246-2014360536
Opcode ID: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction ID: 2fe98fd5fda5e8878426aecce951da02ffd08f2862891724b98557ab80592e30
Opcode Fuzzy Hash: eb541b8388b74fc04471e90b9f59632c9d2ea6da41be0549b214623736a651a6
Instruction Fuzzy Hash: 3A413972940118ABCB61DB54CC88FDAB7BCEB58304F4441AAF509E7191DB74ABC5CBA4

Function 00409482 Relevance: 25.7, APIs: 10, Strings: 7, Instructions: 182stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004094A2
memset.MSVCRT ref: 004094C5
memset.MSVCRT ref: 004094DB
memset.MSVCRT ref: 004094EB
sprintf.MSVCRT ref: 0040951F
strcpy.MSVCRT(00000000, nowrap), ref: 00409566
sprintf.MSVCRT ref: 004095ED
strcat.MSVCRT(?, ), ref: 0040961C

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

strcpy.MSVCRT(?,?), ref: 00409601
sprintf.MSVCRT ref: 00409650

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Strings

<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 004094AA
<table border="1" cellpadding="5">, xrefs: 00409527
 , xrefs: 00409616
nowrap, xrefs: 00409560
</table><p>, xrefs: 00409672
bgcolor="%s", xrefs: 00409519
<font color="%s">%s</font>, xrefs: 004095E5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetsprintf$strcpy$FileWritestrcatstrlen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 2822972341-601624466
Opcode ID: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction ID: 52fdeb1f016046010361db54033fcb762b78bd0ac31642afda0bfecd98a661c0
Opcode Fuzzy Hash: ca9a12e501fe1fbd997685680bd2bfae0b12254e9316b678fa6584ad6f8df2c7
Instruction Fuzzy Hash: 2C619E32900218AFCF15EF59CC86EDE7B79EF04314F1005AAF905AB1E2DB399A85DB54

Function 00409EC4 Relevance: 25.6, APIs: 17, Instructions: 108windowCOMMON

Download Yara Rule

APIs

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409EF1
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409EFC
SendMessageA.USER32(?,00001003,00000001,?), ref: 00409F11
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 00409F26
ImageList_SetImageCount.COMCTL32(00000000,00000001), ref: 00409F31
SendMessageA.USER32(?,00001003,00000000,?), ref: 00409F46
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 00409F52
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409F5D
LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 00409F7B
LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 00409F97
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 00409FA3
GetSysColor.USER32(0000000F), ref: 00409FA7
ImageList_AddMasked.COMCTL32(?,?,00000000), ref: 00409FC2
ImageList_AddMasked.COMCTL32(?,00000000,?), ref: 00409FCF
DeleteObject.GDI32(?), ref: 00409FDB
DeleteObject.GDI32(00000000), ref: 00409FDE
SendMessageA.USER32(00000000,00001208,00000000,?), ref: 00409FFC

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$List_$Count$CreateMessageSend$DeleteLoadMaskedObject$Color
String ID:
API String ID: 3411798969-0
Opcode ID: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction ID: 9f66d34d320d782a5b10da91aa20dc2822d11362667953dcc3c6c241c584b6d3
Opcode Fuzzy Hash: 467695da83f3f8742914b6257f9d468e5ea1cf314c2a89caacd0f02629d38904
Instruction Fuzzy Hash: E23150716803087FFA316B70DC47FD67B95EB48B00F114829F395AA1E1CAF279909B18

Function 0040B841 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_stricmp.MSVCRT(/shtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B847
_stricmp.MSVCRT(/sverhtml,00412466,0040B940,?,00000000,00000000,?,?,?,0040BAC6), ref: 0040B85C

Strings

/sverhtml, xrefs: 0040B857
/sxml, xrefs: 0040B86C
/stab, xrefs: 0040B881
/shtml, xrefs: 0040B842
/scomma, xrefs: 0040B896
/stabular, xrefs: 0040B8AB
/skeepass, xrefs: 0040B8C0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2884411883-1959339147
Opcode ID: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction ID: 4e6abd9895fa0fe71fc14c80fe1cf8958250247b4a97c707517fcc1bdd8d2f83
Opcode Fuzzy Hash: 045e389345d67b823dfff1935a382fcf458878b8cd1f840f130b7354828c5bc8
Instruction Fuzzy Hash: AD011A7328931038F82925662C17FC30A8ACBD1BBBF30856BF606E41E5EF5DA5C0506D

Function 0040F243 Relevance: 24.1, APIs: 10, Strings: 6, Instructions: 114stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F264
memset.MSVCRT ref: 0040F278
memset.MSVCRT ref: 0040F28C
sprintf.MSVCRT ref: 0040F2B6
sprintf.MSVCRT ref: 0040F2E0
strcpy.MSVCRT(?,</font>,?,<font color="%s">,00000000,000000FF,?,?,?,?,?,?,?,?,?,00000006), ref: 0040F2F1
sprintf.MSVCRT ref: 0040F30C
memset.MSVCRT ref: 0040F347
sprintf.MSVCRT ref: 0040F362
sprintf.MSVCRT ref: 0040F396

Part of subcall function 0040F071: sprintf.MSVCRT ref: 0040F090

Strings

</font>, xrefs: 0040F2EB
<font color="%s">, xrefs: 0040F2DA
width="%s", xrefs: 0040F35C
bgcolor="%s", xrefs: 0040F2B0
<th%s>%s%s%s, xrefs: 0040F390
<table border="1" cellpadding="5"><tr%s>, xrefs: 0040F306

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: sprintf$memset$strcpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 898937289-3842416460
Opcode ID: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction ID: 9a5c5c5b7b50b61a4e5f96e5236d764a10b70f2cfe31ee2b12760fde8c14bfcc
Opcode Fuzzy Hash: ecad5a273c195f4d907ec2c98c3fcd712bb439ffa37f8c8a1398ed03aac76e31
Instruction Fuzzy Hash: C3415FB284021D7ADF21EB55DC41FEB776CAF44344F0401FBBA09A2152E6389F988FA5

Function 0040E0DA Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(psapi.dll,?,0040DD12), ref: 0040E0ED
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0040E106
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0040E117
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0040E128
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0040E139
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0040E14A
FreeLibrary.KERNEL32(00000000), ref: 0040E16A

Strings

GetModuleBaseNameA, xrefs: 0040E100
EnumProcessModules, xrefs: 0040E111
psapi.dll, xrefs: 0040E0E8
GetModuleInformation, xrefs: 0040E144
GetModuleFileNameExA, xrefs: 0040E122
EnumProcesses, xrefs: 0040E133

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
API String ID: 2449869053-232097475
Opcode ID: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction ID: ee37d54ff12c00b719d991246764d0af3e5b6fb2a2d0f9e8910a6c9c4b0fdd5c
Opcode Fuzzy Hash: ce59c7be58069c2add821b7db74a10a85a70ad25a6d5f1115d61fb7aecc40683
Instruction Fuzzy Hash: F0015E31740311EAC711EB266D40FE73EB85B48B91B11843BE544E52A4D778C5928A6C

Function 00410525 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 136stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

strlen.MSVCRT ref: 0041054C
??2@YAPAXI@Z.MSVCRT(00000001), ref: 0041055C
memset.MSVCRT ref: 004105A8
memset.MSVCRT ref: 004105C5
strcpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 004105F3
RegCloseKey.ADVAPI32(?), ref: 00410637
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00410688
LocalFree.KERNEL32(?), ref: 0041069D
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 004106A6

Part of subcall function 00406512: strtoul.MSVCRT ref: 0040651A

Strings

Software\Microsoft\Windows Live Mail, xrefs: 004105E7
Software\Microsoft\Windows Mail, xrefs: 004105DB
Salt, xrefs: 00410621

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrcpy$??2@??3@AddressByteCharCloseFreeLibraryLoadLocalMultiProcWidestrlenstrtoul
String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
API String ID: 1673043434-2687544566
Opcode ID: e26968150b8c48349edd6a01877549271a53a2337486a96049ecb3a108515df3
Instruction ID: 7afd7cd9a60bb03764dcbc3854d87102a14f95683297c5d7d0928fc071fa2b2b
Opcode Fuzzy Hash: e26968150b8c48349edd6a01877549271a53a2337486a96049ecb3a108515df3
Instruction Fuzzy Hash: D14186B2C0011CAECB11DBA5DC81ADEBBBCAF48344F1041ABE645F3251DA349A95CB68

Function 0040CBA7 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 129COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Part of subcall function 00401380: strlen.MSVCRT ref: 0040138D

Strings

mailbox://, xrefs: 0040CBD0
mailbox://%s@%s, xrefs: 0040CC73
imap://%s@%s, xrefs: 0040CC92
imap://, xrefs: 0040CBF5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf$strlen
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 4281260487-2229823034
Opcode ID: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction ID: 9e102a0fb77db954c7e66e430d6901f6f24083c0ab16dd7aca32eaa7b9d40139
Opcode Fuzzy Hash: e9e02f881341a7f68f4078179dffa19dbd3d5546575d598c2616a551df887c2f
Instruction Fuzzy Hash: B84163B1604205EFD724DB69C881F96B7E8AF04344F144A7BEA4AE7281D738FA448B58

Function 0040CBA5 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_strnicmp.MSVCRT ref: 0040CBD6
_strnicmp.MSVCRT ref: 0040CBFB
memset.MSVCRT ref: 0040CC44
memset.MSVCRT ref: 0040CC5A
sprintf.MSVCRT ref: 0040CC79
sprintf.MSVCRT ref: 0040CC98
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCB7
_stricmp.MSVCRT(00000000,00000000), ref: 0040CCD9

Strings

mailbox://, xrefs: 0040CBD0
mailbox://%s@%s, xrefs: 0040CC73
imap://%s@%s, xrefs: 0040CC92
imap://, xrefs: 0040CBF5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp_strnicmpmemsetsprintf
String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
API String ID: 2822975062-2229823034
Opcode ID: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction ID: 56d5f4bbafa72d85e66e322173295d9522024af121689b7315c9fa9ceefdefbd
Opcode Fuzzy Hash: b6ee68a00b14a896bd5f4a1625b3665dec952f704790df008a5e90175c698e8f
Instruction Fuzzy Hash: 754150B1604605EFD724DB69C8C1F96B7E8AF04304F14466BEA4AE7281D738FA45CB58

Function 0040D6FB Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 118registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(0040DB12,Creds,00000000,00020019,0040DB12,%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd,00000040,?,?,0040DB12,?,?,?,?), ref: 0040D725
memset.MSVCRT ref: 0040D743
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040D770
RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040D799
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040D812
LocalFree.KERNEL32(?), ref: 0040D825
RegCloseKey.ADVAPI32(?), ref: 0040D830
RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040D847
RegCloseKey.ADVAPI32(?), ref: 0040D858

Strings

ps:password, xrefs: 0040D78A
%GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd, xrefs: 0040D710
Creds, xrefs: 0040D71D

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
String ID: %GKP$^%^&LL(%^$^O&TR$^%^GV6;lxzd$Creds$ps:password
API String ID: 551151806-1288872324
Opcode ID: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction ID: ba0b8c8cecfa7ea512c31dd79fcda3fb233e403caecda4e29e00fc0c4110e127
Opcode Fuzzy Hash: d3552b054e42a9a62031a540664540df19a8533d219857e9c55738ce323a5c80
Instruction Fuzzy Hash: 864129B2900209AFDB11DF95DD84EEFBBBCEB48344F0041A6FA15E2150DA749A94CB64

Function 004080A3 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 86windowCOMMON

Download Yara Rule

APIs

sprintf.MSVCRT ref: 004080C4
LoadMenuA.USER32(?,?), ref: 004080D2

Part of subcall function 00407EFB: GetMenuItemCount.USER32(?), ref: 00407F10
Part of subcall function 00407EFB: memset.MSVCRT ref: 00407F31
Part of subcall function 00407EFB: GetMenuItemInfoA.USER32 ref: 00407F6C
Part of subcall function 00407EFB: strchr.MSVCRT ref: 00407F83

DestroyMenu.USER32(00000000), ref: 004080F0
sprintf.MSVCRT ref: 00408134
CreateDialogParamA.USER32(?,00000000,00000000,0040809E,00000000), ref: 00408149
memset.MSVCRT ref: 00408165
GetWindowTextA.USER32(00000000,?,00001000), ref: 00408176
EnumChildWindows.USER32(00000000,Function_00007FEB,00000000), ref: 0040819E
DestroyWindow.USER32(00000000), ref: 004081A5

Strings

menu_%d, xrefs: 004080BA
caption, xrefs: 0040818B
dialog_%d, xrefs: 0040812A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
String ID: caption$dialog_%d$menu_%d
API String ID: 3259144588-3822380221
Opcode ID: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction ID: 30012a8f5e5a5bdbe68f816da8837f1ba63c4ed8b40bd3c0dd12f77501d21500
Opcode Fuzzy Hash: 6243cf7790bf93336ac36a7af399e3403135f66e693ef013e884cab4c931bc33
Instruction Fuzzy Hash: 14212172544248BBDB22AF60DD41EEF3B78EF05305F00407AFA41A2190DABC9DA58B6D

Function 0040E056 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040DD19), ref: 0040E065
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0040E07E
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0040E08F
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0040E0A0
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0040E0B1
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0040E0C2

Strings

Module32Next, xrefs: 0040E09A
CreateToolhelp32Snapshot, xrefs: 0040E078
kernel32.dll, xrefs: 0040E060
Process32First, xrefs: 0040E0AB
Process32Next, xrefs: 0040E0BC
Module32First, xrefs: 0040E089

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction ID: 921299a9b586d994e9bf5e85ab2a2688844625279e80e39ff2614b99c2d6d575
Opcode Fuzzy Hash: 5922207fa155356ca208c5dc00e328b28cc838d796c506d44ffc4ba24ef585aa
Instruction Fuzzy Hash: 8DF06D70A45222A9C320CB266D00FFA3DA85A44B81B15843BE900F1694DBF8D5528B7C

Function 00404647 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004046C2: FreeLibrary.KERNEL32(?,0040464F,?,0040D601,80000001,76DBEC10), ref: 004046C9

LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Strings

advapi32.dll, xrefs: 0040464F
CredFree, xrefs: 0040466F
CredReadA, xrefs: 00404667
CredEnumerateW, xrefs: 00404693
CredDeleteA, xrefs: 0040467B
CredEnumerateA, xrefs: 00404687

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction ID: 1c6fa8d05b29e269fad2443f962c2e8eb3052cc88d23d174a3c6f0c0958544ff
Opcode Fuzzy Hash: 1dbd091348eef99b9c60bfcaa5dda145de35d3414d0ae1ecd7a3a02af1b4a616
Instruction Fuzzy Hash: 380121705447009AC730AF75CD08B46BAF4EF85704F218D2EE281A3690E7BE9491DF88

Function 00411015 Relevance: 19.7, APIs: 12, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041103A

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 00411056
memset.MSVCRT ref: 00411090
memset.MSVCRT ref: 004110A4
memset.MSVCRT ref: 004110B8
memset.MSVCRT ref: 004110DE

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 00411115

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

memcpy.MSVCRT(?,?,00000010,?,?), ref: 00411151
memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 00411163
strcpy.MSVCRT(?,?), ref: 0041123A
memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 0041126B
memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 0041127D

Strings

salu, xrefs: 00411071

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$strcpy
String ID: salu
API String ID: 2660478486-4177317985
Opcode ID: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction ID: 480a48fc981763c339c301d1addb7ab339a070bf665ce532ed27993edd9122c1
Opcode Fuzzy Hash: ae1d07347fa3aa89f5fcc6141a6fc90f028ff7b9ab687112944546eff88cf5b8
Instruction Fuzzy Hash: A4717F7190011DAADB10EBA9CC819DEB7BDFF08348F1445BAF609E7151DB749B888F94

Function 00403E87 Relevance: 19.6, APIs: 7, Strings: 6, Instructions: 98stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

memset.MSVCRT ref: 00403EBF
memset.MSVCRT ref: 00403ED3
memset.MSVCRT ref: 00403EE7
sprintf.MSVCRT ref: 00403F08
strcpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F24
sprintf.MSVCRT ref: 00403F5B
sprintf.MSVCRT ref: 00403F8C

Strings

<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F86
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403E97
<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F36
<table dir="rtl"><tr><td>, xrefs: 00403F1E
Mail PassView, xrefs: 00403F72
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F02

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetsprintf$FileWritestrcpystrlen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$Mail PassView
API String ID: 1043021993-495024357
Opcode ID: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction ID: b86957a5e19b08f75c710fe46d40d6f019605627493d012667a382a844d4f915
Opcode Fuzzy Hash: 9ab723875cfdb90570c6b26727e8dc31f2cea9ea6bbea43a89162690f7ebea04
Instruction Fuzzy Hash: A93196B2C40118BADB11EB55DC82EDE7BACEF44304F0045A7B60DA3151DE786FC88BA8

Function 00404288 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 100stringCOMMON

Download Yara Rule

APIs

wcsstr.MSVCRT ref: 004042BD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404304
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00404318
strcpy.MSVCRT(?,?), ref: 00404328
strcpy.MSVCRT(?,?,?,?), ref: 0040433B
strchr.MSVCRT ref: 00404349
strlen.MSVCRT ref: 0040435D
sprintf.MSVCRT ref: 0040437E
strchr.MSVCRT ref: 0040438F

Strings

www.google.com, xrefs: 004042B7
%s@gmail.com, xrefs: 00404378

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidestrchrstrcpy$sprintfstrlenwcsstr
String ID: %s@gmail.com$www.google.com
API String ID: 1359934567-4070641962
Opcode ID: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction ID: 90bd0330eeb49ee3a27dc93359d6b9986b282e86ae315167fefd13048bcd18fc
Opcode Fuzzy Hash: 8108c03dee5360a7f6a3e2f925f6b83e3505abd913d650f45db378c2ca998167
Instruction Fuzzy Hash: 793188B290021D7FDB21D791DD81FDAB3ACDB44354F1005A7F709E2181D678AF858A58

Function 0040827A Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 69stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 00408292
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,?,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082A2

Part of subcall function 00407E55: memset.MSVCRT ref: 00407E7A
Part of subcall function 00407E55: GetPrivateProfileStringA.KERNEL32(004172C0,00000104,00412466,?,00001000,004171B8), ref: 00407E9E
Part of subcall function 00407E55: WritePrivateProfileStringA.KERNEL32(004172C0,?,?,004171B8), ref: 00407EB5

EnumResourceNamesA.KERNEL32(00000104,00000004,004080A3,00000000), ref: 004082D8
EnumResourceNamesA.KERNEL32(00000104,00000005,004080A3,00000000), ref: 004082E2
strcpy.MSVCRT(004172C0,strings,?,004083AB,00000000,?,00000000,00000104,?), ref: 004082EA
memset.MSVCRT ref: 00408306
LoadStringA.USER32(00000104,00000000,?,00001000), ref: 0040831A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

general, xrefs: 00408297
strings, xrefs: 004082E4
TranslatorName, xrefs: 004082AD
TranslatorURL, xrefs: 004082B8

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Stringstrcpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
String ID: TranslatorName$TranslatorURL$general$strings
API String ID: 1060401815-3647959541
Opcode ID: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction ID: d5eae57ffc3fdd8f11c9b4c351fac369e1a37aafa95eb04bb89d09d1e585c4c7
Opcode Fuzzy Hash: acaf4a6ca7367b184f6fdf17ade1074e09c73fb74d797c334c49b365d943b025
Instruction Fuzzy Hash: 6E1104319802543AD7212B56DC06FCB3E6DCF85B59F1040BBB708B6191C9BC9EC087AD

Function 0040D1EC Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 128stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406C2F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040D205,?,?,?,?), ref: 00406C48
Part of subcall function 00406C2F: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00406C74

Part of subcall function 0040462E: free.MSVCRT ref: 00404635

Part of subcall function 004061FF: strcpy.MSVCRT(?,?,0040D228,?,?,?,?,?), ref: 00406204
Part of subcall function 004061FF: strrchr.MSVCRT ref: 0040620C

Part of subcall function 0040C530: memset.MSVCRT ref: 0040C551
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C565
Part of subcall function 0040C530: memset.MSVCRT ref: 0040C579
Part of subcall function 0040C530: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C646
Part of subcall function 0040C530: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C6A6

strlen.MSVCRT ref: 0040D241
strlen.MSVCRT ref: 0040D24F

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

memset.MSVCRT ref: 0040D28F
strlen.MSVCRT ref: 0040D29E
strlen.MSVCRT ref: 0040D2AC
_stricmp.MSVCRT(00000504,none,?,?,?), ref: 0040D339
strcpy.MSVCRT(00000004,00000204,?,?,?), ref: 0040D354

Strings

none, xrefs: 0040D333
signons.txt, xrefs: 0040D248, 0040D266
signons.sqlite, xrefs: 0040D2A5, 0040D2C3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrlen$strcpy$memcpy$CloseFileHandleSize_stricmpfreestrcatstrrchr
String ID: none$signons.sqlite$signons.txt
API String ID: 2681923396-1088577317
Opcode ID: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction ID: 747294efef189d2a86bae337d02489a359e47e35f4212505bb9232dde5c11721
Opcode Fuzzy Hash: 320e3f5b2275387b9dd69f73878994cc1174bc0b0e146de94454896ca0fe85a1
Instruction Fuzzy Hash: 3041E3B1508246AAD710EBB1CC81BDAB798AF40305F10057FE596E21C2EB7CE9C9876D

Function 00402C44 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 104registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00402C84

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?), ref: 00402D86

Part of subcall function 0040EBC1: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 0040EBFA

memset.MSVCRT ref: 00402CDE
sprintf.MSVCRT ref: 00402CF7
sprintf.MSVCRT ref: 00402D35

Part of subcall function 00402BB8: memset.MSVCRT ref: 00402BD8
Part of subcall function 00402BB8: RegCloseKey.ADVAPI32 ref: 00402C3C

Strings

Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00402CE3
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00402D21
Identities, xrefs: 00402C52
Username, xrefs: 00402CB7
%s\%s, xrefs: 00402CA6, 00402CF5, 00402D33

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Closememset$sprintf$EnumOpen
String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username
API String ID: 1831126014-3814494228
Opcode ID: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction ID: 6c0256c292ffb55b53f7a2730c4bcad7d13cefd93b753116a94389aae211c0df
Opcode Fuzzy Hash: e558669e5098f51d47a130cd26e8095db06e1949dd15f7d6cacb61a667ea587b
Instruction Fuzzy Hash: 25315C72D0011DBADB11EA96CD46EEFB77CAF04344F0405BABA19F2091E6B49F988F54

Function 0040B53C Relevance: 16.6, APIs: 11, Instructions: 133windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040B5B5
SetTextColor.GDI32(?,00FF0000), ref: 0040B5C3
SelectObject.GDI32(?,?), ref: 0040B5D8
DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040B60D
SelectObject.GDI32(00000014,?), ref: 0040B619

Part of subcall function 0040B372: GetCursorPos.USER32(?), ref: 0040B37F
Part of subcall function 0040B372: GetSubMenu.USER32(?,00000000), ref: 0040B38D
Part of subcall function 0040B372: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040B3BA

LoadCursorA.USER32(00000067), ref: 0040B63A
SetCursor.USER32(00000000), ref: 0040B641
PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040B663
SetFocus.USER32(?), ref: 0040B69E
SetFocus.USER32(?), ref: 0040B6EF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
String ID:
API String ID: 1416211542-0
Opcode ID: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction ID: 8f05fcf81e8b57b2917fe7890bba9475612e1218cdf4c3fdd04c744704700eb5
Opcode Fuzzy Hash: ada7ac9db0802c40b78b434d5b067a752f7538f931aaa86afb59dd9be5820f54
Instruction Fuzzy Hash: E741A271100605EFCB119F64CD89EEE7775FB08300F104936E615A62A1CB799D91DBDE

Function 0040EDDB Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,Common Programs,0040EEF9,?,?,?,?,?,00000104), ref: 0040EE4E

Strings

Programs, xrefs: 0040EE14
Startup, xrefs: 0040EE06
Favorites, xrefs: 0040EE0D
Common Start Menu, xrefs: 0040EE1B
Common Programs, xrefs: 0040EE48
Start Menu, xrefs: 0040EDFF
Common Startup, xrefs: 0040EE41
Desktop, xrefs: 0040EDF8
Common Desktop, xrefs: 0040EE3A
AppData, xrefs: 0040EE33

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 3177657795-318151290
Opcode ID: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction ID: 838bbb5fcb7671a25bd4d31fd75230584a1d4f3c41bb848f6a939ae912ddcdf8
Opcode Fuzzy Hash: 69181002a60778507a3d541a40da82393cbcfb54362146d699c3396572d884a2
Instruction Fuzzy Hash: 66F0BDB32A878EF0D429496BCD4AEB744429151B46B7C4D37A002B46D5E87D8AF260DF

Function 0040765B Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

wcslen.MSVCRT ref: 004076C5
wcsncmp.MSVCRT ref: 00407709
memset.MSVCRT ref: 0040779D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 004077C1
wcschr.MSVCRT ref: 00407815
LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 0040783F

Part of subcall function 004047F1: FreeLibrary.KERNELBASE(?,?), ref: 00404806

Strings

Microsoft_WinInet, xrefs: 004076B9
hyA, xrefs: 0040774B
J, xrefs: 00407743

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$FreeLibrary$LoadLocalmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$hyA
API String ID: 2413121283-319027496
Opcode ID: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction ID: ab6451454baefbc6762688e22d5ebab6c31fbbbf8d38218599acfc9a6d4ef790
Opcode Fuzzy Hash: 3dbe31861b291603ba55481dc935e5bf9676d9bb6e305c4de7996f9a1c48bd4b
Instruction Fuzzy Hash: 2751E4B1908345AFC710EF65C88495AB7E8FF89304F00492EFA99D3250E778E955CB57

Function 00402FC2 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 106registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 00403005

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

memset.MSVCRT ref: 00403052
sprintf.MSVCRT ref: 0040306A
memset.MSVCRT ref: 0040309B
RegCloseKey.ADVAPI32(?), ref: 004030E3
RegCloseKey.ADVAPI32(?), ref: 0040310C

Strings

%s\Accounts, xrefs: 00403064
Identity, xrefs: 0040302B
Software\IncrediMail\Identities, xrefs: 00402FD3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Close$EnumOpensprintf
String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
API String ID: 3672803090-3168940695
Opcode ID: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction ID: 2ec2bfd25db4f87ede08292043277b4916c0dadc31aa5cf960337fea200e46ca
Opcode Fuzzy Hash: 0cf548ca034e9c156653f3b1dbb9e895c43ca7fac2608918d84bd2d804a0d0b2
Instruction Fuzzy Hash: D6314EB290021CBADB11EB95CC81EEEBB7CAF14344F0041B6B909A1051E7799F948F64

Function 00407A64 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00407A7A
memset.MSVCRT ref: 00407A9E
GetMenuItemInfoA.USER32(?), ref: 00407AD4
memset.MSVCRT ref: 00407B01
strchr.MSVCRT ref: 00407B0D
strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

6, xrefs: 00407AC4
0, xrefs: 00407AB9

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifystrcatstrchr
String ID: 0$6
API String ID: 1757351179-3849865405
Opcode ID: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction ID: 1677788af10e21d8d50b2ad3b046da146c202dfcbfc60db105475917acddfa9f
Opcode Fuzzy Hash: 0312b36b69dc19ec32793f3e1a4e0bacee62623ae2581f679c82ae12aac676fd
Instruction Fuzzy Hash: 1A316D71808385AFD7109F55D84099BBBF9EB84358F14883FFA9492250D378EA44CF6B

Function 0040E988 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 64COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9B9
UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 0040EA04
CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

Strings

220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9B4
220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9AD
220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 0040E9A0
417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0040E9C1

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
API String ID: 1640410171-2022683286
Opcode ID: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction ID: a0dda8305716182b94471eb279f6daf9a8f1529c8f3e89cbb35285eb134eabf6
Opcode Fuzzy Hash: 1c07360da451655baf40f8404e5edb4d1d178eda86dac3c95faae550bb755c51
Instruction Fuzzy Hash: 3811607251412DAACB11EEA5DD40EEB37ECAB48354F044837FD12F3241F674E9248BA5

Function 00404837 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(comctl32.dll,76F90A60,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 00404856
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404868
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040487C
#17.COMCTL32(?,00000000,?,?,?,0040B9C9,76F90A60), ref: 0040488A
MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 004048A7

Strings

Error: Cannot load the common control classes., xrefs: 004048A1
comctl32.dll, xrefs: 0040483F
Error, xrefs: 0040489C
InitCommonControlsEx, xrefs: 00404862

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction ID: 848b23aeb75660b77c3c697252adc3032e5e70f3caa3a854567a53d2e3e71345
Opcode Fuzzy Hash: d22177ebd0c61848c13c07c1ee885c4d1d7d21c72c3c38fe6be86b3f4f770b99
Instruction Fuzzy Hash: 3E0126723102017FD7156BA08D48BAF7AACEB84749F008139F602E21C0EBF8C912D6AC

Function 004081B5 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 42stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040614B: GetFileAttributesA.KERNELBASE(?,004081BE,?,00408274,00000000,?,00000000,00000104,?), ref: 0040614F

strcpy.MSVCRT(004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081CF
strcpy.MSVCRT(004172C0,general,004171B8,00000000,00000000,00000000,00408274,00000000,?,00000000,00000104,?), ref: 004081DF
GetPrivateProfileIntA.KERNEL32(004172C0,rtl,00000000,004171B8), ref: 004081F0

Part of subcall function 00407DC1: GetPrivateProfileStringA.KERNEL32(004172C0,?,00412466,00417308,?,004171B8), ref: 00407DDC

Strings

rtl, xrefs: 004081EA
general, xrefs: 004081D4
HsA, xrefs: 00408219
TranslatorName, xrefs: 00408214
charset, xrefs: 004081FE
TranslatorURL, xrefs: 00408228

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfilestrcpy$AttributesFileString
String ID: HsA$TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 185930432-2094606381
Opcode ID: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction ID: cb939eedfd3a0989361dc9c28bcf1dbf68e7932df9513b818d47ffc3c6ffa7d5
Opcode Fuzzy Hash: 61c3254355be24366bef669af6bb7bd6cca1bcece2790ae3e2dc5a409b7b51f7
Instruction Fuzzy Hash: 07F0F631ED821532DB113A622C03FEA39248FA2B16F04407FBC04B72C3DA7C4A81929E

Function 0040DEA9 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(nss3.dll,76F91620,?,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEB8
GetModuleHandleA.KERNEL32(sqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEC1
GetModuleHandleA.KERNEL32(mozsqlite3.dll,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DECA
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DED9
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE0
FreeLibrary.KERNEL32(00000000,?,00000104,0040DFDC,?,?,?,?,?,?,?,00000000), ref: 0040DEE7

Strings

mozsqlite3.dll, xrefs: 0040DEC3
nss3.dll, xrefs: 0040DEB3
sqlite3.dll, xrefs: 0040DEBA

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction ID: d16a25c46baa9326af0e84a0bffbb5276bbaca378281f61e1b061e0aef5cb77a
Opcode Fuzzy Hash: 86c3fc2903f606d4177665fb0a5e8ba99052a5cd3e374b4e3edda1da98f7fed5
Instruction Fuzzy Hash: 72E0DF62F4132D67892066F19E84DABBE5CC895AE13150033AA00F3240DDE89C058AF8

Function 0040E172 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0040E18A
strcpy.MSVCRT(?,-00000001), ref: 0040E198

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

strcpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1E8
strcat.MSVCRT(?,0000000B,?,00000000,00000000,?,00000000,00000104,00000104), ref: 0040E1F3
memset.MSVCRT ref: 0040E1CF

Part of subcall function 00406325: GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
Part of subcall function 00406325: strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

memset.MSVCRT ref: 0040E217
memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E232
strcat.MSVCRT(?,?,?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0040E23D

Strings

\systemroot, xrefs: 0040E1A5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$memsetstrcatstrlen$DirectoryWindows_memicmpmemcpystrchr
String ID: \systemroot
API String ID: 1680921474-1821301763
Opcode ID: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction ID: c94fb6c7bd1247ab7199cb5b48e8c216c8115a4167fd8e2fb1b5c3c0fa66e4da
Opcode Fuzzy Hash: 5187f8535ecd07f80173756fca004a5de43faed2157158ac4ad04829d081b859
Instruction Fuzzy Hash: 7021F97554C20879E720A3635C82FEA77DC9F55348F5008AFF6CAA10C1EABC96D5862A

Function 00405BE4 Relevance: 15.1, APIs: 10, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00405BFB
GetWindow.USER32(?,00000005), ref: 00405C13
GetWindow.USER32(00000000), ref: 00405C16

Part of subcall function 00401657: GetWindowRect.USER32(?,?), ref: 00401666
Part of subcall function 00401657: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 00401681

GetWindow.USER32(00000000,00000002), ref: 00405C22
GetDlgItem.USER32(?,000003ED), ref: 00405C39
GetDlgItem.USER32(?,00000000), ref: 00405C4B
GetDlgItem.USER32(?,00000000), ref: 00405C5D
GetDlgItem.USER32(?,00000000), ref: 00405C6F
GetDlgItem.USER32(?,000003ED), ref: 00405C7D
SetFocus.USER32(00000000), ref: 00405C80

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemWindow$Rect$ClientFocusPoints
String ID:
API String ID: 2187283481-0
Opcode ID: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction ID: 7666b00b3ddace13e8d54cd994e266c410995bf231072ec337e33f1596805ccb
Opcode Fuzzy Hash: d2f13065a0daf7b94e2d6602c1ebad63a970ca7fe2c26cba6661fff7476f23c3
Instruction Fuzzy Hash: 1A115471500304ABDB116F25CD49E6BBFADDF41758F05843AF544AB591CB79D8028A68

Function 00401A50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 195stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00401A5C
abs.MSVCRT ref: 00401B5C
abs.MSVCRT ref: 00401B93
log.MSVCRT ref: 00401C42
log.MSVCRT ref: 00401C54
free.MSVCRT ref: 00401C75
free.MSVCRT ref: 00401C89

Strings

, xrefs: 00401A8A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$strlen
String ID:
API String ID: 667451143-3916222277
Opcode ID: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction ID: 06eee62d74eb4b55ebb23f84067d794473d6c8b6021198aa51b9bcc42ccbae70
Opcode Fuzzy Hash: 37bb09f8b96ce6c60aa0d5a3bd89c5871ef181f1a1b83bd216632f6d31a5aab6
Instruction Fuzzy Hash: DA6178704083859FDB249F26948046BBBF1FB85315F54997FF5D2A22A1E738E8468B0B

Function 0040D4A6 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,Password.NET Messenger Service,00000000,00000000,?,?,80000001,76DBEC10), ref: 0040D4D5
RegQueryValueExA.ADVAPI32(?,User.NET Messenger Service,00000000,00000000,?,?), ref: 0040D5AA

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

memcpy.MSVCRT(00000020,?,?,?,00000000,?), ref: 0040D546
LocalFree.KERNEL32(?,?,00000000,?), ref: 0040D558
RegCloseKey.ADVAPI32(?), ref: 0040D5CC

Strings

, xrefs: 0040D4ED
User.NET Messenger Service, xrefs: 0040D5A0
Password.NET Messenger Service, xrefs: 0040D4C3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressCloseFreeLibraryLoadLocalProcmemcpystrcpy
String ID: $Password.NET Messenger Service$User.NET Messenger Service
API String ID: 3289975857-105384665
Opcode ID: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction ID: 7f1cec63b8765f81c3836bbc11e71f1516ceea0880c28a2d93855dc55ce36bd3
Opcode Fuzzy Hash: d83e2ebe096d5bcd78dc6c5e473717e98c5fc49575dad68c24a229f0531786f0
Instruction Fuzzy Hash: AE314DB1D01219AFDB11DF94CC44BDEBBB9AF48318F1040B6E905B7290D6789B94CF99

Function 0040706C Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 90COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040708D

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,!r@,?,000000FD,00000000,00000000,?,00000000,!r@,?,?,?,?,00000000), ref: 00407128
LocalFree.KERNEL32(?,?,?,?,?,00000000,76DBEB20,?), ref: 00407138

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

Strings

!r@, xrefs: 004070FB, 0040711D, 004070FE, 00407122
POP3_host, xrefs: 00407160
!r@, xrefs: 0040716F
POP3_credentials, xrefs: 0040709D
POP3_name, xrefs: 00407145

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWidememcpymemsetstrcpystrlen
String ID: !r@$!r@$POP3_credentials$POP3_host$POP3_name
API String ID: 604216836-250559020
Opcode ID: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction ID: f8ca724a3b3a12fba31c48434a973b8369f3aae8d57bdfed2f45406e53e98f37
Opcode Fuzzy Hash: 88d4546f94300e18eb63e1a28018ddb3fc5fe9f294d301ab42fb72424ac45106
Instruction Fuzzy Hash: C331707194021CAFDB11EB698C81ADE7BBCEF19344F0084B6FA05A2281D6389B598F65

Function 00405E46 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52stringlibrarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,00405F65,?,?), ref: 00405E6B
FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,?,00000000,?,?,00405F65,?,?), ref: 00405E89
strlen.MSVCRT ref: 00405E96
strcpy.MSVCRT(?,?,?,?,00405F65,?,?), ref: 00405EA6
LocalFree.KERNEL32(?,?,?,00405F65,?,?), ref: 00405EB0
strcpy.MSVCRT(?,Unknown Error,?,?,00405F65,?,?), ref: 00405EC0

Strings

Unknown Error, xrefs: 00405EB8
netmsg.dll, xrefs: 00405E66

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FormatFreeLibraryLoadLocalMessagestrlen
String ID: Unknown Error$netmsg.dll
API String ID: 3198317522-572158859
Opcode ID: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction ID: 3a45a8761f4bc18c8cc8ce1e33cdf84813ecacbbbbff7bb38409c5e389e3efd7
Opcode Fuzzy Hash: be691a346cef5d5e24c515aac1ca35402bb88184c6041fe02f13b1b1e364655c
Instruction Fuzzy Hash: A901B131604118BAE7155B61ED46EDF7E6DDB14792B20443AF602F00A0DA785F409A98

Function 0040875C Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

??2@YAPAXI@Z.MSVCRT(00000000,?,?,00000000,76F90A60,?,00000000), ref: 00408793
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,00000000,76F90A60,?,00000000), ref: 004087AF
memcpy.MSVCRT(?,hA,00000014,?,?,00000000,76F90A60), ref: 004087D7
memcpy.MSVCRT(?,hA,00000010,?,hA,00000014,?,?,00000000,76F90A60), ref: 004087F4
??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76F90A60), ref: 0040887D
??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,?,?,?,?,00000000,76F90A60), ref: 00408887
??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,00000000,76F90A60), ref: 004088BF

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Strings

hA, xrefs: 004087C0, 004087DC, 00408847, 004087CD, 004087E7
d, xrefs: 0040889E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$LoadStringstrcpystrlen
String ID: d$hA
API String ID: 3781940870-4030989184
Opcode ID: 5e50d2b62f6993c86ffac77c026433a38f7ee8811e4eb043570a690e7a3712a1
Instruction ID: 2ee817cab8fb9d662dc1fdc17dcda2a390100e1008d8253a008a3d74f0a2914d
Opcode Fuzzy Hash: 5e50d2b62f6993c86ffac77c026433a38f7ee8811e4eb043570a690e7a3712a1
Instruction Fuzzy Hash: 76518D72A01704AFDB24DF2AC582B9AB7E5FF48354F10852EE54ADB391EB74E940CB44

Function 0040314D Relevance: 13.6, APIs: 1, Strings: 8, Instructions: 100stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040311F: GetPrivateProfileStringA.KERNEL32(00000000,?,Function_00012466,?,?,?), ref: 00403143

strchr.MSVCRT ref: 00403262

Strings

PopServer, xrefs: 004031AF
PopAccount, xrefs: 0040324D
LoginName, xrefs: 004031CB
ReturnAddress, xrefs: 004031FA
UsesIMAP, xrefs: 0040316F
RealName, xrefs: 004031E1
1, xrefs: 00403190
SavePasswordText, xrefs: 00403212

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringstrchr
String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
API String ID: 1348940319-1729847305
Opcode ID: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction ID: 1cfb9ddeec5dd782170234712f417fe000b4b626ad5f21becf6162a2306db812
Opcode Fuzzy Hash: cc26f5bc1b7aaf2e570deba64efa3e2944f8347bda1c61efbd6a62b24a137412
Instruction Fuzzy Hash: 7631B370A04209BEEF119F20CC06FD97F6CAF14318F10816AF95C7A1D2C7B95B958B54

Function 0040F09D Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 60COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",00000006,?,?,00000000,004096EC,?,?), ref: 0040F0CD
memcpy.MSVCRT(?,&,00000005,?,?,00000000,004096EC,?,?), ref: 0040F0F3
memcpy.MSVCRT(?,<,00000004,?,?,00000000,004096EC,?,?), ref: 0040F10B

Strings

", xrefs: 0040F0C7
>, xrefs: 0040F0BA
&, xrefs: 0040F0ED
°, xrefs: 0040F0E0
<, xrefs: 0040F0AE
<br>, xrefs: 0040F105

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction ID: 3259d816fa1e591736f6461b451ad75962e4f861ee845343ab42ffe8f3feec31
Opcode Fuzzy Hash: eb0853a178c78b5e5dae4962a3b0185fc54ec5424429a466571b96bdadbff949
Instruction Fuzzy Hash: 450171B2E852A4B5DA350905AC07FA70B865BA6B11F350037F58639AC2E1AD0D8F516F

Function 0040D865 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 00406278: GetVersionExA.KERNEL32(00417118,0000001A,0040EE77,00000104), ref: 00406292

memset.MSVCRT ref: 0040D917
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040D92E
_strnicmp.MSVCRT ref: 0040D948
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D974
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040D994

Strings

WindowsLive:name=*, xrefs: 0040D88C, 0040D8C3
windowslive:name=, xrefs: 0040D942

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$Version_strnicmpmemset
String ID: WindowsLive:name=*$windowslive:name=
API String ID: 945165440-3589380929
Opcode ID: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction ID: 27d6d704735a973bd95cec350459a8e2137e61d4893fa240fc9d50cc053063f8
Opcode Fuzzy Hash: 3f9da4edc47d2955fd47475458a514ae76322f65be24e3d720485981fdfd18bc
Instruction Fuzzy Hash: FD4183B1904345AFC720EF54D9849ABBBECEB84344F044A3EF995A3291D734DD48CB66

Function 00407FEB Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00408011
GetDlgCtrlID.USER32(?), ref: 0040801C
GetWindowTextA.USER32(?,?,00001000), ref: 0040802F
memset.MSVCRT ref: 00408055
GetClassNameA.USER32(?,?,000000FF), ref: 00408068
_stricmp.MSVCRT(?,sysdatetimepick32), ref: 0040807A

Part of subcall function 00407EC3: _itoa.MSVCRT ref: 00407EE4

Strings

sysdatetimepick32, xrefs: 00408074

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itoa_stricmp
String ID: sysdatetimepick32
API String ID: 896699463-4169760276
Opcode ID: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction ID: 1a4d9fd07e56cfca2567f2ea4562d04845e15f14fd3b0b17285a92413f4c7fe9
Opcode Fuzzy Hash: 2e87e3ae20d77166e7272aa9ea6a9449553f890dc716fe518baf187b76836374
Instruction Fuzzy Hash: 8811E3728040187EDB119B64DC81DEB7BACEF58355F0440BBFB49E2151EA789FC88B69

Function 00405715 Relevance: 12.2, APIs: 8, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004057BD
GetDlgItem.USER32(?,000003E9), ref: 004057D0
GetDlgItem.USER32(?,000003E9), ref: 004057E5
GetDlgItem.USER32(?,000003E9), ref: 004057FD
EndDialog.USER32(?,00000002), ref: 00405819
EndDialog.USER32(?,00000001), ref: 0040582C

Part of subcall function 004054C6: GetDlgItem.USER32(?,000003E9), ref: 004054D4
Part of subcall function 004054C6: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 004054E9
Part of subcall function 004054C6: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405505

SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405844
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405950

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$DialogMessageSend
String ID:
API String ID: 2485852401-0
Opcode ID: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction ID: 996ad43d7974a89766dbed28e3aed2d7518275209d6347d70af2c8e68d8db374
Opcode Fuzzy Hash: c39d939c89ad9df75a692a1ffb268d4e722a9ad13e3cbed9f2235f7ec5d84e36
Instruction Fuzzy Hash: 8361BE31600A05AFDB21AF25C986A2BB3A5EF40724F04C13EF915A76D1D778A960CF59

Function 00405960 Relevance: 12.1, APIs: 8, Instructions: 103windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00405971
??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040598D
??2@YAPAXI@Z.MSVCRT(00000000), ref: 004059B4
memset.MSVCRT ref: 004059C5
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 004059F4
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405A41
SetFocus.USER32(?,?,?,?), ref: 00405A4A
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00405A58

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: 6b93eb81a39c48deb163be1aa812a1225973fe05519ee775c3dac3ae0dcb2c41
Instruction ID: c71b172428599a8aed3dd41af9edf36fe528ac6939486576e3287dd5c50b91d7
Opcode Fuzzy Hash: 6b93eb81a39c48deb163be1aa812a1225973fe05519ee775c3dac3ae0dcb2c41
Instruction Fuzzy Hash: 9931C6B2600605BFDB149F29D88591AF7A5FF44354B10863FF54AE72A0DB78EC408F98

Function 0040A698 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040A6B7
GetWindowRect.USER32(?,?), ref: 0040A6CD
GetWindowRect.USER32(?,?), ref: 0040A6E0
BeginDeferWindowPos.USER32(00000003), ref: 0040A6FD
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040A71A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040A73A
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040A761
EndDeferWindowPos.USER32(?), ref: 0040A76A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction ID: 87e3885615821b4149b7d1c90d618f2f4546f2004ccbdac015d6c62594ca92fd
Opcode Fuzzy Hash: 7346dcf7e22bd518b4d0e96dfafb7fac3e60ecb16f258d456982d784f7109538
Instruction Fuzzy Hash: 1E21A771A00209FFDB11CFA8DE89FEEBBB9FB08710F104465F655E2160C771AA519B24

Function 0040C530 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C551
memset.MSVCRT ref: 0040C565
memset.MSVCRT ref: 0040C579

Part of subcall function 004069D2: strlen.MSVCRT ref: 004069E4
Part of subcall function 004069D2: strlen.MSVCRT ref: 004069EC
Part of subcall function 004069D2: _memicmp.MSVCRT ref: 00406A0A

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C646
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C689
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040C6A6

Strings

user_pref(", xrefs: 0040C5AF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen$_memicmp
String ID: user_pref("
API String ID: 765841271-2487180061
Opcode ID: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction ID: b5bbfaa39c0e48752cfa6ff41fc25d90fc637c7d31dd27b270ce5155e9a91379
Opcode Fuzzy Hash: 982af1ce4df36f9e7f27790100b248c040b5dee6bd91ee0204a86cb4ecdb3b86
Instruction Fuzzy Hash: A74168B2904118AADB10DB95DCC0EDA77AD9F44314F1046BBE605F7181EA389F49CFA8

Function 0040559F Relevance: 10.6, APIs: 7, Instructions: 126windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 004055B6
SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 004055CF
SendMessageA.USER32(?,00001036,00000000,00000026), ref: 004055DC
SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 004055E8
memset.MSVCRT ref: 00405652
SendMessageA.USER32(?,00001019,?,?), ref: 00405683
SetFocus.USER32(?), ref: 00405708

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction ID: c9ec69d2b7f122f2474fbd4df523f5fea2365e5f162f49a3354b930d279265bd
Opcode Fuzzy Hash: 373d2b268ded57f609baf290f43656ad992e230c838bd3448275ee254fe81e2e
Instruction Fuzzy Hash: 304126B5D00109AFDB209F99DC81DAEBBB9FF04348F00846AE918B7291D7759E50CFA4

Function 0040D5DB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004046D7: strcpy.MSVCRT ref: 00404726

Part of subcall function 00404647: LoadLibraryA.KERNEL32(advapi32.dll,?,0040D601,80000001,76DBEC10), ref: 00404654
Part of subcall function 00404647: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 0040466D
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredFree), ref: 00404679
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404685
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404691
Part of subcall function 00404647: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 0040469D

Part of subcall function 004047A0: LoadLibraryA.KERNELBASE(?,0040D60E,80000001,76DBEC10), ref: 004047A8
Part of subcall function 004047A0: GetProcAddress.KERNEL32(00000000,?), ref: 004047C0

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,000000FF,00000000,00000000,?,?,00000001), ref: 0040D6A7
strlen.MSVCRT ref: 0040D6B7
strcpy.MSVCRT(?,?), ref: 0040D6C8
LocalFree.KERNEL32(?), ref: 0040D6D5

Strings

hwA, xrefs: 0040D680
Passport.Net\*, xrefs: 0040D61D

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadstrcpy$ByteCharFreeLocalMultiWidestrlen
String ID: Passport.Net\*$hwA
API String ID: 3335197805-2625321100
Opcode ID: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction ID: 2e6419ae4a5a1056fcde8d8ccc48918818cbcf4cd0f285746335566170a6875e
Opcode Fuzzy Hash: 681d14a731c87845a5ac1aff75d07a7c211cae895baa553a1b5e579bb43f8a69
Instruction Fuzzy Hash: D4315C76D00109ABCB10EF96D9449EEB7BDEF84300F10047AF605E7291DB399A45CB68

Function 00407EFB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77windowstringCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 00407F10
memset.MSVCRT ref: 00407F31
GetMenuItemInfoA.USER32 ref: 00407F6C
strchr.MSVCRT ref: 00407F83

Strings

0, xrefs: 00407F4C
6, xrefs: 00407F54

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetstrchr
String ID: 0$6
API String ID: 2300387033-3849865405
Opcode ID: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction ID: e6a74f55cf859b5146a282672b091174d688b167a10cd96a0b5acbf0203f559b
Opcode Fuzzy Hash: d1119da1829f27f5b6955e53606e2fca4aef30ff8dacb709f4e7d2ab8ff52e08
Instruction Fuzzy Hash: B821917190C381AFD7109F21D88199BBBE8FB84348F44897FF68496290E779E944CB5B

Function 004044DA Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

Part of subcall function 004060D0: strlen.MSVCRT ref: 004060D5
Part of subcall function 004060D0: memcpy.MSVCRT(?,00401D07,00000000,00000000,00401D07,00000001,00000104,?,?,?,?,?,00000000), ref: 004060EA

_stricmp.MSVCRT(?,pop3,?,?,?,?,?), ref: 0040456B
_stricmp.MSVCRT(?,imap), ref: 00404589

Strings

imap, xrefs: 00404583
pop3, xrefs: 00404565
smtp, xrefs: 004045A0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _stricmp$memcpystrlen
String ID: imap$pop3$smtp
API String ID: 445763297-821077329
Opcode ID: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction ID: 85134e65636b23d23915c58aa006eeb0f313b09a76600224a93e2cbe40a0dcf5
Opcode Fuzzy Hash: e0dbfd60aaecd0c77e478752a73cf595843bbe096482dfa5d8f178f066783ef1
Instruction Fuzzy Hash: 8F2174B2500318ABC711DB61CD41BDBB3FDAF50314F10056BE64AB3181DBB87B858B9A

Function 004036CC Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040E906: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
Part of subcall function 0040E906: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
Part of subcall function 0040E906: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040E966
Part of subcall function 0040E906: CoTaskMemFree.OLE32(?,?), ref: 0040E975

strchr.MSVCRT ref: 00403706
strcpy.MSVCRT(?,00000001,?,?,?), ref: 0040372F
strcpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 0040373F
strlen.MSVCRT ref: 0040375F
sprintf.MSVCRT ref: 00403783
strcpy.MSVCRT(?,?), ref: 00403799

Strings

%s@gmail.com, xrefs: 0040377D

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
String ID: %s@gmail.com
API String ID: 2649369358-4097000612
Opcode ID: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction ID: 7e171057c748ab9e8bd63aa8a265ef6dac548e8f33c4ed25ddb9a168741e2a8b
Opcode Fuzzy Hash: 54903d80b682238d7ebfd218583c1774319c6b1be4d607b0d7699df45f23e7c9
Instruction Fuzzy Hash: B221ABF294411C6EDB11DB55DC85FDA77ACAB54308F4004BBE609E2081EA789BC48B69

Function 0040684D Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 62stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040686D
sprintf.MSVCRT ref: 0040689A
strlen.MSVCRT ref: 004068A6
memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068BB
strlen.MSVCRT ref: 004068C9
memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068D9

Strings

%s (%s), xrefs: 00406894

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpystrlen$memsetsprintf
String ID: %s (%s)
API String ID: 3756086014-1363028141
Opcode ID: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction ID: 70c58cdfc2d4abbd805528426562f63df61edbbac87544aa2a0c8fc412f19922
Opcode Fuzzy Hash: 2fac32cc3f4e238a8d54a0630ee4b758ae70e84b84dd66d59e7312a43b943eb6
Instruction Fuzzy Hash: 371193B2800158BFDF21DF58CC44BD9BBEDEF41308F00856AEA49EB112D674EA55CB98

Function 0040E906 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0040E91D
UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 0040E92A
memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 0040E966
CoTaskMemFree.OLE32(?,?), ref: 0040E975

Strings

5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 0040E918
00000000-0000-0000-0000-000000000000, xrefs: 0040E925

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FromStringUuid$FreeTaskmemcpy
String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
API String ID: 1640410171-3316789007
Opcode ID: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction ID: cd3b670b1268c91d98ef63b10095ff511f923cb8a4afa2e2ee491a09b7572d99
Opcode Fuzzy Hash: f3252fd9cfa063382862d0ae5d3914fc22746c740fb9b30eff228657135c0efe
Instruction Fuzzy Hash: AD01ADB350011CBADF01ABA6CD40DEB7BACAF08354F004833FD45E6150E634EA198BA4

Function 00410BC7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

Part of subcall function 00405ECB: CreateFileA.KERNEL32(00410C96,80000000,00000001,00000000,00000003,00000000,00000000,00410BD2,?,rA,00410C96,?,?,*.oeaccount,rA,?), ref: 00405EDD

GetFileSize.KERNEL32(00000000,00000000,?,00000000,rA,00410C96,?,?,*.oeaccount,rA,?,00000104), ref: 00410BE1
??2@YAPAXI@Z.MSVCRT(00000002,?), ref: 00410BF3
SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 00410C02

Part of subcall function 004066F6: ReadFile.KERNEL32(00000000,?,00410C15,00000000,00000000,?,?,00410C15,?,00000000), ref: 0040670D

Part of subcall function 00410A8A: wcslen.MSVCRT ref: 00410A9D
Part of subcall function 00410A8A: ??2@YAPAXI@Z.MSVCRT(00000001,00410C2C,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410AA6
Part of subcall function 00410A8A: WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF
Part of subcall function 00410A8A: strlen.MSVCRT ref: 00410B02
Part of subcall function 00410A8A: memcpy.MSVCRT(?,00000000,00410C2C), ref: 00410B1C
Part of subcall function 00410A8A: ??3@YAXPAX@Z.MSVCRT(00000000,00410C2C,?,00000000), ref: 00410BAF

??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00410C2D
CloseHandle.KERNEL32(?), ref: 00410C37

Strings

rA, xrefs: 00410BC7

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
String ID: rA
API String ID: 1886237854-474049127
Opcode ID: 211283d2fc670f5901c0f7876466260a577e4cfe0cc3df3f6eb0d2a5b0cdbf91
Instruction ID: e5b0438d6bc675850ae5605026c1b4582ede65e06839efbb6018c27a8e90e269
Opcode Fuzzy Hash: 211283d2fc670f5901c0f7876466260a577e4cfe0cc3df3f6eb0d2a5b0cdbf91
Instruction Fuzzy Hash: 4E01B532400248BEDB206B75EC4ECDB7B6CEF55364B10812BF91486261EA758D54CB68

Function 00409E32 Relevance: 10.5, APIs: 7, Instructions: 43windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32(000000CE), ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32(000000CF), ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction ID: 438777344fc2c20ac6f2013a54106063ce42bca0c095daa55fabf7fed0819ee6
Opcode Fuzzy Hash: 5410ace1bcb9ce3ecfd17fbb561b86d7ddab7c6c2c1515389eccb8c098e49f00
Instruction Fuzzy Hash: 4E013C71280304BFFA325B60EE4BFD67AA6EB48B01F004425F349A90E1C7F56C61DA18

Function 00409E33 Relevance: 10.5, APIs: 7, Instructions: 42windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A00B: SendMessageA.USER32(?,00001037,00000000,00000000), ref: 0040A026
Part of subcall function 0040A00B: SendMessageA.USER32(?,00001036,00000000,00000000), ref: 0040A040

ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001,00000001), ref: 00409E57
ImageList_SetImageCount.COMCTL32(00000000,00000002), ref: 00409E66
LoadIconA.USER32(000000CE), ref: 00409E7D
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00409E8E
LoadIconA.USER32(000000CF), ref: 00409E9B
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00409EA6
SendMessageA.USER32(?,00001003,00000002,?), ref: 00409EBB

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$IconList_$MessageSend$LoadReplace$CountCreate
String ID:
API String ID: 3673709545-0
Opcode ID: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction ID: f483db5831cad9889e7f207d848437a4a82f195d6e7bb7359e2425aa16285a4b
Opcode Fuzzy Hash: 20c5cb9973f99a89e878d6eee6cca72c3a181af6a96d535eb3513ac49921a140
Instruction Fuzzy Hash: 98011971281304BFFA321B60EE47FD97BA6EB48B00F014425F749A90E2CBF16860DA18

Function 00407D0A Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D35
sprintf.MSVCRT ref: 00407D4A

Part of subcall function 00407DE5: memset.MSVCRT ref: 00407E09
Part of subcall function 00407DE5: GetPrivateProfileStringA.KERNEL32(004172C0,0000000A,00412466,?,00001000,004171B8), ref: 00407E2B
Part of subcall function 00407DE5: strcpy.MSVCRT(?,?), ref: 00407E45

SetWindowTextA.USER32(?,?), ref: 00407D71
EnumChildWindows.USER32(?,Function_00007CAD,00000000), ref: 00407D81

Strings

caption, xrefs: 00407D56
dialog_%d, xrefs: 00407D40

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ChildEnumPrivateProfileStringTextWindowWindowssprintfstrcpy
String ID: caption$dialog_%d
API String ID: 246480800-4161923789
Opcode ID: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction ID: 1b9ef3c80e7b29f71c03deb4ce56ff4662aaf0b85baafec8cd622ba642293ebf
Opcode Fuzzy Hash: 9cc970e277697b76041602e023995f54401f13df9d738430129227da823c9158
Instruction Fuzzy Hash: 40F02B305482887EEB12AB91DC06FE83B685F08786F0040B6BB44E11E0D7F85AC0C71E

Function 0040E255 Relevance: 9.1, APIs: 6, Instructions: 142stringCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040DD5F,00000000,00000000), ref: 0040E28C
memset.MSVCRT ref: 0040E2E9
memset.MSVCRT ref: 0040E2FB

Part of subcall function 0040E172: strcpy.MSVCRT(?,-00000001), ref: 0040E198

memset.MSVCRT ref: 0040E3E2
strcpy.MSVCRT(?,?,?,00000000,00000118), ref: 0040E407
CloseHandle.KERNEL32(00000000,0040DD5F,?), ref: 0040E451

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$strcpy$CloseHandleOpenProcess
String ID:
API String ID: 3799309942-0
Opcode ID: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction ID: 14fca006082a3f7ea55a807dd49808cd12c96cdbdfea8439eb00a9ee5a281ce1
Opcode Fuzzy Hash: 090a920ccff3a4e303efb007cbafe5d1b02941aedbce4837af1c52a6e7a2511d
Instruction Fuzzy Hash: A2512DB1900218ABDB10DF95DC85ADEBBB8FF44304F1045AAF609B6291D7749F90CF69

Function 00409369 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 106stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

strcat.MSVCRT(?, ), ref: 0040942E
sprintf.MSVCRT ref: 00409450

Strings

<tr>, xrefs: 0040938E
<td bgcolor=#%s nowrap>%s, xrefs: 00409374
 , xrefs: 00409428
<td bgcolor=#%s>%s, xrefs: 00409380

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWritesprintfstrcatstrlen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 3813295786-4153097237
Opcode ID: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction ID: 5cc8281df9b45005db58bfc05dfa6f470ea1610febbae0d5d066e94f32a410cd
Opcode Fuzzy Hash: de7b970c7ee51d784ccd368963446ea6545f22e24ac9db830538cbfa5b1be59e
Instruction Fuzzy Hash: 0C316B31900208AFCF15DF94C8869DE7BB6FF44310F1041AAFD11AB2E2D776AA55DB84

Function 00410A8A Relevance: 9.1, APIs: 6, Instructions: 96stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00410A9D
??2@YAPAXI@Z.MSVCRT(00000001,00410C2C,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410AA6
WideCharToMultiByte.KERNEL32(00000000,00000000,00410C2C,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,00410C2C,?,00000000), ref: 00410ABF

Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE1A
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE38
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE53
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE7C
Part of subcall function 0040FE05: ??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FEA0

strlen.MSVCRT ref: 00410B02

Part of subcall function 0040FF76: ??3@YAXPAX@Z.MSVCRT(?,?,00410B10), ref: 0040FF81
Part of subcall function 0040FF76: ??2@YAPAXI@Z.MSVCRT(00000001,?,00410B10), ref: 0040FF90

memcpy.MSVCRT(?,00000000,00410C2C), ref: 00410B1C
??3@YAXPAX@Z.MSVCRT(00000000,00410C2C,?,00000000), ref: 00410BAF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
String ID:
API String ID: 577244452-0
Opcode ID: 584188bec913278fc047c89b290e140bf37b0e2a195c06d1a8000b4b9f09aa03
Instruction ID: 5b66efc9566b80317fa540751e9ebc59d69584110078b55da7be64cca713082c
Opcode Fuzzy Hash: 584188bec913278fc047c89b290e140bf37b0e2a195c06d1a8000b4b9f09aa03
Instruction Fuzzy Hash: 44317672804219AFCF21EFA1C8809EDBBB5AF44314F1440AAE508A3251DB796FC4CF98

Function 0040AB54 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 72COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AB74

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

Part of subcall function 0040684D: memset.MSVCRT ref: 0040686D
Part of subcall function 0040684D: sprintf.MSVCRT ref: 0040689A
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068A6
Part of subcall function 0040684D: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068BB
Part of subcall function 0040684D: strlen.MSVCRT ref: 004068C9
Part of subcall function 0040684D: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 004068D9

Part of subcall function 00406680: GetSaveFileNameA.COMDLG32(?), ref: 004066CF
Part of subcall function 00406680: strcpy.MSVCRT(?,?), ref: 004066E6

Strings

*.csv, xrefs: 0040ABEF
*.txt, xrefs: 0040AB8D
*.htm;*.html, xrefs: 0040ABBA
txt, xrefs: 0040AC24, 0040AC27
*.xml, xrefs: 0040ABE3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpystrlen$memsetstrcpy$FileLoadNameSaveStringsprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 4021364944-3614832568
Opcode ID: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction ID: 4d38638b85bcf07ffefc140bede2392a268d493de89ddae44be4c2da79bd640a
Opcode Fuzzy Hash: 47d6f0de7c66cadcf7d9a44beb2654d42ee3cfb16f185572a55cd809b74eca63
Instruction Fuzzy Hash: B62101B2D442589ECB01FF99D8857DDBBB4BB04304F10417BE619B7282D7381A45CB5A

Function 00406491 Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0040649C
GetDeviceCaps.GDI32(00000000,00000008), ref: 004064AD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004064B4
ReleaseDC.USER32(00000000,00000000), ref: 004064BC
GetWindowRect.USER32(?,?), ref: 004064C9
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00406507

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CapsDeviceWindow$MoveRectRelease
String ID:
API String ID: 3197862061-0
Opcode ID: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction ID: 542b186de9fc11de55873c3549d90df3c6ab5362d14aa96611489808ae4c73e2
Opcode Fuzzy Hash: 69bb305ff33d1457d4484e576323a0ef66f31560397ccb35d966ff8f0e758d9b
Instruction Fuzzy Hash: FC117C31A0011AAFDB009BB9CE4DEEFBFB8EB84711F014165E901E7250D6B0AD01CBA0

Function 00403A8D Relevance: 9.1, APIs: 6, Instructions: 56filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00403AB2
memset.MSVCRT ref: 00403ACB
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AE2
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403B01
strlen.MSVCRT ref: 00403B13
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403B24

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidememset$FileWritestrlen
String ID:
API String ID: 1786725549-0
Opcode ID: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction ID: d8056d974a042835a8b53dd5956248081512f57f3cb7fafeec888b91cb2496ed
Opcode Fuzzy Hash: f625be7e6fa724cc13b0b56902c1b33cd6369ef039f23dbe168f1e8392359ec1
Instruction Fuzzy Hash: 6A1161B244012CBEFB009B94DD85DEB77ADEF08354F0041A6B70AD2091D6349F94CB78

Function 00406585 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 53stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004065A4
sprintf.MSVCRT ref: 004065C5
strcat.MSVCRT(?,00413078), ref: 004065D7
strcat.MSVCRT(?,00413084,00000000), ref: 004065F4
strcat.MSVCRT(?,00000000), ref: 00406603

Strings

%2.2X, xrefs: 004065BF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcat$memsetsprintf
String ID: %2.2X
API String ID: 582077193-791839006
Opcode ID: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction ID: 9ba21b13147b7bc42f3eaeb5b708c7057566a78b4f06b3a82068ff28b5e275af
Opcode Fuzzy Hash: f03ef531f1dceed6107a024529effe878a92871925f9b5c2fb8bf99f2bcc600c
Instruction Fuzzy Hash: 54014C7294421476D7315725ED03BEA379C9B84704F10407FF986A61C5EABCDBD48798

Function 0040FEED Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,00410BC0,00410C2C,?,00000000), ref: 0040FEFB
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF16
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF2C
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF42
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF58
??3@YAXPAX@Z.MSVCRT(?,?,00410BC0,00410C2C,?,00000000), ref: 0040FF6E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction ID: b81094b12df4fb27198692459327ff2c1ceec6e662cd9000025ff3e54110b63d
Opcode Fuzzy Hash: ea111159704be43e2a104ffdb8d509d36bb5885e2519feaa300ca6788f6abc2c
Instruction Fuzzy Hash: B0015E72A029322AC5257B26680178AA3557F41B14B06013FFA0577B824F7C799246ED

Function 0040173B Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040174A
GetSystemMetrics.USER32(00000015), ref: 00401758
GetSystemMetrics.USER32(00000014), ref: 00401764
BeginPaint.USER32(?,?), ref: 0040177E
DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 0040178D
EndPaint.USER32(?,?), ref: 0040179A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
String ID:
API String ID: 19018683-0
Opcode ID: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction ID: a11a87b208587c0640a8feba78a21dda7633aea5bad1576310b301da0c27fea9
Opcode Fuzzy Hash: 42458483af95651e2167a539795fde663e6d8f5d0ac71463485711cad55c201f
Instruction Fuzzy Hash: B6014B72900218FFDF08DFA8DD489FE7BB9FB44301F004469EE11EA194DAB1AA14CB64

Function 00411366 Relevance: 8.9, APIs: 7, Instructions: 147stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411387
memset.MSVCRT ref: 004113A0
memset.MSVCRT ref: 004113B4

Part of subcall function 00410E8A: strlen.MSVCRT ref: 00410E97

strlen.MSVCRT ref: 004113D0
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 004113F5
memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0041140B

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD2A
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD40
Part of subcall function 0040BD0B: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD81

memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 0041144B

Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
Part of subcall function 0040BC6D: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA

Part of subcall function 0040BD0B: memset.MSVCRT ref: 0040BD52

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset$strlen
String ID:
API String ID: 2142929671-0
Opcode ID: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction ID: c39f5f8930626063bf72b6da9320efac153577eb3bd573588316f9f93fa8d4dc
Opcode Fuzzy Hash: 0caf23c9b80619e2a6bbbc2ceb5d7559ea51fa806e827c69c16e75f74dc5ea3d
Instruction Fuzzy Hash: C4515C7290011DABCB10EF55CC819EEB7A9BF44308F5445BAE609A7151EB34AB898F94

Function 004078FF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 100stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A

Part of subcall function 00407D89: _itoa.MSVCRT ref: 00407DAA

strlen.MSVCRT ref: 00407998
LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078A5
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078C3
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078E1
Part of subcall function 0040787D: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00008000,0040790D,00408822,?,?,?,?,?,00000000,76F90A60), ref: 004078F1

Strings

strings, xrefs: 00407970

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$LoadString_itoamemcpystrcpystrlen
String ID: strings
API String ID: 1748916193-3030018805
Opcode ID: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction ID: bfec9983b2359add980c5e43b0d452c2fda20e15e3ba6c634c10b5a9b6e313b6
Opcode Fuzzy Hash: bf392a6dacac5d0c9eb1169d992c8844a823b81d6c84b2abf61d961779fc3ee1
Instruction Fuzzy Hash: F73189B1A8C101BFD7159B59FD80DB63377EB84304710807AE902A7AB1E639B851CF9D

Function 0040329E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 82stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040314D: strchr.MSVCRT ref: 00403262

memset.MSVCRT ref: 004032F2
GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 0040330C
strchr.MSVCRT ref: 00403341

Part of subcall function 00402407: _mbsicmp.MSVCRT ref: 0040243F

strlen.MSVCRT ref: 00403383

Part of subcall function 00402407: _mbscmp.MSVCRT ref: 0040241B

Strings

Personalities, xrefs: 00403307

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
String ID: Personalities
API String ID: 2103853322-4287407858
Opcode ID: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction ID: ece583472a64ba9cf1aca627ef0740b0f3020b1d2d3fce26046d940835a048de
Opcode Fuzzy Hash: e3fa63d939a05486987fea06324786367eab17663f8cebe7d255cc1b6eb769cc
Instruction Fuzzy Hash: 8C21BA72A00108AADB119F69DD81ADE7F6C9F50349F0040BBEA45F3181DA38EF86866D

Function 00410F79 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 51registryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410F9B

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

Part of subcall function 0040EB80: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,0040EF11,?,?,?,?,0040EF11,00000000,?,?), ref: 0040EB9B

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 00411007

Strings

Software\Yahoo\Pager, xrefs: 00410FA4
Yahoo! User ID, xrefs: 00410FBF
EOptions string, xrefs: 00410FDA

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValuememset
String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
API String ID: 1830152886-1703613266
Opcode ID: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction ID: 4a1c6cf285358ebc60a306e6e4607d202acce7e44454db846991f846a9516d87
Opcode Fuzzy Hash: eea9cffd790e45d2014a53520a97df09f09eacd0c9e47dd03152d544afa7cf5a
Instruction Fuzzy Hash: 820184B5A00118BBDB10A6569D02FDE7A6C9B94399F004076FF08F2251E2389F95C698

Function 00405F41 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?), ref: 00405F51
sprintf.MSVCRT ref: 00405F79
MessageBoxA.USER32(00000000,?,Error,00000030), ref: 00405F92

Strings

Error %d: %s, xrefs: 00405F73
Error, xrefs: 00405F83

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastMessagesprintf
String ID: Error$Error %d: %s
API String ID: 1670431679-1552265934
Opcode ID: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction ID: dfdfd8ae3da356d4892d02c8fdfc7d0b76dc1d64d686e07e92b09a376f71314b
Opcode Fuzzy Hash: 9a2ad0e70752bb447b178d956355c706b7f152369d8ca83d74a421e60f1b41e3
Instruction Fuzzy Hash: 9BF0A7B640010876CB10A764DC05FDA76BCAB44704F1440B6BA05E2141EAB4DB458FAC

Function 0040F037 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shlwapi.dll,000003ED,753D8FB0,00405C41,00000000), ref: 0040F040
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040F04E
FreeLibrary.KERNEL32(00000000), ref: 0040F066

Strings

shlwapi.dll, xrefs: 0040F039
SHAutoComplete, xrefs: 0040F048

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction ID: e435a3077eadc7ffcc94e3fda903fcc6a6103b68d0c251917c13f6f883115a60
Opcode Fuzzy Hash: 00be263e50752a8f479fbc1a88640afc62a4183cc8ad6fe6345b1c509fc360a9
Instruction Fuzzy Hash: 70D0C2323002106B96605B326C0CAEB2D55EBC47527048032F505E1250EB648A86C1A8

Function 00407406 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 104stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00407415
memset.MSVCRT ref: 0040744D
memcpy.MSVCRT(?,00000000,?,?,?,?,76DBEB20,?,00000000), ref: 0040750A
LocalFree.KERNEL32(?,?,?,?,?,76DBEB20,?,00000000), ref: 00407535

Strings

&v@, xrefs: 0040750F

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLocalmemcpymemsetstrlen
String ID: &v@
API String ID: 3110682361-3426253984
Opcode ID: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction ID: 0225f7a5d6cb17f6a7661d1d380ab710e59dbb599c3936da0c6da93344c8566d
Opcode Fuzzy Hash: 9a1ef4ca1be38dacd8a40183f10fd2ba3c83eed1e3cc7d309a54d2d6fc5753ae
Instruction Fuzzy Hash: B731F772D0411DABDB10DB68CC81BDEBBB8EF45318F1001B6E645B3281DA78AE858B95

Function 00409695 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

memset.MSVCRT ref: 004096CB

Part of subcall function 0040F09D: memcpy.MSVCRT(?,<,00000004,?,?,00000000,004096EC,?,?), ref: 0040F10B

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409710

Strings

</item>, xrefs: 0040972A
<item>, xrefs: 0040969F
<%s>%s</%s>, xrefs: 00409708

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite_strlwrmemcpymemsetsprintfstrcpystrlen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 3200591283-2769808009
Opcode ID: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction ID: f0c093cdac9801847eaa7418f237768de61d650e358e632480a4b045718b8cde
Opcode Fuzzy Hash: 07c18c0e4a87831351b3b02fe01daf5ffa13d64f31dc98592b1a2e626d7dc146
Instruction Fuzzy Hash: FE11E731500515BFC711AF25CC42E967B64FF04318F10006AF549369A2EB76BA64DFD8

Function 00407BF9 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00407C0B
GetWindowRect.USER32(?,?), ref: 00407C18
GetClientRect.USER32(00000000,?), ref: 00407C23
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 00407C33
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00407C4F

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction ID: 06ac4e87c023cdd11bbb76a881eefb098f7857fbb12a9e12d40a619b69e20d01
Opcode Fuzzy Hash: 7bea04c1b6e52cb4f5c6b6cbc8acbaaab4948e977a1f04226da639ece1b7c51f
Instruction Fuzzy Hash: A7014C32800129BBDB119BA5DD89EFF7FBCEF46750F048129F901E2150D7B89541CBA9

Function 0040A4C8 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040A4F5

Part of subcall function 00405E2C: LoadCursorA.USER32(00000000,00007F02), ref: 00405E33
Part of subcall function 00405E2C: SetCursor.USER32(00000000,?,0040BAC6), ref: 00405E3A

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040A518

Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A45D
Part of subcall function 0040A437: sprintf.MSVCRT ref: 0040A487
Part of subcall function 0040A437: strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A
Part of subcall function 0040A437: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

SetCursor.USER32(?,?,0040B6B6), ref: 0040A53D
SetFocus.USER32(?,?,?,0040B6B6), ref: 0040A54F
SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040A566

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSend$Cursor$sprintf$FocusLoadstrcat
String ID:
API String ID: 2210206837-0
Opcode ID: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction ID: 5ceab2a0550c6f7be61398745e2f8fe4621b0361104972d0b8848fcf02267a2c
Opcode Fuzzy Hash: d04c02dfd2683b57df494b0aa3d26c888530678e73924bd562102cacfecd4f7b
Instruction Fuzzy Hash: 12116DB1200600EFD722AB74DC85FAA77EDFF48344F0644B9F1599B2B1CA716D018B10

Function 00409867 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040988A
memset.MSVCRT ref: 004098A0

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 004098D7

Strings

<?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 004098A5
<%s>, xrefs: 004098D1

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
API String ID: 3202206310-1998499579
Opcode ID: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction ID: 66925a684df18266fce8bb701fa3a75b356ea9bacad4fe0319972b489c667c97
Opcode Fuzzy Hash: 51e994947d23847d28837b494a86f4ec5d5778f6c6bb559d4411b981ab6fcacc
Instruction Fuzzy Hash: BC01A77290011976D721A759CC46FDA7B6C9F44304F0400FAB509B3192DB789F858BA8

Function 00408572 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction ID: 0a64c6e0650ef7a992325d71cca8afebdafc0e64b7e6075a64aa0ecb46f153ec
Opcode Fuzzy Hash: adc8f632b908da7283220df0e2c160d15a0e9bb9cd04da95c42ed7d64d4f577a
Instruction Fuzzy Hash: C2F0F4725057016FDB209F6A99C0497B7D6BB48714B64083FF18AD3741CF78AD818A18

Function 004085D8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040857E
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040858C
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 0040859D
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085B4
Part of subcall function 00408572: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040876C,?,?,00000000,76F90A60,?,00000000), ref: 004085BD

??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 004085F3
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 00408606
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 00408619
??3@YAXPAX@Z.MSVCRT(?,?,00404244), ref: 0040862C
free.MSVCRT ref: 00408640

Part of subcall function 00406B5B: free.MSVCRT ref: 00406B62

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction ID: 9ddd328a78e70669a2f2a4495a49ad6ad9a3331e0dda25fcf26d4743fc91c851
Opcode Fuzzy Hash: 0216321c22edde0e428b6460b65a4d9d3fdf50d22b04996e8803d6d71622e83e
Instruction Fuzzy Hash: E3F0F6729028306BC9213B275011A8EB3657D4171431B056FF946BB7A28F3C6E9246FD

Function 0040E81A Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 004062D1: memset.MSVCRT ref: 004062F1
Part of subcall function 004062D1: GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
Part of subcall function 004062D1: _stricmp.MSVCRT(00000000,edit), ref: 00406316

SetBkMode.GDI32(?,00000001), ref: 0040E841
GetSysColor.USER32(00000005), ref: 0040E849
SetBkColor.GDI32(?,00000000), ref: 0040E853
SetTextColor.GDI32(?,00C00000), ref: 0040E861
GetSysColorBrush.USER32(00000005), ref: 0040E869

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Color$BrushClassModeNameText_stricmpmemset
String ID:
API String ID: 1869857563-0
Opcode ID: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction ID: 70d3a7b2db974a4d4567ef1bfe72cf66993607b5e30e9ab541cb73924f0fe55d
Opcode Fuzzy Hash: fa2efa1d352e815f872068aeb743c84bb0f55ba64056062ab12fb6989f15ddc0
Instruction Fuzzy Hash: 8CF01D32100205BBDF152FA6DD09E9E3F25EF08711F10C53AFA19A51E1CAB5D970DB58

Function 0040B105 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 0040B13E
SetFocus.USER32(?,?,?), ref: 0040B1E4
InvalidateRect.USER32(?,00000000,00000000), ref: 0040B2E1

Strings

`5A, xrefs: 0040B1EA

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DestroyFocusInvalidateRectWindow
String ID: `5A
API String ID: 3502187192-343712130
Opcode ID: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction ID: 7dc3b259c8ef6dbe6f4b6ee630ad47b8a618685bd7b93527759b10f323b3e488
Opcode Fuzzy Hash: 4c3d990881eba3cf74bda8571d7f9b3248234962b7985cf1d53a89f59e718e54
Instruction Fuzzy Hash: 2B519130A043019BCB25BF658845E9AB3E0EF54724F44C57FF4696F2E1CB7999818B8E

Function 00405CEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32(0000000B), ref: 00405D07

Part of subcall function 0040169B: GetDlgItem.USER32(?,?), ref: 004016AB
Part of subcall function 0040169B: GetClientRect.USER32(?,?), ref: 004016BD
Part of subcall function 0040169B: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401727

EndDeferWindowPos.USER32(?), ref: 00405DD8
InvalidateRect.USER32(?,?,00000001), ref: 00405DE3

Strings

$, xrefs: 00405DEF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DeferWindow$Rect$BeginClientInvalidateItem
String ID: $
API String ID: 2498372239-3993045852
Opcode ID: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction ID: 46e20a5f719da2480e3b09a58904212cef45bdfb275aa5f1a4c21840a4711c1e
Opcode Fuzzy Hash: eed8279c3271f2b27814900a34917ae49580b819969905b4e3b00ee4e388fd63
Instruction Fuzzy Hash: EB316D30641254BBCB216F13DD49D9F3F7CEF86BA4F10483DB409762A1C6798E10DAA8

Function 0040719C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EB3F: RegOpenKeyExA.KERNELBASE(80000002,80000002,00000000,00020019,80000002,0040EEE8,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,?,?,00000104), ref: 0040EB52

memset.MSVCRT ref: 004071D7

Part of subcall function 0040EC05: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 0040EC28

RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407225
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 00407242

Strings

Software\Google\Google Desktop\Mailboxes, xrefs: 004071AF

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Close$EnumOpenmemset
String ID: Software\Google\Google Desktop\Mailboxes
API String ID: 2255314230-2212045309
Opcode ID: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction ID: abca04dfe3767426288f52b4a512d9ce3e2bfadbcd13eaa8a3c626f28e0c8a54
Opcode Fuzzy Hash: 452db49ed067e6e6e63c10348168c8f88923fb1a9b6aea3e0d2cfe22e4762b25
Instruction Fuzzy Hash: A71142728083456BD710EE52DC01EAB7BECEB84344F04093EF995E1191E735E628DAA7

Function 0040B70A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegisterClassA.USER32(?), ref: 0040B74B
CreateWindowExA.USER32(00000000,MailPassView,Mail PassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,?), ref: 0040B776

Strings

MailPassView, xrefs: 0040B770
Mail PassView, xrefs: 0040B76B

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassCreateRegisterWindow
String ID: Mail PassView$MailPassView
API String ID: 3469048531-1277648965
Opcode ID: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction ID: f223c9819260e0b75888b36d0bfde8daf7ba5992c102a2aca34afaaeb944facf
Opcode Fuzzy Hash: 7d9b3190e156b9bfff027be3e0f607fb910863f17b47cbf685ca248547ef7640
Instruction Fuzzy Hash: 3601ECB5D01248ABDB10CF96CD45ADFFFF8EB99B00F10812AE555F2250D7B46544CB68

Function 00401085 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00406191: memset.MSVCRT ref: 0040619B
Part of subcall function 00406191: strcpy.MSVCRT(?,00000000,?,00000000,0000003C,00000000,?,00406269,Arial,0000000E,00000000), ref: 004061DB

CreateFontIndirectA.GDI32(?), ref: 004010A4
SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 004010C3
SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 004010E0

Strings

MS Sans Serif, xrefs: 00401090

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetstrcpy
String ID: MS Sans Serif
API String ID: 4251605573-168460110
Opcode ID: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction ID: 11d026e54a5ae2454c64c325e08d9e616df03e05f7163fa19ba200447038793b
Opcode Fuzzy Hash: a5c1b06fa8ac567c51537cce04f23f48b3e0294f7b0701913d9bb68d384747bd
Instruction Fuzzy Hash: 73F0A775A8034877E72167A0ED47F8A7BACAB40B00F10C135FB61B51E1D6F47554DB58

Function 0040DE43 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00416E70,?,00000050,?,004014FF,?), ref: 0040DE5D
memcpy.MSVCRT(00416BA0,?,000002CC,00416E70,?,00000050,?,004014FF,?), ref: 0040DE6F
DialogBoxParamA.USER32(0000006B,?,Function_0000DB39,00000000), ref: 0040DE93

Strings

V7, xrefs: 0040DE6F

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$DialogParam
String ID: V7
API String ID: 392721444-2959985473
Opcode ID: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction ID: 1a8743d5fef8bbef7923f2c95fec7d45d4f15d0a806a7122114c86eec2fd18b9
Opcode Fuzzy Hash: 5e9eade56f70dddb9201fe9d43162507361263185449feca73d32e9d96fafbc6
Instruction Fuzzy Hash: 93F0A7716843207BD7116F54AC06BC63BF2B704B5AF114926F149E40E1D3F56550CBCC

Function 004062D1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004062F1
GetClassNameA.USER32(?,00000000,000000FF), ref: 00406304
_stricmp.MSVCRT(00000000,edit), ref: 00406316

Strings

edit, xrefs: 00406310

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassName_stricmpmemset
String ID: edit
API String ID: 3665161774-2167791130
Opcode ID: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction ID: 6efc07277a00def775dca084f59963aaad452a70fda198cb5006c56c80a8bddd
Opcode Fuzzy Hash: f6364a9e82c342bcd76c39a965b38e05be617d7d52f0a224c2f99095176bc218
Instruction Fuzzy Hash: 75E09BB3C4412A7ADB21A764DC05FE53BAC9F59305F0001B6BD46E10D5E5B497C887A5

Function 0040EDAC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(shell32.dll,0040B9D8,76F90A60,?,00000000), ref: 0040EDBA
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 0040EDCF

Strings

SHGetSpecialFolderPathA, xrefs: 0040EDC9
shell32.dll, xrefs: 0040EDB5

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathA$shell32.dll
API String ID: 2574300362-543337301
Opcode ID: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction ID: 9298da647e7f97f850720a93b521a1101e1548fa407b312faad19db7241a3124
Opcode Fuzzy Hash: 8c8e9a4ff32791e3d6bd34cb9d8ce11c35f1ef255cc83771f6bc322d1b4004da
Instruction Fuzzy Hash: 4BD0C970649202EFC7008F21AE097813ABABB18703F10C537A506E1AA0F7B88190CF5C

Function 0040FE05 Relevance: 6.3, APIs: 5, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT(00000020,?,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE1A
??2@YAPAXI@Z.MSVCRT(00000020,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE38
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE53
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FE7C
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00410AD0,?,00410C2C,?,00000000), ref: 0040FEA0

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 1f0eb692bf4756200005e253d6c900365ae8e51c0a9d530db6412e15fefa842e
Instruction ID: d938b1c2a289ef47e5423cea375f2860c04713c819a512dfc676868f3ea794ac
Opcode Fuzzy Hash: 1f0eb692bf4756200005e253d6c900365ae8e51c0a9d530db6412e15fefa842e
Instruction Fuzzy Hash: CC3146B0A107008FD7609F3AD845666FBE4EF80355F25887FD20ADB6B2E7B8D4448B59

Function 0040BD0B Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BD2A
memset.MSVCRT ref: 0040BD40
memset.MSVCRT ref: 0040BD52
memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,00403801,00000000), ref: 0040BD77
memset.MSVCRT ref: 0040BD81

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction ID: 14e83d3a51f9c3b731822f35bbce0da2433a64988b134a744f8d54487411a0b4
Opcode Fuzzy Hash: 4c1dce2a3317b4880715cd557b1b90e7212d21989bb675327cb4115bdd69e9ea
Instruction Fuzzy Hash: 6F01F5B1680B0026D2356B26CC02F9A77A5AFA0714F000B1EF643666D1D7ACE244869C

Function 0040246C Relevance: 6.1, APIs: 4, Instructions: 127COMMON

Download Yara Rule

APIs

Part of subcall function 0040EBA3: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,004024A0,?), ref: 0040EBB9

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 0040252C
memset.MSVCRT ref: 004024F5

Part of subcall function 0040E988: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 0040E9A5
Part of subcall function 0040E988: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 0040E9C6
Part of subcall function 0040E988: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 0040EA04
Part of subcall function 0040E988: CoTaskMemFree.OLE32(00000000,00000000), ref: 0040EA13

WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 004025E4
LocalFree.KERNEL32(?), ref: 004025EE

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
String ID:
API String ID: 3503910906-0
Opcode ID: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction ID: 8b275e149f62785490509d2466391155d2af3f8991a5b00387cc308873e1222d
Opcode Fuzzy Hash: bb52322aa56186edb046b50904625ef5fe77f2ed0f2dccde0d18aa7e90448571
Instruction Fuzzy Hash: 7041B4B1408384BFD711DB608D44AEBBBDCBB48308F44493EFA98A21D1D678DA54DB5A

Function 0040B3C4 Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B42E
SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040B472
GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040B48C
PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040B52F

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$MenuPostSendStringmemset
String ID:
API String ID: 3798638045-0
Opcode ID: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction ID: e99ea3cd5ae45d968ce1bb78ba156cefd6297a3afaf0c32d246f8b1269deedf3
Opcode Fuzzy Hash: c3aa6ddd336313682f51672c6081f6f8049648b04dcffedc212cd8d1236b5249
Instruction Fuzzy Hash: 5041F430600611EBCB25DF24CC85A96B7A4FF14324F1482B6E958AB2C6C378DE91CBDC

Function 0040A119 Relevance: 6.1, APIs: 4, Instructions: 114stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040892D: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000), ref: 0040894E
Part of subcall function 0040892D: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 00408A15

strlen.MSVCRT ref: 0040A13F
atoi.MSVCRT(?,00000000,?,76F90A60,?,00000000), ref: 0040A14D
_mbsicmp.MSVCRT ref: 0040A1A0
_mbsicmp.MSVCRT ref: 0040A1B3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _mbsicmp$??2@??3@atoistrlen
String ID:
API String ID: 4107816708-0
Opcode ID: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction ID: ad5e67b725479cd3c0fe98911646f79d6f4c04cefe3616236e53ea043d5b2769
Opcode Fuzzy Hash: 04d0626d4e34a8bed9540d47d501c89c47d505d3d6eba4bb40819434c6ba53c8
Instruction Fuzzy Hash: 24414B75900304AFCB10DFA9C580A9ABBF5FB48308F1084BEEC05AB392D7399A51CB59

Function 00410E8A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 84stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00410E97

Strings

>, xrefs: 00410EBD
>, xrefs: 00410EF8
>, xrefs: 00410ED2

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen
String ID: >$>$>
API String ID: 39653677-3911187716
Opcode ID: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction ID: 69dee6f6c2e5f632f5f5b053a668a00b89048f502478ac4f4f3cd81ce8891ac8
Opcode Fuzzy Hash: cc9d2e4949e9ff96ebc93a83fa171427e13732e23a33d014681ceaf85bfc699f
Instruction Fuzzy Hash: D331D5318097C49ED7218B6980563EFFFA14F26304F188ADAD0E557343D2EC96CAC75A

Function 0040BC6D Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCB0
memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCDA
memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,0041142A,?,?,?,00000008,?,00000000,00000000), ref: 0040BCFE

Strings

@, xrefs: 0040BCEC

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @
API String ID: 3510742995-2766056989
Opcode ID: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction ID: cecad1072309209c94eeb2778a75b30bbc980c70aaade9bdc77468b7d13379ad
Opcode Fuzzy Hash: 72109dd3c061e5e7965399845177051784b2c116136a58e32e92d3e3a8f21608
Instruction Fuzzy Hash: 8B112BB29003056BDB288F16D8809AA77EAEF50344700063FFD0796291FB39DE55C6DC

Function 00406F6F Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,004014BB,?,?,?,?,00414588,0000000C), ref: 00406FA4
memset.MSVCRT ref: 00406FB5
memcpy.MSVCRT(00416AC0,?,00000000,00000000,00000000,00000000,00000000,?,?,004014BB,?,?,?,?,00414588,0000000C), ref: 00406FC1
??3@YAXPAX@Z.MSVCRT ref: 00406FCE

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 28b3a4642f3a3c0ced8ee47f767df9dcead146173574c86910ac67de2723ebda
Instruction ID: 30667c860212afb2fcb1bf0ba773cc68d22997902d766bb0abd15f5aaececc89
Opcode Fuzzy Hash: 28b3a4642f3a3c0ced8ee47f767df9dcead146173574c86910ac67de2723ebda
Instruction Fuzzy Hash: 81118F71204601AFD328DF1DD881A27F7E6FFD8340B21892EE59B87391DA35E841CB54

Function 0040EFAE Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 0040EFBE
SHBrowseForFolderA.SHELL32(?), ref: 0040EFF0
SHGetPathFromIDListA.SHELL32(00000000,?), ref: 0040F004
strcpy.MSVCRT(?,?), ref: 0040F017

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathstrcpy
String ID:
API String ID: 409945605-0
Opcode ID: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction ID: 0bece651b4572a5d25d0fced66708dfb83f65978f11dfbdadd7c1eadd6bf4f14
Opcode Fuzzy Hash: 363e444f0183eb3209581039a296e9ed2a0e0cb40b9c5b89ec9b93d888cfbacc
Instruction Fuzzy Hash: DD11F7B5900208AFCB10DFA9D9889EEBBFCFB49310F10447AEA05E7241D779DA458B64

Function 0040A437 Relevance: 6.0, APIs: 4, Instructions: 45stringwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004078FF: LoadStringA.USER32(00000000,0000000D,?,?), ref: 004079C8
Part of subcall function 004078FF: memcpy.MSVCRT(00000000,00000001,?,?,?,?,?,00000000,76F90A60), ref: 00407A07

sprintf.MSVCRT ref: 0040A45D
SendMessageA.USER32(?,00000401,00000000,?), ref: 0040A4C0

Part of subcall function 004078FF: strcpy.MSVCRT(004172C0,strings,?,?,00408822,?,?,?,?,?,00000000,76F90A60), ref: 0040797A
Part of subcall function 004078FF: strlen.MSVCRT ref: 00407998

sprintf.MSVCRT ref: 0040A487
strcat.MSVCRT(?,?,?,00000000,00000000), ref: 0040A49A

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: sprintf$LoadMessageSendStringmemcpystrcatstrcpystrlen
String ID:
API String ID: 919693953-0
Opcode ID: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction ID: 75288aada6eb4f7a447a9cf13bdf828529425e42ebb21a5188d22772f738aad9
Opcode Fuzzy Hash: 90207433884269e3a26f13c39c42963f5ff8dc1025de2d2684d4a636a9e51624
Instruction Fuzzy Hash: 2601DBB250030466D721B775DD86FEB73AC6F00304F40447BB74AF6082DABCE9808B29

Function 0040F3BA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F3DC
strlen.MSVCRT ref: 0040F3E4
strlen.MSVCRT ref: 0040F3F1

Part of subcall function 004062AD: strcpy.MSVCRT(00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062B5
Part of subcall function 004062AD: strcat.MSVCRT(00000000,00000000,00000000,00000000,sqlite3.dll,00402138,00000000,nss3.dll), ref: 004062C4

Strings

sqlite3.dll, xrefs: 0040F3E9, 0040F3EE, 0040F401

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$memsetstrcatstrcpy
String ID: sqlite3.dll
API String ID: 1581230619-1155512374
Opcode ID: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction ID: fec7c4afce47c381fe657df57b8ff367c384fd882de8837a2d08c6e6e293e1f2
Opcode Fuzzy Hash: 3cb808dc3fd31d135458d717301fbb3bbf110c950f4aa8e177593d82486e3e62
Instruction Fuzzy Hash: 4BF02D3144C1286ADB10E769DC45FCA7BAC8FA1318F1040B7F586E60D2D9B89AC98668

Function 004098F4 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409917
memset.MSVCRT ref: 0040992D

Part of subcall function 00409018: strcpy.MSVCRT(00000000,?,00409701,?,?,?), ref: 0040901D
Part of subcall function 00409018: _strlwr.MSVCRT ref: 00409060

sprintf.MSVCRT ref: 00409957

Part of subcall function 00405EFD: strlen.MSVCRT ref: 00405F0A
Part of subcall function 00405EFD: WriteFile.KERNEL32(00412B1C,00000001,00000000,76F90A60,00000000,?,?,004092ED,00000001,00412B1C,76F90A60), ref: 00405F17

Strings

</%s>, xrefs: 00409951

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_strlwrsprintfstrcpystrlen
String ID: </%s>
API String ID: 3202206310-259020660
Opcode ID: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction ID: adbfc7571eef3522ba50f6b4148bdf50dea618c8f0168b60c77ad4ff43fabaf4
Opcode Fuzzy Hash: 8cbe72e2fc2d9776a491eb44f024350a6eb65ee3e03a862d51b3af92fd5e6b23
Instruction Fuzzy Hash: B201D1729001297AD720A719CC45FDA7AACAF84304F0400FAB60AF3182DA749F848BA8

Function 00406734 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 20stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00406736
strlen.MSVCRT ref: 00406741
strcat.MSVCRT(00000000,dA,0000001C,00410D64,\Microsoft\Windows Mail,?,?,?), ref: 00406758

Strings

dA, xrefs: 00406751

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$strcat
String ID: dA
API String ID: 2335785903-82490789
Opcode ID: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction ID: 8adb96eafe51badce5d1f431fd236154b3227263db9247bb640c15329514921a
Opcode Fuzzy Hash: 8b0d949a9835eed74c78f3475c18959fb5a6152aa5369579c15a011cca720fff
Instruction Fuzzy Hash: EFD05E3350852036C5152316BC429DE5B82CBC037CB15445FF609921A1E93D84D1859D

Function 00402221 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

_ultoa.MSVCRT ref: 00402286
sprintf.MSVCRT ref: 004022FA

Strings

%s %s %s, xrefs: 004022F4

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _ultoasprintf
String ID: %s %s %s
API String ID: 432394123-3850900253
Opcode ID: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction ID: d9c328b9b741649d7ae815da5d558f3ae5f994b92098e95e7c9169487fd3f945
Opcode Fuzzy Hash: 7ea893eb970b9f9c330beb309c0cc5b8cf8f56ebc8930b7fcefd01bde23561b2
Instruction Fuzzy Hash: C4410932504B15C7C636956487CCBEBA264A742304F6508BFEC5AF72D1C2FCAD41976B

Function 0040D37A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

*.*, xrefs: 0040D3A3
prefs.js, xrefs: 0040D3E6

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strlen$FileFindFirst
String ID: *.*$prefs.js
API String ID: 2516927864-1592826420
Opcode ID: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction ID: f0fdac10561689b7590a9d658f3f63ad40faf00aab35cef1d8d79f75c7dff1a2
Opcode Fuzzy Hash: 3e701ac251ef0c92007320573df48c8a58c02c849dde9726d81be77e97480d08
Instruction Fuzzy Hash: 2711E731408349AAD720EAA5C8019DB77DC9F85324F00493FF869E21C1DB38E61E87AB

Function 00406680 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44stringCOMMON

Download Yara Rule

APIs

GetSaveFileNameA.COMDLG32(?), ref: 004066CF
strcpy.MSVCRT(?,?), ref: 004066E6

Strings

L, xrefs: 004066B4

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameSavestrcpy
String ID: L
API String ID: 1182090483-2909332022
Opcode ID: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction ID: a38c0b8f1c2b7ba0f1b8aa2faef71ae79cae630a3543d59e66951d479f2b4fd1
Opcode Fuzzy Hash: 60ad435b05b414f2b30048372afc6468a300e5fb370a7e0e1bfb6bb36773f123
Instruction Fuzzy Hash: 7F0125B1E102199FDF00CFA9D8807AEBBF8FF08319F10442AE915E6280DBB88915CF44

Function 0040ADB3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040ADD3
SetFocus.USER32(?,?), ref: 0040AE5B

Part of subcall function 0040AD9D: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040ADAC

Strings

l, xrefs: 0040AE03

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FocusMessagePostmemset
String ID: l
API String ID: 3436799508-2517025534
Opcode ID: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction ID: a3aa1947760d1632b5ff20bf1b11b778d92a779fff19439862dc3abef3b95f30
Opcode Fuzzy Hash: aeb443fdb5aee6ef7c028d3e89b28528cc274f3a7ebb19c8f17c9a74365f91d9
Instruction Fuzzy Hash: 1011A1719002589BDF21AB14CC047CA7BAAAF80308F0804F5A94C7B292C7B55B88CFA9

Function 00408441 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040845A
SendMessageA.USER32(?,00001019,00000000,?), ref: 00408488

Strings

", xrefs: 00408481

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction ID: 3d4b9897b9e590d379032152458179bae83636b6f0047c21005e3f982915147a
Opcode Fuzzy Hash: 34401dede8e385bb68c53d7b6caaa6400c7ccd3c24b43ec3f913943d5d854be5
Instruction Fuzzy Hash: 4F01D635900205AFDB20CF95C941EAFB7F8FF84759F10842EE891AA240E738DA85CB75

Function 00406618 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

GetOpenFileNameA.COMDLG32(?), ref: 00406662
strcpy.MSVCRT(?,?), ref: 00406670

Strings

L, xrefs: 0040663C

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameOpenstrcpy
String ID: L
API String ID: 812585365-2909332022
Opcode ID: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction ID: 13dc2997c8553d865726dff807e233ea18e6c60b58d53e24b26ad6de5975139e
Opcode Fuzzy Hash: 005d7a4cd57d0344050e2e978546a456973b8179e79084affb1262c5eec5662a
Instruction Fuzzy Hash: 5201B2B1D10218AFCF40DFA9D8456CEBFF8BB08308F00812AE519E6240E7B886458F98

Function 00407BB9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

LoadMenuA.USER32(00000000), ref: 00407BC1
sprintf.MSVCRT ref: 00407BE4

Part of subcall function 00407A64: GetMenuItemCount.USER32(?), ref: 00407A7A
Part of subcall function 00407A64: memset.MSVCRT ref: 00407A9E
Part of subcall function 00407A64: GetMenuItemInfoA.USER32(?), ref: 00407AD4
Part of subcall function 00407A64: memset.MSVCRT ref: 00407B01
Part of subcall function 00407A64: strchr.MSVCRT ref: 00407B0D
Part of subcall function 00407A64: strcat.MSVCRT(?,?,?,?,?,00000001,?), ref: 00407B68
Part of subcall function 00407A64: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 00407B84

Strings

menu_%d, xrefs: 00407BDA

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoLoadModifysprintfstrcatstrchr
String ID: menu_%d
API String ID: 3671758413-2417748251
Opcode ID: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction ID: 3be60505ea2565ef11dfa3f51dd36ce0e69a3f53bb310b440500eec60165980c
Opcode Fuzzy Hash: e0b27bc8312c4869803a1ee04920a3f9795f2512d2491c73ec6fe14da36cbe17
Instruction Fuzzy Hash: 9FD01D71A4D14037D72033356D09FCF19794BD3B15F5440A9F200722D1D57C5755857D

Function 00406325 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(00417550,00000104,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040633A
strcpy.MSVCRT(00000000,00417550,?,0040E228,00000000,?,00000000,00000104,00000104), ref: 0040634A

Strings

PuA, xrefs: 0040632D

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DirectoryWindowsstrcpy
String ID: PuA
API String ID: 531766897-3228437271
Opcode ID: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction ID: dc620c75b08fae7ca861cc569808ec9e0c9c78cdcec5c9dc17d9b47d99426002
Opcode Fuzzy Hash: b1972f0ba22637c8055687d42c6acbfd742ac988b9f6313726f8896cebb56ee7
Instruction Fuzzy Hash: D2D0A77184E2907FE3015728BC45AC63FB5DB05330F10807BF508A25A0E7741C90879C

Function 00408348 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406160: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,0040834E,00000000,0040826C,?,00000000,00000104,?), ref: 0040616B

strrchr.MSVCRT ref: 00408351
strcat.MSVCRT(00000000,_lng.ini,00000000,00000104,?), ref: 00408366

Strings

_lng.ini, xrefs: 00408360

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileModuleNamestrcatstrrchr
String ID: _lng.ini
API String ID: 3097366151-1948609170
Opcode ID: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction ID: a8d2890f819e62600bf11f9c0364550bfc67884382c2ab22ce71db24782b6e2f
Opcode Fuzzy Hash: d4342e7cf2f2cd7acb0c5595099143b60559064a13119ecfeb2f3085bb136c0c
Instruction Fuzzy Hash: 37C01275686A5438D11622355E03B8F01454F52745F24409BF903391D6DE5D569141AE

Function 00403397 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(Server Details,?,Function_00012466,(4@,0000007F,?), ref: 004033AF

Strings

Server Details, xrefs: 004033AA
(4@, xrefs: 0040339D

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID: (4@$Server Details
API String ID: 1096422788-3984282551
Opcode ID: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction ID: 5387a3ffe087b7673ef104c15d829f3f0df010b9e50aa15a0af8b6122c5a167a
Opcode Fuzzy Hash: 7bf2893a727a8b250936425436c2602b2102234e3c58862608b198b8383da292
Instruction Fuzzy Hash: A0C04031544301FAC5114F909F05E4D7F516B54B40F118415B24450065C1E54574DB26

Function 004084CE Relevance: 5.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00406549: memset.MSVCRT ref: 00406557

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 004084E3
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040850C
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040852D
??2@YAPAXI@Z.MSVCRT(00000014,00000000,?,0040401F,00000000,?,0040B7D2,00000000,?,0040BA04), ref: 0040854E

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: e0b7386c77e7a01b56b751958be04bef72ccb72ccdbc98b166978a9f85b8d0ac
Instruction ID: 33d46294e57da76ea2c08804649fae6184d1477937e8cd9eb119e1572679ad16
Opcode Fuzzy Hash: e0b7386c77e7a01b56b751958be04bef72ccb72ccdbc98b166978a9f85b8d0ac
Instruction Fuzzy Hash: F321B3B0A01300AED7518F2B9945955FBE4FF94355B2AC8AFD149DB2B2EBB8C8408F14

Function 00406A74 Relevance: 5.1, APIs: 4, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00406A80
free.MSVCRT ref: 00406AA0

Part of subcall function 004060FA: malloc.MSVCRT ref: 00406116
Part of subcall function 004060FA: memcpy.MSVCRT(00000000,00000000,00000000,00000000,76F90A60,00406B49,00000001,?,00000000,76F90A60,00406D88,00000000,?,?), ref: 0040612E
Part of subcall function 004060FA: free.MSVCRT ref: 00406137

free.MSVCRT ref: 00406AC3
memcpy.MSVCRT(?,?,?,00000001,?,00000000,?,?,00406DCF,?,00000000,?,?), ref: 00406AE3

Memory Dump Source

Source File: 00000008.00000002.1525434057.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.1525434057.0000000000418000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocstrlen
String ID:
API String ID: 3669619086-0
Opcode ID: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction ID: e46d755c35f7a0493bef025674ad9543d325b8c94dab604409744cdcda2aebf9
Opcode Fuzzy Hash: 5eb856daf9b2f55e9999836f5936cf74f251c15999897e978b7d5133cb55aa44
Instruction Fuzzy Hash: 70116D71200700EFC730EF18D8819AAB7F5EF45328B108A2EF957A7691DB35F9658B54

Analysis Process: vbc.exePID: 7176, Parent PID: 7736COMMON

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.1%
Total number of Nodes:	1583
Total number of Limit Nodes:	48

Executed Functions

Function 00408441 Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000103,0000038B,00000000,?,00410790,?), ref: 00408457
FindNextFileW.KERNELBASE(000000FF,0000038B,00000000,?,00410790,?), ref: 00408475
wcslen.MSVCRT ref: 004084A5
wcslen.MSVCRT ref: 004084AD

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileFindwcslen$FirstNext
String ID:
API String ID: 2163959949-0
Opcode ID: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction ID: 6e3c8222864954d55df90d51b8e56744ea09e2897b7152e8bd6019cb1af30d80
Opcode Fuzzy Hash: 80c24c4a0fd4be1e088faab584ff479ea008bcf4405b994ad439e2c2ad98ac31
Instruction Fuzzy Hash: E5118272515706AFD7149B24D984A9B73DCAF04725F604A3FF09AD31C0FF78A9448B29

Function 00415F87 Relevance: 4.6, APIs: 3, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00415EAF: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
Part of subcall function 00415EAF: malloc.MSVCRT ref: 00415EE6
Part of subcall function 00415EAF: free.MSVCRT ref: 00415EF6

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416001
GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 00416029
free.MSVCRT ref: 00416032

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
String ID:
API String ID: 1355100292-0
Opcode ID: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction ID: 7d405d749a0edc351a3ddf496a078fe72cac754ac47b8191c628d3d1323914f3
Opcode Fuzzy Hash: 6d9bbb2232084d268bbffa8b88e6344bd84b9c6ec403a6433ede71687f16327b
Instruction Fuzzy Hash: 45219276804108EEEB21EBA4C8849EF7BBCEF09304F1100ABE641D7141E778CEC597A5

Function 00410168 Relevance: 56.4, APIs: 23, Strings: 9, Instructions: 441
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004101DA
wcsrchr.MSVCRT ref: 004101F2
memset.MSVCRT ref: 004102D9
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Sea Monkey,00000000,00000104), ref: 00410326

Part of subcall function 00409A34: _wcslwr.MSVCRT ref: 00409AFC
Part of subcall function 00409A34: wcslen.MSVCRT ref: 00409B11

Part of subcall function 00408619: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
Part of subcall function 00408619: wcslen.MSVCRT ref: 00408678
Part of subcall function 00408619: wcsncmp.MSVCRT ref: 004086AE
Part of subcall function 00408619: memset.MSVCRT ref: 00408725
Part of subcall function 00408619: memcpy.MSVCRT(?,?,?,?,00000001,?,?,00000000,?), ref: 00408746

Part of subcall function 00409EB8: LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
Part of subcall function 00409EB8: GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F309
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F31E
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F333
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F348
Part of subcall function 0040F2E6: memset.MSVCRT ref: 0040F35D
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F383
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F394
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3CC
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F3DA
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F413
Part of subcall function 0040F2E6: wcslen.MSVCRT ref: 0040F421

memset.MSVCRT ref: 004103AA
memset.MSVCRT ref: 004103C6
memset.MSVCRT ref: 004103E2
memset.MSVCRT ref: 004104F9

Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E17
Part of subcall function 00406DD9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E69
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E81
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406E99
Part of subcall function 00406DD9: memset.MSVCRT ref: 00406EB1
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EBC
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406ECA
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406EF9
Part of subcall function 00406DD9: wcslen.MSVCRT ref: 00406F07

wcslen.MSVCRT ref: 00410437
wcslen.MSVCRT ref: 00410446
wcslen.MSVCRT ref: 0041048B
wcslen.MSVCRT ref: 0041049A
memset.MSVCRT ref: 00410562
memset.MSVCRT ref: 0041057A
wcslen.MSVCRT ref: 00410593
wcslen.MSVCRT ref: 004105A1
wcslen.MSVCRT ref: 004105FC
wcslen.MSVCRT ref: 0041060A
memset.MSVCRT ref: 0041068A
wcslen.MSVCRT ref: 00410699
wcslen.MSVCRT ref: 00410720
wcslen.MSVCRT ref: 0041072E
wcslen.MSVCRT ref: 004106A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083BC
Part of subcall function 0040839D: wcscmp.MSVCRT ref: 004083CD

Strings

Opera\Opera7\profile\wand.dat, xrefs: 00410603, 00410621
Google\Chrome SxS\User Data, xrefs: 00410486, 004104B1
wand.dat, xrefs: 00410727, 00410745
%programfiles%\Sea Monkey, xrefs: 00410321
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe, xrefs: 004102E6
Opera\Opera\wand.dat, xrefs: 0041059A, 004105B8
Opera, xrefs: 004106A0, 004106BE
Google\Chrome\User Data, xrefs: 00410432, 0041045D
Path, xrefs: 004102E1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memset$wcscmp$AddressByteCharCredEnumerateEnvironmentExpandLibraryLoadMultiProcStringsWide_wcslwrmemcpywcscatwcscpywcsncmpwcsrchr
String ID: %programfiles%\Sea Monkey$Google\Chrome SxS\User Data$Google\Chrome\User Data$Opera$Opera\Opera7\profile\wand.dat$Opera\Opera\wand.dat$Path$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe$wand.dat
API String ID: 3717286792-109336846
Opcode ID: f13f96fbde304a81fdc24d66a109aaecf4b7903a0817bb42302798235a986fce
Instruction ID: 5236af18994b30efd903e1d9b734594bd5ee8d83944705dbeea0fe3cf72f0f99
Opcode Fuzzy Hash: f13f96fbde304a81fdc24d66a109aaecf4b7903a0817bb42302798235a986fce
Instruction Fuzzy Hash: A0F17771901218ABDB20EB51DD85ADEB378AF04714F5444ABF508A7181E7B8AFC4CF9E

Function 0040FAFF Relevance: 42.1, APIs: 16, Strings: 8, Instructions: 124
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040FB20
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
memset.MSVCRT ref: 0040FB90
wcslen.MSVCRT ref: 0040FB9D
wcslen.MSVCRT ref: 0040FBAC
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F
GetProcAddress.KERNEL32(?,PK11_Authenticate), ref: 0040FC6B
GetProcAddress.KERNEL32(?,PK11SDR_Decrypt), ref: 0040FC77

Part of subcall function 0040648C: memset.MSVCRT ref: 004064AD
Part of subcall function 0040648C: memset.MSVCRT ref: 004064FA
Part of subcall function 0040648C: RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
Part of subcall function 0040648C: wcscpy.MSVCRT ref: 00406642
Part of subcall function 0040648C: ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
Part of subcall function 0040648C: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

PK11_Authenticate, xrefs: 0040FC61
PK11_CheckUserPassword, xrefs: 0040FC55
NSS_Shutdown, xrefs: 0040FC31
PK11SDR_Decrypt, xrefs: 0040FC6D
nss3.dll, xrefs: 0040FB98, 0040FBC0
PK11_GetInternalKeySlot, xrefs: 0040FC3D
PK11_FreeSlot, xrefs: 0040FC49
NSS_Init, xrefs: 0040FC28

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectory$LibraryLoadwcslen$CloseEnvironmentExpandHandleModuleStringswcscpy
String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll
API String ID: 2554026968-4029219660
Opcode ID: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction ID: eeb2f36212a21d3aa086fe7dd3a0485c0e35c5a93e030d286215ed8b11f998db
Opcode Fuzzy Hash: 7b5db3b0d5bf1743c32fccddbb21aa02e391161234974de8ca04521cdbb317a2
Instruction Fuzzy Hash: 15418371940309ABEB209F61CC85E9AB7F8BF58744F10087EE58593191EBB999848F58

Function 0040E2F1 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00403926: LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
Part of subcall function 00403926: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
Part of subcall function 00403926: FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
Part of subcall function 00403926: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

SetErrorMode.KERNELBASE(00008001,00000000,?,00000002), ref: 0040E319
GetModuleHandleW.KERNEL32(00000000,00411F7E,00000000,?,00000002), ref: 0040E332
EnumResourceTypesW.KERNEL32(00000000,?,00000002), ref: 0040E339
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,/deleteregkey,/savelangfile,?,?), ref: 0040E4CB
DeleteObject.GDI32(?), ref: 0040E4E1

Strings

/savelangfile, xrefs: 0040E385
, xrefs: 0040E34D
/deleteregkey, xrefs: 0040E3B3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$??3@AddressDeleteEnumErrorFreeHandleLoadMessageModeModuleObjectProcResourceTypes
String ID: $/deleteregkey$/savelangfile
API String ID: 3591293073-28296030
Opcode ID: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction ID: 121834c48f7c844bba9a1922674ad86b62a86fe916e360ab8a1a69ef7a5829fa
Opcode Fuzzy Hash: c7f6c6ad16e89a48cb0e0d64ac08aa0b3efbd1f5f4a19e75b38d6438d40399e7
Instruction Fuzzy Hash: 5451B171408345ABD720AFA2DD4895FB7A8FF84709F000D3EF640A3191DB79D9158B2A

Function 00406DD9 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB20
Part of subcall function 0040FAFF: GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 0040FB69
Part of subcall function 0040FAFF: SetCurrentDirectoryW.KERNEL32(?,?,?,00000000), ref: 0040FB76
Part of subcall function 0040FAFF: memset.MSVCRT ref: 0040FB90
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FB9D
Part of subcall function 0040FAFF: wcslen.MSVCRT ref: 0040FBAC
Part of subcall function 0040FAFF: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040FBE7
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC03
Part of subcall function 0040FAFF: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,00000000), ref: 0040FC1A
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Init), ref: 0040FC2F
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,NSS_Shutdown), ref: 0040FC3B
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_GetInternalKeySlot), ref: 0040FC47
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_FreeSlot), ref: 0040FC53
Part of subcall function 0040FAFF: GetProcAddress.KERNEL32(?,PK11_CheckUserPassword), ref: 0040FC5F

memset.MSVCRT ref: 00406E17
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000,?,00000000,?), ref: 00406E30
memset.MSVCRT ref: 00406E69
memset.MSVCRT ref: 00406E81
memset.MSVCRT ref: 00406E99
memset.MSVCRT ref: 00406EB1
wcslen.MSVCRT ref: 00406EBC
wcslen.MSVCRT ref: 00406ECA
wcslen.MSVCRT ref: 00406EF9
wcslen.MSVCRT ref: 00406F07
wcslen.MSVCRT ref: 00406F36
wcslen.MSVCRT ref: 00406F44
wcslen.MSVCRT ref: 00406F73
wcslen.MSVCRT ref: 00406F81
SetCurrentDirectoryW.KERNEL32(?), ref: 00407074

Part of subcall function 0040697E: memset.MSVCRT ref: 004069BD
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A3C
Part of subcall function 0040697E: memset.MSVCRT ref: 00406A51

Strings

signons.txt, xrefs: 00406EC3, 00406ED8
signons2.txt, xrefs: 00406F00, 00406F15
signons3.txt, xrefs: 00406F3D, 00406F52
signons.sqlite, xrefs: 00406F7A, 00406F8F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcslen$AddressProc$CurrentDirectory$LibraryLoad$ByteCharHandleModuleMultiWide
String ID: signons.sqlite$signons.txt$signons2.txt$signons3.txt
API String ID: 1908949080-2435954524
Opcode ID: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction ID: 8f96e2222c77d76af5181fd0f533d019f0899d465181413e0b466bd376840954
Opcode Fuzzy Hash: 00d903caa4eb60a1b1d619f3f2ea5d5f954a86edb9cfa0049ad989ed505ac937
Instruction Fuzzy Hash: 8871B07180461AABDB21EF61DC41A9E77BCFF04318F1004AEF909F2181E779AE548F69

Function 0040648C Relevance: 31.7, APIs: 13, Strings: 5, Instructions: 173
registrytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004064AD

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

_wcsnicmp.MSVCRT ref: 00406520
memset.MSVCRT ref: 00406544
memset.MSVCRT ref: 00406560
_snwprintf.MSVCRT ref: 00406580
wcsrchr.MSVCRT ref: 004065A7
CompareFileTime.KERNEL32(?,?,00000000), ref: 004065DA
wcscpy.MSVCRT ref: 004065FC
memset.MSVCRT ref: 004064FA

Part of subcall function 00411BFE: RegEnumKeyExW.ADVAPI32(00000000,0040FB38,0040FB38,?,00000000,00000000,00000000,0040FB38,0040FB38,00000000), ref: 00411C21

RegCloseKey.ADVAPI32(0040FB38), ref: 00406634
wcscpy.MSVCRT ref: 00406642
ExpandEnvironmentStringsW.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104,?,?,?,?,00000000,?), ref: 00406659
GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000000,?), ref: 00406695

Strings

SOFTWARE\Mozilla, xrefs: 004064C9
%programfiles%\Mozilla Firefox, xrefs: 00406654
mozilla, xrefs: 0040651A
PathToExe, xrefs: 00406585
%s\bin, xrefs: 0040656F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$CloseCompareCurrentDirectoryEnumEnvironmentExpandFileOpenStringsTime_snwprintf_wcsnicmpwcsrchr
String ID: %programfiles%\Mozilla Firefox$%s\bin$PathToExe$SOFTWARE\Mozilla$mozilla
API String ID: 1094916163-2797892316
Opcode ID: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction ID: 63e98d9b0590a06fe0611c8d8f76d67a06a86b9579f74a21c863053dc4382b5e
Opcode Fuzzy Hash: 6fc1e2e3a791b033bf776d6d93ccb5a8b208ad6747335505a9b79a97a3079406
Instruction Fuzzy Hash: F5515472D00218BAEF20EB61DC45ADFB7BCAF04354F0104A6F905F2191EB799B94CB99

Function 00408D9D Relevance: 26.4, APIs: 7, Strings: 8, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT ref: 00408F8C

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

memset.MSVCRT ref: 00408E72

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT(?,?,00000000,00000001,00401A18,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040808E

wcschr.MSVCRT ref: 00408EAA
memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EDE
memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EF9
memcpy.MSVCRT(?,-00000220,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408F14
memcpy.MSVCRT(?,-00000220,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408F2F

Strings

AccessedTime, xrefs: 00408E35
Url, xrefs: 00408E4F
AccessCount, xrefs: 00408E0E
, xrefs: 00408DCF
ExpiryTime, xrefs: 00408E28
EntryID, xrefs: 00408E5C
CreationTime, xrefs: 00408E1B
ModifiedTime, xrefs: 00408E42

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
API String ID: 3849927982-2252543386
Opcode ID: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction ID: 190f3b00b4426260eb01f26a53b79380eacfea7d83453a492e965ac02b193b52
Opcode Fuzzy Hash: 3968a81090f0c90a0f1d759d5c6f86966b5d18dba44d1eb1d150c3d2a019c511
Instruction Fuzzy Hash: 64510C72E00309AAEF10EFA5DD45A9EB7B9AF54314F14403FA544F7281EA78AA048F58

Function 004422C7 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(vaultcli.dll,?,00000000,00442385,?,00000000,?), ref: 004422D4
GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 004422E9
GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 004422F6
GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 00442303
GetProcAddress.KERNEL32(00000000,VaultFree), ref: 00442310
GetProcAddress.KERNEL32(00000000,VaultGetInformation), ref: 0044231D
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 0044232B
GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 00442334

Strings

VaultOpenVault, xrefs: 004422E0
VaultGetInformation, xrefs: 00442312
VaultCloseVault, xrefs: 004422EB
VaultEnumerateItems, xrefs: 004422F8
VaultFree, xrefs: 00442305
vaultcli.dll, xrefs: 004422CF
VaultGetItem, xrefs: 0044231F, 00442324, 0044232D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetInformation$VaultGetItem$VaultOpenVault$vaultcli.dll
API String ID: 2238633743-2107673790
Opcode ID: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction ID: a68d3860b1f677998bacfaa0c7abd00484677722be3dbe7bb4ba7aced869f3e7
Opcode Fuzzy Hash: 963817e17c3864fb71b6f00927cb3e5fc30341a44c0b645a38e795921616907a
Instruction Fuzzy Hash: CB012874941B04AEEB306F728E88E07BEF4EF94B017108D2EE49A92A10D779A800CE14

Function 00402846 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040286E
CreateFileW.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00402882
CopyFileW.KERNEL32(?,?,00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028A3
CloseHandle.KERNELBASE(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 004028AE
memset.MSVCRT ref: 004028C7
DeleteFileW.KERNEL32(?,?,?,?,?,00000003,00000000,00000000), ref: 00402B1A

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

memset.MSVCRT ref: 0040293C

Part of subcall function 004027D7: SystemTimeToFileTime.KERNEL32(?,?), ref: 0040280F
Part of subcall function 004027D7: FileTimeToLocalFileTime.KERNEL32(?), ref: 0040283C

Part of subcall function 00407DF5: MultiByteToWideChar.KERNEL32(00000000,00000000,004029BE,000000FF,?,?,004029BE,?,?,000003FF), ref: 00407E07

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memset.MSVCRT ref: 00402A95
memcpy.MSVCRT(?,00000000,00000003,00000000,00000000,00000003), ref: 00402AA8
LocalFree.KERNEL32(00000000,?,?,000000FF,?,?,?,00000000,00000000,00000003), ref: 00402AD2

Strings

chp, xrefs: 0040288D
SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins , xrefs: 00402908

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Timememset$FreeLibraryLocalTemp$AddressByteCharCloseCopyCreateDeleteDirectoryHandleLoadMulusermePathProcSystemWideWindowsmemcpy
String ID: SELECT origin_url, action_url, username_element, username_value, password_element, password_value, signon_realm, date_created from logins $chp
API String ID: 3056168783-1844170479
Opcode ID: c551c8ead9241b310b8bcb9c6efc278ae78950a419ddbbe9be8331bb2a37ce42
Instruction ID: e637edadd966e00c71b87c8ff6cc297e5f4b8f19ec80fc414d035a4907c068e8
Opcode Fuzzy Hash: c551c8ead9241b310b8bcb9c6efc278ae78950a419ddbbe9be8331bb2a37ce42
Instruction Fuzzy Hash: 37815172D001186BDB11EBA59D46BEEB7BCAF04304F5404BAF509F7281EB786F448B69

Function 0040F0D5 Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040F0F8
memset.MSVCRT ref: 0040F10D
memset.MSVCRT ref: 0040F122
memset.MSVCRT ref: 0040F137
memset.MSVCRT ref: 0040F14C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F172
wcslen.MSVCRT ref: 0040F183
wcslen.MSVCRT ref: 0040F1BB
wcslen.MSVCRT ref: 0040F1C9
wcslen.MSVCRT ref: 0040F202
wcslen.MSVCRT ref: 0040F210
memset.MSVCRT ref: 0040F296

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\SeaMonkey\Profiles, xrefs: 0040F16D, 0040F19A, 0040F1B6, 0040F1E1
Mozilla\SeaMonkey, xrefs: 0040F1FD, 0040F228

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
API String ID: 2775653040-2068335096
Opcode ID: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction ID: ad2d2467b554b91bbb49091aa47d9e820c56345a74be7af74479530b55ef6358
Opcode Fuzzy Hash: 18f6131305a60b3f130847a1eef602165254ae3e8930c32a00b7771f504cc504
Instruction Fuzzy Hash: 2A514472905219AADB20E751DD86ECF73BC9F44344F5004FBF109F6181EBB96B888B69

Function 0040F2E6 Relevance: 21.2, APIs: 12, Strings: 2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040F309
memset.MSVCRT ref: 0040F31E
memset.MSVCRT ref: 0040F333
memset.MSVCRT ref: 0040F348
memset.MSVCRT ref: 0040F35D

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcslen.MSVCRT ref: 0040F383
wcslen.MSVCRT ref: 0040F394
wcslen.MSVCRT ref: 0040F3CC
wcslen.MSVCRT ref: 0040F3DA
wcslen.MSVCRT ref: 0040F413
wcslen.MSVCRT ref: 0040F421
memset.MSVCRT ref: 0040F4A7

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Mozilla\Firefox, xrefs: 0040F40E, 0040F439
Mozilla\Firefox\Profiles, xrefs: 0040F37E, 0040F3AB, 0040F3C7, 0040F3F2

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcslen$wcscpy$CloseFolderPathSpecialwcscat
String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
API String ID: 2775653040-3369679110
Opcode ID: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction ID: 627aa7309af3ce9e50a65207db29ad7cec2a96110015b88e099c10597549be0d
Opcode Fuzzy Hash: ac2960c7c8775963d9ae5b6668c4b7d17b3d9d294ecd60d63349e7bf8572b4d3
Instruction Fuzzy Hash: B15174729052196ADB20EB51CD85ECF73BC9F54304F5004FBF508F2081EBB96B888B69

Function 00408619 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004037C3: LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
Part of subcall function 004037C3: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
Part of subcall function 004037C3: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 00408652
wcslen.MSVCRT ref: 00408678
wcsncmp.MSVCRT ref: 004086AE
memset.MSVCRT ref: 00408725
memcpy.MSVCRT(?,?,?,?,00000001,?,?,00000000,?), ref: 00408746
_wcsnicmp.MSVCRT ref: 0040878B
wcschr.MSVCRT ref: 004087B3
LocalFree.KERNEL32(?,?,?,?,?,00000001,?,?,00000000,?), ref: 004087D7

Strings

J, xrefs: 004086F6
Microsoft_WinInet, xrefs: 0040866A
Microsoft_WinInet_, xrefs: 00408785

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$CredEnumerateFreeLibraryLoadLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
String ID: J$Microsoft_WinInet$Microsoft_WinInet_
API String ID: 1313344744-1864008983
Opcode ID: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction ID: ae9214853af189039b11f9ecdcfbf9e5a6a1e8940f9aa775dff38fc8017bd4cb
Opcode Fuzzy Hash: 212f3f294c9ab8b83a3dc136b78cffcc3e5b2f11c9e98eede468f190287508d3
Instruction Fuzzy Hash: E45129B5D00209AFDB20DFA4C981A9EB7F8FF08304F14446EE959F7241EB34A945CB19

Function 00442628 Relevance: 18.1, APIs: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00443490,00000070), ref: 00442637
__set_app_type.MSVCRT ref: 00442696
__p__fmode.MSVCRT ref: 004426AB
__p__commode.MSVCRT ref: 004426B9
__setusermatherr.MSVCRT ref: 004426E5
_initterm.MSVCRT ref: 004426FB
__wgetmainargs.KERNELBASE ref: 0044271E
_initterm.MSVCRT ref: 00442731
GetStartupInfoW.KERNEL32(?), ref: 0044278E
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 004427B4
exit.KERNELBASE ref: 004427CB
_cexit.MSVCRT ref: 004427D1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
String ID:
API String ID: 2827331108-0
Opcode ID: 2058148763841eb6e814cfbd421e32e46215803419e112ecbbbfb28c93f0ce14
Instruction ID: 706d3d187beade5fd8be42c29aa928e65c4a76933a7b40434c1f532ca5c4ff1d
Opcode Fuzzy Hash: 2058148763841eb6e814cfbd421e32e46215803419e112ecbbbfb28c93f0ce14
Instruction Fuzzy Hash: 1E51C674C00305DFEB21AF64DA44AADB7B4FB05B15FA0422BF811A7291D7B84982CF5C

Function 00409508 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 0040952C

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 004090DF: memset.MSVCRT ref: 00409102
Part of subcall function 004090DF: memset.MSVCRT ref: 0040911A
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409136
Part of subcall function 004090DF: wcslen.MSVCRT ref: 00409145
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040918C
Part of subcall function 004090DF: wcslen.MSVCRT ref: 0040919B

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
wcschr.MSVCRT ref: 004095B8
wcschr.MSVCRT ref: 004095D8
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
GetLastError.KERNEL32 ref: 00409607
FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 00409633
FindCloseUrlCache.WININET(?), ref: 00409644

Strings

visited:, xrefs: 0040959C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CacheFindwcslen$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
String ID: visited:
API String ID: 615219573-1702587658
Opcode ID: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction ID: 77a6c5406e07bb2a3f369751b76910ce3bd9900599f044f3c0855e39104cf3e1
Opcode Fuzzy Hash: 8f876ec4458d3f1ed4e4dc218a1084821821df0a90adecac85d6e07ab5b1aeff
Instruction Fuzzy Hash: 7F417F72D00219BBDB11DF95CD85A9EBBB8EF05714F10406AE505F7281DB38AF41CBA8

Function 00408C67 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059F7: _wcsicmp.MSVCRT ref: 00405A28

memset.MSVCRT ref: 00408CAF

Part of subcall function 00405CF6: memset.MSVCRT ref: 00405DF2

free.MSVCRT ref: 00408D7D

Part of subcall function 00408801: _wcsicmp.MSVCRT ref: 0040881A

Part of subcall function 00408116: wcslen.MSVCRT ref: 00408125
Part of subcall function 00408116: _memicmp.MSVCRT ref: 00408153

_snwprintf.MSVCRT ref: 00408D49

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F5D

Strings

Name, xrefs: 00408CFB
Containers, xrefs: 00408C87
, xrefs: 00408CCA
Container_%I64d, xrefs: 00408D38
ContainerId, xrefs: 00408CEE

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
String ID: $ContainerId$Container_%I64d$Containers$Name
API String ID: 2804212203-2982631422
Opcode ID: 09aae5b0b0c39f723feed05769d2c33e4e37e3ecce69608b47f5a2af3b34356b
Instruction ID: ce292a4a65043f2a6a20625204029b960355a9169e5f8c073e361fa6e4a76ec5
Opcode Fuzzy Hash: 09aae5b0b0c39f723feed05769d2c33e4e37e3ecce69608b47f5a2af3b34356b
Instruction Fuzzy Hash: 1E313E72D00219AADF50EFA5DD85ADEB7B8AF04354F50017FA508B21C1DE78AE458F68

Function 00409A34 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00407EB8: free.MSVCRT ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT ref: 00407EC3

Part of subcall function 00408037: free.MSVCRT ref: 0040803E

Part of subcall function 00409508: memset.MSVCRT ref: 0040952C
Part of subcall function 00409508: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 004095A1
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095B8
Part of subcall function 00409508: wcschr.MSVCRT ref: 004095D8
Part of subcall function 00409508: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 004095FD
Part of subcall function 00409508: GetLastError.KERNEL32 ref: 00409607

Part of subcall function 00409657: memset.MSVCRT ref: 004096C7
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
Part of subcall function 00409657: _wcsupr.MSVCRT ref: 0040970F
Part of subcall function 00409657: memset.MSVCRT ref: 0040975E
Part of subcall function 00409657: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

_wcslwr.MSVCRT ref: 00409AFC
wcslen.MSVCRT ref: 00409B11

Strings

/, xrefs: 00409B1D
https://www.google.com/accounts/servicelogin, xrefs: 00409A76
http://www.facebook.com/, xrefs: 00409A83
/, xrefs: 00409B31
https://login.yahoo.com/config/login, xrefs: 00409A90

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$freememset$CacheEntryEnumFindValuewcschr$ErrorFirstLastLibraryLoadNext_wcslwr_wcsuprwcslen
String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
API String ID: 4091582287-4196376884
Opcode ID: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction ID: 093a45ac9553ae88d2071121675ee446b985e814abadd75c8d2b77a0ae050712
Opcode Fuzzy Hash: 3dd2327b6272305899ca924f4fa588c8789c804827c02355519b96a796539c20
Instruction Fuzzy Hash: F731D872A1015466CB20BB6ACC4599F77A8AF80344B25087AF804B72C3CBBCEE45D699

Function 004090DF Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00409102
memset.MSVCRT ref: 0040911A

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00409136
wcslen.MSVCRT ref: 00409145
wcslen.MSVCRT ref: 0040918C
wcslen.MSVCRT ref: 0040919B

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 00409187, 004091AF
Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00409130, 00409135, 0040915E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memset$FolderPathSpecialwcscatwcscpy
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
API String ID: 2036768262-2114579845
Opcode ID: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction ID: 077c1189ed55963ee46c09665a9aee7869ceb3b17950e6b23e47196ee9b08e55
Opcode Fuzzy Hash: 9b210f72750b98862afc15587b3a75268b6b997e6569292da8b093e0b4a2481a
Instruction Fuzzy Hash: 0B21D972A4411D66E710E651DC85DDF73ACAF14354F5008BFF505E2082FAB89F844A6D

Function 00441683 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 219COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000048,00446E40,0000002C), ref: 00441734

Strings

NOCASE, xrefs: 004417F7
temp, xrefs: 00441876
RTRIM, xrefs: 004417C6
no such vfs: %s, xrefs: 0044177E
main, xrefs: 00441866
BINARY, xrefs: 0044179D, 004417A2, 004417AE, 004417BA, 004417DF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
API String ID: 3510742995-2641926074
Opcode ID: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction ID: 3c8b5220aebea45aa68cfe54a9ecef019ebf38e5b75abdf02c998a5d3c6681b4
Opcode Fuzzy Hash: 12bdf7202536433b73b7b7e7b2d6f63e6cc165494f09a719a239059ada246e86
Instruction Fuzzy Hash: 8E71D4B1600301BFF310AF16DCC1A6ABB98BB45318F14452FF459DB252D7B9A8D18B99

Function 0040320A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT ref: 0040277F

Part of subcall function 00410168: memset.MSVCRT ref: 004101DA
Part of subcall function 00410168: wcsrchr.MSVCRT ref: 004101F2
Part of subcall function 00410168: memset.MSVCRT ref: 004102D9

Part of subcall function 0040FF51: SetCurrentDirectoryW.KERNEL32(?,?,?,00403292,?), ref: 0040FF9E

memset.MSVCRT ref: 0040330A
memcpy.MSVCRT(?,00000000,00001002), ref: 0040331C
wcscmp.MSVCRT ref: 00403348
_wcsicmp.MSVCRT ref: 00403385

Strings

J/@, xrefs: 004032EC
, xrefs: 00403235

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$CurrentDirectory_wcsicmpfreememcpywcscmpwcsrchr
String ID: $J/@
API String ID: 1763786148-830378395
Opcode ID: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction ID: 978c6ac20941b4c482f16f8c8dbf1af5ea5d331337d981433e161efedc4cfbbc
Opcode Fuzzy Hash: 3e2635990ef3ae62cb2be14a81d094d65f482a135f1bd9a19b0151f057080487
Instruction Fuzzy Hash: 36416B71A083819AD730DF61C945A9BB7E8AF85315F004C3FE88D93681EB7896498B5B

Function 0040EDFA Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0040F026: memset.MSVCRT ref: 0040F042
Part of subcall function 0040F026: memset.MSVCRT ref: 0040F057
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F080
Part of subcall function 0040F026: wcscat.MSVCRT ref: 0040F0A9

memset.MSVCRT ref: 0040EE42
wcslen.MSVCRT ref: 0040EE59
wcslen.MSVCRT ref: 0040EE61
wcslen.MSVCRT ref: 0040EEBC
wcslen.MSVCRT ref: 0040EECA

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

history.dat, xrefs: 0040EE22, 0040EE5E, 0040EE70
places.sqlite, xrefs: 0040EEC3, 0040EED8

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memsetwcscat$wcscpy
String ID: history.dat$places.sqlite
API String ID: 2541527827-467022611
Opcode ID: aa9bc2c37030d368e81c4810d71f0128bb751f7763ce2d8d4360e2c5eeceedff
Instruction ID: 5a7552f2f2193819142f663f69cd0b376b18013dc8e05bcebec127321fadfdaa
Opcode Fuzzy Hash: aa9bc2c37030d368e81c4810d71f0128bb751f7763ce2d8d4360e2c5eeceedff
Instruction Fuzzy Hash: AD315232D0411DAADF10EBA6D845ACDB3B8AF00319F6048BBE514F21C1E77CAA45CF59

Function 00410075 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410097
wcslen.MSVCRT ref: 004100A2
wcslen.MSVCRT ref: 004100B0
wcslen.MSVCRT ref: 00410105
wcslen.MSVCRT ref: 00410113

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Login Data, xrefs: 0041010B, 00410110, 00410121
Web Data, xrefs: 004100A8, 004100AD, 004100C3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$memsetwcscatwcscpy
String ID: Login Data$Web Data
API String ID: 3932597654-4228647177
Opcode ID: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction ID: 391ffb8f75831278f4964df5f57522d74f6eb7522eeef9a3bb7e860aca09f0fd
Opcode Fuzzy Hash: 350975586496b093848a9f674fd33517dd62bead458e0c7f943732b3c3b83fa5
Instruction Fuzzy Hash: 3621B83294411C7BDB10AB55DC89ACA73ACAF10368F10487BF418E6181EBF9AEC48A5C

Function 00415BAE Relevance: 9.1, APIs: 6, Instructions: 140fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,-7FBEAA6E,00000003,00000000,?,?,00000000), ref: 00415C86
CreateFileA.KERNEL32(?,-7FBEAA6E,00000003,00000000,00415512,00415512,00000000), ref: 00415C9E
GetLastError.KERNEL32 ref: 00415CAD
free.MSVCRT ref: 00415CBA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile$ErrorLastfree
String ID:
API String ID: 77810686-0
Opcode ID: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction ID: e414679dc355763f7cb5844f7b2dc3c916de6b309c6ec43d815c5638ef366406
Opcode Fuzzy Hash: d3d8bbc7ba5a79f8a342b38920b53c153f9ef9857e0a0710124ad1068db44a69
Instruction Fuzzy Hash: 7741D0B1508701EFE7109F25EC4169BBBE5EFC4324F14892EF49596290E378D9848B96

Function 0040F026 Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F042
memset.MSVCRT ref: 0040F057

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

Part of subcall function 0040719A: wcslen.MSVCRT ref: 0040719B
Part of subcall function 0040719A: wcscat.MSVCRT ref: 004071B3

wcscat.MSVCRT ref: 0040F080

Part of subcall function 00412270: memset.MSVCRT ref: 004122C9
Part of subcall function 00412270: RegCloseKey.ADVAPI32(?), ref: 00412330
Part of subcall function 00412270: wcscpy.MSVCRT ref: 0041233E

wcscat.MSVCRT ref: 0040F0A9

Strings

Mozilla\Profiles, xrefs: 0040F07A
Mozilla\Firefox\Profiles, xrefs: 0040F0A3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
API String ID: 1534475566-1174173950
Opcode ID: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction ID: 125a097a9f26af6413fbc01dcc411eb2579d6a3fd62fad3348166db73649eeaa
Opcode Fuzzy Hash: b40f1a29007ee88b205eab30251de60a7177f83a5dcce95581a050599bf5dc33
Instruction Fuzzy Hash: BF018EB294021C75DB207B668C86ECF732CDF45358F1044BEB504E7182D9B88E888AA9

Function 00412270 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004121C3: LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
Part of subcall function 004121C3: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA
memset.MSVCRT ref: 004122C9
RegCloseKey.ADVAPI32(?), ref: 00412330
wcscpy.MSVCRT ref: 0041233E

Part of subcall function 00407674: GetVersionExW.KERNEL32(00450DA8,0000001A,00412291), ref: 0040768E

Strings

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 004122E4, 004122F4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressCloseFolderLibraryLoadPathProcSpecialVersionmemsetwcscpy
String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
API String ID: 2699640517-2036018995
Opcode ID: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction ID: c2720df25ff2a98c700ebd4409fa2125fd2182e4a6debc52b8ada4298b6a052e
Opcode Fuzzy Hash: c9c64e8e2f051e8caefe2aaada980519e2fc3c71178caf599d8c015b906c46d2
Instruction Fuzzy Hash: 29110831800114BAEB24E7599E4EEEF737CEB05304F5100E7F914E2151E6B85FE5969E

Function 00411A13 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00411A2D
_snwprintf.MSVCRT ref: 00411A52
WritePrivateProfileStringW.KERNEL32(?,?,?,004495A0), ref: 00411A70
GetPrivateProfileStringW.KERNEL32(?,?,0040F73A,?,00000000,004495A0), ref: 00411A88

Strings

"%s", xrefs: 00411A41

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileString$Write_snwprintfwcschr
String ID: "%s"
API String ID: 1343145685-3297466227
Opcode ID: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction ID: ae5f1e9df6cd2f4a0780795b96407545f38e06b3c9618b8e9942ee44aab69889
Opcode Fuzzy Hash: 1379250297118e4f09543b187cbc7d5db4505a0d7fe81e2b8f9beab2005c4772
Instruction Fuzzy Hash: 2101283240521ABAEF219F81EC05FDA3A6AFF04785F104066BA1960161D779C661EB98

Function 0041C9D5 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,00000007,00000004,00000007,?), ref: 0041CA32
memcmp.MSVCRT(?,SQLite format 3,00000010,00000007,?), ref: 0041CA5D
memcmp.MSVCRT(?,@ ,00000003,?,00000007,?), ref: 0041CAC9

Strings

@ , xrefs: 0041CAC3
SQLite format 3, xrefs: 0041CA50

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcmp
String ID: @ $SQLite format 3
API String ID: 1475443563-3708268960
Opcode ID: 321c330f537f46145afcffa81e667367735ed72d1b124427cbcabdf079f64c68
Instruction ID: bd67d5102a3eb66ea4de4e64a8b31fca419cb069452d494a6197ab8253893597
Opcode Fuzzy Hash: 321c330f537f46145afcffa81e667367735ed72d1b124427cbcabdf079f64c68
Instruction Fuzzy Hash: D351D1719442149FDF10DF69C8827EAB7F4AF44314F14019BE804EB346E778EA85CB99

Function 0040E0AC Relevance: 7.6, APIs: 5, Instructions: 64windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000A68,00000000,?,?,00000000,0040E36A), ref: 0040E0CE
??2@YAPAXI@Z.MSVCRT(000002DC,00000000,?,?,00000000,0040E36A), ref: 0040E0F7
DeleteObject.GDI32(?), ref: 0040E129
GetModuleHandleW.KERNEL32(00000000,00000000,?,?,00000000,0040E36A), ref: 0040E171
LoadIconW.USER32(00000000,00000065), ref: 0040E17A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$DeleteHandleIconLoadModuleObject
String ID:
API String ID: 659443934-0
Opcode ID: 8011550206ddb2dc108774534a209f3a3ccfe9b7d84422505c829ce805c5916c
Instruction ID: 1cba439d4a63bd06fd13ecdd31e81b6a0d9710d4e5327182bdbee0994cb59d35
Opcode Fuzzy Hash: 8011550206ddb2dc108774534a209f3a3ccfe9b7d84422505c829ce805c5916c
Instruction Fuzzy Hash: 322193B19012989FDB30EF768C496DEB7A9AF84715F10863BF80CDB241DF794A118B58

Function 00408FA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408B10: OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
Part of subcall function 00408B10: GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
Part of subcall function 00408B10: DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
Part of subcall function 00408B10: GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6
Part of subcall function 00408B10: CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
Part of subcall function 00408B10: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
Part of subcall function 00408B10: WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
Part of subcall function 00408B10: UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
Part of subcall function 00408B10: CloseHandle.KERNEL32(?), ref: 00408C30

CloseHandle.KERNELBASE(000000FF,000000FF,00000000,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409074

Part of subcall function 00408D9D: memset.MSVCRT ref: 00408E72
Part of subcall function 00408D9D: wcschr.MSVCRT ref: 00408EAA
Part of subcall function 00408D9D: memcpy.MSVCRT(?,-00000121,00000008,Function_000434FC,00000000,00000000,76F92EE0), ref: 00408EDE

DeleteFileW.KERNEL32(?,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00409095
CloseHandle.KERNEL32(000000FF,?,004091EB,000000FF,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 004090BC

Part of subcall function 00408C67: memset.MSVCRT ref: 00408CAF
Part of subcall function 00408C67: _snwprintf.MSVCRT ref: 00408D49
Part of subcall function 00408C67: free.MSVCRT ref: 00408D7D

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408FB4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat
API String ID: 1979745280-1514811420
Opcode ID: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction ID: f61eabc5127fffa0127996e1b9e76e3c42d0daca9916cdcd83e0194a9dfe4be1
Opcode Fuzzy Hash: 296897d7b9fc56a1ed802aa42710325314df0d67c48e9c21b811ee4e31976f5b
Instruction Fuzzy Hash: 10314CB1C006289BCF60DFA5CD855CEFBB8AF40315F1002ABA518B31A2DB756E85CF59

Function 0040CFDE Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040CFFF
qsort.MSVCRT ref: 0040D0A9

Strings

/nosort, xrefs: 0040D05F
/sort, xrefs: 0040CFFA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmpqsort
String ID: /nosort$/sort
API String ID: 1579243037-1578091866
Opcode ID: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction ID: 426287280b2395c37d482f654794667c251e21b6a2c3e86ec69022cc6db77350
Opcode Fuzzy Hash: b8bcc0ce675c29f22b0227198f2ab65a41989cf9845e13ce1ccf23b6e43e1f16
Instruction Fuzzy Hash: 4821F8317006019FD714AB75C981E55B3A9FF95318F01053EF519A72D2CB7ABC11CB9A

Function 00409EB8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 004117E3: FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

LoadLibraryW.KERNELBASE(pstorec.dll,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 00409EC9
GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00409EDC

Strings

PStoreCreateInstance, xrefs: 00409ED6
pstorec.dll, xrefs: 00409EC4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: PStoreCreateInstance$pstorec.dll
API String ID: 145871493-2881415372
Opcode ID: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction ID: b7b877f0cca51cf4ed89ca0d343beedc6eb81d3109fbfde12955c258fb57ec89
Opcode Fuzzy Hash: 0c221e4a7068c4d6934d41343829b8b78c46c2a8619205bb2734fd8b0e3e91f3
Instruction Fuzzy Hash: 4DF0E2713047035BE7206BB99C45B9776E85F40715F10842EB126D16E2DBBCD9808BA9

Function 00411EF8 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,?), ref: 00411F05
SizeofResource.KERNEL32(?,00000000), ref: 00411F16
LoadResource.KERNEL32(?,00000000), ref: 00411F26
LockResource.KERNEL32(00000000), ref: 00411F31

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction ID: cfb809c5d0a350ba8a2f28afb84d758f7034e38599ab5d81eab5ea4ee58a4c6c
Opcode Fuzzy Hash: adc4f220f09edc5477cff5d460e3159a0013e7b06a0f572b2b282906cd572301
Instruction Fuzzy Hash: 140192367042156BCB295FA5DC4999BBFAEFF867917088036F909C7331DB30D941C688

Function 0043800C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 967COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0043804F
memset.MSVCRT ref: 004383F8

Strings

only a single result allowed for a SELECT that is part of an expression, xrefs: 004380DE

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: only a single result allowed for a SELECT that is part of an expression
API String ID: 2221118986-1725073988
Opcode ID: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction ID: 9afff8ac9fdfbc15a9c7ae9a6e2295b57ef319e934304d2411a679509b53bb08
Opcode Fuzzy Hash: fea911689c87fcb8dadeea6a797f322e67ae447bf2e03149324d6587d0a0c1b4
Instruction Fuzzy Hash: 36826971A00318AFDF25DF69C881AAEBBA1EF08318F14511EFD1597292DB79E841CB94

Function 00409F53 Relevance: 5.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409F8D
??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FAB
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FC9
??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FE7

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 6aa46ae1d8c9445a9210858e0e2028d810c6148e0e2ef15dbc7156f8f0a2735d
Instruction ID: 97910a1e78d05b4995072b8892bf30812772bdb2f497aa37043254e3fee4362a
Opcode Fuzzy Hash: 6aa46ae1d8c9445a9210858e0e2028d810c6148e0e2ef15dbc7156f8f0a2735d
Instruction Fuzzy Hash: AB01DEB16523406FEB58DB39EE67B2A66949B58351F48453EF207C91F6EAB4C840CA08

Function 0041C702 Relevance: 4.7, APIs: 1, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041C7B0

Strings

BINARY, xrefs: 0041C70E
5lA, xrefs: 0041C8A3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: 5lA$BINARY
API String ID: 2221118986-2383938406
Opcode ID: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction ID: bfb3245fc00688105b1f81726e77846e409aff0e69a2cb21cfce066b793b8303
Opcode Fuzzy Hash: 5c1320cbab28b8c6fe770ef48558482079ba1b310d7c10d9b0a426fab7bf5df3
Instruction Fuzzy Hash: 52519C719443459FDB21DF68C8C1AEA7BE4AF08351F14446FE859CB381D778D980CBA9

Function 00414E1C Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00414D9F: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD1
Part of subcall function 00414D9F: GetLastError.KERNEL32 ref: 00414DD7

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 00414E4C
GetLastError.KERNEL32 ref: 00414E56

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$File$PointerRead
String ID:
API String ID: 839530781-0
Opcode ID: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction ID: 78f6fc62e556ae6391f2b7d02d7635eeebb8002b3cc976368f6d55ef40470767
Opcode Fuzzy Hash: 3b8e0b6f2cdf357378df206a5466dbf18c64a2966c614271076d748b4fcb6fba
Instruction Fuzzy Hash: 20016D36244305BBEB108F65EC45BEB7B6CFB95761F100427F908D6240E774ED908AE9

Function 00414D9F Relevance: 4.5, APIs: 3, Instructions: 30COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00414DC0
GetLastError.KERNEL32 ref: 00414DD1
GetLastError.KERNEL32 ref: 00414DD7

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLast$FilePointer
String ID:
API String ID: 1156039329-0
Opcode ID: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction ID: ce6d17c8e1bf95b997c08e1a60c9ed70337bd99ba9d8843779863386e1f48c80
Opcode Fuzzy Hash: 77788fb3081b482f24613af2ac918d7e659f5b9ca52062a4a7545bad1632a255
Instruction Fuzzy Hash: 16F03936A10119BBCF009F74EC019EA7BA8EB45760B104726E822E6690EB30EA409AD4

Function 0040797A Relevance: 4.5, APIs: 3, Instructions: 26filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 041c31d9e9407fe9e03cbdecb7ea826a160ca95df4d7bd98ee38a75b77e0e8fe
Instruction ID: e6bbff5c08a4198af29315d7d42b7ef31a127eb680a29a9dbd76eb9c303c227a
Opcode Fuzzy Hash: 041c31d9e9407fe9e03cbdecb7ea826a160ca95df4d7bd98ee38a75b77e0e8fe
Instruction Fuzzy Hash: 17E04F3620025077E7311B26AC0DF4B6EA9EBC7F22F250629FA11A21E0D6604A11C678

Function 00407475 Relevance: 3.8, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00407491
memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074A9
free.MSVCRT ref: 004074B2

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction ID: e360d5709d2f3202c1ca25caae3d4aa805c65bf3858a1f44a91d23c9b12a71fe
Opcode Fuzzy Hash: a552214b4f396ffe3b978ec953857254dfa688d2005ab474b6786e0315961ce8
Instruction Fuzzy Hash: FFF0E972A082229FD708EB75A94180B779DAF44364710442FF404E3281D738AC40C7A9

Function 0044233C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,?,0040FF66,?,?,00403292,?), ref: 0044234D

Strings

Lh@, xrefs: 00442344

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: Lh@
API String ID: 3664257935-1564020105
Opcode ID: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction ID: 76fd25b73cfe59c43d76c33e9e0e0ec1b0c89da13299cefcee144e01fa2b623b
Opcode Fuzzy Hash: 9d0562313ed05c1077c8e865d76b3287021ad506fa066eb96027120c77a5f393
Instruction Fuzzy Hash: 33E0F6B5900B008F93308F2BE944407FBF9BFE56113108E1FE4AAC2A24C3B4A6458F54

Function 00407B93 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Strings

5"D, xrefs: 00407BA1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: 5"D
API String ID: 2738559852-199376320
Opcode ID: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction ID: b1f5ca1499e8e2fa5163bdfa5e58581682f5a8fdc606d8935362a09f0a3b37d8
Opcode Fuzzy Hash: ff886d5e1a4997402200634e3e0df398fd9a7f66ba8de1bb0dfe65b9a394ad27
Instruction Fuzzy Hash: 46D0923501020DBBDF018F80DC06B997B6DEB0575AF108054BA0095060C7759A10AB64

Function 004349F1 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

d, xrefs: 00434BB1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 517c0493c2b8c096f9ee19803c23be0c64cd4e098d133ab64b39e574cf884c8f
Instruction ID: 01fd0a19dca965820be780cd5e1a180e940d32085fcd4292c33d665daa4a4ca3
Opcode Fuzzy Hash: 517c0493c2b8c096f9ee19803c23be0c64cd4e098d133ab64b39e574cf884c8f
Instruction Fuzzy Hash: B7819D716083519FCB10EF1AC84169FBBE0AFC8318F15592FF88497251D778EA85CB9A

Function 0040E227 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E274

Strings

/stext, xrefs: 0040E26F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /stext
API String ID: 2081463915-3817206916
Opcode ID: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction ID: 5da650caeba3f583edd317abe6dc9e2273d49bc4fc560570e2d9775ed52fc578
Opcode Fuzzy Hash: e7410df3178ec06b149dd267b323e01f272d5e4eb36cc30877f85b29a899849a
Instruction Fuzzy Hash: 37218170B00105AFD704FFAA89C1A9DB7A9BF94304F1045BEE415F7382DB79AD218B59

Function 0040946C Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

index.dat, xrefs: 004094CB

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$FileFindFirst
String ID: index.dat
API String ID: 1858513025-427268347
Opcode ID: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction ID: ea6e303a67c95597c7ba2300e155a691c3aaaa96276431a044c3ae834a976286
Opcode Fuzzy Hash: b5a9187b74a8ffb00ae391732f5c189a4998f68d39988537941cb2dcf05d029e
Instruction Fuzzy Hash: 8601527180526999EB20E662CD426DE727CAF00314F1041BBA858F21D2EB3CDF868F4D

Function 004161B0 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004161BB
GetSystemInfo.KERNELBASE(00451CE0,?,00000000,00440C34,00000000,?,?,00000003,00000000,00000000), ref: 004161C4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InfoSystemmemset
String ID:
API String ID: 3558857096-0
Opcode ID: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction ID: 01e0680712ac90f889d23e176cd2934d89dbbab4f1fad96818c53916f6f4ffc6
Opcode Fuzzy Hash: b2614796881ddab84da0c6407dc57915020354a4b010b0c78962ddc3b3495293
Instruction Fuzzy Hash: D6E02230A0062067E3217732BE07FCF22848F02348F00403BFA00DA366F6AC881506ED

Function 00412B2E Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 00412B3D

Strings

failed to allocate %u bytes of memory, xrefs: 00412B57

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: malloc
String ID: failed to allocate %u bytes of memory
API String ID: 2803490479-1168259600
Opcode ID: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction ID: 83e647f58a001b4b33716092e1dc9084e7a57e1649cb419fd0ecfe0012ae2b1c
Opcode Fuzzy Hash: 5b5a248cf51c062ed88202fa4447692d12f7a24d46f4087129949bf54e3fefc0
Instruction Fuzzy Hash: B1E026B7F4561267C2004F1AEC019866790AFC032171A063BF92CD7380D678E9A683A9

Function 0041946A Relevance: 2.7, APIs: 2, Instructions: 195COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041960E
memcmp.MSVCRT(0000006B,?,00000010,?,?,?,?,?,?,?,?,0041C9E4,00000007,?), ref: 00419620

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcmpmemset
String ID:
API String ID: 1065087418-0
Opcode ID: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction ID: 09c6ddd7a7fbafff04f5e46546a8ec227a467f18660dcb1fea67ae87f7adc2a4
Opcode Fuzzy Hash: 025fdd92005a470daeaaf52f40e6be84491494a20acb6a1a3520ba0441d5af98
Instruction Fuzzy Hash: EB6170B1E05205FFDB11EFA489A09EEB7B8AB04308F14806FE108E3241D7789ED5DB59

Function 0040C5B3 Relevance: 2.6, APIs: 2, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B29B

GetStdHandle.KERNEL32(000000F5,?,00000000,00000001,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040C5DC
CloseHandle.KERNELBASE(00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000), ref: 0040C6E9

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Part of subcall function 004071BD: GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
Part of subcall function 004071BD: _snwprintf.MSVCRT ref: 004071FE
Part of subcall function 004071BD: MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
String ID:
API String ID: 1381354015-0
Opcode ID: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction ID: 8008e0f7e2c68a0a7dbf7afa260ddf7c08443fea941bd9d01fd0dc6d198c04cd
Opcode Fuzzy Hash: 437b4ee2f0eb5be7c77dedbcd6cde51050b7bc30ff96baad5e2726301dc593ae
Instruction Fuzzy Hash: 82415F31B00100EBCB359F69C8C9E5E76A5AF45710F215A2BF406A73D1CB7AAD80CA5D

Function 004098C2 Relevance: 2.6, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 004038C4: LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
Part of subcall function 004038C4: GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

wcslen.MSVCRT ref: 00409901
memset.MSVCRT ref: 00409980

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadmemsetwcslen
String ID:
API String ID: 1960736289-0
Opcode ID: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction ID: eeeebaecff14eb5a2c3d0f3031068d4b6d2ebef8e1bb4496a3092dc18c5c1f6a
Opcode Fuzzy Hash: 4e256b32b087a2d54a013736d5ec90ac317bbbafb522d715d277fbd7e177f48e
Instruction Fuzzy Hash: C0318172510249BBCF11EFA5CCC19EE77B9AF48304F14887EF505B7282D638AE499B64

Function 0042D857 Relevance: 2.6, APIs: 2, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0042D91C
memcpy.MSVCRT(000001A8,?,00000020,?,00000000,00000000,0044102C,00000000,00000000,00000000,00000000,?,?,00000003,00000000,00000000), ref: 0042D93C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID:
API String ID: 1297977491-0
Opcode ID: 86320a4430fdaa62a7cfe41e17bad7842192f66c2505b9b7b6a14f4601f4776d
Instruction ID: 8924df9a0b73475da4b238d73e0a6e7a22eb6b5713ba87d11c8eaeba374ce509
Opcode Fuzzy Hash: 86320a4430fdaa62a7cfe41e17bad7842192f66c2505b9b7b6a14f4601f4776d
Instruction Fuzzy Hash: CD319072E00215EBDB00DF59D981A9DB7B4FF40314F6484AAE815AF242D774EA81CBA8

Function 00414DE6 Relevance: 2.5, APIs: 2, Instructions: 24sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064), ref: 00414DFF
CloseHandle.KERNELBASE(0CC483FF,00000000,00000000,0045162C,00415453,00000008,00000000,00000000,?,00415610,?,00000000), ref: 00414E08

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction ID: a5fc701692feba82469beb2995ebf65a4cce15204005db1f3291e32cb0673270
Opcode Fuzzy Hash: bdd47c3b9fe514102062cbc93d8af5e804c2569a959601c5796dc848db78b9f9
Instruction Fuzzy Hash: 95E0CD372006155FD7005B7CDCC09D77399AF85734725032AF261C3190C665D4424664

Function 00407EB8 Relevance: 2.5, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00407EBB
free.MSVCRT ref: 00407EC3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: db2564747f6c9b0ce10efe63d809efe4206ca8195b6051940f8a726424b803a7
Instruction ID: 678242c8279a805cd99e0fe810509e5398187bdd4f5249f6459e69a2283f8bf1
Opcode Fuzzy Hash: db2564747f6c9b0ce10efe63d809efe4206ca8195b6051940f8a726424b803a7
Instruction Fuzzy Hash: 6AD042B0404B009FE7B1DF39D901602BBF0AB083103108D2EA0AAD2A50E775A1049F04

Function 0040ED6C Relevance: 1.6, APIs: 1, Instructions: 56timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0040EDFA: memset.MSVCRT ref: 0040EE42
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE59
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EE61
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EEBC
Part of subcall function 0040EDFA: wcslen.MSVCRT ref: 0040EECA

Part of subcall function 0040797A: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,0040EDAE,00000000,?,00000000,?,00000000), ref: 00407992
Part of subcall function 0040797A: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 004079A6
Part of subcall function 0040797A: CloseHandle.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004101ED), ref: 004079AF

CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 0040EDB8

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$File$Time$CloseCompareCreateHandlememset
String ID:
API String ID: 4204647287-0
Opcode ID: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction ID: 7375e5b5c48a3cf746583bdb812c6cb833081a8f043ffb24ec2f547d3e817a13
Opcode Fuzzy Hash: eeb16535b7e8d9903344e6e4fc87394a79dd4b2724dffbbd49d7f28440978fac
Instruction Fuzzy Hash: 58114C72C00219ABCF11EBA5D9419DEBBB9EF44300F20047BE801F3280D634AF44CB96

Function 00405149 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(0040511F,?,?,00000000,00000000,000000FF,0040571F,000000FF,000000FF,?,00000000,0040511F,?,?,?,0040566C), ref: 00405165

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$PointerRead
String ID:
API String ID: 3154509469-0
Opcode ID: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction ID: 13fe659266928e09ca291fdb8c13dcfe3ff2a23a31d494a2ddaccb8188200d23
Opcode Fuzzy Hash: 8e3300ccc99ceaafd88bf63aedabe6f8cf4ec2b06029cc1f8c5137446a6ac1ce
Instruction Fuzzy Hash: 5CE0C736100100FFE6208F08CC06F6BBBF9EBC4B00F10883EB2A49A0B1C2326812CB24

Function 00411B36 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00411B5D

Part of subcall function 004119C6: memset.MSVCRT ref: 004119E5
Part of subcall function 004119C6: _itow.MSVCRT ref: 004119FC
Part of subcall function 004119C6: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00411A0B

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfile$StringWrite_itowmemset
String ID:
API String ID: 4232544981-0
Opcode ID: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction ID: e4974885a9e011c02de9f8347c72c3dce1736aa6ad634daf2893e710d343c839
Opcode Fuzzy Hash: 4eb565fe38f19d9fcd3ef397b8be022b0e8b2ee90877df68a8cf7ef72faf0ee1
Instruction Fuzzy Hash: ABE0B672000149AFDF125F80EC01AA97BA6FF04315F248459FA5805631D73695B0EB95

Function 00407BB2 Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040C605,00000000,00448B84,00000002,?,?,?,0040E2DC,00000000), ref: 00407BC9

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction ID: 7a92458e03063ade3ff171a8f73d1b131da45bdd434acd56d38c8090c64c1cda
Opcode Fuzzy Hash: d369bb92ad7c49a717be8c21899150b55a2c28b5f26bff8a5462d106715fcbd8
Instruction Fuzzy Hash: 47D0C93511020DFBDF01CF80DC06FDD7B7DEB04759F108054BA1495060D7B59B14AB54

Function 00407144 Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction ID: 81d2dec17d2b84b4128be66cdd24e97b0dbf61b8fa3bcd6fd5fd384be9d73f32
Opcode Fuzzy Hash: 9a929023f2c627b70a1d779166e782d06c126c11e9800125383b8a94db93c5c6
Instruction Fuzzy Hash: E4C092B0240201BEFF228B10ED16F36695CD740B01F2044247E00E40E0D1A04F108924

Function 0040715D Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction ID: 6739adb68e03e12f7f7c1d8ccdc83ffe2e18cb8bef7d19e3acfe4a72d1b5eace
Opcode Fuzzy Hash: b3d4b136a85312aa723e3c9e2acb5816e1c60966b2ab5dba606afdc82e084c94
Instruction Fuzzy Hash: 49C092F02502017EFF208B10AD0AF37695DD780B01F2084207E00E40E0D2A14C008924

Function 00408604 Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00000000,00401A20,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040860B

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction ID: b86fd1081c12c971c14e25096d529e9df9055785cb1c99d48f6af2a57df14557
Opcode Fuzzy Hash: 7a03e879792b5fe31c33d7af5755a579040ef1194e7f819d695dad1928dde993
Instruction Fuzzy Hash: D3C09BB15127015BFB345E15D50571273E45F50727F354C1DB4D1D24C2DB7CD4408518

Function 004084DA Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,004083EE,?,00000000,00000000,?,00410708,?), ref: 004084E4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction ID: a26663696ee19f03613d77843e46d9f39b2dea1a9069363f3edb82d48ea13a69
Opcode Fuzzy Hash: ce138f875d3acdc4bfbe17b30e16d53cb8f2c6707e5d1d9850a648f01b786906
Instruction Fuzzy Hash: FFC092346205028BE23C5F38AD5A82A77E0BF4A3313B40F6CA0F3D20F0EB3884428A04

Function 004117E3 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00409EC4,00000000,004101A5,?,?,?,?,?,0040328B,?), ref: 004117EF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction ID: 28a9858cfff7e6e2b1914a1c804994c03dcb5394f8963e6e43683e707f81cfe3
Opcode Fuzzy Hash: 0e5244a652f8a00c19ee35b2b6df8d293c0f8fc24debe18f1969453427d3ee92
Instruction Fuzzy Hash: 83C04C351107028BE7218B12C849753B7F8BB00717F40C818A566859A0D77CE454CE18

Function 00411F7E Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

EnumResourceNamesW.KERNELBASE(?,?,00411EF8,00000000), ref: 00411F8D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: EnumNamesResource
String ID:
API String ID: 3334572018-0
Opcode ID: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction ID: 6c621939844f31da33ced499d0f7f7abb962291178acb537878d9391fa7c1b50
Opcode Fuzzy Hash: ad90743229005492c5e374903a2f61f35334675862818203282ec323c157130c
Instruction Fuzzy Hash: C8C09B32194342BBD7019F508C05F1B7A95BB55703F104C297561940B0C75140549605

Function 00407548 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction ID: 786af1a6681fc588f4ed673612d44b37cd66a9ddadc6b0c90f2aca86fde3c3ed
Opcode Fuzzy Hash: 201396fe258989d033aef496f9219e0ec37e2295b66c2c7cdc95f8b8143fc0af
Instruction Fuzzy Hash: 41B012792100404BCB080B349C4504D75506F46B32B20473CB073C00F0DB30CD70BA00

Function 00411B67 Relevance: 1.5, APIs: 1, Instructions: 7registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction ID: 8fd1618fdc001f910610ea30bed12e65be45571f6aff6d2ea6de46bc6098db87
Opcode Fuzzy Hash: d8bfda6a3cd3cbaaac1923a92569980932abdf526a58af7fc260ebb20eba954b
Instruction Fuzzy Hash: F8C09B35544301BFDE114F40FD05F09BF71BB84F05F004414B244640B1C2714414EB17

Function 00419681 Relevance: 1.3, APIs: 1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction ID: 4be01e504a1dbe863e5cd1883b5f47abe9c308d3627063d178914d84215e5ed1
Opcode Fuzzy Hash: 71768e3b57be439b0f9ce1a84ee98f19883832beed36a2a3ef83e6d3b54edd1a
Instruction Fuzzy Hash: 32319E31614206EFDF14AF15D9517DAB3A0FF00364F11412BF8259B290EB38EDE09BA9

Function 004059F7 Relevance: 1.3, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00405A28

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID:
API String ID: 2081463915-0
Opcode ID: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction ID: a3dc623871aa55e9e138b6aa735e1cfc4d22eb4fa3c35538bc996f6fefcd79cf
Opcode Fuzzy Hash: 47d81a72ba5e86c6c08ea2f576f41ce6956625c552654a9f8307a541cecd461b
Instruction Fuzzy Hash: 65113A75600A05AFCB14DF69C9C19ABB7F8FF04314B10463EA456E7241DB34E9458F68

Function 004050B7 Relevance: 1.3, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00405137: CloseHandle.KERNEL32(000000FF,004050C7,00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF), ref: 0040513F

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetLastError.KERNEL32(00000000,?,00408B2E,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat,?,?,?,00409013,?,004091EB,000000FF,00000000,00000104), ref: 00405124

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastRead
String ID:
API String ID: 2136311172-0
Opcode ID: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction ID: 849b43cde7c86ee220a2fa92f028283b8c7de21471a02e191cd59f19f3ad1342
Opcode Fuzzy Hash: e1fa86938fa3109ce0b7763a12cdd910979c4d4d9c688e98096abe29a5a3520b
Instruction Fuzzy Hash: DD0181B1815A008AD720AB65DC057A776E8DF11319F10893FE5A5EF2C2EB7C94408E6E

Function 004085EB Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

Part of subcall function 00408604: ??3@YAXPAX@Z.MSVCRT(00000000,00401A20,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040860B

??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@
String ID:
API String ID: 1936579350-0
Opcode ID: c4c244ccb30b183d3550635b452a5d4afba6a495f05b66f96448f990385c2ccf
Instruction ID: 922d8024f7c410ba2bf811e6c001bae8f16a2ee087a1061d919dd730706e44d9
Opcode Fuzzy Hash: c4c244ccb30b183d3550635b452a5d4afba6a495f05b66f96448f990385c2ccf
Instruction Fuzzy Hash: 36C02B3241D2101FD764FFB4360205722D4CE822383014C2FF0C0D3100DD3884014B4C

Function 00408037 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040803E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction ID: b2304b4461d9917b15a132db01dd128865174dbe20628525ae7b4e3248e143f9
Opcode Fuzzy Hash: b8cd1effcdf29b95293438428d1a83d87b736904a3019313e09548ab324a0620
Instruction Fuzzy Hash: 17C08CB24107018FF7308F11C905322B3E4AF0073BFA08C0EA0D0914C2DBBCD084CA08

Function 00402778 Relevance: 1.3, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040277F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction ID: cac01d1bc301b84fbdbddb48431dcac5afc2edf88536e2650f831a4bf4b80b8a
Opcode Fuzzy Hash: 12e10aa5a455c2b2122ca5546f3d5514bdec465a3aa4be4c1af19d6b195196c9
Instruction Fuzzy Hash: 7AC00272550B019FF7609F15C94A762B3E4AF5077BF918C1DA4A5924C1E7BCD4448A18

Function 00412B6F Relevance: 1.3, APIs: 1, Instructions: 5COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00412B73

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction ID: 46b4f55e9d8111901284769a6e1cf788246b5727949f953e2d9518689c8df02f
Opcode Fuzzy Hash: b450fec74f7795ac9fca528e737bf449a82a962f0464f52a5a7c386dc31c5c02
Instruction Fuzzy Hash: AC900282455501216C4522755D1750511080851176374074A7032A59D1DE688150601C

Non-executed Functions

Function 00411196 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 143processlibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00402778: free.MSVCRT ref: 0040277F

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00001000,?,00000000), ref: 004111B6
memset.MSVCRT ref: 004111CB
Process32FirstW.KERNEL32(?,?), ref: 004111E7
OpenProcess.KERNEL32(00000410,00000000,?,00001000,?,00000000), ref: 0041122C
memset.MSVCRT ref: 00411253
GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00411288
GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 004112A2
CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 004112F4
free.MSVCRT ref: 0041130D
Process32NextW.KERNEL32(?,0000022C), ref: 00411356
CloseHandle.KERNEL32(?,?,0000022C), ref: 00411366

Strings

QueryFullProcessImageNameW, xrefs: 00411292
kernel32.dll, xrefs: 00411283

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Handle$CloseProcess32freememset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
String ID: QueryFullProcessImageNameW$kernel32.dll
API String ID: 1344430650-1740548384
Opcode ID: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction ID: bbba850b15206e26884db202d857e323fd936e243bbe251c85cc099381913945
Opcode Fuzzy Hash: d60c901128d51a1a9a941b54c9a38706e9a618f48074c361322ebbbca8af7aa2
Instruction Fuzzy Hash: 7E51AF72840258ABDB21DF55CC84EDEB7B9EF94304F1001ABFA18E3261DB759A84CF54

Function 00407363 Relevance: 16.6, APIs: 11, Instructions: 59clipboardmemoryfileCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 0040736D

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000), ref: 0040738A
GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040739B
GlobalLock.KERNEL32(00000000), ref: 004073A8
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 004073BB
GlobalUnlock.KERNEL32(00000000), ref: 004073CD
SetClipboardData.USER32(0000000D,00000000), ref: 004073D6
GetLastError.KERNEL32 ref: 004073DE
CloseHandle.KERNEL32(?), ref: 004073EA
GetLastError.KERNEL32 ref: 004073F5
CloseClipboard.USER32 ref: 004073FE

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
String ID:
API String ID: 3604893535-0
Opcode ID: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction ID: 70226e125eefff96fe42492f97b8668800667adb6f1e94a7dd2fd5f696112ff0
Opcode Fuzzy Hash: ff4ef1d92d1a290ea301bbc8eaca8dcb04474945f762c75d88d1861bbfd53786
Instruction Fuzzy Hash: E311423A904204FBE7105FB5EC4DA5E7F78EB06B52F204176FD02E5290DB749A01DB69

Function 0041604B Relevance: 12.1, APIs: 8, Instructions: 70timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00416065
memcpy.MSVCRT(?,?,00000010), ref: 00416074
GetCurrentProcessId.KERNEL32 ref: 00416085
memcpy.MSVCRT(?,?,00000004), ref: 00416098
GetTickCount.KERNEL32 ref: 004160AC
memcpy.MSVCRT(?,?,00000004), ref: 004160BF
QueryPerformanceCounter.KERNEL32(?), ref: 004160D5
memcpy.MSVCRT(?,?,00000008), ref: 004160E5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4218492932-0
Opcode ID: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction ID: b821822af8fa1f08beba458ee4fa97db6355aebb6f9a48b4278dc6bbcb45c8c8
Opcode Fuzzy Hash: 91481d4031c4b0f89b54af3f497fb88c2307565dbaae607565dd24303698038d
Instruction Fuzzy Hash: 601163F3900118ABDB00EFA4DC899DAB7ACEF19710F454536FA09DB144E674E748C7A9

Function 004072FB Relevance: 12.0, APIs: 8, Instructions: 42clipboardmemoryCOMMON

Download Yara Rule

APIs

EmptyClipboard.USER32 ref: 00407303
wcslen.MSVCRT ref: 00407310
GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,0040D79F,-00000210), ref: 00407320
GlobalLock.KERNEL32(00000000), ref: 0040732D
memcpy.MSVCRT(00000000,?,00000002,?,?,?,0040D79F,-00000210), ref: 00407336
GlobalUnlock.KERNEL32(00000000), ref: 0040733F
SetClipboardData.USER32(0000000D,00000000), ref: 00407348
CloseClipboard.USER32 ref: 00407358

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
String ID:
API String ID: 1213725291-0
Opcode ID: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction ID: e9f640a6ba64593c4f3b5e3a0a2b414f675f529f5a9edaa6aa7e0ad5043136ba
Opcode Fuzzy Hash: 5ed3c7ed2292a9e609788bd9d251ea61b7faa26044294d95fe65c060bebd8173
Instruction Fuzzy Hash: 14F0B43B5002187BD2102FE5AC4DE1B772CEB86F97B050179FA09D2251DE749E0486B9

Function 00415AFD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00415B06

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B2D
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00415B56
LocalFree.KERNEL32(?), ref: 00415B71
free.MSVCRT ref: 00415B9F

Part of subcall function 00414C63: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,00414D8E,?), ref: 00414C81
Part of subcall function 00414C63: malloc.MSVCRT ref: 00414C88

Strings

OsError 0x%x (%u), xrefs: 00415B83

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
String ID: OsError 0x%x (%u)
API String ID: 2360000266-2664311388
Opcode ID: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
Instruction ID: b695a5953d892c14765524e538430075cec87daac3f875befcc4cde39e80dde6
Opcode Fuzzy Hash: b92bfb85b135c96f8b850ddecf84185ea98de4423d487b3975f43b970985a80a
Instruction Fuzzy Hash: 5F118E34A00218BBDB21AFA19C49CDFBF78EF85B51B104067F405A2250D6795B809BA9

Function 00407E0E Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,nss3.dll,00000000), ref: 00407E26
FindNextFileW.KERNEL32(00000000,?), ref: 00407E45
FindClose.KERNEL32(00000000), ref: 00407E65

Strings

ld@, xrefs: 00407E51
., xrefs: 00407E33
nss3.dll, xrefs: 00407E18

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: .$ld@$nss3.dll
API String ID: 3541575487-3654816495
Opcode ID: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction ID: 78963b1eb2bf7b5f8aa15039180698213c9a680973a94e339c68aae197af375e
Opcode Fuzzy Hash: cc7230da910be55964706480e184fd4a449cc4274279a5797c2cb2fba6568da8
Instruction Fuzzy Hash: CEF0BB75901528ABDB206BB4DC8C9ABB7ACEB45765F0401B2ED06E3180D334AE458AD9

Function 004021D9 Relevance: 110.5, APIs: 9, Strings: 54, Instructions: 282COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00402201
_wcsicmp.MSVCRT ref: 00402231
_wcsicmp.MSVCRT ref: 0040225E
_wcsicmp.MSVCRT ref: 0040228B

Part of subcall function 0040805C: wcslen.MSVCRT ref: 0040806F
Part of subcall function 0040805C: memcpy.MSVCRT(?,?,00000000,00000001,00401A18,Function_000434FC,?,00000001,00401A71,?,00401E44), ref: 0040808E

memset.MSVCRT ref: 0040262F
memcpy.MSVCRT(?,?,00000011,?,00000000,00000080), ref: 00402664

Part of subcall function 00403853: LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
Part of subcall function 00403853: GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
Part of subcall function 00403853: FreeLibrary.KERNEL32(00000000), ref: 00403897

memcpy.MSVCRT(?,?,0000001C,?,00000090,00000000,?), ref: 004026C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000090,00000000,?), ref: 0040271E
FreeLibrary.KERNEL32(00000000,?,00000090,00000000,?), ref: 0040272D

Strings

), xrefs: 004025AA
O, xrefs: 00402360
H, xrefs: 004022DB
=, xrefs: 0040251E
#, xrefs: 004025CD
w, xrefs: 004024D8
t, xrefs: 0040261A
!, xrefs: 00402525
`, xrefs: 004024A1
/, xrefs: 004024DF
&, xrefs: 0040230C
', xrefs: 004023D7
Account, xrefs: 00402253
g, xrefs: 0040231A
y, xrefs: 00402469
A, xrefs: 0040236E
y, xrefs: 00402352
0, xrefs: 0040240E
8, xrefs: 0040249A
X, xrefs: 00402605
q, xrefs: 004024AF
h, xrefs: 004024BD
Data, xrefs: 00402280
u, xrefs: 0040244D
>, xrefs: 004022D4
Path, xrefs: 00402226
I, xrefs: 004023F3
t, xrefs: 0040252C
@, xrefs: 00402533
F, xrefs: 004023A6
&, xrefs: 004025C6
~, xrefs: 00402579
{, xrefs: 00402383
\, xrefs: 00402510
b, xrefs: 004022F7
u, xrefs: 004023DE
com.apple.Safari, xrefs: 00402634
2, xrefs: 00402580
>, xrefs: 004022E9
^, xrefs: 004025FE
com.apple.WebKit2WebProcess, xrefs: 00402656
S, xrefs: 004024D1
$, xrefs: 0040259C
z, xrefs: 0040255D
t, xrefs: 004025F7
L, xrefs: 004025E9
K, xrefs: 0040239F
n, xrefs: 0040258E
a, xrefs: 004024ED
}, xrefs: 004022E2
n, xrefs: 0040254F
H, xrefs: 004022CD
server, xrefs: 004021ED
K, xrefs: 0040253A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp$FreeLibrarymemcpy$AddressLoadLocalProcmemsetwcslen
String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
API String ID: 462158748-1134094380
Opcode ID: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction ID: cc44404655acc20b5533cc0c34fbbab0c7f11d0fd0cfcd5d05bb593c6a12ed59
Opcode Fuzzy Hash: 67cf4eee38665e4ec1be56c90270dd44ce6e0e009cbb4a5b7d9f17bd5b1e0b61
Instruction Fuzzy Hash: C9F1FF208087E9C9DB32D7788D097CEBE645B23324F0443D9E1E87A2D2D7B55B85CB66

Function 00441975 Relevance: 66.7, APIs: 23, Strings: 15, Instructions: 152libraryloaderCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004419A0
wcscpy.MSVCRT ref: 004419B7
memset.MSVCRT ref: 004419EA
wcscpy.MSVCRT ref: 00441A00
wcscat.MSVCRT ref: 00441A11
wcscpy.MSVCRT ref: 00441A37
wcscat.MSVCRT ref: 00441A48
wcscpy.MSVCRT ref: 00441A6F
wcscat.MSVCRT ref: 00441A80
GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
LoadLibraryW.KERNEL32(sqlite3.dll,?,00000104,00000000), ref: 00441AB9
LoadLibraryW.KERNEL32(mozsqlite3.dll,?,00000104,00000000), ref: 00441AC7
LoadLibraryW.KERNEL32(nss3.dll,?,00000104,00000000), ref: 00441AD7
GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF
GetProcAddress.KERNEL32(?,sqlite3_step), ref: 00441B0C
GetProcAddress.KERNEL32(?,sqlite3_column_text), ref: 00441B19
GetProcAddress.KERNEL32(?,sqlite3_column_int), ref: 00441B26
GetProcAddress.KERNEL32(?,sqlite3_column_int64), ref: 00441B33
GetProcAddress.KERNEL32(?,sqlite3_finalize), ref: 00441B40
GetProcAddress.KERNEL32(?,sqlite3_close), ref: 00441B4D
GetProcAddress.KERNEL32(?,sqlite3_exec), ref: 00441B5A

Strings

sqlite3_column_text, xrefs: 00441B0E
sqlite3_column_int64, xrefs: 00441B28
sqlite3_step, xrefs: 00441B01
nss3.dll, xrefs: 00441AD2
sqlite3_exec, xrefs: 00441B4F
sqlite3_column_int, xrefs: 00441B1B
\mozsqlite3.dll, xrefs: 00441A42
mozsqlite3.dll, xrefs: 00441AC2
sqlite3.dll, xrefs: 00441AB4
sqlite3_prepare, xrefs: 00441AF5
sqlite3_finalize, xrefs: 00441B35
\sqlite3.dll, xrefs: 00441A0B
sqlite3_open, xrefs: 00441AED
sqlite3_close, xrefs: 00441B42
\nss3.dll, xrefs: 00441A7A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoadwcscpy$wcscat$memset$HandleModule
String ID: \mozsqlite3.dll$\nss3.dll$\sqlite3.dll$mozsqlite3.dll$nss3.dll$sqlite3.dll$sqlite3_close$sqlite3_column_int$sqlite3_column_int64$sqlite3_column_text$sqlite3_exec$sqlite3_finalize$sqlite3_open$sqlite3_prepare$sqlite3_step
API String ID: 2522319644-522817110
Opcode ID: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction ID: 320c17c5e6ace6947bedab1e2bf77c9c6d077df099d9b5840aba930edb5fc244
Opcode Fuzzy Hash: 8848e67c20b1512477d94237df3342a95449e5598eedc60463cf29981b84716b
Instruction Fuzzy Hash: 855165B1901709BADB20FFB18D49A4BB7F8AF08704F5008ABE54AE2551E778E644CF18

Function 00409B6A Relevance: 59.8, APIs: 27, Strings: 7, Instructions: 275stringCOMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00409B82
_wcsicmp.MSVCRT ref: 00409B97
_wcsnicmp.MSVCRT ref: 00409BB1
_wcsnicmp.MSVCRT ref: 00409BC5
wcslen.MSVCRT ref: 00409BD6
_wcsicmp.MSVCRT ref: 00409BF8
memset.MSVCRT ref: 00409C3D
wcscpy.MSVCRT ref: 00409C4A
wcslen.MSVCRT ref: 00409C6B
wcslen.MSVCRT ref: 00409C83
_wcsicmp.MSVCRT ref: 00409CC8
_wcsicmp.MSVCRT ref: 00409CDB
_wcsnicmp.MSVCRT ref: 00409CF2
memset.MSVCRT ref: 00409D38
wcschr.MSVCRT ref: 00409D40
wcslen.MSVCRT ref: 00409D48
wcscpy.MSVCRT ref: 00409D66
wcschr.MSVCRT ref: 00409D74
_wcsnicmp.MSVCRT ref: 00409DA4
memset.MSVCRT ref: 00409DD8
strlen.MSVCRT ref: 00409DDE
memcpy.MSVCRT(?,?,00000000), ref: 00409DFA
strchr.MSVCRT ref: 00409E0F
memset.MSVCRT ref: 00409E39
memset.MSVCRT ref: 00409E4E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E6F
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00409E82

Strings

internet explorer, xrefs: 00409B76, 00409B7B, 00409B93
ftp://, xrefs: 00409CEC
dpapi:, xrefs: 00409D9E
http://, xrefs: 00409BAB
wininetcachecredentials, xrefs: 00409CBF, 00409CC4, 00409CD7
:stringdata, xrefs: 00409BF2
https://, xrefs: 00409BBF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
String ID: :stringdata$dpapi:$ftp://$http://$https://$internet explorer$wininetcachecredentials
API String ID: 2787044678-1843504584
Opcode ID: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction ID: bbe16b9e6473d86cc6eed57c0ed50d6d6787e5e5d2f3b2995f82d19aea11410f
Opcode Fuzzy Hash: cb6674861b630e023730bc8514c911496a266ea8c7e3a43a84e29182814d6b93
Instruction Fuzzy Hash: 2891A571940209BFEF20EF55CD41EDF77A8AF54314F10006AF848A3292EB79EE508B68

Function 004113F4 Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00411421
GetDlgItem.USER32(?,000003E8), ref: 0041142D
GetWindowLongW.USER32(00000000,000000F0), ref: 0041143C
GetWindowLongW.USER32(?,000000F0), ref: 00411448
GetWindowLongW.USER32(00000000,000000EC), ref: 00411451
GetWindowLongW.USER32(?,000000EC), ref: 0041145D
GetWindowRect.USER32(00000000,?), ref: 0041146F
GetWindowRect.USER32(?,?), ref: 0041147A
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041148E
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041149C
GetDC.USER32 ref: 004114D5
wcslen.MSVCRT ref: 00411515
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00411526
ReleaseDC.USER32(?,?), ref: 00411573
_snwprintf.MSVCRT ref: 00411636
SetWindowTextW.USER32(?,?), ref: 0041164A
SetWindowTextW.USER32(?,00000000), ref: 00411668
GetDlgItem.USER32(?,00000001), ref: 0041169E
GetWindowRect.USER32(00000000,?), ref: 004116AE
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004116BC
GetClientRect.USER32(?,?), ref: 004116D3
GetWindowRect.USER32(?,?), ref: 004116DD
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00411723
GetClientRect.USER32(?,?), ref: 0041172D
SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00411765

Strings

EDIT, xrefs: 0041160B
%s:, xrefs: 0041162B
STATIC, xrefs: 004115D5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
String ID: %s:$EDIT$STATIC
API String ID: 2080319088-3046471546
Opcode ID: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction ID: 8ff438caca04d900f401a49fee0f0db12add2221ca5be9c1dac879361ae65e4d
Opcode Fuzzy Hash: 82769fcda4aee539b94f7460eafa85e4f9ca3f83dedf5f01e4882f05d4beebf3
Instruction Fuzzy Hash: E3B1B071108341AFD720DF68C985E6BBBF9FB88704F004A2DF69692261DB75E944CF16

Function 0040109F Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003EC), ref: 004010F7
ChildWindowFromPoint.USER32(?,?,?), ref: 00401109
GetDlgItem.USER32(?,000003EE), ref: 0040113F
ChildWindowFromPoint.USER32(?,?,?), ref: 0040114C
GetDlgItem.USER32(?,000003EC), ref: 0040117A
ChildWindowFromPoint.USER32(?,?,?), ref: 0040118C
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00401195
LoadCursorW.USER32(00000000,00000067), ref: 0040119E
SetCursor.USER32(00000000,?,?), ref: 004011A5
GetDlgItem.USER32(?,000003EE), ref: 004011C6
ChildWindowFromPoint.USER32(?,?,?), ref: 004011D3
GetDlgItem.USER32(?,000003EC), ref: 004011ED
SetBkMode.GDI32(?,00000001), ref: 004011F9
SetTextColor.GDI32(?,00C00000), ref: 00401207
GetSysColorBrush.USER32(0000000F), ref: 0040120F
GetDlgItem.USER32(?,000003EE), ref: 00401230
EndDialog.USER32(?,?), ref: 00401265
DeleteObject.GDI32(?), ref: 00401271
GetDlgItem.USER32(?,000003ED), ref: 00401296
ShowWindow.USER32(00000000), ref: 0040129F
GetDlgItem.USER32(?,000003EE), ref: 004012AB
ShowWindow.USER32(00000000), ref: 004012AE
SetDlgItemTextW.USER32(?,000003EE,004511E0), ref: 004012BF
SetWindowTextW.USER32(?,WebBrowserPassView), ref: 004012CD
SetDlgItemTextW.USER32(?,000003EA,?), ref: 004012E5
SetDlgItemTextW.USER32(?,000003EC,?), ref: 004012F6

Strings

WebBrowserPassView, xrefs: 004012C5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
String ID: WebBrowserPassView
API String ID: 829165378-2171583229
Opcode ID: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction ID: 8d9c6eba8ddb3a7c26c98eaf12cf57faa7ce2db5dd3d1d54ce32cd9ff2fd20fc
Opcode Fuzzy Hash: 9528d28c6aa400cf950dedba09aaaf40a629cdba61218975bccd681405960fd9
Instruction Fuzzy Hash: 8C517E35500308BBDB22AF64DC45E6E7BB5FB04742F104A7AF952A66F0C774AE50EB18

Function 0040F767 Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 214windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 0040F7AC
GetDlgItem.USER32(?,000003EA), ref: 0040F7C4
SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040F7E2
SendMessageW.USER32(?,00000301,00000000,00000000), ref: 0040F7EE
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0040F7F6
memset.MSVCRT ref: 0040F81D
memset.MSVCRT ref: 0040F83F
memset.MSVCRT ref: 0040F858
memset.MSVCRT ref: 0040F86C
memset.MSVCRT ref: 0040F886
memset.MSVCRT ref: 0040F89B
GetCurrentProcess.KERNEL32 ref: 0040F8A3
ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040F8C6
ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040F8F8
memset.MSVCRT ref: 0040F94B
GetCurrentProcessId.KERNEL32 ref: 0040F959
memcpy.MSVCRT(?,004509D0,0000021C), ref: 0040F987
wcscpy.MSVCRT ref: 0040F9AA
_snwprintf.MSVCRT ref: 0040FA19
SetDlgItemTextW.USER32(?,000003EA,?), ref: 0040FA31
GetDlgItem.USER32(?,000003EA), ref: 0040FA3B
SetFocus.USER32(00000000), ref: 0040FA42

Strings

Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 0040FA0E
{Unknown}, xrefs: 0040F831

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
API String ID: 4111938811-1819279800
Opcode ID: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction ID: 69e9f0bde0ef3093fe47e3bafb281a214b560c7f74f151c34d98b156b899ddfd
Opcode Fuzzy Hash: 4192c38ce99e2e5d3a4b6b431755b06133974f066cfd60dedb09103ebde27fd1
Instruction Fuzzy Hash: F7719FB680121DBEEF219B50DC45EDA7B6CEF08355F0000B6F508A21A1DA799E88CF69

Function 0040F4F7 Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040F51A
wcslen.MSVCRT ref: 0040F522
wcslen.MSVCRT ref: 0040F52E
wcscpy.MSVCRT ref: 0040F5A5
wcscpy.MSVCRT ref: 0040F5B6
memset.MSVCRT ref: 0040F5CF
memset.MSVCRT ref: 0040F5E4
_snwprintf.MSVCRT ref: 0040F5FE
memset.MSVCRT ref: 0040F63D
wcslen.MSVCRT ref: 0040F64D
wcslen.MSVCRT ref: 0040F65B
wcscpy.MSVCRT ref: 0040F611

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

wcscpy.MSVCRT ref: 0040F6A2
memset.MSVCRT ref: 0040F6D1
memset.MSVCRT ref: 0040F6E6
_snwprintf.MSVCRT ref: 0040F702
wcscpy.MSVCRT ref: 0040F715

Strings

Profile%d, xrefs: 0040F5EA, 0040F6F4
IsRelative, xrefs: 0040F745
General, xrefs: 0040F5B0
profiles.ini, xrefs: 0040F527, 0040F543
Path, xrefs: 0040F72A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcscpy$wcslen$_snwprintf$wcscat
String ID: General$IsRelative$Path$Profile%d$profiles.ini
API String ID: 3014334669-2600475665
Opcode ID: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction ID: ca42eae1a8a54deb15ae60d9a008fbbac9316f2c57223d03809256618168ca92
Opcode Fuzzy Hash: c5dfa419d5e156fd18e38bb9fe1657a50580db14dfc2297f0345cb0c168ef583
Instruction Fuzzy Hash: F151627290021CBADB20EB55CD45ECEB7BCAF14744F5044B7B10DA2091EB789B888F6A

Function 0040D1D0 Relevance: 33.5, APIs: 15, Strings: 4, Instructions: 254windowregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A2C8: LoadMenuW.USER32(00000000), ref: 0040A2D0

SetMenu.USER32(?,00000000), ref: 0040D2E0
CreateStatusWindowW.COMCTL32(50000000,Function_000434FC,?,00000101), ref: 0040D2FB
SendMessageW.USER32(00000000,00000404,00000001,?), ref: 0040D313
GetModuleHandleW.KERNEL32(00000000), ref: 0040D322
LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 0040D32F
CreateToolbarEx.COMCTL32(?,50010900,00000102,00000006,00000000,00000000,?,00000007,00000010,00000010,00000060,00000010,00000014), ref: 0040D359
GetModuleHandleW.KERNEL32(00000000), ref: 0040D366
CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 0040D38D
GetFileAttributesW.KERNEL32(004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D468
GetTempPathW.KERNEL32(00000104,004518A8,?,00000000,/nosaveload,00000000,00000001), ref: 0040D478
wcslen.MSVCRT ref: 0040D47F
wcslen.MSVCRT ref: 0040D48D
RegisterWindowMessageW.USER32(commdlg_FindReplace,00000001,?,00000000,/nosaveload,00000000,00000001), ref: 0040D4DA
SendMessageW.USER32(?,00000404,00000002,?), ref: 0040D515
SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 0040D528

Part of subcall function 00403A14: wcslen.MSVCRT ref: 00403A31
Part of subcall function 00403A14: SendMessageW.USER32(?,00001061,?,?), ref: 00403A55

Strings

/nosaveload, xrefs: 0040D412
commdlg_FindReplace, xrefs: 0040D4D5
report.html, xrefs: 0040D486, 0040D49E
SysListView32, xrefs: 0040D387

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Message$Send$CreateWindowwcslen$HandleLoadMenuModule$AttributesFileImagePathRegisterStatusTempToolbar
String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html
API String ID: 1638525581-2103577948
Opcode ID: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction ID: 7a0d9eec849a31f4480aab016bccc9be6ec6f6c883519ecda8bf5f9757aa8271
Opcode Fuzzy Hash: 09239095896d852bc9637f75337da0b8f677ca08e5855ea8ee30249aa1057c49
Instruction Fuzzy Hash: D7A1A171500388AFEB11DF68CC89BCA7FA5AF55704F04447DFA486B292C7B59908CB69

Function 00441C15 Relevance: 33.4, APIs: 8, Strings: 11, Instructions: 139COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
??2@YAPAXI@Z.MSVCRT(?,00000000,0040AAB8,?,00000000), ref: 00441C46
GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
_snwprintf.MSVCRT ref: 00441CC6
wcscpy.MSVCRT ref: 00441CF0
??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00441DA0

Strings

FileDescription, xrefs: 00441D09
\VarFileInfo\Translation, xrefs: 00441CA0
ProductVersion, xrefs: 00441D33
ProductName, xrefs: 00441CF7
LegalCopyright, xrefs: 00441D72
%4.4X%4.4X, xrefs: 00441CBB
FileVersion, xrefs: 00441D1E
OriginalFileName, xrefs: 00441D87
InternalName, xrefs: 00441D5D
040904E4, xrefs: 00441CEA
CompanyName, xrefs: 00441D48

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileInfoQueryValueVersion$??2@??3@Size_snwprintfwcscpy
String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
API String ID: 1223191525-1542517562
Opcode ID: 9897178d094dfd97b061ac7dac744c392fa480436af166b1c163587981a405ce
Instruction ID: 5dc843b0b2888ef0cde47c2e58fd974eed7f8edc5a370bbe46a7031584b3d011
Opcode Fuzzy Hash: 9897178d094dfd97b061ac7dac744c392fa480436af166b1c163587981a405ce
Instruction Fuzzy Hash: 044143B2940618BAE704EFA1EC82DDEB7BCFF08744B400557B505A3151DB78BA85CBE8

Function 0040C8CF Relevance: 33.1, APIs: 22, Instructions: 137windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C912
memset.MSVCRT ref: 0040C927
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C970
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C97B
SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 0040C9F8
GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 0040CA15
ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
GetSysColor.USER32(0000000F), ref: 0040CA2E
ImageList_AddMasked.COMCTL32(?,00000000,00000000), ref: 0040CA49
ImageList_AddMasked.COMCTL32(?,?,?), ref: 0040CA59
DeleteObject.GDI32(?), ref: 0040CA65
DeleteObject.GDI32(?), ref: 0040CA6B
SendMessageW.USER32(00000000,00001208,00000000,?), ref: 0040CA88

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$List_$CountCreateMessageSend$DeleteHandleLoadMaskedModuleObjectmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 304928396-0
Opcode ID: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction ID: 0a3ff62ab3886bf523a191411b010267208ec01492d8cd9208f2635b8a46902f
Opcode Fuzzy Hash: 45911c1970665382fa90db5d41abc719a2ef46b241cbde3be6a9b9b2f588298f
Instruction Fuzzy Hash: A541B871640304BFE7209F70CC8AF97B7ACFB09B45F000929F399A51D1C6B5A9408B29

Function 00408836 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 234fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040885E

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

Part of subcall function 0040FC89: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
Part of subcall function 0040FC89: GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

CloseHandle.KERNEL32(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA
_wcsicmp.MSVCRT ref: 0040898B
_wcsicmp.MSVCRT ref: 0040899E
_wcsicmp.MSVCRT ref: 004089B1
OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,000000FF,00000000,00000104), ref: 004089C5
GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 00408A0B
DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 00408A1A
memset.MSVCRT ref: 00408A38
CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 00408A6B
_wcsicmp.MSVCRT ref: 00408A8B
CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 00408ACB
FreeLibrary.KERNEL32(?,?,?,000000FF,00000000,00000104), ref: 00408AED

Strings

taskhostex.exe, xrefs: 004089A9
dllhost.exe, xrefs: 00408982
taskhost.exe, xrefs: 00408996

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateFreeLibraryNameOpen
String ID: dllhost.exe$taskhost.exe$taskhostex.exe
API String ID: 814719012-3398334509
Opcode ID: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction ID: ac6d74245de41f4a68afaf46936feeb9e4215e23a81ac82868d75cf9687b4f7b
Opcode Fuzzy Hash: 4d8f3214a43bd04c3f84bf4d7629163f604b80433559b2a465285cddf8bf93b4
Instruction Fuzzy Hash: FB9115B1D00209AFDB10EF95C985AAEBBB5FF04305F60447FE949B6291DB399E40CB58

Function 004125BA Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 103COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004125DC
memset.MSVCRT ref: 004125F1
wcscpy.MSVCRT ref: 00412623
_snwprintf.MSVCRT ref: 00412643
wcscat.MSVCRT ref: 00412650
_snwprintf.MSVCRT ref: 0041267F
wcscat.MSVCRT ref: 0041268C
wcscat.MSVCRT ref: 0041269A
wcscat.MSVCRT ref: 004126AC
wcscat.MSVCRT ref: 004126B7
wcscat.MSVCRT ref: 004126C9
wcscat.MSVCRT ref: 004126DB

Strings

color="#%s", xrefs: 0041266E
size="%d", xrefs: 00412632
</b>, xrefs: 004126C3
<font, xrefs: 0041261D
<b>, xrefs: 004126A6
</font>, xrefs: 004126D5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset$wcscpy
String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
API String ID: 3143752011-1996832678
Opcode ID: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction ID: 1bdd15307226dc02cd036ffdab734ce65306a7f25c134a46d7f370f8b7d92746
Opcode Fuzzy Hash: 2ff61e6e61c45a42ec8a536e31393f15904b361fc50918dfd7b37e2d26dac3f0
Instruction Fuzzy Hash: 2C31E9B2900305BEEB20AA559E82DBF73BCDF41715F60405FF214E21C2DABC9E859A1C

Function 0040FC89 Relevance: 31.5, APIs: 9, Strings: 9, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,004088B3,?,000000FF,00000000,00000104), ref: 0040FC9C
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 0040FCB3
GetProcAddress.KERNEL32(NtLoadDriver), ref: 0040FCC5
GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0040FCD7
GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0040FCE9
GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 0040FCFB
GetProcAddress.KERNEL32(NtQueryObject), ref: 0040FD0D
GetProcAddress.KERNEL32(NtSuspendProcess), ref: 0040FD1F
GetProcAddress.KERNEL32(NtResumeProcess), ref: 0040FD31

Strings

NtQuerySystemInformation, xrefs: 0040FCA8
NtUnloadDriver, xrefs: 0040FCC7
NtResumeProcess, xrefs: 0040FD21
NtQuerySymbolicLinkObject, xrefs: 0040FCEB
ntdll.dll, xrefs: 0040FC97
NtSuspendProcess, xrefs: 0040FD0F
NtLoadDriver, xrefs: 0040FCB5
NtQueryObject, xrefs: 0040FCFD
NtOpenSymbolicLinkObject, xrefs: 0040FCD9

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
API String ID: 667068680-2887671607
Opcode ID: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction ID: df14504fdc59ccf6a8c55cbe4aacceea24f9204784c5926a31105bf4aba29bc2
Opcode Fuzzy Hash: d01a7573c8c1d70ed52b2f6ff8626cb2949720c0675fde4b879603f159105d12
Instruction Fuzzy Hash: 8E018478D40314BBEB119F71AC09B563EA9F7187967180977F41862272DBB98810EE8C

Function 0040BEB4 Relevance: 29.9, APIs: 10, Strings: 7, Instructions: 184COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BED5
memset.MSVCRT ref: 0040BEFF
memset.MSVCRT ref: 0040BF15
memset.MSVCRT ref: 0040BF2B
_snwprintf.MSVCRT ref: 0040BF64
wcscpy.MSVCRT ref: 0040BFAF
_snwprintf.MSVCRT ref: 0040C03C
wcscat.MSVCRT ref: 0040C06E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

wcscpy.MSVCRT ref: 0040C050
_snwprintf.MSVCRT ref: 0040C0AD

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

bgcolor="%s", xrefs: 0040BF56
 , xrefs: 0040C068
nowrap, xrefs: 0040BFA9
<font color="%s">%s</font>, xrefs: 0040C02F
</table><p>, xrefs: 0040C0CF
<table border="1" cellpadding="5">, xrefs: 0040BF6C
<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s, xrefs: 0040BEDD

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintfmemset$wcscpy$FileWritewcscatwcslen
String ID: bgcolor="%s"$ nowrap$ $</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
API String ID: 1277802453-601624466
Opcode ID: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction ID: c023c2c05774347514c90e9c4a79a5fc261e79551634f2018d74b142c4ca0a41
Opcode Fuzzy Hash: afbe44f23bf8ba0960694767798beca720d6b7b0fa1b1000d23084d0d272dd1b
Instruction Fuzzy Hash: 6B619E31900208EFEF14EF94CC86EAEBB79EF44314F50419AF905AA1D2DB75AA51CF58

Function 004126E8 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041270E
memset.MSVCRT ref: 00412723
memset.MSVCRT ref: 00412738
_snwprintf.MSVCRT ref: 00412767
_snwprintf.MSVCRT ref: 00412796
wcscpy.MSVCRT ref: 004127A7
_snwprintf.MSVCRT ref: 004127C7
memset.MSVCRT ref: 00412803
_snwprintf.MSVCRT ref: 00412824
_snwprintf.MSVCRT ref: 0041285E

Part of subcall function 0041248F: _snwprintf.MSVCRT ref: 004124B3

Strings

<table border="1" cellpadding="5"><tr%s>, xrefs: 004127B6
bgcolor="%s", xrefs: 00412756
<font color="%s">, xrefs: 00412785
width="%s", xrefs: 00412813
<th%s>%s%s%s, xrefs: 0041284D
</font>, xrefs: 004127A1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintf$memset$wcscpy
String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
API String ID: 2000436516-3842416460
Opcode ID: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction ID: df620ac0873104ba588d68bc57a3bc16e82c0a505241d1212890b0a23309d9f4
Opcode Fuzzy Hash: 226d5b028e445a7516cf64f8fc5c05c3ce0576dee2713dde24e27e7b686f1b2e
Instruction Fuzzy Hash: 03418371D402197AEB20EB55DD41EFB727CFF04304F4401AAB509E2181EB749B948F6A

Function 004035E2 Relevance: 27.1, APIs: 18, Instructions: 66windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C912
Part of subcall function 0040C8CF: memset.MSVCRT ref: 0040C927
Part of subcall function 0040C8CF: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C939
Part of subcall function 0040C8CF: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 0040C957
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000001,?), ref: 0040C994
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000020,00000020,00000019,00000001,00000001), ref: 0040C9A8
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(00000000,00000006), ref: 0040C9B3
Part of subcall function 0040C8CF: SendMessageW.USER32(?,00001003,00000000,?), ref: 0040C9CB
Part of subcall function 0040C8CF: ImageList_Create.COMCTL32(00000010,00000010,00000019,00000001,00000001), ref: 0040C9D7
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040C9E6
Part of subcall function 0040C8CF: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 0040C9F8
Part of subcall function 0040C8CF: GetModuleHandleW.KERNEL32(00000000), ref: 0040CA03
Part of subcall function 0040C8CF: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 0040CA15
Part of subcall function 0040C8CF: ImageList_SetImageCount.COMCTL32(?,00000000), ref: 0040CA26
Part of subcall function 0040C8CF: GetSysColor.USER32(0000000F), ref: 0040CA2E

GetModuleHandleW.KERNEL32(00000000), ref: 004035F4
LoadIconW.USER32(00000000,00000072), ref: 004035FF
ImageList_ReplaceIcon.COMCTL32(?,00000000,00000000), ref: 00403610
GetModuleHandleW.KERNEL32(00000000), ref: 00403614
LoadIconW.USER32(00000000,00000074), ref: 00403619
ImageList_ReplaceIcon.COMCTL32(?,00000001,00000000), ref: 00403624
GetModuleHandleW.KERNEL32(00000000), ref: 00403628
LoadIconW.USER32(00000000,00000073), ref: 0040362D
ImageList_ReplaceIcon.COMCTL32(?,00000002,00000000), ref: 00403638
GetModuleHandleW.KERNEL32(00000000), ref: 0040363C
LoadIconW.USER32(00000000,00000075), ref: 00403641
ImageList_ReplaceIcon.COMCTL32(?,00000003,00000000), ref: 0040364C
GetModuleHandleW.KERNEL32(00000000), ref: 00403650
LoadIconW.USER32(00000000,0000006F), ref: 00403655
ImageList_ReplaceIcon.COMCTL32(?,00000004,00000000), ref: 00403660
GetModuleHandleW.KERNEL32(00000000), ref: 00403664
LoadIconW.USER32(00000000,00000076), ref: 00403669
ImageList_ReplaceIcon.COMCTL32(?,00000005,00000000), ref: 00403674

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Image$Icon$List_$HandleLoadModule$Replace$CountCreateMessageSendmemset$ColorDirectoryFileInfoWindows
String ID:
API String ID: 792915304-0
Opcode ID: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction ID: 62ec96a61e35675a05b55f01cd8090f0511f6faf4d41b9404683e1d7d0c62212
Opcode Fuzzy Hash: cc435ca99fa3c831c04f4257ae775a7279f3e83e44ba77ecb565717d4c2bd910
Instruction Fuzzy Hash: 6901E1A17957087AF53137B2EC4BF6B7B5EDF81F4AF214414F30C990E0C9A6AD105928

Function 00406B9F Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 174stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,00000104,00000001,00000000,?,00407052,?,?,?,0000001E), ref: 00406BC8
??2@YAPAXI@Z.MSVCRT(00000001,?,00407052,?,?,?,0000001E), ref: 00406BDC

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

memset.MSVCRT ref: 00406C0B
memset.MSVCRT ref: 00406C2B
memset.MSVCRT ref: 00406C40
strcmp.MSVCRT ref: 00406C64
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00406DC3
CloseHandle.KERNEL32(Rp@,?,00407052,?,?,?,0000001E), ref: 00406DCC

Strings

Rp@, xrefs: 00406DC9, 00406BE6
---, xrefs: 00406D8E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Filememset$??2@??3@CloseCreateHandleReadSizestrcmp
String ID: ---$Rp@
API String ID: 2784192885-2834202798
Opcode ID: 70cd323bbf40a81e325ac6262686482494a3ddf5a15bdc79bf31f8763e8c2fcd
Instruction ID: 5360a5981a47af023619c2d52a4e150b55de9ab2e9c88b676a0c17dd944fe9c5
Opcode Fuzzy Hash: 70cd323bbf40a81e325ac6262686482494a3ddf5a15bdc79bf31f8763e8c2fcd
Instruction Fuzzy Hash: 2E51817290815DAAEF21DB558C819DEBBBCEF14304F1040FBE50AA3141DA389FD5DBA9

Function 00408B10 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00408836: memset.MSVCRT ref: 0040885E
Part of subcall function 00408836: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 00408885
Part of subcall function 00408836: CloseHandle.KERNEL32(C0000004,?,000000FF,00000000,00000104), ref: 004088EF
Part of subcall function 00408836: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 004088FA

Part of subcall function 004085EB: ??2@YAPAXI@Z.MSVCRT(00000001,00000001,00401DDF), ref: 004085F4

OpenProcess.KERNEL32(00000040,00000000,?,00000104,00000000,?,00000104,00000000,00000000,00000104,Microsoft\Windows\WebCache\WebCacheV01.dat), ref: 00408B85
GetCurrentProcess.KERNEL32(00000000,80000000,00000000,00000000), ref: 00408BA4
DuplicateHandle.KERNEL32(00000000,00000104,00000000), ref: 00408BB1
GetFileSize.KERNEL32(00000000,00000000), ref: 00408BC6

Part of subcall function 004074C6: GetTempPathW.KERNEL32(00000104,?), ref: 004074DD
Part of subcall function 004074C6: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004074EF
Part of subcall function 004074C6: GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00407506

Part of subcall function 0040715D: CreateFileW.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040C5D7,?,?,00000000,00000001,?,?,?,0040E2DC), ref: 0040716F

CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00408BF0
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000104), ref: 00408C05
WriteFile.KERNEL32(?,00000000,00000104,004091EB,00000000), ref: 00408C20
UnmapViewOfFile.KERNEL32(00000000), ref: 00408C27
CloseHandle.KERNEL32(?), ref: 00408C30
CloseHandle.KERNEL32(?), ref: 00408C35
CloseHandle.KERNEL32(00000000), ref: 00408C3A
CloseHandle.KERNEL32(00000000), ref: 00408C3F

Strings

Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 00408B16
bhv, xrefs: 00408BCF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateMappingNameOpenPathSizeUnmapWindowsWritememset
String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$bhv
API String ID: 4205445468-4002013007
Opcode ID: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
Instruction ID: 68c5544b499915da94545e51db83da674be7fd43246ed759ba52d344f26358cd
Opcode Fuzzy Hash: 605df682aca1a4ff42ceeac8dd6110a0503dbbb848fd46321c54b31420e585a4
Instruction Fuzzy Hash: CD412775901218BBDF11AF95CD899DFBFB9EF09751F10802AF608A6250DB349A40CFA9

Function 0040AA44 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AA6A
memset.MSVCRT ref: 0040AA86

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

Part of subcall function 00441C15: GetFileVersionInfoSizeW.VERSION(0040AAB8,?,00000000), ref: 00441C2B
Part of subcall function 00441C15: ??2@YAPAXI@Z.MSVCRT(?,00000000,0040AAB8,?,00000000), ref: 00441C46
Part of subcall function 00441C15: GetFileVersionInfoW.VERSION(0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C56
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441C69
Part of subcall function 00441C15: VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,00000000,004482D0,0040AAB8,?,0040AAB8,00000000,?,00000000,00000000,0040AAB8,?,00000000), ref: 00441CA6
Part of subcall function 00441C15: _snwprintf.MSVCRT ref: 00441CC6
Part of subcall function 00441C15: wcscpy.MSVCRT ref: 00441CF0

wcscpy.MSVCRT ref: 0040AACA
wcscpy.MSVCRT ref: 0040AAD9
wcscpy.MSVCRT ref: 0040AAE9
EnumResourceNamesW.KERNEL32(0040ABE8,00000004,0040A818,00000000), ref: 0040AB4E
EnumResourceNamesW.KERNEL32(0040ABE8,00000005,0040A818,00000000), ref: 0040AB58
wcscpy.MSVCRT ref: 0040AB60

Strings

RTL, xrefs: 0040AB2F
TranslatorURL, xrefs: 0040AB06
general, xrefs: 0040AADE
strings, xrefs: 0040AB5A
Version, xrefs: 0040AB1C
TranslatorName, xrefs: 0040AAF5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy$File$EnumInfoNamesQueryResourceValueVersionmemset$??2@ModuleNameSize_snwprintf
String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
API String ID: 3037099051-517860148
Opcode ID: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction ID: 9c0725b1fda07d439eb4652870f5b63d7404026a1df9010dc4cb7dda8e53314a
Opcode Fuzzy Hash: 42bb3ddbac911a4f98fdd80fc46cc1bb05b8c334879e2c61fbf0dcf740b73ed1
Instruction Fuzzy Hash: 6D21807294021875E720B7529C46ECF7A6CAF40755F90447BF60CB20D2EAB85B948AAE

Function 004038C4 Relevance: 24.5, APIs: 7, Strings: 7, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(advapi32.dll,?,00409AAA,?,https://login.yahoo.com/config/login,00000000,http://www.facebook.com/,00000000,https://www.google.com/accounts/servicelogin,00000000,?,00000000,?,0041018E,?,?), ref: 004038CF
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004038E3
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 004038EF
GetProcAddress.KERNEL32(?,CryptCreateHash), ref: 004038FB
GetProcAddress.KERNEL32(?,CryptGetHashParam), ref: 00403907
GetProcAddress.KERNEL32(?,CryptHashData), ref: 00403913
GetProcAddress.KERNEL32(?,CryptDestroyHash), ref: 0040391F

Strings

CryptAcquireContextA, xrefs: 004038DB
CryptReleaseContext, xrefs: 004038E5
CryptGetHashParam, xrefs: 004038FD
CryptHashData, xrefs: 00403909
CryptDestroyHash, xrefs: 00403915
CryptCreateHash, xrefs: 004038F1
advapi32.dll, xrefs: 004038CA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$advapi32.dll
API String ID: 2238633743-1621422469
Opcode ID: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction ID: 1a4948e4bf817cd33749cdf205c6c1bb7532e39c1774f91cd0a649ea1cfd5687
Opcode Fuzzy Hash: 1f0e41ba9439715e20e962f0f0f69e7cffe4c0714adecff32c833d06c54dafe9
Instruction Fuzzy Hash: 18F0F475940744AAEB30AF769D49E06BEF0EFA8B027218D2EE1C1A3651D7B99240CE44

Function 00410D5D Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,?,0040F921), ref: 00410D70
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00410D89
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410D9A
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 00410DAB
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410DBC
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00410DCD
FreeLibrary.KERNEL32(00000000), ref: 00410DED

Strings

GetModuleFileNameExW, xrefs: 00410DA5
EnumProcesses, xrefs: 00410DB6
psapi.dll, xrefs: 00410D6B
EnumProcessModules, xrefs: 00410D94
GetModuleInformation, xrefs: 00410DC7
GetModuleBaseNameW, xrefs: 00410D83

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2449869053-70141382
Opcode ID: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction ID: 1ed5449ad40e57d8b224171af96504b1ffda3ff1f81db88aadee6c58e1c1cdad
Opcode Fuzzy Hash: 03c5cb85ec8565a209b0338e2b218e2b3a1591461e747cd833f82df10bd978eb
Instruction Fuzzy Hash: BB01B574A45312AEE7109B64FC40BFB2EA4B781B42B20403BE400D1396DBBCD8C29A6C

Function 0040E191 Relevance: 21.1, APIs: 7, Strings: 7, Instructions: 70COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 0040E197
_wcsicmp.MSVCRT ref: 0040E1AC

Strings

/sverhtml, xrefs: 0040E1A7
/skeepass, xrefs: 0040E210
/stabular, xrefs: 0040E1E6
/sxml, xrefs: 0040E1BC
/stab, xrefs: 0040E1D1
/scomma, xrefs: 0040E1FB
/shtml, xrefs: 0040E192

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp
String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
API String ID: 2081463915-1959339147
Opcode ID: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction ID: 054bd0190cb9dfc881084e553ec7e2e67fad8357780775fa0482b63ba5cfd284
Opcode Fuzzy Hash: b616bea398b4ca2207bf7c5dde01c93d20d234ad121985eea5c1f5da2cadd933
Instruction Fuzzy Hash: 7101DE72ACA31138F83851672D17F971A598FA1B7AF70196FF514D81C6EEAC9000709D

Function 00410CD9 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,0040F928), ref: 00410CE8
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00410D01
GetProcAddress.KERNEL32(00000000,Module32First), ref: 00410D12
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00410D23
GetProcAddress.KERNEL32(00000000,Process32First), ref: 00410D34
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 00410D45

Strings

Module32First, xrefs: 00410D0C
Process32Next, xrefs: 00410D3F
Module32Next, xrefs: 00410D1D
CreateToolhelp32Snapshot, xrefs: 00410CFB
Process32First, xrefs: 00410D2E
kernel32.dll, xrefs: 00410CE3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
API String ID: 667068680-3953557276
Opcode ID: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction ID: 16f3a03532fd71bf7b987582fee040d1dd7fa58dea07b6b8c7b27d1037cf047a
Opcode Fuzzy Hash: 620f7fb1875e6c1fe369c72aee23538108181ed26fa9b0cca4b6b71503556dd6
Instruction Fuzzy Hash: 92F0F474605321A9A3108BA8BD00BA72FF86781F52B10013BED00D1266DBBCD8C29F7E

Function 004037C3 Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0040383E: FreeLibrary.KERNEL32(?,004037CB,00000000,00408635,?,00000000,?), ref: 00403845

LoadLibraryW.KERNEL32(advapi32.dll,00000000,00408635,?,00000000,?), ref: 004037D0
GetProcAddress.KERNEL32(00000000,CredReadA), ref: 004037E9
GetProcAddress.KERNEL32(?,CredFree), ref: 004037F5
GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00403801
GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 0040380D
GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00403819

Strings

CredFree, xrefs: 004037EB
CredEnumerateA, xrefs: 00403803
CredReadA, xrefs: 004037E3
CredDeleteA, xrefs: 004037F7
advapi32.dll, xrefs: 004037CB
CredEnumerateW, xrefs: 0040380F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$Library$FreeLoad
String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
API String ID: 2449869053-4258758744
Opcode ID: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction ID: c94656deef6b20b6b745ef32668947add9de3545ed3fb2bb9f52e7e7eb3e89f2
Opcode Fuzzy Hash: cb87cb7b44b35881c8e04de2777173e0b76236c73d0c14512c4dcac4629ff988
Instruction Fuzzy Hash: D9012C355007809AD730AF6AC809F06BEE4EF54B02B21886FF091A3791D7B9E240CF48

Function 0041139E Relevance: 21.0, APIs: 6, Strings: 6, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(psapi.dll,00000000,0041137E,00000000,0041126B,00000000,?), ref: 004113A9
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004113BD
GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 004113C9
GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 004113D5
GetProcAddress.KERNEL32(?,EnumProcesses), ref: 004113E1
GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 004113ED

Strings

GetModuleFileNameExW, xrefs: 004113CB
EnumProcesses, xrefs: 004113D7
psapi.dll, xrefs: 004113A4
EnumProcessModules, xrefs: 004113BF
GetModuleInformation, xrefs: 004113E3
GetModuleBaseNameW, xrefs: 004113B5

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
API String ID: 2238633743-70141382
Opcode ID: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction ID: b0fa25657284a8e9196716ee499a251a0e3e908d4b843c37df8f242eb1d66817
Opcode Fuzzy Hash: 7d64db311815f5693af3cb75c4746d4d82b2a24bf7d3ef9ccff621f71f8c2f2c
Instruction Fuzzy Hash: A3F03478988704AEEB30AF75DC08E07BEF0EFA8B11721892EE0C593650D7799441EF58

Function 004033DF Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 00403415
memset.MSVCRT ref: 0040342A
memset.MSVCRT ref: 0040343F
_snwprintf.MSVCRT ref: 00403467
wcscpy.MSVCRT ref: 00403483
_snwprintf.MSVCRT ref: 004034C6

Strings

<table dir="rtl"><tr><td>, xrefs: 0040347D
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 004033EF
WebBrowserPassView, xrefs: 004034AB
<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 004034B9
<meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 0040345A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf$FileWritewcscpywcslen
String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>$WebBrowserPassView
API String ID: 2731979376-1376879643
Opcode ID: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction ID: ae32d01ec2d3a7685ec326ba9a70c170c8059c8ae6e66fa8bd15e07dd33865c2
Opcode Fuzzy Hash: f8e001787c2363cba2026e3d3c8ba2c251a00b45d532011988efd28241eb9acd
Instruction Fuzzy Hash: 2E217672D002187ADB21AF55DC41FEA76BCEB08785F0040AFF509A6191DA799F848F69

Function 0040DE35 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 153windowCOMMON

Download Yara Rule

APIs

SetBkMode.GDI32(?,00000001), ref: 0040DE90
SetTextColor.GDI32(?,00FF0000), ref: 0040DE9E
SelectObject.GDI32(?,?), ref: 0040DEB3
DrawTextExW.USER32(?,?,000000FF,?,00000004,?), ref: 0040DEE9
SelectObject.GDI32(00000014,00000000), ref: 0040DEF3
GetModuleHandleW.KERNEL32(00000000), ref: 0040DF0E
LoadCursorW.USER32(00000000,00000067), ref: 0040DF17
SetCursor.USER32(00000000), ref: 0040DF1E
PostMessageW.USER32(?,00000428,00000000,00000000), ref: 0040DF64

Strings

WebBrowserPassView, xrefs: 0040DF2C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CursorObjectSelectText$ColorDrawHandleLoadMessageModeModulePost
String ID: WebBrowserPassView
API String ID: 101102110-2171583229
Opcode ID: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction ID: 5844c3f8be721e5f4358c4987d475350c1bb70f51af30b4dfd416207439779ca
Opcode Fuzzy Hash: d30b9dbd8ebc4ebaeb5335cce5274ca5fb8e94d47e078bea0be9f04dbaba8f28
Instruction Fuzzy Hash: D451D431A00206ABDB10AFA4C845F6AB7A6BF44315F20853AF507B72E0C779AD15DB99

Function 0040931D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 110stringfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,004094E9,?,?,00409553,00000000), ref: 0040933D

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

GetFileSize.KERNEL32(00000000,00000000), ref: 0040936D

Part of subcall function 0040928C: _memicmp.MSVCRT ref: 004092A6
Part of subcall function 0040928C: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,00409553,00000000), ref: 004092BD

memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 004093B4
strchr.MSVCRT ref: 004093D9
strchr.MSVCRT ref: 004093EA
_strlwr.MSVCRT ref: 004093F8
memset.MSVCRT ref: 00409413
CloseHandle.KERNEL32(00000000), ref: 00409460

Strings

h, xrefs: 004093C5
4, xrefs: 00409361

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
String ID: 4$h
API String ID: 4066021378-1856150674
Opcode ID: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction ID: cde85974a53443ad19b2097b399cb4fe7e1f14935bf37b0ef0624c00476b394c
Opcode Fuzzy Hash: 5c9b1e76fbe1022800f84db5655dab790c3d9ef423dba09cd133e7d04b6bc347
Instruction Fuzzy Hash: 333186B1900118BEEB11EB54CC85BEE77ACEF04358F10406AFA08E6181D7789F558B69

Function 00411C63 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411C91
memset.MSVCRT ref: 00411CA6
_snwprintf.MSVCRT ref: 00411CC0
_snwprintf.MSVCRT ref: 00411CDF
memset.MSVCRT ref: 00411D11
memset.MSVCRT ref: 00411D26
memset.MSVCRT ref: 00411D3B
_snwprintf.MSVCRT ref: 00411D55
_snwprintf.MSVCRT ref: 00411D72

Strings

%%0.%df, xrefs: 00411CB3, 00411D48

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$_snwprintf
String ID: %%0.%df
API String ID: 3473751417-763548558
Opcode ID: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction ID: 8dc9084977ea8e099579ef4c9ca95b08d60ceca6feee4e1064a0b0e4f5e47a8f
Opcode Fuzzy Hash: 4b41fd37f03522ed39b57e73efbb1f6ad9b07295744d2b5ffc828d63613b1bc3
Instruction Fuzzy Hash: 79313E71800229BAEB20DF55DC85FEBBBBCFF49308F4000EAB609A2151D7749B94CB65

Function 00410DF5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 00410E0E
wcscpy.MSVCRT ref: 00410E1E

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

wcscpy.MSVCRT ref: 00410E6D
wcscat.MSVCRT ref: 00410E78
memset.MSVCRT ref: 00410E54

Part of subcall function 00407723: GetWindowsDirectoryW.KERNEL32(00451698,00000104,?,00410EAD,?,?,00000000,00000208,?), ref: 00407739
Part of subcall function 00407723: wcscpy.MSVCRT ref: 00407749

memset.MSVCRT ref: 00410E9C
memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00410EB7
wcscat.MSVCRT ref: 00410EC3

Strings

\systemroot, xrefs: 00410E2B

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
String ID: \systemroot
API String ID: 4173585201-1821301763
Opcode ID: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction ID: 1a8d2db1a324573a28d88b24eeb1ed9c65cf0fc221c6a4ee7099d5d8ca3d40a6
Opcode Fuzzy Hash: a0bd60bd2b0e165453e177ad0a7c90215dc3e7af33d93e9088b0359243bc96d3
Instruction Fuzzy Hash: B121F9B280530479E621E7628D86EEB63EC9F05754F60455FF119E2082FABCA6C58B1E

Function 0040697E Relevance: 16.7, APIs: 10, Strings: 1, Instructions: 187stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00441975: memset.MSVCRT ref: 004419A0
Part of subcall function 00441975: wcscpy.MSVCRT ref: 004419B7
Part of subcall function 00441975: memset.MSVCRT ref: 004419EA
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A00
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A11
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A37
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A48
Part of subcall function 00441975: wcscpy.MSVCRT ref: 00441A6F
Part of subcall function 00441975: wcscat.MSVCRT ref: 00441A80
Part of subcall function 00441975: GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441A8F
Part of subcall function 00441975: LoadLibraryExW.KERNEL32(?,00000000,00000008,?,?,?,?,?,?,?,?,?,00000104,00000000), ref: 00441AA6
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_open), ref: 00441AF3
Part of subcall function 00441975: GetProcAddress.KERNEL32(?,sqlite3_prepare), ref: 00441AFF

memset.MSVCRT ref: 004069BD

Part of subcall function 00407DC0: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,004028DC,?,?,00000003,00000000,00000000), ref: 00407DD9

memset.MSVCRT ref: 00406A3C
memset.MSVCRT ref: 00406A51
strcpy.MSVCRT(?,00000000,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AC4
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406ADA
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406AF0
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B06
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B1C
strcpy.MSVCRT(?,?,?,00000002,?,00000005,?,00000004,?,00000007,?,00000006,?,00000001), ref: 00406B32
memset.MSVCRT ref: 00406B48

Strings

SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins, xrefs: 00406A03

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetstrcpy$wcscpy$wcscat$AddressProc$ByteCharHandleLibraryLoadModuleMultiWide
String ID: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins
API String ID: 2096775815-1740008135
Opcode ID: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction ID: 0d09ea3875aa138d6f02baa8234f1932a31c53e7e6ecd19b10853a161b4d72d0
Opcode Fuzzy Hash: 8192c0fe8ba549a976583856fdff13a2ed89254f8bdc8aa75337d2af27a32240
Instruction Fuzzy Hash: 6D61E9B2C0421EEEDF11AF91DC419DEBBB8EF04314F10406BF505B2191EA79AA94CF69

Function 00415EAF Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00414BCA: GetVersionExW.KERNEL32(?), ref: 00414BED

GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415EDB
malloc.MSVCRT ref: 00415EE6
free.MSVCRT ref: 00415EF6
GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F0A
free.MSVCRT ref: 00415F0F
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 00415F25
malloc.MSVCRT ref: 00415F2D
GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00415F40
free.MSVCRT ref: 00415F45
free.MSVCRT ref: 00415F59
free.MSVCRT ref: 00415F78

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$FullNamePath$malloc$Version
String ID:
API String ID: 3356672799-0
Opcode ID: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
Instruction ID: 788494e2a8c2de429da1840323bde4c0a518de2f45811afbb62912a9d7d550b6
Opcode Fuzzy Hash: 921d0a7259a897f213f630380232b9b221bbaa70b4d2ef9e6fc0aaee11bddb4f
Instruction Fuzzy Hash: F321CB71900108FFEB117FA5DD46CDFBBA9DF80368B20007BF404A2160EA785F809568

Function 004121F2 Relevance: 16.6, APIs: 1, Strings: 10, Instructions: 50COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00412265

Strings

AppData, xrefs: 0041224A
Favorites, xrefs: 00412224
Common Start Menu, xrefs: 00412232
Desktop, xrefs: 0041220F
Common Programs, xrefs: 0041225F
Common Desktop, xrefs: 00412251
Common Startup, xrefs: 00412258
Programs, xrefs: 0041222B
Startup, xrefs: 0041221D
Start Menu, xrefs: 00412216

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy
String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
API String ID: 1284135714-318151290
Opcode ID: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction ID: 454bece2ea24cac32075296694d9d3cbfc4d611bf65854eebe1c10393ee0200f
Opcode Fuzzy Hash: 765507c601b4d8d2ba7194c2d8328fe19790b608763020fa3010f04483565392
Instruction Fuzzy Hash: 46F01D3329C746A0383D09680B06AFF1001E2127497B585D3A882E06D5C8FDCEF2F81F

Function 0040A16C Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A182
memset.MSVCRT ref: 0040A1A6
GetMenuItemInfoW.USER32 ref: 0040A1E1
memset.MSVCRT ref: 0040A210
wcschr.MSVCRT ref: 0040A21C
wcscat.MSVCRT ref: 0040A277
ModifyMenuW.USER32(?,?,00000400,?,?), ref: 0040A293

Strings

0, xrefs: 0040A1C1
6, xrefs: 0040A1CC

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
String ID: 0$6
API String ID: 4066108131-3849865405
Opcode ID: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction ID: 34000a492db7a65727c4d20bf870b817f1c48c155544aae5e12c30b4e9d7c158
Opcode Fuzzy Hash: 1d39bbd5ff858052ee02b08f17fe13160222b35be18e4d09e9b30479f4b91e1d
Instruction Fuzzy Hash: 64318B72408340AFDB20DF91D845A9BB7E8FF84354F00497EF948A2291E37ADA14CB5B

Function 00403926 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 52libraryloaderwindowCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(comctl32.dll,00000000,?,00000002,?,?,?,0040E305,00000000), ref: 00403945
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00403957
FreeLibrary.KERNEL32(00000000,?,00000002,?,?,?,0040E305,00000000), ref: 0040396B
#17.COMCTL32(?,00000002,?,?,?,0040E305,00000000), ref: 00403979
MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00403996

Strings

InitCommonControlsEx, xrefs: 00403951
Error, xrefs: 0040398B
Error: Cannot load the common control classes., xrefs: 00403990
comctl32.dll, xrefs: 0040392E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadMessageProc
String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
API String ID: 2780580303-317687271
Opcode ID: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction ID: dc7e95600dee0bf6daca19896d95929b9e7fb1f9fe7c184dfd563e32ea829a14
Opcode Fuzzy Hash: 60c968a06818d841dc3f94f16557b2d6df9d0dbd22d8837fd1ebe6fbdb2c419c
Instruction Fuzzy Hash: 8501D1B67502117BE3111FB49C89B6B7EACDB42F4BB100139B502F2280DBB8CF05869C

Function 0040FABA Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(nss3.dll,00000000,?,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAC9
GetModuleHandleW.KERNEL32(sqlite3.dll,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAD2
GetModuleHandleW.KERNEL32(mozsqlite3.dll,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FADB
FreeLibrary.KERNEL32(00000000,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAEA
FreeLibrary.KERNEL32(00000000,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF1
FreeLibrary.KERNEL32(00000000,?,76F8F3A0,0040FC10,?,?,?,?,?,00000000), ref: 0040FAF8

Strings

mozsqlite3.dll, xrefs: 0040FAD4
sqlite3.dll, xrefs: 0040FACB
nss3.dll, xrefs: 0040FAC4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FreeHandleLibraryModule
String ID: mozsqlite3.dll$nss3.dll$sqlite3.dll
API String ID: 662261464-3550686275
Opcode ID: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction ID: c5d69885cf2e3d5474ff6b38c23ba8038bf1212ac087c8b68f6824d90ef94812
Opcode Fuzzy Hash: d0d754f8fa980613d90b85c052ffa4ec5d0d6696dd4c8834489f6bf69c2357b0
Instruction Fuzzy Hash: 1AE0D816B0132E669E2067F16C44D1B7E5CC892AE53150037A904A32408DEC5C0599F8

Function 00441FDC Relevance: 15.2, APIs: 8, Strings: 2, Instructions: 183COMMON

Download Yara Rule

APIs

memchr.MSVCRT ref: 00442017
memcpy.MSVCRT(?,00443D7C,0000000B,?,?,?,00000000,00000000,00000000), ref: 004420BB
memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004420CD
memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004420F5
memcpy.MSVCRT(?,00443D7C,0000000B), ref: 00442107
memcpy.MSVCRT(?,00000001,00000008), ref: 00442119
memcpy.MSVCRT(G"D,?,00000008,?,?), ref: 00442168
memset.MSVCRT ref: 004421B6

Strings

G"D, xrefs: 00442164, 00442170, 00442167, 00442173
G"D, xrefs: 00442009, 004421D0, 0044203F, 00442089, 00442011

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memchrmemset
String ID: G"D$G"D
API String ID: 1581201632-2001841848
Opcode ID: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction ID: 18be241936230d761fb3e4c1ab226db0ef0f42d77396bda2a3194a4a2a5a8e65
Opcode Fuzzy Hash: 7575a319fd1e5a0cf748581ae524368e3baf011f309bc42e4df5649906151b93
Instruction Fuzzy Hash: CE51E671900219ABDB10EF65CD85EEEB7BCAF44304F44446BFA49D7141E778EA48CB64

Function 00407890 Relevance: 15.1, APIs: 10, Instructions: 103COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000011), ref: 004078A9
GetSystemMetrics.USER32(00000010), ref: 004078AF
GetDC.USER32(00000000), ref: 004078BC
GetDeviceCaps.GDI32(00000000,00000008), ref: 004078CD
GetDeviceCaps.GDI32(00000000,0000000A), ref: 004078D4
ReleaseDC.USER32(00000000,00000000), ref: 004078DB
GetWindowRect.USER32(?,?), ref: 004078EE
GetParent.USER32(?), ref: 004078F3
GetWindowRect.USER32(00000000,00000000), ref: 00407910
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040796F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
String ID:
API String ID: 2163313125-0
Opcode ID: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction ID: 40da1e460122d0dbc2375826a99d02d2520f98ce936ed6642694246a0da552c1
Opcode Fuzzy Hash: 27c47932f92ae397c529d5322f361d1abbe154fe8b4fd6afae4dd3e0e48430fe
Instruction Fuzzy Hash: D3318176A00209AFDB04DFB8CC85AEEBBB9FB48351F150175E901F3290DA70AE418B50

Function 0040684F Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 96stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00406878
memset.MSVCRT ref: 0040688C
strcpy.MSVCRT(?), ref: 004068A6
strcpy.MSVCRT(?,?,?,?,?,?), ref: 004068EB
strcpy.MSVCRT(?,00001000,?,?,?,?,?,?), ref: 004068FF
strcpy.MSVCRT(?,?,?,00001000,?,?,?,?,?,?), ref: 00406912
wcscpy.MSVCRT ref: 00406921
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 00406948
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,?,?,?,?,?,?,?,?,Rp@,00406D64), ref: 0040695E

Strings

Rp@, xrefs: 0040684F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: strcpy$ByteCharMultiWidememset$wcscpy
String ID: Rp@
API String ID: 4248099071-3382320042
Opcode ID: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction ID: 073529020724e05d4964247b7c64433db30515fb9166064be710f6d7ccb76f44
Opcode Fuzzy Hash: 671e59c8fe4c17755a702227dbfb0f671c225521712c780855f09c1fc1980107
Instruction Fuzzy Hash: 653141B290011DBFDB20DA55CC84FEA77BCFF09358F0445AAB919E3141DA74AA588F68

Function 00402B99 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 190COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00402BA5
abs.MSVCRT ref: 00402C95
abs.MSVCRT ref: 00402CC5
log.MSVCRT ref: 00402D61
log.MSVCRT ref: 00402D72
free.MSVCRT ref: 00402D8E
free.MSVCRT ref: 00402DA0

Strings

, xrefs: 00402BCB

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$wcslen
String ID:
API String ID: 3592753638-3916222277
Opcode ID: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction ID: 27dbad6a18cb5119fe9557e6abee58e32c1211c22f38b2cca10356837960f856
Opcode Fuzzy Hash: a6abcb691fd1dabd2973f99fa54c7fcc296b45a854174555a7bdb068922a3314
Instruction Fuzzy Hash: DA615770C0811AEBEF189F95E6895AEB771FF04305F60847FE442B62E0DBB84981CB59

Function 0040A818 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32(?,?), ref: 0040A83F

Part of subcall function 0040A668: GetMenuItemCount.USER32(?), ref: 0040A67E
Part of subcall function 0040A668: memset.MSVCRT ref: 0040A69D
Part of subcall function 0040A668: GetMenuItemInfoW.USER32 ref: 0040A6D9
Part of subcall function 0040A668: wcschr.MSVCRT ref: 0040A6F1

DestroyMenu.USER32(00000000), ref: 0040A85D
CreateDialogParamW.USER32(?,?,00000000,0040A813,00000000), ref: 0040A8AB
memset.MSVCRT ref: 0040A8C7
GetWindowTextW.USER32(00000000,?,00001000), ref: 0040A8DC
EnumChildWindows.USER32(00000000,Function_0000A759,00000000), ref: 0040A907
DestroyWindow.USER32(00000000), ref: 0040A90E

Part of subcall function 0040A497: _snwprintf.MSVCRT ref: 0040A4BC

Strings

caption, xrefs: 0040A8F3

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Menu$DestroyItemWindowmemset$ChildCountCreateDialogEnumInfoLoadParamTextWindows_snwprintfwcschr
String ID: caption
API String ID: 1928666178-4135340389
Opcode ID: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction ID: 1ee1ed61ad6e464c94b1b5c04ceaba47984998c4c5bccbb9cf540d7a9e91c68f
Opcode Fuzzy Hash: 2a735e7d3e9f25f5000f535f47a02417f98db50f76fb95be89fb06d3c5800170
Instruction Fuzzy Hash: 4C21B472100314BBDB11AF50DC49BAF3B78FF45751F148436F905A5191D7788AA0CB6A

Function 00407CFE Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407D1F
_snwprintf.MSVCRT ref: 00407D52
wcslen.MSVCRT ref: 00407D5E
memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D76
wcslen.MSVCRT ref: 00407D84
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D97

Strings

%s (%s), xrefs: 00407D47
G@, xrefs: 00407D24, 00407D7B, 00407D9C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpywcslen$_snwprintfmemset
String ID: %s (%s)$G@
API String ID: 3979103747-4021399728
Opcode ID: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction ID: 7020ae682d4dad294ec7254b180182bae2c538f47323e789ebcab58d633c0506
Opcode Fuzzy Hash: f04d55ffe867956f13ff29a0b22ee26a635b57cfc1c306c95c53cfde12d0b5a1
Instruction Fuzzy Hash: 58215E72900219BBDF21DF95CD4599BB7B8BF04358F40846AF948AB201EB74EA188BD4

Function 004070BF Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52librarywindowCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 004070E4
FormatMessageW.KERNEL32(00001100,00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE), ref: 00407102
wcslen.MSVCRT ref: 0040710F
wcscpy.MSVCRT ref: 0040711F
LocalFree.KERNEL32(00000000,?,00000400,00000000,00000000,00000000,?,00000000,?,?,004071E5,?,00000000,?,0040C6FE,00000000), ref: 00407129
wcscpy.MSVCRT ref: 00407139

Strings

Unknown Error, xrefs: 00407131
netmsg.dll, xrefs: 004070DF

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
String ID: Unknown Error$netmsg.dll
API String ID: 2767993716-572158859
Opcode ID: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction ID: 89f566b746906e4e3228774242dd749435861e54522ca67c51f24cfbd45377e0
Opcode Fuzzy Hash: 26114b79388437db0e90dde86d0aa8455aeff93cef19d95b112ae8d9efa36594
Instruction Fuzzy Hash: 2301F231A08114BBEB145B61EC46E9FBB68EB05BA1F20007AF606F41D0DEB96F00969C

Function 0040A97E Relevance: 14.0, APIs: 3, Strings: 5, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00407548: GetFileAttributesW.KERNELBASE(?,0040A987,?,0040AA3E,00000000,?,00000000,00000208,?), ref: 0040754C

wcscpy.MSVCRT ref: 0040A998
wcscpy.MSVCRT ref: 0040A9A8
GetPrivateProfileIntW.KERNEL32(004510D8,rtl,00000000,00450EC8), ref: 0040A9B9

Part of subcall function 0040A51E: GetPrivateProfileStringW.KERNEL32(004510D8,?,004434FC,00451160,?,00450EC8), ref: 0040A53A

Strings

TranslatorURL, xrefs: 0040A9F1
rtl, xrefs: 0040A9B3
charset, xrefs: 0040A9C7
general, xrefs: 0040A99D
TranslatorName, xrefs: 0040A9DD

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfilewcscpy$AttributesFileString
String ID: TranslatorName$TranslatorURL$charset$general$rtl
API String ID: 3176057301-2039793938
Opcode ID: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction ID: f715108fd1d236bc9ad6a323193eaeb919362f53399fbb1b2bc2ef5a739791b1
Opcode Fuzzy Hash: 1673debe331e7a8ca134e50d5334904a3cc19ce9f9385a73b99b164dd8d493e6
Instruction Fuzzy Hash: 33F0CD22EC035536E61176221D07F3E25088BA1B66F95447FBD08BA2D3DE7C4A14869E

Function 0042CD7E Relevance: 13.7, APIs: 2, Strings: 7, Instructions: 245COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000020), ref: 0042CE42
memset.MSVCRT ref: 0042CE7D

Strings

database is already attached, xrefs: 0042CEA8
cannot ATTACH database within transaction, xrefs: 0042CDED
database %s is already in use, xrefs: 0042CE4F
attached databases must use the same text encoding as main database, xrefs: 0042CEF6
out of memory, xrefs: 0042CFEC
unable to open database: %s, xrefs: 0042CFD5
too many attached databases - max %d, xrefs: 0042CDD7

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
API String ID: 1297977491-2001300268
Opcode ID: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction ID: 266062839a895961ad217d8ef2c4278de09ba8d71166d49c3bc68db0563119ae
Opcode Fuzzy Hash: 9031da780ff69da590ffb3ad1101421015f0ee0ff19cf333b8a9ef6fce115eea
Instruction Fuzzy Hash: BE91C171B00315AFDB20DF69D981B9EBBF1AF04308F64845FE8159B282D778EA41CB59

Function 0040AFDA Relevance: 13.7, APIs: 7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040AE06

??2@YAPAXI@Z.MSVCRT(00000000,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000,?,?,?,00000002), ref: 0040B01A
??2@YAPAXI@Z.MSVCRT(00000000,00000000,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000,?,?), ref: 0040B036
memcpy.MSVCRT(?,00450238,00000014,?,?,?,00403027,?,?,0040E241,00000000,00000000,?), ref: 0040B05B
memcpy.MSVCRT(?,00450224,00000014,?,00450238,00000014,?,?,?,00403027,?,?,0040E241,00000000,00000000,?), ref: 0040B06F
??2@YAPAXI@Z.MSVCRT(00000000,?,0040E241,00000000,00000000,?), ref: 0040B0F2
??2@YAPAXI@Z.MSVCRT(0000000C,00000000,?,0040E241,00000000,00000000,?), ref: 0040B0FC
??2@YAPAXI@Z.MSVCRT(00000000,?,0040E241,00000000,00000000,?), ref: 0040B134

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Strings

d, xrefs: 0040B113
(, xrefs: 0040B0BC

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
String ID: ($d
API String ID: 1140211610-1915259565
Opcode ID: a1b8d91b40b9a9641280c8899b3b71ba829c77a87678312fcc7e8bf1b420e006
Instruction ID: 8a5fa3be38e8e11f26e8e9502e5dff09d3bfeaf4ce2a81799fe883ad29a31388
Opcode Fuzzy Hash: a1b8d91b40b9a9641280c8899b3b71ba829c77a87678312fcc7e8bf1b420e006
Instruction Fuzzy Hash: 50517872601700AFE728DF2AC586A5AB7E4FF48358F10852EE55ACB791DB74E940CB48

Function 004150B6 Relevance: 13.6, APIs: 9, Instructions: 126filesleepCOMMON

Download Yara Rule

APIs

LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 0041510E
Sleep.KERNEL32(00000001), ref: 00415118
GetLastError.KERNEL32 ref: 0041512A
UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 00415202

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockSleepUnlock
String ID:
API String ID: 3015003838-0
Opcode ID: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction ID: 880e68434f8ef122057b7821066ce039c6a6aeb50982fb6198a036ab3cbbf4dd
Opcode Fuzzy Hash: 9f8ed0d04d3051dd5d2585b6ab40f83052c279f07ad27e494029b12bda0602be
Instruction Fuzzy Hash: 7641F379504B42EFE3228F219C05BEBB7E0EFC0B15F20492FF59556240CBB9D9858E1A

Function 00415D4D Relevance: 13.6, APIs: 9, Instructions: 67sleepfileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415D77
GetFileAttributesW.KERNEL32(00000000), ref: 00415D7E
GetLastError.KERNEL32 ref: 00415D8B
Sleep.KERNEL32(00000064), ref: 00415DA0
DeleteFileA.KERNEL32(00000000,00000000,00000000,00000080,0045162C,00415469,00000000,?,00000000,00000000), ref: 00415DA9
GetFileAttributesA.KERNEL32(00000000), ref: 00415DB0
GetLastError.KERNEL32 ref: 00415DBD
Sleep.KERNEL32(00000064), ref: 00415DD2
free.MSVCRT ref: 00415DDB

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleep$free
String ID:
API String ID: 2802642348-0
Opcode ID: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction ID: 389b81331b8195f66de6fade72418799adbb9e1ccdce19076b3e4dce97b88e29
Opcode Fuzzy Hash: 6ec6a6250f4bc7cdf171a96923757e46c1f9deb9adab3d10569e0c4ca2454acf
Instruction Fuzzy Hash: 13118A39500E10DBC6203B747C8D6FF36249BD7B37B21832BF963952D1DA5948C2566A

Function 004124C0 Relevance: 13.6, APIs: 3, Strings: 6, Instructions: 63COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,",0000000C,?,?,00000000,0040C14A,?,?), ref: 004124F7
memcpy.MSVCRT(?,&,0000000A,?,?,00000000,0040C14A,?,?), ref: 00412523
memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040C14A,?,?), ref: 0041253D

Strings

>, xrefs: 004124E2
°, xrefs: 0041250E
<br>, xrefs: 00412537
", xrefs: 004124F1
&, xrefs: 0041251D
<, xrefs: 004124D4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: &$°$>$<$"$<br>
API String ID: 3510742995-3273207271
Opcode ID: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction ID: 1d27d4cf7977f40543be0eb13b72094ec5c0409efe485552fd301264f6eb4def
Opcode Fuzzy Hash: 449b515319a675a2a0fe7de20888cf946b50a79f9f1d785cd6ce0af7e4c5c8d6
Instruction Fuzzy Hash: 570145B6E54260F2FA3024058EE6FF30145CB62754FA40027F88AA02C0A1CD0EE3A29F

Function 00409657 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 107registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407EB8: free.MSVCRT ref: 00407EBB
Part of subcall function 00407EB8: free.MSVCRT ref: 00407EC3

Part of subcall function 00411B67: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00412303,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,?), ref: 00411B7A

Part of subcall function 00408001: free.MSVCRT ref: 00408010

memset.MSVCRT ref: 004096C7
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,?,?,?,?,00000000,?), ref: 004096F5
_wcsupr.MSVCRT ref: 0040970F

Part of subcall function 00407EDE: wcslen.MSVCRT ref: 00407EF0
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F16
Part of subcall function 00407EDE: free.MSVCRT ref: 00407F39
Part of subcall function 00407EDE: memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F5D

memset.MSVCRT ref: 0040975E
RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,80000001,80000001,?,000000FF,?,?,?,?,00000000), ref: 00409789
RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 00409796

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00409674

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 4131475296-680441574
Opcode ID: 61904c526cf53957fd16323c1f6e0e8fade1d8a510b8a6cc6f8339011a263633
Instruction ID: ced938f56f23152dc4036b8c9c372f29a7907612beabbfd18841790b2154e098
Opcode Fuzzy Hash: 61904c526cf53957fd16323c1f6e0e8fade1d8a510b8a6cc6f8339011a263633
Instruction Fuzzy Hash: F84118B6D4011DABCB10EF99DD85AEFB7BCAF18304F1040AAB504F2191D7749B458BA4

Function 00409FF5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
wcscpy.MSVCRT ref: 0040A076

Part of subcall function 0040A4E7: memset.MSVCRT ref: 0040A4FA
Part of subcall function 0040A4E7: _itow.MSVCRT ref: 0040A508

wcslen.MSVCRT ref: 0040A094
GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2
LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT(00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409F8D
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FAB
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FC9
Part of subcall function 00409F53: ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000,0040A003,0040B09A,?,0040E241,00000000,00000000,?), ref: 00409FE7

Strings

strings, xrefs: 0040A06C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
String ID: strings
API String ID: 3166385802-3030018805
Opcode ID: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction ID: f88dad89c8a087f2027bd78e20ebd55682c2f8a720c3c381d0e8595ecd4ac891
Opcode Fuzzy Hash: 87213f91dec3db501add7610991c2df7427240ace99253c04b166c5a9059b18a
Instruction Fuzzy Hash: 84419A792003059BD7149F18EC91F323365F76430AB99053AE802A73B2DB79EC22CB1E

Function 0040A759 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A77E
GetDlgCtrlID.USER32(?), ref: 0040A789
GetWindowTextW.USER32(?,?,00001000), ref: 0040A7A0
memset.MSVCRT ref: 0040A7C7
GetClassNameW.USER32(?,?,000000FF), ref: 0040A7DE
_wcsicmp.MSVCRT ref: 0040A7F0

Part of subcall function 0040A62F: memset.MSVCRT ref: 0040A642
Part of subcall function 0040A62F: _itow.MSVCRT ref: 0040A650

Strings

sysdatetimepick32, xrefs: 0040A7EA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
String ID: sysdatetimepick32
API String ID: 1028950076-4169760276
Opcode ID: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction ID: 9d6a1000cc6d846fb7caa7b95204278ebeb8f13d5a9664e287c5e204bace7976
Opcode Fuzzy Hash: 690b26e669973beaba76962047fb40553a53b69d8850747cc34062e580a6b82a
Instruction Fuzzy Hash: E21177325002197AEB24EB91DD4AE9F77BCEF04750F4040B6F508E1192E7745A51CB69

Function 00419008 Relevance: 12.3, APIs: 6, Strings: 2, Instructions: 269COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419140
memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419152
memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 0041916A
memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041C796,00000000,00000000), ref: 00419187
memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041919F
memset.MSVCRT ref: 0041926C

Strings

-journal, xrefs: 00419164
-wal, xrefs: 00419199

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: -journal$-wal
API String ID: 438689982-2894717839
Opcode ID: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction ID: 551b55634523189e5c53bd135c739114fe40c1c2f7e89174430398bb56853e76
Opcode Fuzzy Hash: 3fb32538101a96232d471ca328e00ad1292916094483904f8e7d4fc59e84f921
Instruction Fuzzy Hash: 54A1DEB1A00606BFDB14CFA4C8517DEBBB0BF04314F14856EE468D7381D778AA95CB99

Function 00404D3C Relevance: 12.2, APIs: 8, Instructions: 197windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00404DE0
GetDlgItem.USER32(?,000003E9), ref: 00404DF3
GetDlgItem.USER32(?,000003E9), ref: 00404E08
GetDlgItem.USER32(?,000003E9), ref: 00404E20
EndDialog.USER32(?,00000002), ref: 00404E3C
EndDialog.USER32(?,00000001), ref: 00404E51

Part of subcall function 00404AFB: GetDlgItem.USER32(?,000003E9), ref: 00404B08
Part of subcall function 00404AFB: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00404B1D

SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00404E69
SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00404F7A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Dialog$MessageSend
String ID:
API String ID: 3975816621-0
Opcode ID: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction ID: 9cc36a3a9081561078e880a2f522ad53539937229c5c78969c314d16862aa257
Opcode Fuzzy Hash: 9463777c25d7b60e80699a536a719800608f97c85c6655884db1f8f9bc34b99a
Instruction Fuzzy Hash: DE61D570100705ABDB31AF25C885A2A73B9FF90724F04C63EF615A66E1D778ED50CB99

Function 00441DE1 Relevance: 12.2, APIs: 3, Strings: 5, Instructions: 154COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00441E61
_wcsicmp.MSVCRT ref: 00441E76
_wcsicmp.MSVCRT ref: 00441E8B

Part of subcall function 00407278: wcslen.MSVCRT ref: 00407287
Part of subcall function 00407278: wcslen.MSVCRT ref: 00407291
Part of subcall function 00407278: _memicmp.MSVCRT ref: 004072AC

Strings

.save, xrefs: 00441E5B
log profile, xrefs: 00441DEF
http://, xrefs: 00441E18
https://, xrefs: 00441E23
signIn, xrefs: 00441E85

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp$wcslen$_memicmp
String ID: .save$http://$https://$log profile$signIn
API String ID: 1214746602-2708368587
Opcode ID: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction ID: 7a979a8a07820355720b76b8412d60638824142cd7e99aea4044fab4cdb489ca
Opcode Fuzzy Hash: 7c97f00c0957198ec044a334814b20feb48abd6bee8cf84da93a3bd7193c5eb8
Instruction Fuzzy Hash: A34146755487014AF7309A65898177773E8CB04329F308A2FF86BE26E2EB7CB4C6551E

Function 00404F8A Relevance: 12.1, APIs: 8, Instructions: 100windowCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000000C), ref: 00404F9A
??3@YAXPAX@Z.MSVCRT(00000000), ref: 00404FB6
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 00404FDC
memset.MSVCRT ref: 00404FEC
??2@YAPAXI@Z.MSVCRT(00000000,?), ref: 0040501B
InvalidateRect.USER32(?,00000000,00000000,?,?,?,?), ref: 00405068
SetFocus.USER32(?,?,?,?), ref: 00405071
??3@YAXPAX@Z.MSVCRT(?,?), ref: 00405081

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$??3@$FocusInvalidateRectmemset
String ID:
API String ID: 2313361498-0
Opcode ID: d7c0a7721a31805c69d97cf261503aa6b1f1ba47b90a3da7f912ba5fa534be44
Instruction ID: ba4bb41810d6ea78f7103a52efe52e464eccc4a9d5620aafabcd38e7c3fa5a1e
Opcode Fuzzy Hash: d7c0a7721a31805c69d97cf261503aa6b1f1ba47b90a3da7f912ba5fa534be44
Instruction Fuzzy Hash: 2331D3B1501601BFDB24AF69D94692AF7B8FF04304B10813EF145EB291D778EC90CB94

Function 0040D0C3 Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0040D0E2
GetWindowRect.USER32(?,?), ref: 0040D0F8
GetWindowRect.USER32(?,?), ref: 0040D10B
BeginDeferWindowPos.USER32(00000003), ref: 0040D128
DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040D145
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040D165
DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040D18C
EndDeferWindowPos.USER32(?), ref: 0040D195

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Defer$Rect$BeginClient
String ID:
API String ID: 2126104762-0
Opcode ID: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction ID: 1b30ad45943261d114c7945feb8e2d934b1f0a15928f611d2c59e033839f0f44
Opcode Fuzzy Hash: 3e059de2c2a39fa097f99da28ed46862c9af8e23a81d8ce39be14bc790b9e9d0
Instruction Fuzzy Hash: 5F21D875900209FFDB11DFA8CD89FEEBBB9FB48701F104164F655A2160C771AA519B24

Function 00404BC7 Relevance: 10.6, APIs: 7, Instructions: 125windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00404BDE
SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00404BF7
SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00404C04
SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00404C10
memset.MSVCRT ref: 00404C74
SendMessageW.USER32(?,0000105F,?,?), ref: 00404CA9
SetFocus.USER32(?), ref: 00404D2F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSend$FocusItemmemset
String ID:
API String ID: 4281309102-0
Opcode ID: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction ID: e15596ac8dd535375262745d85448c61c7cc278dece76afc2af43b7580886122
Opcode Fuzzy Hash: b5c774997c69c828c2af66cc8dd4e73b805abc013e05c1adb9cb4e53f9af2a7c
Instruction Fuzzy Hash: 8B417C70901219BBDB20DF95CD85DAFBFB8FF08755F10406AF509A6291D3749E40CBA4

Function 0040BD8C Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

wcscat.MSVCRT ref: 0040BE5B
_snwprintf.MSVCRT ref: 0040BE82

Strings

<tr>, xrefs: 0040BDB4
 , xrefs: 0040BE55
<td bgcolor=#%s>%s, xrefs: 0040BDAA
<td bgcolor=#%s nowrap>%s, xrefs: 0040BD9C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite_snwprintfwcscatwcslen
String ID:  $<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
API String ID: 2451617256-4153097237
Opcode ID: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction ID: be6843ca6d8e3427859c99e4dc5891dee3dff4c22b8a3cb8274265ecf8740657
Opcode Fuzzy Hash: 69f2f7e6d8aec51d3960e337bc25a82fe45133c58c4b8b76eb8eb5bfe9207b33
Instruction Fuzzy Hash: BC31A031900208EFDF04AF55CC86EEE7B75FF44320F10416AE905AB1E2DB75AA51DB98

Function 0040A668 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 0040A67E
memset.MSVCRT ref: 0040A69D
GetMenuItemInfoW.USER32 ref: 0040A6D9
wcschr.MSVCRT ref: 0040A6F1

Strings

0, xrefs: 0040A6B8
6, xrefs: 0040A6C0

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMenu$CountInfomemsetwcschr
String ID: 0$6
API String ID: 2029023288-3849865405
Opcode ID: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction ID: 6379b183058c7bfcb2c9996af6a46f5bf8fbaffb9494aead0661b6c96fd4ce8b
Opcode Fuzzy Hash: 5536c3878cefa137b9e834622b73aa06c1352d4f7dca5f5f14b9808a57972f50
Instruction Fuzzy Hash: FF219A72505340ABD721DF55C84599BB7F8FB84745F044A3FFA84A2280E7B6CA10CB9A

Function 00407A1C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407A3C
_snwprintf.MSVCRT ref: 00407A63
wcscat.MSVCRT ref: 00407A75
wcscat.MSVCRT ref: 00407A92
wcscat.MSVCRT ref: 00407AA1

Strings

%2.2X, xrefs: 00407A52

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscat$_snwprintfmemset
String ID: %2.2X
API String ID: 2521778956-791839006
Opcode ID: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction ID: ec6d441468c88601e944e5005585d56a697b1d5e2a610cd326798869af21cd90
Opcode Fuzzy Hash: 23fbd524af4de12edaef0e362b86099d5f7adf1057b4181ed4aaf7bf29872c53
Instruction Fuzzy Hash: 0F012D72E4431575F720AB519C46BBF73A89F40B19F10407FFC14A50C2EABCEA444A99

Function 00441B86 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00441B9B
wcscat.MSVCRT ref: 00441BAA
wcscat.MSVCRT ref: 00441BBB
wcscat.MSVCRT ref: 00441BCA
VerQueryValueW.VERSION(?,?,00000000,?), ref: 00441BE4

Part of subcall function 00407447: wcslen.MSVCRT ref: 0040744E
Part of subcall function 00407447: memcpy.MSVCRT(?,?,000000FF,?,00441C01,00000000,?,?,?,00000000,?), ref: 00407464

Part of subcall function 00407511: lstrcpyW.KERNEL32(?,?,00441C09,?,?,?,00000000,?), ref: 00407526
Part of subcall function 00407511: lstrlenW.KERNEL32(?), ref: 0040752D

Strings

\StringFileInfo\, xrefs: 00441B95

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscat$QueryValuelstrcpylstrlenmemcpywcscpywcslen
String ID: \StringFileInfo\
API String ID: 393120378-2245444037
Opcode ID: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction ID: a565dbaf5ef1236623e3a457584e7ee1bc303587053621a732091bcd91b9d386
Opcode Fuzzy Hash: cb6593bce41ce7101ed3919308bda3c7e7c8e8e4aeb4a4d700e0b9c8d6b6edb1
Instruction Fuzzy Hash: 27017C7290020CB6EF51EAA1CD45EDF77BCAF04308F4005A7B514E2052EB78DB86AB59

Function 0040A497 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 26COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040A4BC
wcscpy.MSVCRT ref: 0040A4DF

Strings

dialog_%d, xrefs: 0040A4B0
general, xrefs: 0040A4D5
strings, xrefs: 0040A4CA
menu_%d, xrefs: 0040A4A0

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintfwcscpy
String ID: dialog_%d$general$menu_%d$strings
API String ID: 999028693-502967061
Opcode ID: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction ID: 8e174b2d8d79018ad6e296a97c01706163ed31911536b8ede193c50f01e1bc5f
Opcode Fuzzy Hash: 8becf3e9218155cd2e90e25ed978c4695a92d6ded04a6fa8cdd08c494461b467
Instruction Fuzzy Hash: CBE0B679A8830079F96025861E4BB2E61508774F59FB0886FF50AB05D1E9FE95A8710F

Function 00412BDF Relevance: 10.5, APIs: 2, Strings: 5, Instructions: 21COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(a,A,a,A,00000008,?,00440B33,?,?,?,00000000,?,0044169D,?,?,?,00000000), ref: 00412C04
memcpy.MSVCRT(!-A,?,00000018,a,A,a,A,00000008,?,00440B33,?,?,?,00000000,?,0044169D), ref: 00412C14

Strings

,A, xrefs: 00412BDF, 00412C1F
a,A, xrefs: 00412BFF, 00412C25
Y,A, xrefs: 00412BF7, 00412BFE
a,A, xrefs: 00412BF0
!-A, xrefs: 00412C0F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: !-A$Y,A$a,A$a,A$,A
API String ID: 3510742995-194831239
Opcode ID: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction ID: c1edbe63f0487e6d5a9ef4690cfcbd933ff0b0d7cc0200e8d9d6566c39fc0ab4
Opcode Fuzzy Hash: 222890697f8a5ff6857447b5b90ef297a0c92120cc092e5eca8f4e6b223797c7
Instruction Fuzzy Hash: C8E04F35980610EAF330DB459C07B863394A796756F50C43BF508A6193C6FC599C8B9D

Function 00428591 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 217COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00428610

Strings

8, xrefs: 00428728
GROUP, xrefs: 004287CD
a GROUP BY clause is required before HAVING, xrefs: 0042883F
aggregate functions are not allowed in the GROUP BY clause, xrefs: 00428853
ORDER, xrefs: 0042879B

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
API String ID: 2221118986-1606337402
Opcode ID: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction ID: a56ed1d78848c17894bc611d03527086a745bd119e00672256ad5f5daa2e3940
Opcode Fuzzy Hash: 46f26c3fdd6910b4d7312f8d71752383c86baf733d40e003e56e3ea4decbe60e
Instruction Fuzzy Hash: 93818E706093619FDB10DF15E88161FB7E0BF98354F94885FE8849B252EB78EC44CB9A

Function 00410EDB Relevance: 9.1, APIs: 6, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000,?,00000000,00000000,?,0040F96C,00000000,00000000), ref: 00410F16
memset.MSVCRT ref: 00410F78
memset.MSVCRT ref: 00410F88

Part of subcall function 00410DF5: wcscpy.MSVCRT ref: 00410E1E

memset.MSVCRT ref: 00411073
wcscpy.MSVCRT ref: 00411094
CloseHandle.KERNEL32(?,0040F96C,?,?,?,0040F96C,00000000,00000000), ref: 004110EA

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$wcscpy$CloseHandleOpenProcess
String ID:
API String ID: 3300951397-0
Opcode ID: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction ID: ff77c4a4bb0d76b6113ba9f034b07e179d87586f5f3f4fadb46fa2bb0041fc85
Opcode Fuzzy Hash: b54469c95767e19cd25d0ac2b448a79aecc0fd22ddb34440915382161dbe33e5
Instruction Fuzzy Hash: CB5170B0508381AFD720DF55DC85A9BBBE8FBC8305F00492EF68882261DB74D985CB66

Function 0040D53E Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D560

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D97

Part of subcall function 00407B1D: GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
Part of subcall function 00407B1D: wcscpy.MSVCRT ref: 00407B83

Strings

*.csv, xrefs: 0040D5B1
*.xml, xrefs: 0040D5ED
*.txt, xrefs: 0040D582
*.htm;*.html, xrefs: 0040D5C6
txt, xrefs: 0040D565

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameSaveString_snwprintf
String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
API String ID: 1392923015-3614832568
Opcode ID: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction ID: 456ec3227f593179f02471f626d387f8bd8a0122acdd439c58b7a13f613657e4
Opcode Fuzzy Hash: 380410c26e3291804c03af3795505405ed94cd18fa0364bdc388fa92e87f834b
Instruction Fuzzy Hash: 6131FAB1D002599BDB50EFA9D8C1AEDBBB4FF09314F10417AF508B7282DF385A458B99

Function 00415DF9 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00415E2B
GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 00415E39
free.MSVCRT ref: 00415E7F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AttributesFilefreememset
String ID:
API String ID: 2507021081-0
Opcode ID: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction ID: de39e7dabe3dcffc9507685f2d24beb71d21f2267e90135c35d9c9407e9ebe28
Opcode Fuzzy Hash: e3e327bc7edfa6d214c9f68350b0f1db51016015cf148b15bb91f804a777c83b
Instruction Fuzzy Hash: B111A236D04B05EBDB106FB498C06FF7368AA85754B54013BF911E6280D7789F8195AA

Function 00414D24 Relevance: 9.1, APIs: 6, Instructions: 61COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414D2B
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D49
malloc.MSVCRT ref: 00414D53
MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 00414D6A
free.MSVCRT ref: 00414D73
free.MSVCRT ref: 00414D91

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidefree$ApisFilemalloc
String ID:
API String ID: 4131324427-0
Opcode ID: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
Instruction ID: 75ff5f127907765bac19b59c8f0cf631f86937604d45831965c424c16304f1b7
Opcode Fuzzy Hash: fcdf128664d182e83d2fd65dada33940b5d141c4db74cea0fb43d282e6a1fb2b
Instruction Fuzzy Hash: 3501D4725041257BAF225BB6AC41DFF369CDF857B4721022AFC04E3280EA288E4141EC

Function 004159C6 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(000000E6,?,?,00415592), ref: 00415A0A
GetTempPathA.KERNEL32(000000E6,?,?,00415592), ref: 00415A32
free.MSVCRT ref: 00415A5A

Strings

etilqs_, xrefs: 00415A62
%s\etilqs_, xrefs: 00415AB1

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PathTemp$free
String ID: %s\etilqs_$etilqs_
API String ID: 924794160-1420421710
Opcode ID: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction ID: 407cf19e3f66aff666bf3235626637e86bc259e86a40955958787b48e693a0c3
Opcode Fuzzy Hash: c9ef72f7e900502d242bf52f2b84dfc3543ee2498ca2d646e121c62c04ad21fe
Instruction Fuzzy Hash: 80316831A44645DAE720EB61DCC1BFB739C9FA4348F1405BFE841D6182FE6C8EC54A19

Function 0040C0F2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 58COMMON

Download Yara Rule

APIs

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

memset.MSVCRT ref: 0040C129

Part of subcall function 004124C0: memcpy.MSVCRT(?,<,00000008,?,?,00000000,0040C14A,?,?), ref: 0041253D

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C173

Strings

<%s>%s</%s>, xrefs: 0040C166
</item>, xrefs: 0040C18D
<item>, xrefs: 0040C0FC

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileWrite_snwprintf_wcslwrmemcpymemsetwcscpywcslen
String ID: <%s>%s</%s>$</item>$<item>
API String ID: 2236007434-2769808009
Opcode ID: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction ID: bd8afa7c54c2b984639c4d8fb182e53c6b214fce1ab7be0445daf1b4a409d2ac
Opcode Fuzzy Hash: 438c6ceffbcd68a890abf2b9136991ccf46c150bae825d1d06f9ba09c855681a
Instruction Fuzzy Hash: 82119132904615BFEB11AF65DC82E99BB74FF04318F10402AF9046A5E2DB75B960CBD8

Function 0040D83C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040D86C

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040D886
wcscat.MSVCRT ref: 0040D8A2

Strings

.cfg, xrefs: 0040D89C
General, xrefs: 0040D8AC

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileModuleNamememsetwcscatwcsrchr
String ID: .cfg$General
API String ID: 776488737-1188829934
Opcode ID: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction ID: b769b6074c2bbd437ee926744873151467191c08e4afcaaf49059e595a4f98b4
Opcode Fuzzy Hash: e11df5378bc83a8aaf871442e4d8661d85e0e936ac587c009724adb380b412fa
Instruction Fuzzy Hash: 34119877901318AADB10EF55DC45ECE7378AF48314F1041F6F518A7182DB78AA848F9D

Function 0040E030 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000), ref: 0040E051
RegisterClassW.USER32(?), ref: 0040E076
GetModuleHandleW.KERNEL32(00000000), ref: 0040E07D
CreateWindowExW.USER32(00000000,WebBrowserPassView,WebBrowserPassView,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000,?), ref: 0040E09C

Strings

WebBrowserPassView, xrefs: 0040E094, 0040E099, 0040E09A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule$ClassCreateRegisterWindow
String ID: WebBrowserPassView
API String ID: 2678498856-2171583229
Opcode ID: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction ID: d6937ed4ed068f8a41babfbfc400960a7e9d41ce1fcf29d78c1aeb4d070e2d0f
Opcode Fuzzy Hash: 968ab77318ecbfefce790601fd2619178d52abf01415595e0110a8aaad309429
Instruction Fuzzy Hash: 5301C4B1901629ABDB019F998D89ADFBFBCFF09B50F10421AF514A2240D7B45A408BE9

Function 0040C2C7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C2EB
memset.MSVCRT ref: 0040C302

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C33E

Strings

<?xml version="1.0" ?>, xrefs: 0040C307
<%s>, xrefs: 0040C32D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: <%s>$<?xml version="1.0" ?>
API String ID: 168708657-3296998653
Opcode ID: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction ID: 826567bfe222e6a97a7157a9ef984588091dd6de8d25c20f5ec279ce0d2f683a
Opcode Fuzzy Hash: a73eef4ca532f3c806c8f7c4fb546103b4f23db77d3a0b99a33ba88c35d7e7d6
Instruction Fuzzy Hash: 780167F2D401297AEB20A755CC46FEE767CEF44308F0000B6BB09B61D1DB78AA458A9D

Function 00403853 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(crypt32.dll,?,00000000,004026AC,?,00000090,00000000,?), ref: 00403862
GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00403874
FreeLibrary.KERNEL32(00000000), ref: 00403897

Strings

CryptUnprotectData, xrefs: 0040386E
crypt32.dll, xrefs: 0040385D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 145871493-1827663648
Opcode ID: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction ID: e5a88ed766aaa6e52f35248584035ac6595561cae6bd6684aeb1aa38a92ec81b
Opcode Fuzzy Hash: 2c4a40dc8dba4f0dc647d95a29ca81113139f6a9c6e20ee821370f4bbf0a04ed
Instruction Fuzzy Hash: 0A011A32500611ABC6219F158C4881BFEEAEBA1B42724887FF1C5E2660C3748A80CB54

Function 00411DB2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 40fileCOMMON

Download Yara Rule

APIs

wcscpy.MSVCRT ref: 00411DC1
wcscpy.MSVCRT ref: 00411DDC
CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000000,00000000,0040D8DB,00000000,?,0040D8DB,?,General,?), ref: 00411E03
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000001), ref: 00411E0A

Strings

General, xrefs: 00411DD6

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcscpy$CloseCreateFileHandle
String ID: General
API String ID: 999786162-26480598
Opcode ID: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction ID: 9a0facac0be4658f1d28dd1d6e0b9c096870c14066d41f215ae7e32982aabb00
Opcode Fuzzy Hash: cadc9dc89eee371cf065a8da49e6c42cc2605fbbb286be73d28d450c39e40844
Instruction Fuzzy Hash: 9AF024B2508301BFF3109B90AC85EAF769CDB10799F20842FF20591061DA396D50825D

Function 004071BD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,0040C6FE,00000000,?,?,?,0040E2DC,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 004071D1
_snwprintf.MSVCRT ref: 004071FE
MessageBoxW.USER32(?,?,Error,00000030), ref: 00407217

Strings

Error, xrefs: 00407208
Error %d: %s, xrefs: 004071ED

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ErrorLastMessage_snwprintf
String ID: Error$Error %d: %s
API String ID: 313946961-1552265934
Opcode ID: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction ID: 3b05860ebe56c522f2c5ab20428fa68284bb982c16b5ab54bfd07cc8ba07ffa8
Opcode Fuzzy Hash: 61e844944dbca76b68da5b3baf56ea9390605b233e584b109607b5eb60119b4a
Instruction Fuzzy Hash: 74F0E23680021867DB11AB94CC02FDA72ACBB54B82F0400AAB905F2180EAF4EB404A69

Function 00412455 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shlwapi.dll,753D8FB0,?,004048E6,00000000), ref: 0041245E
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

Strings

shlwapi.dll, xrefs: 00412457
SHAutoComplete, xrefs: 00412466

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SHAutoComplete$shlwapi.dll
API String ID: 145871493-1506664499
Opcode ID: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction ID: b7e45597e31c4a606350929a185ef34a25fe7475720eeaf8429eabe2a59cceae
Opcode Fuzzy Hash: 0600c3fa923ac600481c4c27bdc763d37aac4bb3cec4cb789f1cecb2c3029c00
Instruction Fuzzy Hash: 6BD05B393502206BA7116F35BC48EAF2E65EFC6F537150031F501D1260CB544E429669

Function 0043310B Relevance: 7.9, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

new, xrefs: 00433199
foreign key constraint failed, xrefs: 004333AB
oid, xrefs: 004331D5
old, xrefs: 0043318F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID:
String ID: foreign key constraint failed$new$oid$old
API String ID: 0-1953309616
Opcode ID: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction ID: 956c7fa9d19c0f39a897be9568c0d7cc0038550a6314a583777b8070e5951de7
Opcode Fuzzy Hash: 62ebdc269ebb98b136c9f16b4865919ffe4bf71bf72261f46eacdebf5a67e72f
Instruction Fuzzy Hash: 90E18F71E00208EFDF14DFA5D881AAEBBB5FF48304F14846EE805AB251DB79AE41CB55

Function 0042EDD2 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?), ref: 0042EED2
memcpy.MSVCRT(?,?,00000000), ref: 0042EFE9

Strings

unknown column "%s" in foreign key definition, xrefs: 0042EFB9
foreign key on %s should reference only one column of table %T, xrefs: 0042EE2E
number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 0042EE56

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
API String ID: 3510742995-272990098
Opcode ID: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
Instruction ID: 495bb5eb18a6352e4e4c54452741b55d9a16d19d8a312fbbfa639f366bc90293
Opcode Fuzzy Hash: 26b123652edab92ce6a15b49f3ba4f50a5fd80d5e605533ee84f76b45fb6fb0c
Instruction Fuzzy Hash: 72914C71A0021ADFCB10CF5AD580A9EBBF1FF58314B55856AE809AB302D735E945CF98

Function 004063C1 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004063E2
wcslen.MSVCRT ref: 004063ED
wcslen.MSVCRT ref: 004063FB
memset.MSVCRT ref: 00406451

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

nss3.dll, xrefs: 004063F3, 004063F8, 0040640C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memsetwcslen$wcscatwcscpy
String ID: nss3.dll
API String ID: 1250441359-2492180550
Opcode ID: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction ID: 7e6fc29c8000acf8dfdc2cef167c58109b3e52db234c734628f4c22aee9d38d0
Opcode Fuzzy Hash: 539cc7b2b5a1ca4a5cded3f0901bcdf604bea04d283746a690f02e85a837d118
Instruction Fuzzy Hash: E711ECB2D0421DAADB10E750DD45BCA73EC9F10314F1004B7F60CE20C2F778AA548A9D

Function 0040AE21 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADC7
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADD5
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADE6
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADFD
Part of subcall function 0040ADBB: ??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040AE06

??3@YAXPAX@Z.MSVCRT(?,00000000,0040DA08,?,0040E2EA,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040AE3C
??3@YAXPAX@Z.MSVCRT(?,00000000,0040DA08,?,0040E2EA,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040AE4F
??3@YAXPAX@Z.MSVCRT(?,00000000,0040DA08,?,0040E2EA,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040AE62
??3@YAXPAX@Z.MSVCRT(?,00000000,0040DA08,?,0040E2EA,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0040AE75
free.MSVCRT ref: 0040AEAE

Part of subcall function 00408037: free.MSVCRT ref: 0040803E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@$free
String ID:
API String ID: 2241099983-0
Opcode ID: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
Instruction ID: 5cedf5899733f7fd452d28a3e5974aab2a3b061775a7969347507653aae84efd
Opcode Fuzzy Hash: 0b66915f84970c8dee2b815cea6b5dfc4349602c711738901fa1bf88fce7501e
Instruction Fuzzy Hash: 13010832946A20ABC6367B2AD50251FB368BE91B90306457FF445BB3818F3C7C5186DF

Function 00414CBE Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

AreFileApisANSI.KERNEL32 ref: 00414CC6
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 00414CE6
malloc.MSVCRT ref: 00414CEC
WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 00414D0A
free.MSVCRT ref: 00414D13

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ApisFilefreemalloc
String ID:
API String ID: 4053608372-0
Opcode ID: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
Instruction ID: 44ea64674f021cea2031e16b60495934b5371f4db2927085d3abb6a650cf4446
Opcode Fuzzy Hash: 812cbb7add7f674ff0468623c6e7b50f355b1e49695ec4f29896983211f76786
Instruction Fuzzy Hash: 6601F4B140011DBEAF115FA9DCC5CAF7EACDA457E8720036AF810E2190E6344E4056B8

Function 0040A302 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040A314
GetWindowRect.USER32(?,?), ref: 0040A321
GetClientRect.USER32(00000000,?), ref: 0040A32C
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040A33C
SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040A358

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Window$Rect$ClientParentPoints
String ID:
API String ID: 4247780290-0
Opcode ID: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction ID: 816d64d46c4b910dad83cc5cff1f19606824cbaca0e9d5d20ff5cebd8420fa85
Opcode Fuzzy Hash: 08c57ff735731e7da7a27fa3f9b2ad0737e344cc782b350b7b638dd860d33b4b
Instruction Fuzzy Hash: 06014836800129BBDB11AFA59C49EFFBFBCFF46B15F044169F901A2190D77896028BA5

Function 004421EB Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00407144: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,004421F7,00000000,?,00000000,00000000,00410671,?,?), ref: 00407156

GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000000,00410671,?,?), ref: 00442202
??2@YAPAXI@Z.MSVCRT(0000000A), ref: 00442216
memset.MSVCRT ref: 00442225

Part of subcall function 00407B93: ReadFile.KERNELBASE(?,?,5"D,00000000,00000000,?,?,00442235,00000000,00000000), ref: 00407BAA

??3@YAXPAX@Z.MSVCRT(00000000), ref: 00442248

Part of subcall function 00441FDC: memchr.MSVCRT ref: 00442017
Part of subcall function 00441FDC: memcpy.MSVCRT(?,00443D7C,0000000B,?,?,?,00000000,00000000,00000000), ref: 004420BB
Part of subcall function 00441FDC: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 004420CD
Part of subcall function 00441FDC: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004420F5

CloseHandle.KERNEL32(00000000), ref: 0044224F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
String ID:
API String ID: 1471605966-0
Opcode ID: 8d684c0203be65d6cee86c411987c92c8a6445e23ddedbadec83ee29d411de9b
Instruction ID: 5cd116c641245c85bcd5bad65d9d69835b0888748ca48550e443bbafd66aa86b
Opcode Fuzzy Hash: 8d684c0203be65d6cee86c411987c92c8a6445e23ddedbadec83ee29d411de9b
Instruction Fuzzy Hash: 3DF0FC325041007AE21077329D4AF6B7B9CDF85761F10053FF515911D2EA789904C179

Function 0040ADBB Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADC7
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADD5
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADE6
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040ADFD
??3@YAXPAX@Z.MSVCRT(?,?,00000000,0040AFF3,?,?,?,00403027,?,?,0040E241,00000000,00000000,?,00000000), ref: 0040AE06

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
Instruction ID: 7485fa72425b52f9fdb5b203d173836123891f19866e380edd82503d68adac07
Opcode Fuzzy Hash: bb5b54d35ac9345d4f67fd1f43b9bd0339cc6982e71662365849d1d3c181b2be
Instruction Fuzzy Hash: D8F0FF72509701AFD720AF6999D991BB7F9BF943147A0493FF049D3A41CB78A8904A18

Function 0040C35B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C37F
memset.MSVCRT ref: 0040C396

Part of subcall function 0040B9C3: wcscpy.MSVCRT ref: 0040B9C8
Part of subcall function 0040B9C3: _wcslwr.MSVCRT ref: 0040BA03

_snwprintf.MSVCRT ref: 0040C3C5

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

</%s>, xrefs: 0040C3B4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$FileWrite_snwprintf_wcslwrwcscpywcslen
String ID: </%s>
API String ID: 168708657-259020660
Opcode ID: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction ID: 40532074a48dce177473b235f1db1661615fe75cb863f0afecc7fe9ed9b88556
Opcode Fuzzy Hash: ed3ca334932eb13030ad141ea1100de8b1267ec76abb3a8f7f71a50922ffdfbd
Instruction Fuzzy Hash: 910136F3D4012976EB20A755DC45FEE76BCEF45308F4000B6BB09B7181DB78AA458AA8

Function 0040A414 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040A44E
SetWindowTextW.USER32(?,?), ref: 0040A47E
EnumChildWindows.USER32(?,Function_0000A3B6,00000000), ref: 0040A48E

Strings

caption, xrefs: 0040A463

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ChildEnumTextWindowWindowsmemset
String ID: caption
API String ID: 1523050162-4135340389
Opcode ID: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction ID: f5bb4e3483ddd063dbb45333af41605001ac6cd66b5ccbc099165aa82e617e5a
Opcode Fuzzy Hash: 0770d01bbebb907716830064d8bced7af567b4e8952be56cced1b648d4788750
Instruction Fuzzy Hash: 44F0C83690031466FB20EB51DD4EB9A3768AB04755F5000B6FF04B61D2DBF89E50CBAE

Function 0040103E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004075AD: memset.MSVCRT ref: 004075B7
Part of subcall function 004075AD: wcscpy.MSVCRT ref: 004075F7

CreateFontIndirectW.GDI32(?), ref: 0040105D
SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040107C
SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 0040109A

Strings

MS Sans Serif, xrefs: 00401049

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
String ID: MS Sans Serif
API String ID: 210187428-168460110
Opcode ID: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction ID: b86dbe1d582a7894089203107e7a1e4413fc3d6f7e8de8594febed0b37e93160
Opcode Fuzzy Hash: 9567ec9b2f0dc6d22a5446aca1e43186409379ab266c501c72e5b3238589e89f
Instruction Fuzzy Hash: 56F05E75A4030877E621ABA0DC06F8A7BB9B740B01F000935B711B51E0D7E4A285C658

Function 00411140 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,004112EE,?,?,?,?,?,00000000,?), ref: 00411151
GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 0041116B

Strings

GetProcessTimes, xrefs: 0041115B
kernel32.dll, xrefs: 0041114C

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetProcessTimes$kernel32.dll
API String ID: 1646373207-3385500049
Opcode ID: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction ID: be5b0e9885743e8d30da273d8ef78610b28524ab18dcfae55e11e98fa027414b
Opcode Fuzzy Hash: 464f22052b3d8a0ba402789ad02750f959a9c2b374b1230dcbafe23b26c1554b
Instruction Fuzzy Hash: 4FF01C35104308AFEB128FA0EC04B967BA9BB08749F048425F608C1671C775C9A0DF58

Function 004076CD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004076EC
GetClassNameW.USER32(?,00000000,000000FF), ref: 00407703
_wcsicmp.MSVCRT ref: 00407715

Strings

edit, xrefs: 0040770F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ClassName_wcsicmpmemset
String ID: edit
API String ID: 2747424523-2167791130
Opcode ID: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction ID: 51a03c7d5923a90201923a44b10f324a390683a0d3b2f84b2934c4bf373e0ab9
Opcode Fuzzy Hash: 5d550bad1fc3d430151135b806da61cbea55bdd82f1e1fbc5f53ec133c7d6f5f
Instruction Fuzzy Hash: A9E04872D8031E7AFB14ABA0DC4BFA977BCBB04704F5001F5B615E10D2EBB4A6454A5C

Function 004121C3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 12libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,0040E314,00000000,?,00000002), ref: 004121D1
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 004121E6

Strings

shell32.dll, xrefs: 004121CC
SHGetSpecialFolderPathW, xrefs: 004121E0

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetSpecialFolderPathW$shell32.dll
API String ID: 2574300362-880857682
Opcode ID: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction ID: 4b50289c71ca44835333f785f02b611be4b8370b72da6f54bb0e40a9521e89f3
Opcode Fuzzy Hash: 881f98a91457903b94e991739f1253563cd1b946a507866072d03daf316dbad8
Instruction Fuzzy Hash: 86D0C774600313BADB108F209D48B4239746712743F251036F430D1771DF7895C49A1C

Function 0041B0C3 Relevance: 6.3, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041B0D6
memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B0EC
memcmp.MSVCRT(?,?,00000030,?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041B0FB
memcmp.MSVCRT(00000000,?,00000030,?,?,?,?,?,?,?,?,00000000), ref: 0041B143
memcpy.MSVCRT(00000000,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041B15E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memcmp
String ID:
API String ID: 3384217055-0
Opcode ID: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction ID: 295c5a0bc2866328f8dcc37ada2a4d99e769f04d629d2bea2717987aff5dfa66
Opcode Fuzzy Hash: c21ad6a5d3121964cfee4e4549eeaad2127827bfa0247cfb1633fe6ae368a6b9
Instruction Fuzzy Hash: 01217C72E10248BBDB18DAA5DC56E9F73ECEB44740F50042AB512D7281EB78E644C765

Function 0040E5BA Relevance: 6.3, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E5D9
memset.MSVCRT ref: 0040E5EF
memset.MSVCRT ref: 0040E601
memcpy.MSVCRT(?,?,00000010, D,?,00443D7C), ref: 0040E626
memset.MSVCRT ref: 0040E630

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$memcpy
String ID:
API String ID: 368790112-0
Opcode ID: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction ID: 5db9a22820b402d4d4dd4a010236648e296a7231ae54e5ee969484aed16c8927
Opcode Fuzzy Hash: ef22b1934ad2d52127aca45cd93deb21b3ee899ba2995d0c9766137b2d6f5093
Instruction Fuzzy Hash: D301F0B174070077D335AA35CC03F1A73E49FA1714F400E1DF152666C2D7F8A105866D

Function 00415494 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004154B8
memset.MSVCRT ref: 004154E8

Part of subcall function 0041538D: memset.MSVCRT ref: 004153AA
Part of subcall function 0041538D: UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA

Part of subcall function 00414EFE: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414F2A
Part of subcall function 00414EFE: SetEndOfFile.KERNEL32(?), ref: 00414F54
Part of subcall function 00414EFE: GetLastError.KERNEL32 ref: 00414F5E

Strings

,A, xrefs: 00415560
%s-shm, xrefs: 004154FC

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset$File$ErrorLastUnlockUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: %s-shm$,A
API String ID: 1271386063-2158068007
Opcode ID: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction ID: 8012e8fd2c705de7aa363bc2bd32bd15ad04531b7aa24a5a7ab2fd91cc4b7507
Opcode Fuzzy Hash: e97150ecd3292b0c1fc6f67ffbb4081b9a3a76a2bb60b8d44e9283291b6bd327
Instruction Fuzzy Hash: B1510671504B05FFD710AF21DC02BDB77A6AF80754F10481FF9299A282EBB9E5908B9D

Function 00415804 Relevance: 6.1, APIs: 4, Instructions: 138fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004158E7
MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 00415912
GetLastError.KERNEL32 ref: 00415939
CloseHandle.KERNEL32(00000000), ref: 0041594F

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID:
API String ID: 1661045500-0
Opcode ID: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction ID: 02e61587b06ba7d058713df3830c0e33945dcb010177779d6ae1e8dc7ea6695b
Opcode Fuzzy Hash: e54a1143c91b2cced6003210cc0bcdbeb5c1320b0c8b584585a67ef015de7640
Instruction Fuzzy Hash: B6518EB4214B02DFD724DF25C981AA7B7E9FB84315F10492FE88286651E734E854CB59

Function 0042C345 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004132EA: memset.MSVCRT ref: 00413304

memcpy.MSVCRT(?,?,?), ref: 0042C42D

Strings

sqlite_altertab_%s, xrefs: 0042C3FE
virtual tables may not be altered, xrefs: 0042C384
Cannot add a column to a view, xrefs: 0042C39A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
API String ID: 1297977491-2063813899
Opcode ID: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction ID: 3e8a37011c5d834ac6e6d4f8fd11fd3d4e87e0ccd438cada7bf19ffd6667b676
Opcode Fuzzy Hash: 73f7123a41afc254934908830e0006766df9d40b851d17961e81b3466ae4c6b7
Instruction Fuzzy Hash: 03419D71A00615AFDB10DF69D881A5EB7F0FF08314F24856BE8489B352D778EA51CB88

Function 0042E398 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00000000,?,00000000,00000000,00000000,0044B2E0), ref: 0042E4D8

Strings

, , xrefs: 0042E415
CREATE TABLE , xrefs: 0042E44D
, xrefs: 0042E40E

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: $, $CREATE TABLE
API String ID: 3510742995-3459038510
Opcode ID: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction ID: 75c0c8dac0447bb43292008ef446c40d7ab48a9469891862f1914eead86e2b05
Opcode Fuzzy Hash: 9c967c3a06afb765e02c907f2e49235dd04f948cd2abf78a2709aa5cc33f4167
Instruction Fuzzy Hash: C3518171E00219DFCF10DF9AD4856AEB7B5FF44309F64809BE841AB205D778AA45CB98

Function 0040475A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 122COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004047A1

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

Part of subcall function 00407CFE: memset.MSVCRT ref: 00407D1F
Part of subcall function 00407CFE: _snwprintf.MSVCRT ref: 00407D52
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D5E
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D76
Part of subcall function 00407CFE: wcslen.MSVCRT ref: 00407D84
Part of subcall function 00407CFE: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 00407D97

Part of subcall function 00407AB6: GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
Part of subcall function 00407AB6: wcscpy.MSVCRT ref: 00407B0D

Strings

wand.dat, xrefs: 004047C7
*.*, xrefs: 004047E2
dat, xrefs: 004047A6

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpywcslen$HandleModulememsetwcscpy$FileLoadNameOpenString_snwprintf
String ID: *.*$dat$wand.dat
API String ID: 3589925243-1828844352
Opcode ID: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction ID: 6d0f55f818233349c8d1636aac4371a0276c995c789a620d4a51b657e5e4e923
Opcode Fuzzy Hash: ee95740454303ceeab932a838ec3e971a5e4e933b383f4235399895267209d19
Instruction Fuzzy Hash: 6F419971A04206AFDB14EF61D885AAE77B4FF40314F10C42BFA05A71C2EF79A9958BD4

Function 0040CBC1 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

Part of subcall function 0040B1B3: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B1D4
Part of subcall function 0040B1B3: ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000,?,0040CBD1,?), ref: 0040B29B

wcslen.MSVCRT ref: 0040CBEF
_wtoi.MSVCRT(?,?,00000000,00000000,00000000,?,00000000,?,?), ref: 0040CBFB
_wcsicmp.MSVCRT ref: 0040CC49
_wcsicmp.MSVCRT ref: 0040CC5A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _wcsicmp$??2@??3@_wtoiwcslen
String ID:
API String ID: 1549203181-0
Opcode ID: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction ID: 2e88af878a7a0ebae712eab1be6a0374a06ab0ac9bbd2c3eb3becf244d067ed8
Opcode Fuzzy Hash: 567ae35796e479033978641934fe8efa79e81af9abf3b8ba23fb9af2cd80c235
Instruction Fuzzy Hash: C3416D31900204EBEF21DF59C5C4A9DBBB4EF45319F1546BAEC09EB3A6D638D940CB58

Function 0040E51C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000040,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E55F
memcpy.MSVCRT(?,?,00000040,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E589
memcpy.MSVCRT(?,?,00000013,00000001,00443D7C,?,?,0040ED5A,?,00443D7C), ref: 0040E5AD

Strings

@|=D, xrefs: 0040E5A6

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: @|=D
API String ID: 3510742995-4242725666
Opcode ID: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction ID: e04d1c669876fac24280ac48723ffca9e388da4b41f072ca806e7767fffd92f4
Opcode Fuzzy Hash: df00fe4d456d847bcc816d9924c913a63d4017986857a83741e135789728a0a6
Instruction Fuzzy Hash: 19113BF29003047BDB348E66DC84C5A77A8EB603987000E3EF90696291F675DF69C6D8

Function 00412D4A Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 65COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00412D6B

Strings

-+A, xrefs: 00412D55
-+A, xrefs: 00412D4D
Y,A, xrefs: 00412E25

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memset
String ID: -+A$-+A$Y,A
API String ID: 2221118986-4154596189
Opcode ID: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction ID: 1dfdef816599cc938eba6c7f1cf8632c899ce6bbbbec6bb0dc4dd89a5a59c02f
Opcode Fuzzy Hash: e10b50a88832c8eca0fe984cc6704273a4110daab6733b6ac7d2fab50901f5f0
Instruction Fuzzy Hash: 482156799417008FD3268F0AFE0565AB7E5FBE2702724413FE201D62B2D7B4489A8F8C

Function 004084EE Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,?,?,004014B8,?,?,?,?,0044CD68,0000000C), ref: 00408523
memset.MSVCRT ref: 00408534
memcpy.MSVCRT(004503EC,?,00000000,00000000,00000000,00000000,00000000,?,?,004014B8,?,?,?,?,0044CD68,0000000C), ref: 00408540
??3@YAXPAX@Z.MSVCRT ref: 0040854D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@??3@memcpymemset
String ID:
API String ID: 1865533344-0
Opcode ID: 006f3b584c6a23bdda7a4d338d7a1bb9511f2f472f5785237822146c56e0ee29
Instruction ID: d20edd04bd2483e58964879576c48f2ebc5a647496c0cba51e85d391a6ad2c86
Opcode Fuzzy Hash: 006f3b584c6a23bdda7a4d338d7a1bb9511f2f472f5785237822146c56e0ee29
Instruction Fuzzy Hash: 0D118C71204601AFD328DF2DCA91A26F7E5FFD8340B60892EE4DAC7385EA75E801CB14

Function 00411A90 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00411ABC

Part of subcall function 00407BF7: _snwprintf.MSVCRT ref: 00407C3C
Part of subcall function 00407BF7: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00407C4C

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00411AE5
memset.MSVCRT ref: 00411AEF
GetPrivateProfileStringW.KERNEL32(?,?,Function_000434FC,?,00002000,?), ref: 00411B11

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
String ID:
API String ID: 1127616056-0
Opcode ID: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction ID: 7dd1a1e3bfb09d1cc1018fb107044e1a6d1141f919409e292c6c821828e7f11b
Opcode Fuzzy Hash: d6b06db8244673818a3f3970d82af9b7ba7535b9122898fd49e4c505e6d5cf51
Instruction Fuzzy Hash: 48118271500119BFEF11AF61DD02EDE7BB9EF04741F100066FF05B2060E675AA608BAD

Function 004123CC Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004123DC
SHBrowseForFolderW.SHELL32(?), ref: 0041240E
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00412422
wcscpy.MSVCRT ref: 00412435

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: BrowseFolderFromListMallocPathwcscpy
String ID:
API String ID: 3917621476-0
Opcode ID: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction ID: 5cda3e6a61a15ee9057d47663b3b2e0c0e874c437a77379260a47c7555d96391
Opcode Fuzzy Hash: 9e530e736623199f8d1c4572649b675cce8d33ce20fed77073f00f2ac51ce3c2
Instruction Fuzzy Hash: C5110CB5A00208AFDB00DFA9D9889EEB7F8FF49714F10406AE905E7200D779EB45CB64

Function 0042D603 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042D63E
memset.MSVCRT ref: 0042D648
memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,00000000,?,00000000,00000068,?,?,00000068), ref: 0042D673

Strings

sqlite_master, xrefs: 0042D616

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: sqlite_master
API String ID: 438689982-3163232059
Opcode ID: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction ID: ee6e5cfbbe52718914f41d47f1c84030a85cc49ac4fd556a51d86816da10b362
Opcode Fuzzy Hash: cbab1ddc9ac3410ad1cf84db35b40c80d29ec42151ab6fd04210e0215871e9bd
Instruction Fuzzy Hash: 6901B972900218BAEB11EFB18D42FDDB77DFF04315F50405AF60462142D77A9B15C7A4

Function 0040CECE Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A034
Part of subcall function 00409FF5: LoadStringW.USER32(00000000,00000007,00000FFF,?), ref: 0040A0CD
Part of subcall function 00409FF5: memcpy.MSVCRT(00000000,00000002), ref: 0040A10D

_snwprintf.MSVCRT ref: 0040CEFB
SendMessageW.USER32(?,0000040B,00000000,?), ref: 0040CF60

Part of subcall function 00409FF5: wcscpy.MSVCRT ref: 0040A076
Part of subcall function 00409FF5: wcslen.MSVCRT ref: 0040A094
Part of subcall function 00409FF5: GetModuleHandleW.KERNEL32(00000000,?,?,?,0040B09A,?,0040E241,00000000,00000000,?), ref: 0040A0A2

_snwprintf.MSVCRT ref: 0040CF26
wcscat.MSVCRT ref: 0040CF39

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
String ID:
API String ID: 822687973-0
Opcode ID: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction ID: 10942a5e8a652da15fc5691646fc128facbf295aae85401a998ce48512d7e6da
Opcode Fuzzy Hash: da7172e30ee21136588dfdb1db0da8cff5898300858bdeb9120db96eb62abdf4
Instruction Fuzzy Hash: 8F0184B19403057AE720E775DC8AFBB73ACAF40709F04046AB719F21C3DA79A9454A6D

Function 00414C63 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,76F8DF80,?,00414D8E,?), ref: 00414C81
malloc.MSVCRT ref: 00414C88
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,76F8DF80,?,00414D8E,?), ref: 00414CA7
free.MSVCRT ref: 00414CAE

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: e1cd2b73c96639b283147803c5e2f0a2299dd018b03378eaee566884a8c47b85
Instruction ID: 08e12ed7d8240a3e2c5be9bdce3f46534c50a62d4f36ceba048af803e5c5c189
Opcode Fuzzy Hash: e1cd2b73c96639b283147803c5e2f0a2299dd018b03378eaee566884a8c47b85
Instruction Fuzzy Hash: CBF0E9B260A21D7E76006FB59CC0C3B7B9CD7863FDB21072FF510A2180F9659C0116B5

Function 0041538D Relevance: 6.0, APIs: 4, Instructions: 45fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004153AA
UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 004153CA
LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 004153D6
GetLastError.KERNEL32 ref: 004153E4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: File$ErrorLastLockUnlockmemset
String ID:
API String ID: 3727323765-0
Opcode ID: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction ID: b4c6314a975e1eba122d49f899d78a16df92238a1a9f5a4b2f2908291fae13bb
Opcode Fuzzy Hash: 0612512dbcb25e72840826b50eff5f9555e3619a56fe643e0148ba0517731135
Instruction Fuzzy Hash: 7201D131100608FFDB219FA4EC848EBBBB8FB80785F20442AF912D6050D6B09A44CF25

Function 00401B06 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401B27

Part of subcall function 00412270: SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000), ref: 004122AA

wcslen.MSVCRT ref: 00401B40
wcslen.MSVCRT ref: 00401B4E

Part of subcall function 004076A9: wcscpy.MSVCRT ref: 004076B1
Part of subcall function 004076A9: wcscat.MSVCRT ref: 004076C0

Strings

Apple Computer\Preferences\keychain.plist, xrefs: 00401B3A, 00401B3F, 00401B67

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcslen$FolderPathSpecialmemsetwcscatwcscpy
String ID: Apple Computer\Preferences\keychain.plist
API String ID: 3183857889-296063946
Opcode ID: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction ID: 16ca9930086f175389a7ca6d9dd60f6601f6a2e2e4035c9292d9b79f31a3f5d2
Opcode Fuzzy Hash: 8006b7ae7f5b9b2d5e72903c8d65ba76eb4ffe7052016a765288ea2a00793178
Instruction Fuzzy Hash: F8F0FE7290531476E720A7559C89FDA736C9F00318F6005B7F514E10C3F77CAA5446AD

Function 00403081 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004030A6
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 004030C3
strlen.MSVCRT ref: 004030D5
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 004030E6

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction ID: e51875297eda531c80c3ec5ec415ee795d437164a5b9689062039e3667910632
Opcode Fuzzy Hash: c176ff0dcd1864958a99801ca3c2895d6322cf952761f758445de8014ee40b91
Instruction Fuzzy Hash: 56F04FB680022CBEFB15AB949DC5DEB776CDB04254F0001A2B709E2041E5749F448B78

Function 0040BA53 Relevance: 6.0, APIs: 4, Instructions: 41filestringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040BA78
WideCharToMultiByte.KERNEL32(00000000,00000000,00000001,000000FF,?,00001FFF,00000000,00000000,00000001,00443980,00000000,00000000,00000000,?,00000000,00000000), ref: 0040BA91
strlen.MSVCRT ref: 0040BAA3
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040BAB4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharFileMultiWideWritememsetstrlen
String ID:
API String ID: 2754987064-0
Opcode ID: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction ID: f1b04ddda804f0d23e85d9b3a1a681265272c1a7bd8491b11875ee0cd1c6d5d4
Opcode Fuzzy Hash: 75b273bda8818eb1e049dc1d4f8bf93ad7451d7bf5c27d1061f7569d94d81c1b
Instruction Fuzzy Hash: 7CF06DB780022CBEFB059B94DDC9DEB77ACDB04258F0001A2B709E2042E6749F44CB78

Function 0041176D Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 004076CD: memset.MSVCRT ref: 004076EC
Part of subcall function 004076CD: GetClassNameW.USER32(?,00000000,000000FF), ref: 00407703
Part of subcall function 004076CD: _wcsicmp.MSVCRT ref: 00407715

SetBkMode.GDI32(?,00000001), ref: 00411794
SetBkColor.GDI32(?,00FFFFFF), ref: 004117A2
SetTextColor.GDI32(?,00C00000), ref: 004117B0
GetStockObject.GDI32(00000000), ref: 004117B8

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
String ID:
API String ID: 764393265-0
Opcode ID: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction ID: 4524e9a356975b07e10c0673c8b36924071ef161512cc5bea393be377801c3c3
Opcode Fuzzy Hash: 5fbb731d4b6b530c812bc277fef4d25e3eb5586c38ca31f5bfd49ebc1fc19f48
Instruction Fuzzy Hash: 9AF0A435100209BBDF112F64DC05BDD3F61AF05B25F104636FA25541F5CF769990D648

Function 0040FA51 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(00450748,?,00000050,?,004014FF,?), ref: 0040FA6B
memcpy.MSVCRT(00450478,?,000002CC,00450748,?,00000050,?,004014FF,?), ref: 0040FA7D
GetModuleHandleW.KERNEL32(00000000), ref: 0040FA90
DialogBoxParamW.USER32(00000000,0000006B,?,Function_0000F767,00000000), ref: 0040FAA4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$DialogHandleModuleParam
String ID:
API String ID: 1386444988-0
Opcode ID: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction ID: 350a086b8d7ad7ad16c9f4c49a9849c7d3de4f0e2d0f3119e9b48998a0ebe44a
Opcode Fuzzy Hash: 5af77e421d670d3e9d53a45b82afc890927493f23d8260cf4e85c54301f9f1bc
Instruction Fuzzy Hash: 49F0A731680310BBEB70AFA4BD4AF163A919705F57F20043AF644A60E2C7B585558B9D

Function 004048C7 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F6), ref: 004048DE

Part of subcall function 00412455: LoadLibraryW.KERNEL32(shlwapi.dll,753D8FB0,?,004048E6,00000000), ref: 0041245E
Part of subcall function 00412455: GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0041246C
Part of subcall function 00412455: FreeLibrary.KERNEL32(00000000,?,004048E6,00000000), ref: 00412484

GetDlgItem.USER32(?,00000000), ref: 004048F0
GetDlgItem.USER32(?,00000000), ref: 00404902
GetDlgItem.USER32(?,00000000), ref: 00404914

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: Item$Library$AddressFreeLoadProc
String ID:
API String ID: 2406072140-0
Opcode ID: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction ID: 27d5e7a410d711f85fb169ee5f4284aad0304eb1bf7711d039073b83f91ac3c5
Opcode Fuzzy Hash: a8f7eca7071bb80bc984f3ec153cc5aff345bc84215bcc68ba7b850d09515bab
Instruction Fuzzy Hash: 33F01CB18043026BCB313F72DC09D6FBAADEF84310B010D2EA1D1D61A1CFBE94618A98

Function 00442D7A Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(02260048), ref: 00442D84
??3@YAXPAX@Z.MSVCRT(02270050), ref: 00442D94
??3@YAXPAX@Z.MSVCRT(00A14E38), ref: 00442DA4
??3@YAXPAX@Z.MSVCRT(02270458), ref: 00442DB4

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
Instruction ID: 4d75bcbf83e2a718e0a773ad5cf6a383805f84e699810b963ae7674306c23c36
Opcode Fuzzy Hash: 44d13ece2455e6bf70e94478653814ebefdf6deeb09379604d67fc2da5a05fd3
Instruction Fuzzy Hash: 05E080A1705301777A105B36BE55B0313EC3A703423D8041FF40AC3255DEBCC840441C

Function 0040DA3A Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0040DA6F
InvalidateRect.USER32(?,00000000,00000000), ref: 0040DABB

Strings

<M@, xrefs: 0040DC3B

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: InvalidateMessageRectSend
String ID: <M@
API String ID: 909852535-3778786622
Opcode ID: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction ID: 05eea1ce1b03382e5db893e26ff0cd35ef39184770bc15fe2d13ad66f6086966
Opcode Fuzzy Hash: 34262e1ccb1ccbcc0d13218f904e640cd746ad35dcac150ad02d22c2cfc9d8bc
Instruction Fuzzy Hash: 89518430E003049ADB20AFA5C845F9EB3A5AF44324F51853BF4197B1E2CAB99D89CB5D

Function 0040BABE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

wcschr.MSVCRT ref: 0040BB00
wcschr.MSVCRT ref: 0040BB0E

Part of subcall function 004080BF: wcslen.MSVCRT ref: 004080DB
Part of subcall function 004080BF: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040BB56), ref: 004080FE

Strings

", xrefs: 0040BB4A

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: wcschr$memcpywcslen
String ID: "
API String ID: 1983396471-123907689
Opcode ID: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction ID: 425732c6536ade4c189e7d45363e94d8349111ce0189a23fa1b0a907d348dab1
Opcode Fuzzy Hash: 8e9dacec36b22f36b3d6a2c9acf4b3c337cfe9fd3fa69281ad6b0cf09b24f830
Instruction Fuzzy Hash: D2317E31904204ABDF04EFA5C8419EEB7F8EF44364B20816BE855B72D5DB78AA41CADC

Function 0040928C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00407BD1: SetFilePointer.KERNEL32(00409553,?,00000000,00000000,?,0040935E,00000000,00000000,?,00000020,?,004094E9,?,?,00409553,00000000), ref: 00407BDE

_memicmp.MSVCRT ref: 004092A6
memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,?,00409553,00000000), ref: 004092BD

Strings

URL , xrefs: 004092A0

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FilePointer_memicmpmemcpy
String ID: URL
API String ID: 2108176848-3574463123
Opcode ID: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction ID: 33b3fc867a4e2474f07ea88972ed825a8fcb80c5477311fdb059a6d734a7dbfa
Opcode Fuzzy Hash: cd6c5101a0353fed1380e8074d20d0c9319d1f79348dd7d2e07b117509aaf2a7
Instruction Fuzzy Hash: 8411A031604208BBEB11DF29CC05F5F7BA8AF85348F054066F904AB2D2E775EE10CBA5

Function 00407BF7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 00407C3C
memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 00407C4C

Strings

%2.2X , xrefs: 00407C31

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintfmemcpy
String ID: %2.2X
API String ID: 2789212964-323797159
Opcode ID: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction ID: 0f19ce75f7d61601c6dcaf4457f6717ff276ffca2b35b3dd887d371e09c964f6
Opcode Fuzzy Hash: 67cc605bc3185a31bfa90e7c216e456876c101feb6316f2713b0a5e7acf2aabe
Instruction Fuzzy Hash: 87117C32908209BEEB10DFE8C9C69AE73A8BB45714F108436ED15E7141D678AA158BA6

Function 004153F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,00000000,00000000,?,00415610,?,00000000), ref: 0041542C
CloseHandle.KERNEL32(?), ref: 00415438

Strings

!-A, xrefs: 00415417

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: CloseFileHandleUnmapView
String ID: !-A
API String ID: 2381555830-3879722540
Opcode ID: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction ID: 6c5ed3bf8746cf55bcd37c1067f9027f6bc59eb5530dee428a664ff8177fa162
Opcode Fuzzy Hash: e8c78a8d6966c789a432285f25c1a97e3c9752e60e4576fb47e50e48bcd826d3
Instruction Fuzzy Hash: 5611BF35500B10DFCB319F25E945BD777E0FF84712B00492EE4929A662C738F8C48B48

Function 0040BD10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_snwprintf.MSVCRT ref: 0040BD3E
_snwprintf.MSVCRT ref: 0040BD5E

Part of subcall function 00407176: wcslen.MSVCRT ref: 00407183
Part of subcall function 00407176: WriteFile.KERNEL32(00000001,00000000,00000000,00000000,00000000,?,?,0040BC47,00000000,00443980,00000000,0040C656,00000000), ref: 00407192

Strings

%%-%d.%ds , xrefs: 0040BD33

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _snwprintf$FileWritewcslen
String ID: %%-%d.%ds
API String ID: 889019245-2008345750
Opcode ID: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction ID: f6bde454874e3f12fe5a715dcb314e2825e8b387052435345983f70e28f49e73
Opcode Fuzzy Hash: 0621875c29823bfdd60080e68f211d35d61c8b83eb007e49ef2e77d3973846ff
Instruction Fuzzy Hash: 1D01D871500604BFD7109F69CC82D6AB7F9FF48318B10442EF946AB2A2DB75F841DB64

Function 00408116 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00408125
_memicmp.MSVCRT ref: 00408153

Strings

History, xrefs: 0040811F, 00408124, 00408151

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: _memicmpwcslen
String ID: History
API String ID: 1872909662-3892791767
Opcode ID: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction ID: 2715e0f5b76d9e8bf3bfa22bf35e41ec2dcc8bed56e6222f305abdff7d2b472d
Opcode Fuzzy Hash: bae70ed05e2484058d162cab4743c52f8bd5b62447447ec07eacc4e847ca5ebf
Instruction Fuzzy Hash: 7BF0A4721046029BD210EA299D41A2BB7E8DF813A8F11093FF4D196282DF79DC5646A9

Function 00407B1D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSaveFileNameW.COMDLG32(?), ref: 00407B6C
wcscpy.MSVCRT ref: 00407B83

Strings

X, xrefs: 00407B51

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameSavewcscpy
String ID: X
API String ID: 3080202770-3081909835
Opcode ID: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction ID: df6fc214ccc966a4ef74be52ccb1fa8de01b9f2d97edd1d3ec6f174b54628a36
Opcode Fuzzy Hash: 24396636a29f1ce25200a1500eee54acd60350c694163d5da58a3a079e5601d4
Instruction Fuzzy Hash: C801E5B1E002499FDF00DFE9D8847AEBBF4AF08319F10402AE815E6280DB78A949CF55

Function 0040AC82 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040AC9A
SendMessageW.USER32(?,0000105F,00000000,?), ref: 0040ACC9

Strings

", xrefs: 0040ACC2

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: MessageSendmemset
String ID: "
API String ID: 568519121-123907689
Opcode ID: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction ID: c9b4fa4cd35477e261f68ac5278df415403352ef960fa58aa17ae8539a272808
Opcode Fuzzy Hash: 25315a415076cbab8121a395ef60f2b275a5e49d8e8cab10b2ef02e751b77d98
Instruction Fuzzy Hash: 4E01D635800304EBEB20DF5AC841AEFB7F8FF84745F01802AE854A6281D3349955CF79

Function 004017B7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetWindowPlacement.USER32(?,?,?,?,?,0040D8F3,?,General,?,?,?,?,?,00000000,00000001), ref: 004017E0
memset.MSVCRT ref: 004017F3

Strings

WinPos, xrefs: 00401806

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: PlacementWindowmemset
String ID: WinPos
API String ID: 4036792311-2823255486
Opcode ID: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction ID: 403492ab1ae1e8e085d1b686bd15613ed323b870b3f74ac0ef6546771a88dbd4
Opcode Fuzzy Hash: ebc0bb48f8a97b617363729f7cf0900b593d1d2e388969c7686af9c2b4b0c1d2
Instruction Fuzzy Hash: BDF0FF71600204ABEB14EFA5D989F6E73E8AF04700F544479E9099B1D1D7B899008B69

Function 00407AB6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00407AFF
wcscpy.MSVCRT ref: 00407B0D

Strings

X, xrefs: 00407AE0

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileNameOpenwcscpy
String ID: X
API String ID: 3246554996-3081909835
Opcode ID: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction ID: 22468463e432baa7279a8bf0e718ba1534ae3331c134da9758c07f59fbfd6832
Opcode Fuzzy Hash: 7dbed658630cd8f1005308aafbad7de56d353a569406e82a8f6fc1bcbb586f5c
Instruction Fuzzy Hash: 6601B2B1D0024CAFCB40DFE9D8856CEBBF8AF09708F10802AE819F6240EB7495458F54

Function 0040AB7D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 0040757A: GetModuleFileNameW.KERNEL32(00000000,00000208,00000104,0040AB83,00000000,0040AA36,?,00000000,00000208,?), ref: 00407585

wcsrchr.MSVCRT ref: 0040AB86
wcscat.MSVCRT ref: 0040AB9C

Strings

_lng.ini, xrefs: 0040AB96

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: FileModuleNamewcscatwcsrchr
String ID: _lng.ini
API String ID: 383090722-1948609170
Opcode ID: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction ID: faf96e17328b6cfe7fea8df6c793311bae4d5162fb77f626620ffa022952bc65
Opcode Fuzzy Hash: d99e0c1e210eb6d30fbb9606f358fc75cd7c920557a2e7d7f41dfd12b806f831
Instruction Fuzzy Hash: E6C0125394672070F52233226E13B8F17696F22306F60002FF901280C3EFAC631180AF

Function 0042917D Relevance: 5.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,00000000,?), ref: 0042921F
memcpy.MSVCRT(?,?,?,?), ref: 00429258
memset.MSVCRT ref: 0042926E
memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 004292A7

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID:
API String ID: 438689982-0
Opcode ID: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction ID: 8c22702d92a242b4074cdc0308f2d59ea0ad553ae454c6356856be76eef94a8a
Opcode Fuzzy Hash: 8de3b15170db9a09aff60384115cf250075a5608c27ba135c8b23c8b853ebfd7
Instruction Fuzzy Hash: 2551A775A0021AFBEF15DF95DC81AEEB775FF04340F54849AF805A6241E7389E50CBA8

Function 00407EDE Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00407EF0

Part of subcall function 00407475: malloc.MSVCRT ref: 00407491
Part of subcall function 00407475: memcpy.MSVCRT(00000000,00000000,00000000,00000000,?,00408025,00000002,?,00000000,?,004082EE,00000000,?,00000000), ref: 004074A9
Part of subcall function 00407475: free.MSVCRT ref: 004074B2

free.MSVCRT ref: 00407F16
free.MSVCRT ref: 00407F39
memcpy.MSVCRT(?,?,000000FF,00000001,?,00000000,?,?,0040833F,?,000000FF), ref: 00407F5D

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: free$memcpy$mallocwcslen
String ID:
API String ID: 726966127-0
Opcode ID: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction ID: 7e4f8ba4ba14ff744b1d1ae1a3210968bf085ae1c99a6b147d894c05d7fb7a00
Opcode Fuzzy Hash: 53bb7909089ec0eedd8dd5e24e0ed79610a14058f15925bc4f6bfad5848592c5
Instruction Fuzzy Hash: 9E21AC71504605EFD720DF18C880C9AB7F4EF443247108A2EF866AB6A1D734F916CB54

Function 0040AD07 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 004079E0: memset.MSVCRT ref: 004079EE

??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,00000000,0040E108,00000000,?,?,00000000,0040E36A), ref: 0040AD2E
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0040E108,00000000,?,?,00000000,0040E36A), ref: 0040AD55
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0040E108,00000000,?,?,00000000,0040E36A), ref: 0040AD76
??2@YAPAXI@Z.MSVCRT(00000014,00000000,00000000,0040E108,00000000,?,?,00000000,0040E36A), ref: 0040AD97

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ??2@$memset
String ID:
API String ID: 1860491036-0
Opcode ID: 6c9a8a4ea2f174229b1bc5670035406f337b1ba6748cfb04f428cb3fb1efcbd4
Instruction ID: 8f402eb808e7ad555a909232128954833d185930e872f23c51b71e42452eb786
Opcode Fuzzy Hash: 6c9a8a4ea2f174229b1bc5670035406f337b1ba6748cfb04f428cb3fb1efcbd4
Instruction Fuzzy Hash: B121F7B0A017009FD7258F6A8545A52FBE5FF90311B29C9AFE108CBAB2D7B8C800CF15

Function 00414C13 Relevance: 5.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,00415592,?,?,00415592,004159A7,00000000,?,00415C14,?,00000000), ref: 00414C2E
malloc.MSVCRT ref: 00414C36
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,004159A7,000000FF,00000000,00000000,?,00415592,004159A7,00000000,?,00415C14,?,00000000,00000000,?), ref: 00414C4D
free.MSVCRT ref: 00414C54

Memory Dump Source

Source File: 00000009.00000002.1530326446.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_400000_vbc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
Instruction ID: ac963edc179c34f330cc22ede2b288a34a1f5b158d5d5a2152ff40f2e70c1069
Opcode Fuzzy Hash: 62b04034a6b45e285efb8e28dd2072d8972627255b60333d693d9c35b4441962
Instruction Fuzzy Hash: 9AF0A77220521E3BE61026A55C40D7B778CEB86375B10072BB910E21C1FD59D80006B4

Analysis Process: WindowsUpdate.exePID: 5320, Parent PID: 3504COMMON

Executed Functions

Function 00B9B82E Relevance: 1.6, APIs: 1, Instructions: 77
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketW.WS2_32(?,?,?,?,?), ref: 00B9B8BA

Memory Dump Source

Source File: 0000000C.00000002.1584223543.0000000000B9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b9a000_WindowsUpdate.jbxd

Similarity

API ID: Socket
String ID:
API String ID: 38366605-0
Opcode ID: eac4279856de4445b7704da40b804d53b065fd58299f9bdc6bb4893636e55f67
Instruction ID: 175331bdeee2262281340416a32cb2f33819d300c8716d1ce07779dc98d60486
Opcode Fuzzy Hash: eac4279856de4445b7704da40b804d53b065fd58299f9bdc6bb4893636e55f67
Instruction Fuzzy Hash: B9217171409384AFEB21CF55DC45FA6FFF8EF05210F08849EE9858B292D365A408CB61

Function 00B9BC2A Relevance: 1.6, APIs: 1, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?), ref: 00B9BCA9

Memory Dump Source

Source File: 0000000C.00000002.1584223543.0000000000B9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b9a000_WindowsUpdate.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: fd50dea89b7ee12d43f3182557ec0105ae542e37dbc8930090f20726d1e86d65
Instruction ID: bc56706618cf5103500b5583a6dbbf09f2216f2a6b4aff297fdfb3a62b989a03
Opcode Fuzzy Hash: fd50dea89b7ee12d43f3182557ec0105ae542e37dbc8930090f20726d1e86d65
Instruction Fuzzy Hash: 6121AE71504200AFEB20CF65DD85FA6FBF8EF04324F1488A9EA458B251D771E804CB72

Function 00B9B7B2 Relevance: 1.5, APIs: 1, Instructions: 43registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000E24,?,?), ref: 00B9B802

Memory Dump Source

Source File: 0000000C.00000002.1584223543.0000000000B9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b9a000_WindowsUpdate.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5aa7c2268e1f7eaf50f50d2f49538c1e4a32500b36a9ffbf7a3964ce24ce3f16
Instruction ID: 4de12575b28cd7633411d3baca594759bcc4a61e6af4bbfec6106a6ecd7862a2
Opcode Fuzzy Hash: 5aa7c2268e1f7eaf50f50d2f49538c1e4a32500b36a9ffbf7a3964ce24ce3f16
Instruction Fuzzy Hash: 4B018F71600200AFD250DF16CC46B26FBE8FB88A20F14811AED095B741D771B915CAE6

Function 00B9A8AE Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 00B9A8E0

Memory Dump Source

Source File: 0000000C.00000002.1584223543.0000000000B9A000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B9A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_b9a000_WindowsUpdate.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: a9fe75017fcbe3a870709153201b4fbb5bd490650ef8aaf914ddc39715263741
Instruction ID: 953c4a75dba62662694cbd897da01b7773d270ff178741cb2f0fcdaacd540937
Opcode Fuzzy Hash: a9fe75017fcbe3a870709153201b4fbb5bd490650ef8aaf914ddc39715263741
Instruction Fuzzy Hash: 7E014B749042409FEF10CF55D889766FBE4EF05724F18C4EADD498B252D379A944CAA2

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report leUmNO9XPu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: HawkEye

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_windows update.e_86e9c66347f43bd1a285997348975619ddefbb_00000000_f2fdebaa-a89b-43f3-8db9-4f424a0b138c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER997A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER999A.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\WindowsUpdate.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\leUmNO9XPu.exe.log

C:\Users\user\AppData\Local\Temp\SysInfo.txt

C:\Users\user\AppData\Local\Temp\holderwb.txt

C:\Users\user\AppData\Roaming\Windows Update.exe

Windows Analysis Report
leUmNO9XPu.exe

Function 04E709C8 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Function 04E70E6B Relevance: 1.6, APIs: 1, Instructions: 81
networkCOMMON

Function 011C0898 Relevance: 2.7, Strings: 2, Instructions: 204
COMMON

Function 00CFBBF3 Relevance: 1.6, APIs: 1, Instructions: 98
fileCOMMON

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre