Edit tour

Windows Analysis Report
SAMPLE_5.exe.bin.exe

Overview

General Information

Sample name:	SAMPLE_5.exe.bin.exe
Analysis ID:	1589201
MD5:	9257746613b453f9e58797bcdf604bf3
SHA1:	7105aa28f9d501b5ce04dbde25c9a98907ee6761
SHA256:	acaaf2f5f88f9d877d5a35f384bc8cb962561366007613aa3f91304ddbf77354
Tags:	diablonetexeuser-notscamguru
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Queries the volume information (name, serial number etc) of a device

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SAMPLE_5.exe.bin.exe (PID: 5500 cmdline: "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe" MD5: 9257746613B453F9E58797BCDF604BF3)

javaw.exe (PID: 7192 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

icacls.exe (PID: 7552 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SAMPLE_5.exe.bin.exe	ReversingLabs: Detection: 75%
Source: SAMPLE_5.exe.bin.exe	Virustotal: Detection: 52%			Perma Link

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

1_2_02CDF818

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: s3.timeweb.cloud

Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000001.00000002.1337741540.000000000A3FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000001.00000002.1337741540.000000000A3FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000001.00000002.1337741540.000000000A369000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A3FF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificat
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000001.00000002.1337741540.000000000A51A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A409000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A409000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000001.00000002.1337741540.000000000A369000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A409000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000001.00000002.1337741540.000000000A51A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1339127798.00000000154A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000001.00000002.1339127798.00000000154A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/B
Source: javaw.exe, 00000001.00000002.1337741540.000000000A3FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000001.00000002.1337741540.000000000A369000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1339444828.00000000158F5000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/;
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/k
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm#
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu#
Source: javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: javaw.exe, 00000001.00000002.1337098125.0000000005082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.timeweb.cloud
Source: javaw.exe, 00000001.00000002.1337741540.000000000A424000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.0000000005082000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://s3.timeweb.cloud/dfd5ba43-9bd2500b-6a85-46a4-9e9c-1edaaf0ff6b9/latest.jar

Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Code function: 0_2_004B8FD0

0_2_004B8FD0

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Code function: String function: 004BB758 appears 40 times

Source: classification engine

Classification label: mal48.winEXE@6/3@1/1

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Code function: 0_2_004B1F36 GetLastError,fprintf,FormatMessageA,fprintf,strcat,strcat,LocalFree,fprintf,ShellExecuteA,

0_2_004B1F36

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Code function: 0_2_004B206E fprintf,FindResourceExA,LoadResource,LockResource,fprintf,SetLastError,fputs,

0_2_004B206E

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7572:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SAMPLE_5.exe.bin.exe	ReversingLabs: Detection: 75%
Source: SAMPLE_5.exe.bin.exe	Virustotal: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B1803 push edi; mov dword ptr [esp], ebx	0_2_004B1842
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B1803 push eax; mov dword ptr [esp], 00000000h	0_2_004B1A6A
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B1803 push ebx; mov dword ptr [esp], eax	0_2_004B1AEB
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B1803 push esi; mov dword ptr [esp], ebx	0_2_004B1BC8
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004BE827 push esi; ret	0_2_004BE83A
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004BF96A push ebx; ret	0_2_004BF96B
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B15D0 push eax; mov dword ptr [esp], 00000000h	0_2_004B16BB
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004BDB23 push es; iretd	0_2_004BDC34
Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Code function: 0_2_004B1F36 push ecx; mov dword ptr [esp], 004C9168h	0_2_004B1FF7
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CD8EBB push es; retn 0001h	1_2_02CD8FBF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDC24A push eax; ret	1_2_02CDC24D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDC246 push eax; ret	1_2_02CDC249
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDC9C8 pushad ; retf	1_2_02CDC9D5
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDC9D7 pushad ; retf	1_2_02CDC9DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDC1EC push eax; ret	1_2_02CDC245
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CE11F2 push esp; ret	1_2_02CE11F9
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02CDE548 push es; retn 0024h	1_2_02CDE54B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3D8F7 push 00000000h; mov dword ptr [esp], esp	1_2_02C3D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3A20A push ecx; ret	1_2_02C3A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3A21B push ecx; ret	1_2_02C3A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3B3B7 push 00000000h; mov dword ptr [esp], esp	1_2_02C3B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3BB67 push 00000000h; mov dword ptr [esp], esp	1_2_02C3BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3D8E0 push 00000000h; mov dword ptr [esp], esp	1_2_02C3D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3B947 push 00000000h; mov dword ptr [esp], esp	1_2_02C3B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 1_2_02C3C477 push 00000000h; mov dword ptr [esp], esp	1_2_02C3C49D

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: javaw.exe, 00000001.00000003.1306657494.0000000015261000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000003.1306657494.0000000015261000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.1336306752.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000001.00000003.1306657494.0000000015261000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.1336306752.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000003.1306657494.0000000015261000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000001.00000002.1336306752.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe

Code function: 0_2_004B1180 SetUnhandledExceptionFilter,GetCommandLineA,_iob,_setmode,_setmode,_setmode,__p__fmode,__p__environ,_cexit,ExitProcess,__getmainargs,

0_2_004B1180

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Code function: 1_2_02C303C0 cpuid

1_2_02C303C0

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7192 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Disable or Modify Tools	LSASS Memory	22 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SAMPLE_5.exe.bin.exe	75%	ReversingLabs	Win32.Trojan.Generic
SAMPLE_5.exe.bin.exe	53%	Virustotal		Browse

Source	Detection	Scanner	Label
https://repository.luxtrust.lu#	0%	Avira URL Cloud	safe
http://null.oracle.com/B	0%	Avira URL Cloud	safe
http://repository.swisssign.com/k	0%	Avira URL Cloud	safe
http://repository.swisssign.com/;	0%	Avira URL Cloud	safe
http://www.quovadis.bm#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
s3.timeweb.cloud	217.78.234.243	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://bugreport.sun.com/bugreport/	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.timeweb.cloud	javaw.exe, 00000001.00000002.1337098125.0000000005082000.00000004.00000800.00020000.00000000.sdmp	false		high
http://java.oracle.com/	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A39A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	javaw.exe, 00000001.00000002.1337741540.000000000A51A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1339127798.00000000154A8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
HTTP://WWW.CHAMBERSIGN.ORG	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu#	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/;	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm#	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	javaw.exe, 00000001.00000002.1337741540.000000000A51A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/B	javaw.exe, 00000001.00000002.1339127798.00000000154A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s3.timeweb.cloud/dfd5ba43-9bd2500b-6a85-46a4-9e9c-1edaaf0ff6b9/latest.jar	javaw.exe, 00000001.00000002.1337741540.000000000A424000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.0000000005082000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/k	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	javaw.exe, 00000001.00000002.1337098125.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	javaw.exe, 00000001.00000002.1337098125.00000000052AB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1339444828.00000000158F5000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.1337741540.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
217.78.234.243	s3.timeweb.cloud	Russian Federation		197349	SKYLINEWIMAXRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589201
Start date and time:	2025-01-11 16:25:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SAMPLE_5.exe.bin.exe
Detection:	MAL
Classification:	mal48.winEXE@6/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 90% Number of executed functions: 39 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net
Execution Graph export aborted for target javaw.exe, PID 7192 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
217.78.234.243	https://zapp-p.com/qouta/#test@test.com	Get hash	malicious	Unknown	Browse
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	drW0xB3OBb.dll	Get hash	malicious	Unknown	Browse	13.107.246.45
	FEdTp2g4xD.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	305861283730376077.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	1274320496157183071.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	944924352317221058.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	kzQ25HVUbf.exe	Get hash	malicious	Lokibot	Browse	13.107.246.45
	huuG7N3jOv.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	4287eV6mBc.exe	Get hash	malicious	AgentTesla	Browse	13.107.246.45
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
s3.timeweb.cloud	SAMPLE_1.exe.bin.exe	Get hash	malicious	STRRAT	Browse	217.78.234.244
	https://s3.timeweb.cloud/8df544ea-67s89du678we90alkfdxzmndeoiewzxcfd/unlimitedscalabilitypossibilities%20/staff-payroll-review.html#sbarnes@clc.org.au	Get hash	malicious	Unknown	Browse	217.78.234.244
	https://zapp-p.com/qouta/#test@test.com	Get hash	malicious	Unknown	Browse	217.78.234.243
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYLINEWIMAXRU	SAMPLE_1.exe.bin.exe	Get hash	malicious	STRRAT	Browse	217.78.234.244
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	91.105.196.145
	https://s3.timeweb.cloud/8df544ea-67s89du678we90alkfdxzmndeoiewzxcfd/unlimitedscalabilitypossibilities%20/staff-payroll-review.html#sbarnes@clc.org.au	Get hash	malicious	Unknown	Browse	217.78.234.244
	https://zapp-p.com/qouta/#test@test.com	Get hash	malicious	Unknown	Browse	217.78.234.243
	https://tas-pe.com/ahowe@europait.net#ahowe@europait.net	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	https://s3.timeweb.cloud/d2247a8d-ceb09c71-57ee-4411-a590-e4de8ca5cf86/Contract/contract.htm#andrew.wise@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	217.78.234.243
	http://storage.googleapis.com/dfg153erh35ef1gdr/dfgremjflmgr.html#file.html?cbbbbcccXBYFczBrVcdc9kc8cJhS7ckzFcbbbbc	Get hash	malicious	Unknown	Browse	217.78.233.205
	http://decreesling.com	Get hash	malicious	Unknown	Browse	217.78.233.53
	fps-booster.exe	Get hash	malicious	StormKitty	Browse	217.78.239.114
	gO6RAJaFXe.elf	Get hash	malicious	Mirai	Browse	91.105.196.153

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.7652629780816556
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USqv:oJ5bqv
MD5:	C4F25E2F0AED63D02A14C1CA6E509A1C
SHA1:	39C64A0BBC08770C7C80B124B2F2339740220DE8
SHA-256:	361E599E1C12BE96A67C017DF99199B94B44170E0F84570A47099F4612AD72FA
SHA-512:	FD722D24B91F372C1F9A38869C95F0CC18C502C4C772E363E3D3AE81CFD1E746168D4563C8B31A1C5CFA7198485F9F39C455D7415A14B4D2FDCBDED5D9AC69B3
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre-1.8..1736609168836..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7192

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2856878153717106
Encrypted:	false
SSDEEP:	96:f/rrrd8GegqLZq5FuX6ohwOg4p/v2k3SCLHG1bowUt:f/Z8Geg4ZyFuX6H4ATuHGd
MD5:	722B89CFE25271A816F932B268B5B437
SHA1:	68ED6155919EF3648E71CCB245F4FD2CFF94CBC0
SHA-256:	8FEAB07D09C2DE3921E70E366FB77C797C9CDDA97A7B6D8940356682050BDC43
SHA-512:	8D9D7F18FDB01BF89C192BFF400790A8952F9CBA0D6251370FE6451915028714D9B441BC8FC5A8F99DAB2EEC1E4C6EFDA1101E209A4E1CA5F165BD529816CA2C
Malicious:	false
Reputation:	low
Preview:	.........9......+.9..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................J2SE.

Static File Info

General

File type:
Entropy (8bit):	6.384286201146826
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SAMPLE_5.exe.bin.exe
File size:	69'878 bytes
MD5:	9257746613b453f9e58797bcdf604bf3
SHA1:	7105aa28f9d501b5ce04dbde25c9a98907ee6761
SHA256:	acaaf2f5f88f9d877d5a35f384bc8cb962561366007613aa3f91304ddbf77354
SHA512:	f14fc77098bbf08e9e455a90f631e3e464f842bdf35ad6f60ef9980ff0be85da28e2a564c9f6cc7557f3f6b77dc1ee69939a8f6ef3429b1d3f2a2070d5dd108a
SSDEEP:	1536:Hr3rob4nqB6veqHnq+Pgm5NN9vbDTc+1vIQ/E0xEHc:L7PEg3qcv5PvB/EnHc
TLSH:	E2636D0AF607A0F6EF37513545CFE67F8638A612C421DD6AFF0E6B5AF9235426818213
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'..g...............".....R....................@.................................=G....@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 16:26:11.174632072 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:11.174669027 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:11.174742937 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:11.281903982 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:11.281939983 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:11.982682943 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:11.982759953 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:12.002583981 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:12.002604961 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:12.079730034 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:12.079742908 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:12.080001116 CET	49726	443	192.168.2.10	217.78.234.243
Jan 11, 2025 16:26:12.080045938 CET	443	49726	217.78.234.243	192.168.2.10
Jan 11, 2025 16:26:12.080107927 CET	49726	443	192.168.2.10	217.78.234.243

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 16:26:11.164783001 CET	56369	53	192.168.2.10	1.1.1.1
Jan 11, 2025 16:26:11.171895027 CET	53	56369	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 16:26:11.164783001 CET	192.168.2.10	1.1.1.1	0xc4eb	Standard query (0)	s3.timeweb.cloud	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 16:26:05.483741999 CET	1.1.1.1	192.168.2.10	0x16bf	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 16:26:05.483741999 CET	1.1.1.1	192.168.2.10	0x16bf	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 11, 2025 16:26:11.171895027 CET	1.1.1.1	192.168.2.10	0xc4eb	No error (0)	s3.timeweb.cloud		217.78.234.243	A (IP address)	IN (0x0001)	false
Jan 11, 2025 16:26:11.171895027 CET	1.1.1.1	192.168.2.10	0xc4eb	No error (0)	s3.timeweb.cloud		217.78.234.244	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	10:26:08
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"
Imagebase:	0x4b0000
File size:	69'878 bytes
MD5 hash:	9257746613B453F9E58797BCDF604BF3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:26:08
Start date:	11/01/2025
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"
Imagebase:	0x3f0000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:26:08
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0xa60000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:26:08
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.2%
Total number of Nodes:	1371
Total number of Limit Nodes:	40

Executed Functions

Function 004B1180 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 004B11B5
GetCommandLineA.KERNEL32 ref: 004B11D4

Strings

", xrefs: 004B14E0
OK, xrefs: 004B1189

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled
String ID: "$OK
API String ID: 3189701131-3985578168
Opcode ID: a47ec0c93a8f58f0517f5f6b2eacf7f667387b1ad1b148506963a9ef6d15f978
Instruction ID: 04f04734af0cbb6200f13a640ca917f791f611e2ee0452db7db881ed83922399
Opcode Fuzzy Hash: a47ec0c93a8f58f0517f5f6b2eacf7f667387b1ad1b148506963a9ef6d15f978
Instruction Fuzzy Hash: 9991CF70E08304CFDB24DF79D8947DEBBE1AB99318F49852AD844D7361E37C98418B6A

Function 004B1803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShowWindow.USER32 ref: 004B183B
SetForegroundWindow.USER32(00000000), ref: 004B1845

Part of subcall function 004B1D21: fclose.MSVCRT ref: 004B1D33

strstr.MSVCRT ref: 004B187E
strstr.MSVCRT ref: 004B18C7
CreateWindowExA.USER32 ref: 004B1945
atoi.MSVCRT ref: 004B1985
strstr.MSVCRT ref: 004B19CD
LoadImageA.USER32 ref: 004B1A1B

Strings

@, xrefs: 004B19EB
STATIC, xrefs: 004B1936
--l4j-dont-wait, xrefs: 004B18BC
Exit code:%d, restarting the application!, xrefs: 004B1BF3
d, xrefs: 004B1B16
--l4j-no-splash, xrefs: 004B1873
Exit code:0, xrefs: 004B1B7B
Exit code:%d, xrefs: 004B1C2D
--l4j-no-splash-err, xrefs: 004B19C2

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Windowstrstr$CreateForegroundImageLoadShowatoifclose
String ID: --l4j-dont-wait$--l4j-no-splash$--l4j-no-splash-err$@$Exit code:%d$Exit code:%d, restarting the application!$Exit code:0$STATIC$d
API String ID: 326098631-3010709316
Opcode ID: bb50326811ba3d1e273142be6419f1ac37e2b8b636d1cf87d794e94f936fd581
Instruction ID: efa6f94cf001294ed7e640645aa56e62fca939c4a5d5cb77d5fbeae9a2649865
Opcode Fuzzy Hash: bb50326811ba3d1e273142be6419f1ac37e2b8b636d1cf87d794e94f936fd581
Instruction Fuzzy Hash: 3AB15DB0508305DFE700AF66D99579FBBE4EB84308F41882EE48487261D7BD9944DFAA

Function 004B449F Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004B44CE
fputs.MSVCRT ref: 004B4512
fprintf.MSVCRT ref: 004B457B
strtok.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4591
strrchr.MSVCRT ref: 004B45B6
strrchr.MSVCRT ref: 004B45C8
_stricmp.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B45E2
_stricmp.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4608
strncpy.MSVCRT ref: 004B4624
strcpy.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4632
strcpy.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4669
strncpy.MSVCRT ref: 004B4685
strcpy.MSVCRT ref: 004B46F2
strtok.MSVCRT(00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B470D

Strings

:, xrefs: 004B4655
", xrefs: 004B4637
JRE:Cannot use 64-bit runtime on 32-bit OS., xrefs: 004B450B
JRE paths:%s, xrefs: 004B4570
/bin, xrefs: 004B45FD
C:\Program Files (x86)\Java\jre-1.8, xrefs: 004B46DD
\bin, xrefs: 004B45D7
pathJreSearch(), xrefs: 004B44C7

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcpy$_stricmpfputsstrncpystrrchrstrtok$fprintf
String ID: "$/bin$:$C:\Program Files (x86)\Java\jre-1.8$JRE paths:%s$JRE:Cannot use 64-bit runtime on 32-bit OS.$\bin$pathJreSearch()
API String ID: 851780383-1987966701
Opcode ID: 7aa31a3a92d95a2af09b93d4be87ec9d65f3349bfa3e548c18c7ea5fc6aaa049
Instruction ID: 9374b3d422e50824c0b20226db93dc54babd0515794800cc79579aa959234275
Opcode Fuzzy Hash: 7aa31a3a92d95a2af09b93d4be87ec9d65f3349bfa3e548c18c7ea5fc6aaa049
Instruction Fuzzy Hash: 2E612EB0909704AFDB50AF65D5446DABBE0AF84748F01C86FE4C887301DBBC9945DB6A

Function 004B5880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 004B5894
memcpy.MSVCRT ref: 004B58B8

Part of subcall function 004B5F50: setlocale.MSVCRT ref: 004B5F6B
Part of subcall function 004B5F50: _strdup.MSVCRT ref: 004B5F79
Part of subcall function 004B5F50: setlocale.MSVCRT ref: 004B5F8F
Part of subcall function 004B5F50: wcstombs.MSVCRT ref: 004B5FB4
Part of subcall function 004B5F50: realloc.MSVCRT ref: 004B5FC8
Part of subcall function 004B5F50: wcstombs.MSVCRT ref: 004B5FE1
Part of subcall function 004B5F50: setlocale.MSVCRT ref: 004B5FF1
Part of subcall function 004B5F50: free.MSVCRT ref: 004B5FF9

Part of subcall function 004B54D0: malloc.MSVCRT ref: 004B54ED

strlen.MSVCRT ref: 004B5944
_strdup.MSVCRT ref: 004B598C

Strings

\, xrefs: 004B5E43

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: setlocale$_strdupstrlenwcstombs$freemallocmemcpyrealloc
String ID: \
API String ID: 1024038994-2967466578
Opcode ID: 635461fa9cb70f27255b1a02c0e126d6185405f16f3458d9672664c2f9204f4a
Instruction ID: d4fff53e13fb685c496ce6507869baf3351be9ce1d8fdd2e151e6293defe9723
Opcode Fuzzy Hash: 635461fa9cb70f27255b1a02c0e126d6185405f16f3458d9672664c2f9204f4a
Instruction Fuzzy Hash: 4A027D71A04B588FCB14DFA9D4857EEFBF1AF49304F18852ED885AB341E7389841CB69

Function 004B5F50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setlocale.MSVCRT ref: 004B5F6B
_strdup.MSVCRT ref: 004B5F79
setlocale.MSVCRT ref: 004B5F8F
wcstombs.MSVCRT ref: 004B5FB4
realloc.MSVCRT ref: 004B5FC8
wcstombs.MSVCRT ref: 004B5FE1
setlocale.MSVCRT ref: 004B5FF1
free.MSVCRT ref: 004B5FF9

Strings

/, xrefs: 004B630C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: setlocale$wcstombs$_strdupfreerealloc
String ID: /
API String ID: 2293806352-2043925204
Opcode ID: bd78d9fd7b7b4ebe79aad9702dee96c1f27c38f1306bc01305ff032ab7447d1f
Instruction ID: a249ed98255d9e5f81dac8e0820fdd7acc11b4ef8fb23df0ca5cf6cbdf253902
Opcode Fuzzy Hash: bd78d9fd7b7b4ebe79aad9702dee96c1f27c38f1306bc01305ff032ab7447d1f
Instruction Fuzzy Hash: A2B14771904219CACB24EFA9C4456EEB7F1FF58304F46846FE485A7351E37C9C818BAA

Function 004B4890 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004B1C58: GetModuleHandleA.KERNEL32 ref: 004B1C6D
Part of subcall function 004B1C58: strcpy.MSVCRT ref: 004B1C8B

fprintf.MSVCRT ref: 004B4920
fprintf.MSVCRT ref: 004B498C

Strings

JNI:%s, xrefs: 004B490E
Yes, xrefs: 004B4904
-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe", xrefs: 004B4A04, 004B4A37, 004B4A84, 004B4AA6
Args length:%d/32768 chars, xrefs: 004B4AB2
Startup error message not defined., xrefs: 004B4979
Error:%s, xrefs: 004B4981
Launcher:%s, xrefs: 004B4A6B
Launcher args:%s, xrefs: 004B4A8C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$HandleModulestrcpy
String ID: -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"$Args length:%d/32768 chars$Error:%s$JNI:%s$Launcher args:%s$Launcher:%s$Startup error message not defined.$Yes
API String ID: 3713479259-2217183246
Opcode ID: b44727b6f0b5367cd99728045f3d0550404f996490ecdcb20d9ae4a21aba9fa8
Instruction ID: ae2ec3c149d1a69571df5a76c4e8cf02a7d3c56069ad1d8582bd62bffd8badd4
Opcode Fuzzy Hash: b44727b6f0b5367cd99728045f3d0550404f996490ecdcb20d9ae4a21aba9fa8
Instruction Fuzzy Hash: 5F515DB49087009AD750BF36C5856AEBAE4EF84744F11C82FE48887342DBBDC945CB6A

Function 004B3E88 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fprintf.MSVCRT ref: 004B3ECC
RegOpenKeyExA.ADVAPI32 ref: 004B3EFC
RegEnumKeyExA.ADVAPI32 ref: 004B3F83
strcpy.MSVCRT ref: 004B3FA3
fprintf.MSVCRT ref: 004B3FCC
strcpy.MSVCRT ref: 004B401D
fprintf.MSVCRT ref: 004B4042
fprintf.MSVCRT ref: 004B4067
RegCloseKey.ADVAPI32 ref: 004B408A

Strings

%s-bit search:%s..., xrefs: 004B3EC1
Check:%s, xrefs: 004B3FC1
Match:%s, xrefs: 004B4037
Ignore:%s, xrefs: 004B405C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$strcpy$CloseEnumOpen
String ID: %s-bit search:%s...$Check:%s$Ignore:%s$Match:%s
API String ID: 3338988320-103288940
Opcode ID: 960e523f689437cada4d7ae4aa69871949e53db0fa435e1935412167641aea6e
Instruction ID: 8d11746ae01428443a792ea50d80efabc13af8ed582d6ad36b8fc9e1e79baeb2
Opcode Fuzzy Hash: 960e523f689437cada4d7ae4aa69871949e53db0fa435e1935412167641aea6e
Instruction Fuzzy Hash: 5D51F8B09043159BCB10EF26C58569EBBF4EF88304F40C8AEE98897311D7789A85CF96

Function 004B40F7 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 61
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004B411A
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,004B487D,?,?,00000000,?), ref: 004B41CE
fprintf.MSVCRT ref: 004B4208

Strings

findRegistryJavaHome(), xrefs: 004B4113
SOFTWARE\JavaSoft\Java Development Kit, xrefs: 004B4134
SOFTWARE\JavaSoft\JDK, xrefs: 004B4155
SOFTWARE\IBM\Java Development Kit, xrefs: 004B417F, 004B41A9
SOFTWARE\JavaSoft\JRE, xrefs: 004B4149
SOFTWARE\IBM\Java Runtime Environment, xrefs: 004B4173
SOFTWARE\IBM\Java2 Runtime Environment, xrefs: 004B419D
SOFTWARE\JavaSoft\Java Runtime Environment, xrefs: 004B4128
C:\Program Files (x86)\Java\jre-1.8, xrefs: 004B41C3
Runtime used:%s (%s-bit), xrefs: 004B41FD

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintffputsstrcpy
String ID: C:\Program Files (x86)\Java\jre-1.8$Runtime used:%s (%s-bit)$SOFTWARE\IBM\Java Development Kit$SOFTWARE\IBM\Java Runtime Environment$SOFTWARE\IBM\Java2 Runtime Environment$SOFTWARE\JavaSoft\JDK$SOFTWARE\JavaSoft\JRE$SOFTWARE\JavaSoft\Java Development Kit$SOFTWARE\JavaSoft\Java Runtime Environment$findRegistryJavaHome()
API String ID: 1909795467-2117825052
Opcode ID: dfc89a2b05e76453d8002cb543121d5f255aa14783f2fb7ef3b6a6d307a95b1f
Instruction ID: ba4dc8aa210425d6ea627cd94068284ae1487a8ce234e741a2a9c5ba4150568a
Opcode Fuzzy Hash: dfc89a2b05e76453d8002cb543121d5f255aa14783f2fb7ef3b6a6d307a95b1f
Instruction Fuzzy Hash: 6221FA709193049EDB607FA9D4097A977E0ABA0308F42886FA5C486352DBBD48C4DF7F

Function 004B2657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 004B269E
_stat64.MSVCRT ref: 004B26B8
fprintf.MSVCRT ref: 004B27C0
SetLastError.KERNEL32 ref: 004B27D0
strcpy.MSVCRT ref: 004B27FA
_stat64.MSVCRT ref: 004B281C
fprintf.MSVCRT ref: 004B2924

Strings

Check launcher:%s %s, xrefs: 004B27B5
Check javac:%s %s, xrefs: 004B2919
(OK), xrefs: 004B279E, 004B2902
bin\javac.exe, xrefs: 004B27FF
(not found), xrefs: 004B27A5, 004B2909

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _stat64fprintfstrcpy$ErrorLast
String ID: (OK)$(not found)$Check javac:%s %s$Check launcher:%s %s$bin\javac.exe
API String ID: 2531230949-2473518738
Opcode ID: 7d2ab7dc854d05a56c3cadefadbe17e17e20d166762a30b7122a5b7821ee3bac
Instruction ID: 68831be82f4d73e89c5529a8e3470a7a2014cf620ad26900854e041df1fd93b8
Opcode Fuzzy Hash: 7d2ab7dc854d05a56c3cadefadbe17e17e20d166762a30b7122a5b7821ee3bac
Instruction Fuzzy Hash: 648115749056288BCB60DF25C9886DAB7F1FF98310F1086EAD84CA3350EB749E85DF59

Function 004B4726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

fputs.MSVCRT ref: 004B474A
fprintf.MSVCRT ref: 004B4788
fprintf.MSVCRT ref: 004B47C6
fprintf.MSVCRT ref: 004B480F
fprintf.MSVCRT ref: 004B4858

Strings

Yes, xrefs: 004B476C, 004B47AA
Java min ver:%s, xrefs: 004B4804
Java max ver:%s, xrefs: 004B484D
jreSearch(), xrefs: 004B4743
Requires JDK:%s, xrefs: 004B477D
Requires 64-Bit: %s, xrefs: 004B47BB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$fputs
String ID: Java max ver:%s$Java min ver:%s$Requires 64-Bit: %s$Requires JDK:%s$Yes$jreSearch()
API String ID: 1801251168-2968954267
Opcode ID: 002db1b10a1996eda5c5509486eacfda8b6d1d9079dabc467919dc8396687547
Instruction ID: 0c1fcb70337548153d1bc9b0ab09194286f3681452ae1a29d7b84a64b22e8a6d
Opcode Fuzzy Hash: 002db1b10a1996eda5c5509486eacfda8b6d1d9079dabc467919dc8396687547
Instruction Fuzzy Hash: 81310FB46053009BDB44BF69D5456AE7AE4EB84708F01C82FE48887342EB7CC840DB7E

Function 004B2E9D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

strcat.MSVCRT ref: 004B2ED1
strncpy.MSVCRT ref: 004B2F02
strcat.MSVCRT ref: 004B2F12
_open.MSVCRT ref: 004B2F22
fprintf.MSVCRT ref: 004B2F4C
_read.MSVCRT ref: 004B2F82
strcat.MSVCRT ref: 004B2FE3
_close.MSVCRT ref: 004B2FF1

Strings

Loading:%s, xrefs: 004B2F41
l4j.ini, xrefs: 004B2F07

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Resourcefprintfstrcat$FindLoadLock_close_open_readstrncpy
String ID: Loading:%s$l4j.ini
API String ID: 1951458220-28774081
Opcode ID: ff23a8f85a0f9f8221ffce791e463de03fb1707bae0f0fee973aa21eff84fb30
Instruction ID: cd0438025359b1cb3888dcb6ece0a6a77e5fdebaa93d86e431e4c9033e8b58d3
Opcode Fuzzy Hash: ff23a8f85a0f9f8221ffce791e463de03fb1707bae0f0fee973aa21eff84fb30
Instruction Fuzzy Hash: B94183709043049BD710AF79C5843EEBBE0EB85354F14896FE9889B381D7BCD8819BA6

Function 004B63F0 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fullpath.MSVCRT ref: 004B6427
malloc.MSVCRT ref: 004B6479
memcpy.MSVCRT ref: 004B649C
_findfirst.MSVCRT ref: 004B64AF
strncpy.MSVCRT ref: 004B651C
_errno.MSVCRT ref: 004B65F1
_errno.MSVCRT ref: 004B6622

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _errno$_findfirst_fullpathmallocmemcpystrncpy
String ID:
API String ID: 114964343-0
Opcode ID: 617703f76fd749dff74b2c6018ee418b6078d3074324700df7586d43ea141d78
Instruction ID: b1017c8aa6733b5b899a3452e2adaaf93ae4f0fb08f7c17e9c303c607d40a39c
Opcode Fuzzy Hash: 617703f76fd749dff74b2c6018ee418b6078d3074324700df7586d43ea141d78
Instruction Fuzzy Hash: 8E517DB01047058FD720DF29C8853DAB7E1EF89304F498A6EE4D9C7255E77CA485CB66

Function 004B3A11 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77
stringprocesssynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strcpy.MSVCRT ref: 004B3A69
strcat.MSVCRT ref: 004B3A79
strcat.MSVCRT ref: 004B3A89
strcat.MSVCRT ref: 004B3A99
CreateProcessA.KERNEL32 ref: 004B3AE6
WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,00000000,?,004B1B58), ref: 004B3B08
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004B3B1B

Part of subcall function 004B39ED: CloseHandle.KERNEL32 ref: 004B39FB
Part of subcall function 004B39ED: CloseHandle.KERNEL32(00000000), ref: 004B3A09

Strings

-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe", xrefs: 004B3A8E
D, xrefs: 004B3A48

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$CloseHandleProcess$CodeCreateExitObjectSingleWaitstrcpy
String ID: -jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"$D
API String ID: 3105771607-2527456581
Opcode ID: fc993daaacd0f92b341ee5a08f9cc55f4793fbe8df66cc21e02ae1c350badb7c
Instruction ID: d8fe2ae6f1b52e1f6a0561df22b5913a813d9f165e9f13506de1bb65b6fd2438
Opcode Fuzzy Hash: fc993daaacd0f92b341ee5a08f9cc55f4793fbe8df66cc21e02ae1c350badb7c
Instruction Fuzzy Hash: 7F3134B0409314DFD750AF19C48479EBBE4FB84318F40891EE48857351CBB99949DFA6

Function 004B6640 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.MSVCRT ref: 004B666F
_findnext.MSVCRT ref: 004B6687
strncpy.MSVCRT ref: 004B66E2
strlen.MSVCRT ref: 004B66EE
GetLastError.KERNEL32 ref: 004B675F
_errno.MSVCRT ref: 004B676B
_errno.MSVCRT ref: 004B678D

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _errno$ErrorLast_findnextstrlenstrncpy
String ID:
API String ID: 2306919634-0
Opcode ID: 91a493b97e1567579b3ad9968e914a421ba7be3c6a2e9bf5d9fabaac9b9aaaf8
Instruction ID: db4ebd29ea2aebf4d2dd8cf865ed50d30b89ac7f8e37cfe9ab019fc4f089a3cd
Opcode Fuzzy Hash: 91a493b97e1567579b3ad9968e914a421ba7be3c6a2e9bf5d9fabaac9b9aaaf8
Instruction Fuzzy Hash: 9C415D755042018FCB10DF68C4C569ABBE1EF85318F1686AEEC488F346DB78D945CBA6

Function 004B12B9 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_setmode.MSVCRT ref: 004B13AB
_setmode.MSVCRT ref: 004B13BF
_setmode.MSVCRT ref: 004B13D3
__p__fmode.MSVCRT ref: 004B13D8
__p__environ.MSVCRT ref: 004B13F2
_cexit.MSVCRT ref: 004B1415
ExitProcess.KERNEL32 ref: 004B141D
__getmainargs.MSVCRT ref: 004B153C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _setmode$ExitProcess__getmainargs__p__environ__p__fmode_cexit
String ID:
API String ID: 2438820944-0
Opcode ID: cac63f0a5df829a0a52e2c47758baff1de0ca947977b6838221345e7a9b778fe
Instruction ID: 1076dd75e80a62626fb184eed2a71e1a7f3db391161e203f30aaf8100f627f90
Opcode Fuzzy Hash: cac63f0a5df829a0a52e2c47758baff1de0ca947977b6838221345e7a9b778fe
Instruction Fuzzy Hash: E6415E74E04304CFDB50DF79D890B9EBBE1BF99318F46856AE884D7321E73898418B69

Function 004B293E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 004B2992
RegQueryValueExA.ADVAPI32 ref: 004B29F2
RegCloseKey.ADVAPI32 ref: 004B2A1C
strcpy.MSVCRT(00000000), ref: 004B2A31

Strings

JavaHome, xrefs: 004B29DD
C:\Program Files (x86)\Java\jre-1.8, xrefs: 004B2A2A

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CloseOpenQueryValuestrcpy
String ID: C:\Program Files (x86)\Java\jre-1.8$JavaHome
API String ID: 1410419071-2792304130
Opcode ID: 2561926f3066c133b3cf8180a97385755e437d538a7ccf61b84f78a4e962b0a6
Instruction ID: a378e10dd6f79e14ccf3a38bac6ddba378920671cb6820c7d04b7c826518be07
Opcode Fuzzy Hash: 2561926f3066c133b3cf8180a97385755e437d538a7ccf61b84f78a4e962b0a6
Instruction Fuzzy Hash: D72175709053599FDB20DF69D9847DAFBF4EB48304F00846ED98893300D7B499498F96

Function 004B2E1F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 004B2E36

Part of subcall function 004B2CCE: fprintf.MSVCRT ref: 004B2D81
Part of subcall function 004B2CCE: fprintf.MSVCRT ref: 004B2DC3
Part of subcall function 004B2CCE: strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,004B2E6A), ref: 004B2DD5
Part of subcall function 004B2CCE: _itoa.MSVCRT ref: 004B2DFC

Strings

-Xms, xrefs: 004B2E4D
@, xrefs: 004B2E2F
-Xmx, xrefs: 004B2E73

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$GlobalMemoryStatus_itoastrcat
String ID: -Xms$-Xmx$@
API String ID: 1064291243-2676391021
Opcode ID: c13f8e56175e4410722a46dcaa77d93eb6ea2fc610d9efb0a9eaf608fbee8975
Instruction ID: 6effd6fc5b69954c93d3030362d2b8c82546550e04dc531f5764c822179b2975
Opcode Fuzzy Hash: c13f8e56175e4410722a46dcaa77d93eb6ea2fc610d9efb0a9eaf608fbee8975
Instruction Fuzzy Hash: 830184B0909309AFDB00EF55D18568EBBF4AF88318F50881DE588A7341D3B899499FA6

Function 004B5E70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B54D0: malloc.MSVCRT ref: 004B54ED

strlen.MSVCRT ref: 004B5EC1
_strdup.MSVCRT ref: 004B5F0B

Strings

glob-1.0-mingw32, xrefs: 004B5E7F, 004B5E8E

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _strdupmallocstrlen
String ID: glob-1.0-mingw32
API String ID: 3776109042-3253302226
Opcode ID: 58e2cc77ebc2e73923943afd9d1152f4352bc92e973db9bd860687428f855a7a
Instruction ID: 0768df3bab0c210ec5c04a90d823b9e75c45c267334c24d15bd7dfa956608430
Opcode Fuzzy Hash: 58e2cc77ebc2e73923943afd9d1152f4352bc92e973db9bd860687428f855a7a
Instruction Fuzzy Hash: 3A113BB2A046084BCF10AF29D8413EEFB61EE50314F58459FEC9487342E339DA15C7B5

Function 004BBA30 Relevance: 4.6, APIs: 3, Instructions: 80COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 004BBA48
GetStartupInfoA.KERNEL32 ref: 004BBA55
GetModuleHandleA.KERNEL32 ref: 004BBABB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CommandHandleInfoLineModuleStartup
String ID:
API String ID: 1628297973-0
Opcode ID: 24ab8eb71bb645cf36de499fa8a534a93647ab79a2c1463b5c0ad30472aac9a0
Instruction ID: f4d57047dae7c3f23cbe7b643959c17080e408f7b018e9c35d5a3b1b5c23f767
Opcode Fuzzy Hash: 24ab8eb71bb645cf36de499fa8a534a93647ab79a2c1463b5c0ad30472aac9a0
Instruction Fuzzy Hash: BE21FBB2C4431849DF3066A984853F67BA5DB2A304F84005BDCD146245E3ED6947D6FF

Function 004B67A0 Relevance: 4.5, APIs: 3, Instructions: 23COMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 004B67B6
free.MSVCRT ref: 004B67C4
_errno.MSVCRT ref: 004B67D1

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _errno_findclosefree
String ID:
API String ID: 531968878-0
Opcode ID: c384672c9782469b7d01815495fe31bd96caf040fa83a3d94504463f27ecc95e
Instruction ID: 02eda7f8ac2ce1f5e2465d55e6faee2409fe12c9192e03e83055d95e5a418561
Opcode Fuzzy Hash: c384672c9782469b7d01815495fe31bd96caf040fa83a3d94504463f27ecc95e
Instruction Fuzzy Hash: 74E04FB56043584FCB107E29988169676D4AB44368F160ABFED848B382EF7C880097B6

Function 004B4214 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

fputs.MSVCRT ref: 004B4237

Strings

registryJreSearch(), xrefs: 004B4230

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fputs
String ID: registryJreSearch()
API String ID: 1795875747-1180825924
Opcode ID: 6aa600b41215d0b2c11a396902e6993a8634f0f3e439ee670578056b4cae92ba
Instruction ID: 1cec9d46727728e83784888e596fcf894483679f2e85283147b35e9ed10ba85f
Opcode Fuzzy Hash: 6aa600b41215d0b2c11a396902e6993a8634f0f3e439ee670578056b4cae92ba
Instruction Fuzzy Hash: FFE04F60504341CED3447BBA9805BA676E45784344F4584AFA4C4C23A2EBBCD881DB7E

Function 004BBAE9 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 004BBABB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: c8171771f55805592ee4753954c1db0c6697d052e603e55c123443acfda92c2c
Instruction ID: 5fe5a0c14c91497f6eb5dc5c1cff37ccf39630b875e11d480a796a5f3f9d4824
Opcode Fuzzy Hash: c8171771f55805592ee4753954c1db0c6697d052e603e55c123443acfda92c2c
Instruction Fuzzy Hash: 1F01A2B2C083684DDF305B6994853E9BBE0EB19304F88444BDCD556245D3BD1985DBAA

Function 004B1590 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 004B159A

Part of subcall function 004B1180: SetUnhandledExceptionFilter.KERNEL32 ref: 004B11B5
Part of subcall function 004B1180: GetCommandLineA.KERNEL32 ref: 004B11D4

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CommandExceptionFilterLineUnhandled__set_app_type
String ID:
API String ID: 3309298700-0
Opcode ID: f71f1bdde41f994dc267a0c22ef02b59027553b9476ef57eb8e12268043e628f
Instruction ID: 5926610b3c5ac22b2f90000c7d7afb02347d09e36ce65aa1d0f60b4063b79708
Opcode Fuzzy Hash: f71f1bdde41f994dc267a0c22ef02b59027553b9476ef57eb8e12268043e628f
Instruction Fuzzy Hash: 26C09B314005559BC7007F24D415394F7B4FF40348F45451CD59527021C77435158BF6

Non-executed Functions

Function 004B1F36 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 66stringwindowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 004B1F3D
fprintf.MSVCRT ref: 004B1F60
FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004B1F9F
fprintf.MSVCRT ref: 004B1FC2
strcat.MSVCRT ref: 004B1FD6
strcat.MSVCRT ref: 004B1FE9
LocalFree.KERNEL32 ref: 004B1FF1
fprintf.MSVCRT ref: 004B2028
ShellExecuteA.SHELL32 ref: 004B205C

Strings

open, xrefs: 004B204D
Error:%s, xrefs: 004B1FB3
Open URL:%s, xrefs: 004B201D
Error msg:%s, xrefs: 004B1F55

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$strcat$ErrorExecuteFormatFreeLastLocalMessageShell
String ID: Error msg:%s$Error:%s$Open URL:%s$open
API String ID: 623906192-1000128352
Opcode ID: fd4f11f9515f14a4611dab8d421211257b6dd689ae44fc5d4cf1671db0062350
Instruction ID: fa502354c16783e4c48d72151efd12107ca425c107f692f0b144c33707ff440a
Opcode Fuzzy Hash: fd4f11f9515f14a4611dab8d421211257b6dd689ae44fc5d4cf1671db0062350
Instruction Fuzzy Hash: 3A31E7B0908305ABD700EF65C58979EBBF4EB84748F40C89EE4C85B351D7BC8944CBAA

Function 004B206E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004B209D
FindResourceExA.KERNEL32 ref: 004B20C1
LoadResource.KERNEL32 ref: 004B20D9
LockResource.KERNEL32 ref: 004B20E7
fprintf.MSVCRT ref: 004B2124
SetLastError.KERNEL32 ref: 004B2132
fputs.MSVCRT ref: 004B215A

Strings

%s, xrefs: 004B2119
<NULL>, xrefs: 004B2153
Resource %d:, xrefs: 004B2092

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Resource$fprintf$ErrorFindLastLoadLockfputs
String ID: %s$<NULL>$Resource %d:
API String ID: 2361679423-125972688
Opcode ID: 701135b07c157d1c6ab9fbac5f1843ad119ad51adb30435613b687e596c842d5
Instruction ID: 5f44dafc459bc015240680493c61ea53dd01972e2737f53a503d90b549dbf37c
Opcode Fuzzy Hash: 701135b07c157d1c6ab9fbac5f1843ad119ad51adb30435613b687e596c842d5
Instruction Fuzzy Hash: 8B213571505311ABD710AF2ADA447AB7BE4EB45744F04C47FEA8887311D7B88841CBAA

Function 004B8FD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 1317COMMON

Download Yara Rule

Strings

Infinity, xrefs: 004B9150
NaN, xrefs: 004B911C
, xrefs: 004BA36C
9, xrefs: 004BA34F

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID:
String ID: $9$Infinity$NaN
API String ID: 0-197352145
Opcode ID: 402d001ae8b11e61839b5107dbd5ca1335434da14b4d7b3c019517b097fa2b76
Instruction ID: e16ca7cb7a5eb6b369bdb38c4967c118127d98724a168b8f7bd3069856d91c08
Opcode Fuzzy Hash: 402d001ae8b11e61839b5107dbd5ca1335434da14b4d7b3c019517b097fa2b76
Instruction Fuzzy Hash: 01C233B1A083419FC714EF29C48429BBBE0BB84358F148D1EE98997351E379D855CFAB

Function 004B34B3 Relevance: 54.5, APIs: 20, Strings: 11, Instructions: 243stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B2168: strcmp.MSVCRT ref: 004B2198

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

Part of subcall function 004B206E: SetLastError.KERNEL32 ref: 004B2132
Part of subcall function 004B206E: fputs.MSVCRT ref: 004B215A

fprintf.MSVCRT ref: 004B3566
fputs.MSVCRT ref: 004B3593
strcat.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B35C7
strtok.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B360B
fprintf.MSVCRT ref: 004B3632
strpbrk.MSVCRT ref: 004B3642
strrchr.MSVCRT ref: 004B365A
strncpy.MSVCRT ref: 004B3684
_findfirst.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B36A7
strncpy.MSVCRT ref: 004B3735
strcpy.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B3747
fprintf.MSVCRT ref: 004B3774
_findnext.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B3786
_findclose.MSVCRT ref: 004B37A4
strncpy.MSVCRT ref: 004B381A
strcat.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B387A
strcat.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B38A0
strcat.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B38B0
strcat.MSVCRT(?,00000000,?,?,004B4A4F,?,?,00000000,?,004B1822), ref: 004B38B7
strncat.MSVCRT ref: 004B38D1

Part of subcall function 004B25E6: strcat.MSVCRT(?,?,?,?,004B3151,?,?), ref: 004B2612

Strings

" :%s, xrefs: 004B3769
-classpath ", xrefs: 004B35B8
Add classpath:%s, xrefs: 004B3627
-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe", xrefs: 004B35C0, 004B35EE, 004B3750, 004B3836, 004B3858, 004B386A, 004B3897, 004B38A9, 004B38C6, 004B38DA, 004B38ED
0L, xrefs: 004B352E
0L, xrefs: 004B3553
-jar ", xrefs: 004B388F
\, xrefs: 004B364F
Main class:%s, xrefs: 004B355B
0L, xrefs: 004B387F
Info:Classpath not defined., xrefs: 004B358C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$fprintf$Resourcestrncpy$fputs$ErrorFindLastLoadLock_findclose_findfirst_findnextstrcmpstrcpystrncatstrpbrkstrrchrstrtok
String ID: " :%s$-classpath "$-jar "$-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"$0L$0L$0L$Add classpath:%s$Info:Classpath not defined.$Main class:%s$\
API String ID: 613304418-3541880247
Opcode ID: 5a2a5a1beada6d07a565fde73b6df7626c896ef64d9268419e9593769f9b1d0b
Instruction ID: cff29a95efd578b30c6b9cb8da49d8e95b6d5447fbf66bba1119f0eab79a6e91
Opcode Fuzzy Hash: 5a2a5a1beada6d07a565fde73b6df7626c896ef64d9268419e9593769f9b1d0b
Instruction Fuzzy Hash: 43B1ECB49053189BCB609F2AC9849DDBBF0BF45704F0089AEE4C897311D7B896C5DF6A

Function 004B2A7B Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 152stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004B2ACE
strchr.MSVCRT ref: 004B2AFD
strncat.MSVCRT ref: 004B2B25
strncat.MSVCRT ref: 004B2B4D
strcmp.MSVCRT ref: 004B2B6A
strncat.MSVCRT ref: 004B2B84
strcmp.MSVCRT ref: 004B2B99
strcmp.MSVCRT ref: 004B2BB5
GetCurrentDirectoryA.KERNEL32 ref: 004B2BC9
strcmp.MSVCRT ref: 004B2BE0
strcat.MSVCRT ref: 004B2C7F
fprintf.MSVCRT ref: 004B2CA0
strcat.MSVCRT(?,00000000,?,?,004B4563,00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B2CB8

Strings

OLDPWD, xrefs: 004B2BD5
PWD, xrefs: 004B2BAA
JREHOMEDIR, xrefs: 004B2BF6
EXEDIR, xrefs: 004B2B59
HKEY, xrefs: 004B2C14
C:\Program Files (x86)\Java\jre-1.8, xrefs: 004B2C0A
EXEFILE, xrefs: 004B2B8E
Substitute:%s = %s, xrefs: 004B2C95
%, xrefs: 004B2AE6

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcmp$strncat$strcatstrchr$CurrentDirectoryfprintf
String ID: %$C:\Program Files (x86)\Java\jre-1.8$EXEDIR$EXEFILE$HKEY$JREHOMEDIR$OLDPWD$PWD$Substitute:%s = %s
API String ID: 54753763-1518370859
Opcode ID: 8af669a2995c37c499a045281c2168f74a18af592593be7de09327cfcc3c2dd6
Instruction ID: 6793be350c77875c8170d320c5b406f4df1bf081c2b957ff62ecd499653220ea
Opcode Fuzzy Hash: 8af669a2995c37c499a045281c2168f74a18af592593be7de09327cfcc3c2dd6
Instruction Fuzzy Hash: 5351FFB09097059FD754AF25C9441AEBBF4FF84344F00C86EE4C897311DBB8D9459BAA

Function 004B21DE Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 105stringregistryCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004B21F5
strstr.MSVCRT ref: 004B2209
strstr.MSVCRT ref: 004B221D
strstr.MSVCRT ref: 004B2231
strstr.MSVCRT ref: 004B2247
strchr.MSVCRT ref: 004B2280
strrchr.MSVCRT ref: 004B2293
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004B22C6
RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,00000000,?,?,004B4563,00000001,00000000,000000B7,?), ref: 004B22F2
RegQueryValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,004B4563), ref: 004B232B
RegCloseKey.ADVAPI32 ref: 004B2343

Strings

HKEY_CURRENT_CONFIG, xrefs: 004B223A
HKEY_USERS, xrefs: 004B2226
HKEY_CLASSES_ROOT, xrefs: 004B21EA
HKEY_CURRENT_USER, xrefs: 004B21FE
\, xrefs: 004B2288
HKEY_LOCAL_MACHINE, xrefs: 004B2212

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strstr$Open$CloseQueryValuestrchrstrrchr
String ID: HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$\
API String ID: 356245303-3439841907
Opcode ID: 628f704f7ffb81da23a14507b7d0db3609c9306cfbfaeb1c61f8617248949b54
Instruction ID: 125b847e28d407d601bd858cf860050c585028070f9932fc0e2bdd8719db975c
Opcode Fuzzy Hash: 628f704f7ffb81da23a14507b7d0db3609c9306cfbfaeb1c61f8617248949b54
Instruction Fuzzy Hash: 274118B1909715DFCB00AFA9C98429EFBE4AF44704F01896FE89497311D7BC89449FA7

Function 004B425D Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 135stringpipeCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004B42BA
CreatePipe.KERNEL32 ref: 004B4302
fputs.MSVCRT ref: 004B4322
SetHandleInformation.KERNEL32(?,?,?,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4347
fputs.MSVCRT ref: 004B4367
CloseHandle.KERNEL32 ref: 004B4375
strcpy.MSVCRT ref: 004B43AC
fputs.MSVCRT ref: 004B4405
CloseHandle.KERNEL32(?,?,?,?,?,?,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4413
CloseHandle.KERNEL32(?,?,?,?,?,?,?,004B4874,?,?,00000000,?,004B1822), ref: 004B4464

Strings

Cannot set handle information, xrefs: 004B4360
Cannot run java(w) -version, xrefs: 004B43FE
"%s" -version, xrefs: 004B43C3
Cannot create pipe, xrefs: 004B431B
Check Java Version: %s min=%s max=%s, xrefs: 004B42AF

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Handle$Closefputs$CreateInformationPipefprintfstrcpy
String ID: "%s" -version$Cannot create pipe$Cannot run java(w) -version$Cannot set handle information$Check Java Version: %s min=%s max=%s
API String ID: 571126077-3734277957
Opcode ID: 29cb85a8793d7d455a4334a66fd5f5f2cbc5e33c55f71a88551f486518ad4ede
Instruction ID: 24a24b0b4ac6f8b736e67971df3063b8189bf49e54acc3ffd9b89aaecfac4736
Opcode Fuzzy Hash: 29cb85a8793d7d455a4334a66fd5f5f2cbc5e33c55f71a88551f486518ad4ede
Instruction Fuzzy Hash: 3D510CB09057149FDB10AF25D44569EBBF4FF84744F00C8AEE88897301DB789A85CFAA

Function 004B1D3A Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 75stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,004B48EF,?,?,00000000,?,004B1822), ref: 004B1D7A
strstr.MSVCRT ref: 004B1D8D
strstr.MSVCRT ref: 004B1DA1
strstr.MSVCRT ref: 004B1DCD
strstr.MSVCRT ref: 004B1DE6
fprintf.MSVCRT ref: 004B1E14
fprintf.MSVCRT ref: 004B1E35

Strings

debug, xrefs: 004B1D96
--l4j-debug-all, xrefs: 004B1DC2
debug-all, xrefs: 004B1DDB
Version:%s, xrefs: 004B1E09
Launch4j, xrefs: 004B1D73
--l4j-debug, xrefs: 004B1D82
CmdLine:%s %s, xrefs: 004B1E2A
3.50, xrefs: 004B1E01

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strstr$fprintf$EnvironmentVariable
String ID: Version:%s$--l4j-debug$--l4j-debug-all$3.50$CmdLine:%s %s$Launch4j$debug$debug-all
API String ID: 1078084263-4240183270
Opcode ID: 266e2130839a30b1d37513d9fe2dac49ea3f919619abb46cddfc83b67acc71aa
Instruction ID: bd95a7b03df6f7621c3d2ee96317bbcde54b16380b6b24f5e95f2d8cdf1c9863
Opcode Fuzzy Hash: 266e2130839a30b1d37513d9fe2dac49ea3f919619abb46cddfc83b67acc71aa
Instruction Fuzzy Hash: 3D214FB09193059BC710AF36C94459EBBE4EF84348F41C87FE88887311E7B9D8459BAA

Function 004B23B8 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 141stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B23CF

Part of subcall function 004B2356: strchr.MSVCRT ref: 004B2377
Part of subcall function 004B2356: strchr.MSVCRT ref: 004B2389

strncpy.MSVCRT ref: 004B243B
strcpy.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B2462
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B2481
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B24A7
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B24C3
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B24E9
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B24FE
fputs.MSVCRT ref: 004B2545
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B255E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B256E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B257E
strcat.MSVCRT(?,?,?,?,?,?,?,00000000,000000B7,?,004B47F3,?,?,00000000,?,004B1822), ref: 004B258E

Strings

1.0_, xrefs: 004B2457

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$strchrstrcpy$fputsstrncpy
String ID: 1.0_
API String ID: 2030749601-2140295588
Opcode ID: 6790027395c984c944a9a135eb5c4811e0dafdc918a6811114415e19e272420b
Instruction ID: 741b2148fce5d66224acd059595b00347091eb1f9828c7ed1c82e0360e7f0e11
Opcode Fuzzy Hash: 6790027395c984c944a9a135eb5c4811e0dafdc918a6811114415e19e272420b
Instruction Fuzzy Hash: E0516C709052089FCB10EF69C9845EEBBF1FF48314F50C96EE895AB241D7B89841DF6A

Function 004B3B64 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 99stringfileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32 ref: 004B3BAA
fprintf.MSVCRT ref: 004B3BED
strchr.MSVCRT ref: 004B3C03
strchr.MSVCRT ref: 004B3C34
fputs.MSVCRT ref: 004B3C6E
strstr.MSVCRT ref: 004B3C8E
strstr.MSVCRT ref: 004B3CA7

Strings

", xrefs: 004B3C29
Java version output: %s, xrefs: 004B3BE2
Cannot get version string: missing end quote, xrefs: 004B3C4A
64-bit, xrefs: 004B3C9C
Cannot get version string: data too large, xrefs: 004B3C67
64-Bit, xrefs: 004B3C83
Cannot get version string: cannot find quote, xrefs: 004B3C1D

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strchrstrstr$FileReadfprintffputs
String ID: "$64-Bit$64-bit$Cannot get version string: cannot find quote$Cannot get version string: data too large$Cannot get version string: missing end quote$Java version output: %s
API String ID: 654744459-1675060857
Opcode ID: 36082a193cf58a9ce42cf6aaccfd978061933c795e93c42f2eb7a0b392bbdbf9
Instruction ID: bc9291eb9b44e1eed3671cdcc9e3777a46f4ca0f82cde82fc5ee812f774a46a8
Opcode Fuzzy Hash: 36082a193cf58a9ce42cf6aaccfd978061933c795e93c42f2eb7a0b392bbdbf9
Instruction Fuzzy Hash: AF4141B1A083049BD7109F3AC9447DABBF4EF44705F41C86EE88897301E778E944CBAA

Function 004B5C6C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 227stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004B5944
_strdup.MSVCRT ref: 004B598C
strlen.MSVCRT ref: 004B5A47

Strings

\, xrefs: 004B59E0

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strlen$_strdup
String ID: \
API String ID: 2848476203-2967466578
Opcode ID: 8ce9d6c2032786f2e6b85c43e24765aac631c61c687c19720561fc3cb001510f
Instruction ID: 96d070ca2b5dfeaa913ddcf5009f5b384c4f9485b4c744ddf21d1107668c2e7c
Opcode Fuzzy Hash: 8ce9d6c2032786f2e6b85c43e24765aac631c61c687c19720561fc3cb001510f
Instruction Fuzzy Hash: 5D914971E04B088FDB14EF69D4813EEFBF1AF48314F19852EE855AB341E77898418BA5

Function 004B4B90 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 87memoryfileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 004B4BBC
vfprintf.MSVCRT ref: 004B4BD0
abort.MSVCRT(?,?,?,004B0000,?,004B4CC3), ref: 004B4BD5
VirtualQuery.KERNEL32 ref: 004B4C01
memcpy.MSVCRT ref: 004B4C24
VirtualProtect.KERNEL32 ref: 004B4C55
memcpy.MSVCRT ref: 004B4C6E
VirtualProtect.KERNEL32 ref: 004B4C9B

Strings

Mingw runtime failure:, xrefs: 004B4BAE
@, xrefs: 004B4C40

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Queryabortfwritevfprintf
String ID: @$Mingw runtime failure:
API String ID: 978211760-2549925133
Opcode ID: 21abc95c359f6742e916b2acd8e806df07f62c6f473eb615119597a22224dfe7
Instruction ID: 166856742baa950dd95cc0cf88c9e091a06c145eaf95691da668243991727a56
Opcode Fuzzy Hash: 21abc95c359f6742e916b2acd8e806df07f62c6f473eb615119597a22224dfe7
Instruction Fuzzy Hash: B531F8B4905308AFDB00EF69D48059EFBF4EF88754F40882EF88893311D7789844CBA6

Function 004B3CC0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 74processCOMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 004B3D21
CreateProcessA.KERNEL32 ref: 004B3D6C
fprintf.MSVCRT ref: 004B3D92
CloseHandle.KERNEL32 ref: 004B3D9F
CloseHandle.KERNEL32(00000000), ref: 004B3DAB
CloseHandle.KERNEL32(?,00000000), ref: 004B3DB7

Strings

D, xrefs: 004B3CF0
Create process: %s, xrefs: 004B3D13
Cannot create process %s, xrefs: 004B3D87

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CloseHandle$fprintf$CreateProcess
String ID: Cannot create process %s$Create process: %s$D
API String ID: 991247836-3672066502
Opcode ID: 727eb8c50742a51dcf59c9a8fc2e6818ac775aa6d8601db12ed43da0e816916f
Instruction ID: b6b1ed7b9b1908a9211eecd96a3676ce17cec6f9b0c7660204060f25a830331a
Opcode Fuzzy Hash: 727eb8c50742a51dcf59c9a8fc2e6818ac775aa6d8601db12ed43da0e816916f
Instruction Fuzzy Hash: 2531DAB19043059BDB10DF6AD44479EFBF4FB88308F00892EE95897341D77995448FA6

Function 004B3903 Relevance: 15.1, APIs: 7, Strings: 3, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

strcat.MSVCRT(?,00000000,?,?,004B4A5A,?,?,00000000,?,004B1822), ref: 004B3950
strcat.MSVCRT(?,00000000,?,?,004B4A5A,?,?,00000000,?,004B1822), ref: 004B3960
strcpy.MSVCRT(?,00000000,?,?,004B4A5A,?,?,00000000,?,004B1822), ref: 004B3971
strstr.MSVCRT ref: 004B3981
strchr.MSVCRT ref: 004B3997
strcat.MSVCRT ref: 004B39CD
strcat.MSVCRT ref: 004B39DD

Strings

-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe", xrefs: 004B3949, 004B3959, 004B39C6, 004B39D6
, xrefs: 004B398C
--l4j-, xrefs: 004B3976

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLockstrchrstrcpystrstr
String ID: $--l4j-$-jar "C:\Users\user\Desktop\SAMPLE_5.exe.bin.exe"
API String ID: 3962799999-476743524
Opcode ID: 7143cd3b99f9d9ca80f6ae1bb6d933de1fe5760a5df12ab2d71989ef2f236911
Instruction ID: 6f5c12ac8f43f9b543abf3af6cc9441d14f431cbe5f37bb4e67be38537b80095
Opcode Fuzzy Hash: 7143cd3b99f9d9ca80f6ae1bb6d933de1fe5760a5df12ab2d71989ef2f236911
Instruction Fuzzy Hash: 972142B04093049ED7606F2A854979EBBE0EF85714F05C85FA4C897241D7FC8988DBBB

Function 004B600C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

mbstowcs.MSVCRT ref: 004B6026
mbstowcs.MSVCRT ref: 004B605A
wcstombs.MSVCRT ref: 004B6136
realloc.MSVCRT ref: 004B614A
wcstombs.MSVCRT ref: 004B6164
wcstombs.MSVCRT ref: 004B6249
setlocale.MSVCRT ref: 004B6262
free.MSVCRT ref: 004B626A

Strings

/, xrefs: 004B610A

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: wcstombs$mbstowcs$freereallocsetlocale
String ID: /
API String ID: 2027400679-2043925204
Opcode ID: a629ef2b6a3aa74357a0babbe366cc469a75cde366faecfdfda3c0db8136e4bf
Instruction ID: 04f56da5e94ed42edd994704819c887e4b3f2f70943771e1d8ecf1819f54db78
Opcode Fuzzy Hash: a629ef2b6a3aa74357a0babbe366cc469a75cde366faecfdfda3c0db8136e4bf
Instruction Fuzzy Hash: 2641FA75D042198BCB14EFA9C0416EEB7F1FF48300F45856FE899A7351E77C98418BAA

Function 004B1E4D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 004B1E5B
GetProcAddress.KERNEL32 ref: 004B1E6C
GetCurrentProcess.KERNEL32 ref: 004B1E79
fprintf.MSVCRT ref: 004B1EBA

Strings

kernel32, xrefs: 004B1E54
Yes, xrefs: 004B1E9E
WOW64:%s, xrefs: 004B1EA8
IsWow64Process, xrefs: 004B1E61

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcessfprintf
String ID: IsWow64Process$WOW64:%s$Yes$kernel32
API String ID: 24026888-2598006572
Opcode ID: 142e638adeeee39d45baf45bb28edbf4cd0f209f33c58466eb8148af1d2c036f
Instruction ID: 5f68d047ce68afb5f2d478ec74c800bd5b8c5e72c4c6963c4ead7b573d0f0b96
Opcode Fuzzy Hash: 142e638adeeee39d45baf45bb28edbf4cd0f209f33c58466eb8148af1d2c036f
Instruction Fuzzy Hash: 96F018B0608344EFD704BF7A9485A6B76E8EB84708F51C87EE48497201E779D8449B7E

Function 004B319C Relevance: 13.6, APIs: 7, Strings: 2, Instructions: 55stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

strcat.MSVCRT ref: 004B31D6
strcat.MSVCRT ref: 004B31EA
strcat.MSVCRT ref: 004B3207
strcat.MSVCRT ref: 004B321B
strcat.MSVCRT ref: 004B3238
strcat.MSVCRT ref: 004B327E
strcat.MSVCRT ref: 004B328E

Strings

(64-bit), xrefs: 004B3229
- , xrefs: 004B31F8

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$Resource$fprintf$FindLoadLock
String ID: (64-bit)$ -
API String ID: 2267084178-2895498852
Opcode ID: 9214f0365a8935e06f053b81df26eeaa87f93f5d103d53f5d53b5e3bfae989bd
Instruction ID: 2be4b1599664900c90ae90a4d8240a8cd1cc01716109061b93839a4310e9179a
Opcode Fuzzy Hash: 9214f0365a8935e06f053b81df26eeaa87f93f5d103d53f5d53b5e3bfae989bd
Instruction Fuzzy Hash: 5421D4B4809305AAE7506F5A950D7AEBBF4EB80708F05889F91C41A241DBBC4D85EB7B

Function 004B33D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

strtok.MSVCRT(?,00000000,?,?,004B49E7,?,?,00000000,?,004B1822), ref: 004B3424
strchr.MSVCRT ref: 004B343A

Part of subcall function 004B2A7B: strchr.MSVCRT ref: 004B2ACE
Part of subcall function 004B2A7B: strchr.MSVCRT ref: 004B2AFD
Part of subcall function 004B2A7B: strncat.MSVCRT ref: 004B2B25
Part of subcall function 004B2A7B: strncat.MSVCRT ref: 004B2B4D
Part of subcall function 004B2A7B: strcmp.MSVCRT ref: 004B2B6A
Part of subcall function 004B2A7B: strncat.MSVCRT ref: 004B2B84
Part of subcall function 004B2A7B: strcmp.MSVCRT ref: 004B2B99
Part of subcall function 004B2A7B: strcat.MSVCRT ref: 004B2C7F
Part of subcall function 004B2A7B: fprintf.MSVCRT ref: 004B2CA0
Part of subcall function 004B2A7B: strcat.MSVCRT(?,00000000,?,?,004B4563,00000001,00000000,000000B7,?,004B4874,?,?,00000000,?,004B1822), ref: 004B2CB8

fprintf.MSVCRT ref: 004B3480
SetEnvironmentVariableA.KERNEL32(?,?), ref: 004B348C
strtok.MSVCRT(?,?), ref: 004B34A2

Strings

=, xrefs: 004B342F
Set var:%s = %s, xrefs: 004B3475

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$Resourcestrchrstrncat$strcatstrcmpstrtok$EnvironmentFindLoadLockVariable
String ID: =$Set var:%s = %s
API String ID: 3861738652-24686798
Opcode ID: d20e7417fedfed01a96dbddc5ddfe676d6e175c3db9734c2e339814ae228a7e7
Instruction ID: 4fa67770bd0b8938ca9d777c7f01eb10a49601c428b303a7c207546341c2e96b
Opcode Fuzzy Hash: d20e7417fedfed01a96dbddc5ddfe676d6e175c3db9734c2e339814ae228a7e7
Instruction Fuzzy Hash: 34211D71809718AFC711AF26C48469EBBE4EF84754F01C86EE4C997201D7B88A459BE6

Function 004B3001 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

fprintf.MSVCRT ref: 004B305A
CreateMutexA.KERNEL32 ref: 004B3092
GetLastError.KERNEL32 ref: 004B309A
fprintf.MSVCRT ref: 004B30C7

Strings

Create mutex:%s, xrefs: 004B304F
Instance already exists., xrefs: 004B30B4
Error:%s, xrefs: 004B30BC

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$Resource$CreateErrorFindLastLoadLockMutex
String ID: Create mutex:%s$Error:%s$Instance already exists.
API String ID: 891584312-2614424452
Opcode ID: 1ef72a937afcc5ff8c8f39e61c40b3d749a4c0664d0eaa0c9ae8d0ff07c59bb2
Instruction ID: d77d9688f4ac5fff58c6212fcbdd026bea4a60951624ad4735791f78a1e95ac7
Opcode Fuzzy Hash: 1ef72a937afcc5ff8c8f39e61c40b3d749a4c0664d0eaa0c9ae8d0ff07c59bb2
Instruction Fuzzy Hash: 3B1112709043049AD720AF2AC84579EBBF5EF84704F40C8AED48C97355D7B99A85CB66

Function 004B2CCE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B21AB: atoi.MSVCRT ref: 004B21D3

fprintf.MSVCRT ref: 004B2D81
fprintf.MSVCRT ref: 004B2DC3
strcat.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,?,004B2E6A), ref: 004B2DD5
_itoa.MSVCRT ref: 004B2DFC

Strings

Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB, xrefs: 004B2DB4
Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB, xrefs: 004B2D76

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fprintf$_itoaatoistrcat
String ID: Heap %s:Requested %d MB / %d%%, Available: %d MB, Heap size: %d MB$Heap limit:Reduced %d MB heap size to 32-bit maximum %d MB
API String ID: 2922754228-3040617333
Opcode ID: 2dbb17f8be8214dfa9178e33b0c73fa18139710334cdc20620380a614bf317b7
Instruction ID: 8bb3ec178afc464677d318a6e233521b4fd1a408a165ca5bc9f2c2f91876e3a6
Opcode Fuzzy Hash: 2dbb17f8be8214dfa9178e33b0c73fa18139710334cdc20620380a614bf317b7
Instruction Fuzzy Hash: 5F4105B4A047099BCB04DF69C58469EBBF4EF88364F10C82EE958E7350D77898418FA5

Function 004B15D0 Relevance: 10.6, APIs: 7, Instructions: 62timewindowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32 ref: 004B1606
KillTimer.USER32(00000000,00000000), ref: 004B162D

Part of subcall function 004B1F36: GetLastError.KERNEL32 ref: 004B1F3D
Part of subcall function 004B1F36: fprintf.MSVCRT ref: 004B1F60
Part of subcall function 004B1F36: FormatMessageA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004B1F9F
Part of subcall function 004B1F36: fprintf.MSVCRT ref: 004B1FC2
Part of subcall function 004B1F36: strcat.MSVCRT ref: 004B1FD6
Part of subcall function 004B1F36: strcat.MSVCRT ref: 004B1FE9
Part of subcall function 004B1F36: LocalFree.KERNEL32 ref: 004B1FF1
Part of subcall function 004B1F36: fprintf.MSVCRT ref: 004B2028
Part of subcall function 004B1F36: ShellExecuteA.SHELL32 ref: 004B205C

PostQuitMessage.USER32(00000000), ref: 004B1640
EnumWindows.USER32 ref: 004B1668
GetExitCodeProcess.KERNEL32(00000000,00000000), ref: 004B167F
KillTimer.USER32 ref: 004B16B4
PostQuitMessage.USER32(00000000), ref: 004B16C2

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Messagefprintf$KillPostQuitTimerstrcat$CodeEnumErrorExecuteExitFormatFreeLastLocalProcessShellShowWindowWindows
String ID:
API String ID: 3625041480-0
Opcode ID: 3a25c40c505b5f85158e696abece4e66c02679203f450ebb0dc58c6061d44d95
Instruction ID: 37540541ec11881ca9bf78c94298231ba4a982b5e1645971dec14fb92d92edca
Opcode Fuzzy Hash: 3a25c40c505b5f85158e696abece4e66c02679203f450ebb0dc58c6061d44d95
Instruction Fuzzy Hash: CC213BB0004304DFD750AF65E869FAA37E8EB1030DF45892EE48486261C7BD9884CF7E

Function 004B3352 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33stringCOMMON

Download Yara Rule

APIs

strcpy.MSVCRT ref: 004B337C
strcat.MSVCRT ref: 004B338C

Part of subcall function 004B32B9: GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,004B3399), ref: 004B32F5
Part of subcall function 004B32B9: strcat.MSVCRT(?,?,004B3399), ref: 004B3324
Part of subcall function 004B32B9: strcat.MSVCRT(?,?,004B3399), ref: 004B3333
Part of subcall function 004B32B9: SetEnvironmentVariableA.KERNEL32(?,?,004B3399), ref: 004B3343

fprintf.MSVCRT ref: 004B33BE

Strings

appendToPathVar failed., xrefs: 004B33AB
Error:%s, xrefs: 004B33B3
\bin, xrefs: 004B3381

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcat$EnvironmentVariable$fprintfstrcpy
String ID: Error:%s$\bin$appendToPathVar failed.
API String ID: 4002749114-3685084685
Opcode ID: bb7431f4b99f93a7232d6c2dd1199003c0aee66cf14af8bc150f8809e1485b1e
Instruction ID: c2dc618618f369bc89e5a6fa3f85221e7d8e5cd3cc05a1e5a96e6182f237ee92
Opcode Fuzzy Hash: bb7431f4b99f93a7232d6c2dd1199003c0aee66cf14af8bc150f8809e1485b1e
Instruction Fuzzy Hash: 7BF068715087049BD710AF26D4452FEB7E1DBC0704F41C86ED8885B301EBBC99559BAB

Function 004B1000 Relevance: 9.1, APIs: 6, Instructions: 80COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 004B1034
signal.MSVCRT ref: 004B1091
signal.MSVCRT ref: 004B10C9
signal.MSVCRT ref: 004B1112

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: aeec0c4a87c07f7c9f5ab1529ee77c8b59e66693d593f2f0f948f8b159f4556e
Instruction ID: 3b3423c0b45bea64f330179494feb493cc8d5ae820ce0f276e8b179180c314a5
Opcode Fuzzy Hash: aeec0c4a87c07f7c9f5ab1529ee77c8b59e66693d593f2f0f948f8b159f4556e
Instruction Fuzzy Hash: 09212B705082408AD7107F7884A53AF76D0AF46368F914A1BE5E9C77E1C7BDC8C49B6B

Function 004B3DC7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 004B3DEA
strcmp.MSVCRT ref: 004B3E09
fprintf.MSVCRT ref: 004B3E79

Strings

Ignore, xrefs: 004B3E46
Version string: %s / %s-Bit (%s), xrefs: 004B3E6E

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strcmp$fprintf
String ID: Ignore$Version string: %s / %s-Bit (%s)
API String ID: 512415533-1929821993
Opcode ID: c0591ffe09f756c2889398e16105e112254f80b5e34f697ca0375d75c7d125a1
Instruction ID: 14cc539f67aa80f2ea562661c9f145cd6f8d13c9963618db3d1f80c4bcfc170b
Opcode Fuzzy Hash: c0591ffe09f756c2889398e16105e112254f80b5e34f697ca0375d75c7d125a1
Instruction Fuzzy Hash: 131160B1605741ABD7615F6B9484797BBE4EF80319F05843FE44887350D7B8CD848BAA

Function 004B32B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49stringCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,00000000,?,?,004B3399), ref: 004B32F5
strcat.MSVCRT(?,?,004B3399), ref: 004B3324
strcat.MSVCRT(?,?,004B3399), ref: 004B3333
SetEnvironmentVariableA.KERNEL32(?,?,004B3399), ref: 004B3343

Strings

Path, xrefs: 004B32EE, 004B333C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: EnvironmentVariablestrcat
String ID: Path
API String ID: 194762557-2875597873
Opcode ID: 7f97dc0dd09ea0c706beb5f87b722edd5a822761983ab7e4063d79c14251513d
Instruction ID: 754e33d0da61a4d334e685e3f30e2ecb00f0748d8c15506eb16926e64a79f690
Opcode Fuzzy Hash: 7f97dc0dd09ea0c706beb5f87b722edd5a822761983ab7e4063d79c14251513d
Instruction Fuzzy Hash: 65018075D052189BCB10BF6AD84549EBBE4EF80760F00897EF88897241DB7899448BE6

Function 004B30D5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32 ref: 004B310E

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

strncpy.MSVCRT ref: 004B3140

Part of subcall function 004B25E6: strcat.MSVCRT(?,?,?,?,004B3151,?,?), ref: 004B2612

_chdir.MSVCRT ref: 004B3154
fprintf.MSVCRT ref: 004B3171

Strings

Working dir:%s, xrefs: 004B3166

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Resourcefprintf$CurrentDirectoryFindLoadLock_chdirstrcatstrncpy
String ID: Working dir:%s
API String ID: 3319590416-1807235602
Opcode ID: 0167a2d83956dd0ffc042f6cde8ccabdbf5315917de06ad574e32e95682801de
Instruction ID: 59e32bc90cd7eacd209643cf7fa1757bc82c8f532fc00dcf428816a3c0aa042d
Opcode Fuzzy Hash: 0167a2d83956dd0ffc042f6cde8ccabdbf5315917de06ad574e32e95682801de
Instruction Fuzzy Hash: F61100B1508308AFD710AF69C9815DEFBF8FF84344F418C6EA58897311D7B899848B66

Function 004B5AFC Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

_strdup.MSVCRT ref: 004B5B2B
_stricoll.MSVCRT ref: 004B5B91
malloc.MSVCRT ref: 004B5BB1
free.MSVCRT ref: 004B5C27
free.MSVCRT ref: 004B5C3C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: free$_strdup_stricollmalloc
String ID:
API String ID: 1482192206-0
Opcode ID: 351a2a8870e22f0329fc654e75e7251c6513b7c51ff2b9e5253af2975e1597e5
Instruction ID: 7be193944dc9b16c531bbfcadc8e6aaa9cb8b400cd2f96d48889b7e5762514b2
Opcode Fuzzy Hash: 351a2a8870e22f0329fc654e75e7251c6513b7c51ff2b9e5253af2975e1597e5
Instruction Fuzzy Hash: 4541F471E05A188FDB149F69D4807AEFBF1BF54304F15846EE895AB341D738A840CBA4

Function 004BA880 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32 ref: 004BA8D3
InitializeCriticalSection.KERNEL32 ref: 004BA8E6
InitializeCriticalSection.KERNEL32 ref: 004BA8F5
EnterCriticalSection.KERNEL32 ref: 004BA920

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterExchangeInterlocked
String ID:
API String ID: 33273390-0
Opcode ID: 87c429a4fa58c21606a6e9a373325806676149b0c889859fa2281c1ce7e03e83
Instruction ID: 0b87010f8045512ea7597e75a56f946d813224f6589530f4291179387ffcd1da
Opcode Fuzzy Hash: 87c429a4fa58c21606a6e9a373325806676149b0c889859fa2281c1ce7e03e83
Instruction Fuzzy Hash: 270182F0901200DAEB90FF75D18A79F36B5EB40308F51442EC48146716E3BC99A9D7BB

Function 004B8B61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 119stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004B8BA6
strchr.MSVCRT ref: 004B8BB6
atoi.MSVCRT ref: 004B8BCD

Strings

., xrefs: 004B8BAB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: e2363b09b94ebdf7a7908b4725bdd46078964bc533aeccb49155b5101b4f5384
Instruction ID: 7e8c1a282ac72163284bb004351b0f21e9f9dfc656a2c0686ada4258fdeab713
Opcode Fuzzy Hash: e2363b09b94ebdf7a7908b4725bdd46078964bc533aeccb49155b5101b4f5384
Instruction Fuzzy Hash: 294107B5A093058FD710DF69D88065BFBE8EF94754F05482EE99887300EBB8D844DBA6

Function 004B8E79 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004B8E9C
strchr.MSVCRT ref: 004B8EAC
atoi.MSVCRT ref: 004B8EBB

Strings

., xrefs: 004B8EA1

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 4643a30243296a7df377f399390b2e2afc7f1dac62376ae5729e226b4d5e8b63
Instruction ID: f78b96c4a6b1abe5de2034e735e27007d6016036ca09eae140755a37ecb2d112
Opcode Fuzzy Hash: 4643a30243296a7df377f399390b2e2afc7f1dac62376ae5729e226b4d5e8b63
Instruction Fuzzy Hash: C9417176A083048FC7109FA9D8406AAF7E9EB94354F18482FF888C7350E779D845CBA6

Function 004B8AD0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004B8B04
strchr.MSVCRT ref: 004B8B14
atoi.MSVCRT(?,?,?,?,?,?,?,?,?,?,004B7590), ref: 004B8B25

Strings

., xrefs: 004B8B09

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: cadbe3afb2bb4883ce50dbc34ae2c9a2ac24db6bf0c987095bbe8016e1e4d812
Instruction ID: e9e7adb396b3ca5dc5e6f59ef9b24f6362768fdfbf448073bd8a3fc9900be176
Opcode Fuzzy Hash: cadbe3afb2bb4883ce50dbc34ae2c9a2ac24db6bf0c987095bbe8016e1e4d812
Instruction Fuzzy Hash: DA01D3B5A083018FD700AF2AD49565BBBE4FFC9754F01882EF88897351D7B9D844CB96

Function 004B8CE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004B8D06
strchr.MSVCRT ref: 004B8D16
atoi.MSVCRT ref: 004B8D27

Strings

., xrefs: 004B8D0B

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: 5c1496784958f62aeae2005e36e06f63657c0c21bc893aef5dad9c03036db77c
Instruction ID: fb95135e748911dd5d65afa66f1ddd2242373247369b34b3abfd87703368949d
Opcode Fuzzy Hash: 5c1496784958f62aeae2005e36e06f63657c0c21bc893aef5dad9c03036db77c
Instruction Fuzzy Hash: 3501C4B8A093048FD700AF29D48565BBBE4BF89304F01892EF889C7351E779D844CB56

Function 004B8E00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 004B8E2D
strchr.MSVCRT ref: 004B8E3D
atoi.MSVCRT ref: 004B8E4E

Strings

., xrefs: 004B8E32

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: e595a86afbcc8180cf548ed73960309150e5a647cf45b36436f53c9d63f38b9d
Instruction ID: 0a6b81fee6bd0f44d9af59f6da8479abfd757709ecd79af3f3c0db72dfa94ab4
Opcode Fuzzy Hash: e595a86afbcc8180cf548ed73960309150e5a647cf45b36436f53c9d63f38b9d
Instruction Fuzzy Hash: 3BF087B2A083009FD300AF6AD48565FBBE8FF84304F00882EF48487250D7B8D840CBA2

Function 004B1CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 25stringfileCOMMON

Download Yara Rule

APIs

strncpy.MSVCRT ref: 004B1CF3
strcat.MSVCRT ref: 004B1D03
fopen.MSVCRT ref: 004B1D13

Strings

\launch4j.log, xrefs: 004B1CFB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: fopenstrcatstrncpy
String ID: \launch4j.log
API String ID: 1410583167-1044402884
Opcode ID: 521cd6b367cb3005b84788c62bf0198fc54468ee03743d5d6b9719cb7c5b2cb2
Instruction ID: 77fffd91c2bc9a777aab610db73cf56966b9167e88279013e78ab5ddfdb95002
Opcode Fuzzy Hash: 521cd6b367cb3005b84788c62bf0198fc54468ee03743d5d6b9719cb7c5b2cb2
Instruction Fuzzy Hash: 40F0F8B59043089FCB20AF69D4411DDFBE4EF94308F01886EA58C97211D7B899958BA6

Function 004B8950 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 004B89A1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004B8B5A), ref: 004B89E0
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004B8B5A), ref: 004B8A80

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Byte$CharMultiWide$Lead
String ID:
API String ID: 2933009993-0
Opcode ID: c01dad700cd316040131830a86ddead0c57abd91402bd1c3d1d49247e91733aa
Instruction ID: c7d9ef7cffbc910ea83334d7beee09fa3eb6adea2ae5175ebd71b619480df3cf
Opcode Fuzzy Hash: c01dad700cd316040131830a86ddead0c57abd91402bd1c3d1d49247e91733aa
Instruction Fuzzy Hash: 5E414870A083059FDB10DF69D4402DABBE4EF48368F00855FE8988B340D779E954CBA2

Function 004B67F0 Relevance: 6.1, APIs: 4, Instructions: 87stringCOMMON

Download Yara Rule

APIs

_findclose.MSVCRT ref: 004B680D
_errno.MSVCRT ref: 004B6816
_findfirst.MSVCRT ref: 004B6841
strncpy.MSVCRT ref: 004B6898

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: _errno_findclose_findfirststrncpy
String ID:
API String ID: 1756046557-0
Opcode ID: 233afb7bb0cc25fe4f15c6f6278a5643bd76a5286e5f1e42dbedadc7c72b6943
Instruction ID: 2b03a5a901edd866f5a026581d2c50f3daad4929d31d82861380ab70b13da038
Opcode Fuzzy Hash: 233afb7bb0cc25fe4f15c6f6278a5643bd76a5286e5f1e42dbedadc7c72b6943
Instruction Fuzzy Hash: 5D312BB19153018BDB10EF28C4816D6BBE1BF88314F154A6FEC888F346E778D545CBA6

Function 004B8150 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004B8172
wcslen.MSVCRT ref: 004B86BD

Strings

(null), xrefs: 004B882B
(null), xrefs: 004B86AB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: strlenwcslen
String ID: (null)$(null)
API String ID: 803329031-1601437019
Opcode ID: 021178ab9d32d1292da18b92e15b1a9e21e870d7be259367a92c689d39a55b05
Instruction ID: bafe2f8f9894f9f1c761c1dba6af3a37a039db58ed8da41c1f6d4f3a3d6524bd
Opcode Fuzzy Hash: 021178ab9d32d1292da18b92e15b1a9e21e870d7be259367a92c689d39a55b05
Instruction Fuzzy Hash: AC113D746093458FC710DF28C8D06ABBBE5AF88304F504A2EE99147342DB39D90ACB66

Function 004B173C Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B209D
Part of subcall function 004B206E: FindResourceExA.KERNEL32 ref: 004B20C1
Part of subcall function 004B206E: LoadResource.KERNEL32 ref: 004B20D9
Part of subcall function 004B206E: LockResource.KERNEL32 ref: 004B20E7
Part of subcall function 004B206E: fprintf.MSVCRT ref: 004B2124

FindWindowExA.USER32 ref: 004B179D
GetWindowTextA.USER32 ref: 004B17BA
strstr.MSVCRT ref: 004B17C9
FindWindowExA.USER32 ref: 004B17ED

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: FindResourceWindow$fprintf$LoadLockTextstrstr
String ID:
API String ID: 2277964966-0
Opcode ID: 95a9f5b95524026365e8c7ac09c65ee1ba0843219f0e1703a3545d923de10726
Instruction ID: 0ea27837128f8f9ec3f7b79de60d72d9c262b23a83dc331c9b9771fd6e5887d7
Opcode Fuzzy Hash: 95a9f5b95524026365e8c7ac09c65ee1ba0843219f0e1703a3545d923de10726
Instruction Fuzzy Hash: A2119EB15083049AE310AF69C8553DFFBE4EF84344F008C2EE98897211DBB889488BA7

Function 004B4BE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 004B4C01
memcpy.MSVCRT ref: 004B4C24
VirtualProtect.KERNEL32 ref: 004B4C55
memcpy.MSVCRT ref: 004B4C6E
VirtualProtect.KERNEL32 ref: 004B4C9B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 004B4CB7

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Virtual$Protectmemcpy$Query
String ID: VirtualQuery failed for %d bytes at address %p
API String ID: 228986436-2206166143
Opcode ID: d12829d6756bfbeb375c3b18967b61272b544ec257198fe8fbcdfab312ee3f91
Instruction ID: 559a74de9584614124ef08ea600e83cdcfade44ba6a6710621629b3b7dd1fa7c
Opcode Fuzzy Hash: d12829d6756bfbeb375c3b18967b61272b544ec257198fe8fbcdfab312ee3f91
Instruction Fuzzy Hash: 6A014F719053049BDB00AF65D4817DAFBF8FB84744F41882EE54893241D7B4E8058BA5

Function 004B1ED3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

printf.MSVCRT ref: 004B1F01
MessageBoxA.USER32 ref: 004B1F2C

Strings

%s: %s, xrefs: 004B1EFA

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: Messageprintf
String ID: %s: %s
API String ID: 351756659-482213395
Opcode ID: 5d0b2663d545db3698a5e5d38bafee39333eabd1ff5b5476d689677e89d0ca91
Instruction ID: d1a3ae324eeb4d0173fc9cec49270b0f63d42809c61b05e31aac1c5da35b88f1
Opcode Fuzzy Hash: 5d0b2663d545db3698a5e5d38bafee39333eabd1ff5b5476d689677e89d0ca91
Instruction Fuzzy Hash: 74F01270808305EED740AF2AD4597AA7FE0FB45348F90C4AFE4C946251D7BC8498CBAB

Function 004B1C58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 004B1C6D
strcpy.MSVCRT ref: 004B1C8B

Strings

Launch4j, xrefs: 004B1C7C

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: HandleModulestrcpy
String ID: Launch4j
API String ID: 122033455-841392896
Opcode ID: 010d052e8a9c6b61c109f7bdebc0126c229c480c7da75aa64b17159803ae64ff
Instruction ID: c655463530c9f890b01bab339aac4232b1d96ea3ed751310603223b935e8db61
Opcode Fuzzy Hash: 010d052e8a9c6b61c109f7bdebc0126c229c480c7da75aa64b17159803ae64ff
Instruction Fuzzy Hash: 99F0C0B05053449AD780AF26D955B967BF4E740308F40442ED8818B361DBBD8848ABEA

Function 004B25A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,00000000,?,004B1822), ref: 004B25BE
strrchr.MSVCRT ref: 004B25D5

Strings

\, xrefs: 004B25CA

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: FileModuleNamestrrchr
String ID: \
API String ID: 3219412323-2967466578
Opcode ID: ac60b51a5823fb84ab9bc24574dafc4f5aea39072ce74ce3e00434ebfd785a57
Instruction ID: 3bb33f32404b30b3476fd1da840c4ab07c6d2897e6eb1397c783b72f0f51df71
Opcode Fuzzy Hash: ac60b51a5823fb84ab9bc24574dafc4f5aea39072ce74ce3e00434ebfd785a57
Instruction Fuzzy Hash: 9BE048B0504305ABC710FF39DAC554A7FE4EB04358F00892EE9D547385D7B4D944DBA6

Function 004B5180 Relevance: 5.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 004B51A7
free.MSVCRT ref: 004B51EF
LeaveCriticalSection.KERNEL32 ref: 004B51FB

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CriticalSection$EnterLeavefree
String ID:
API String ID: 4020351045-0
Opcode ID: ce4b0ac946d8369dd9aa66889a11d2decd3399aab64aa1fbb2b085514116d620
Instruction ID: 38c1820eabd6a24cac80addfbf793d9c74b7fdca31f64028c2c0bf6960454d37
Opcode Fuzzy Hash: ce4b0ac946d8369dd9aa66889a11d2decd3399aab64aa1fbb2b085514116d620
Instruction Fuzzy Hash: FF016170B00206CF8B44FF7AE481B9AB7E5AB44308B15456ED54987301E778DC44DBAE

Function 004B5080 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 004B508F
TlsGetValue.KERNEL32 ref: 004B50A6
GetLastError.KERNEL32 ref: 004B50B0
LeaveCriticalSection.KERNEL32 ref: 004B50D3

Memory Dump Source

Source File: 00000000.00000002.1305621331.00000000004B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 004B0000, based on PE: true

Associated: 00000000.00000002.1305600093.00000000004B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305643571.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004C8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305666950.00000000004CA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305757359.00000000004CD000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1305790244.00000000004CE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_SAMPLE_5.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 969c9038525879ab3b1bbc1db0c7bc7708dc8f90a92c91325c5aa00c925e6a67
Instruction ID: b4df8ebae6572c01db15d57113b6f29ae62caa3fa1fd95c60cf8556447f24467
Opcode Fuzzy Hash: 969c9038525879ab3b1bbc1db0c7bc7708dc8f90a92c91325c5aa00c925e6a67
Instruction Fuzzy Hash: 9BF062755007058B9B10BFBAA5C16DBBBA8DE01344F01042ADE8447206D778D80886EA

Analysis Process: javaw.exePID: 7192, Parent PID: 5500COMMON

Executed Functions

Function 02C3D8F7 Relevance: 1.5, Strings: 1, Instructions: 223COMMON

Download Yara Rule

Strings

`p*m, xrefs: 02C3DAC5

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID: `p*m
API String ID: 0-318476674
Opcode ID: 684813d2de6f2ba522811c9a09364f9e61836db1abc64411e2f3b8e417ff07c3
Instruction ID: 7df5e0bba635ea6d1e225188838f9570707982ab41bec1e6215dfa1dfa0c92dd
Opcode Fuzzy Hash: 684813d2de6f2ba522811c9a09364f9e61836db1abc64411e2f3b8e417ff07c3
Instruction Fuzzy Hash: 43A1BD71A04645DFDB1ADF24C594BAAFBB1FF89318F08899DD91A4B381CB34A940CF91

Function 02C3D8E0 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

`p*m, xrefs: 02C3DAC5

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID: `p*m
API String ID: 0-318476674
Opcode ID: 75e01f92f2173f11fcb0c0674ccee14e03b8cadda0f4c1ac71af8e1bd6cbe1f4
Instruction ID: c9671d7480604bc3f9a127efb5254f72183f044c117ac5a09f352bf257004900
Opcode Fuzzy Hash: 75e01f92f2173f11fcb0c0674ccee14e03b8cadda0f4c1ac71af8e1bd6cbe1f4
Instruction Fuzzy Hash: 8161BB71604601EFDB1ACF20C594BAAFBB1FF89718F08899CD91A4B381C774A981CF91

Function 02C30672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f874d57c0373d2874d5474f303d01eed66bc59206309001e830f9a17a6d2ca8
Instruction ID: 929ecec2d5bf36a887af5826feeee180863744ca9624c7b00d2d6522ce196a03
Opcode Fuzzy Hash: 1f874d57c0373d2874d5474f303d01eed66bc59206309001e830f9a17a6d2ca8
Instruction Fuzzy Hash: B9115BB6C0022ADFCF29DF48C9815ADB7B0FB99314B164925DC65A3346D734AE20CB90

Function 02C30667 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 043702c30cb96ee7cd83d3c777d9805a73e252d3be2a4911be2f121a28bb503c
Instruction ID: 247fd42951aadd256e5593083cf1ca03fc786cb4a0f068e2dc9091be2198b105
Opcode Fuzzy Hash: 043702c30cb96ee7cd83d3c777d9805a73e252d3be2a4911be2f121a28bb503c
Instruction Fuzzy Hash: 68118F76D0022A9FCF29DF88C5825EDB7B0FB89314B064959DC64A3342D734AE61CB81

Function 02C30722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518f6ffaa4a51255068d4b88d2d388c7d59e9cfad18ce2867c7dcabaee69d95b
Instruction ID: cefc7f0f1315fbcacd70b9b2c6546c86c020de57f5585a383e72a95394b4ecbe
Opcode Fuzzy Hash: 518f6ffaa4a51255068d4b88d2d388c7d59e9cfad18ce2867c7dcabaee69d95b
Instruction Fuzzy Hash: 11F0A576C00229DB8B15DF48C4451EDB7B1EB46218B1A8896DC6977241D332AE62CF91

Function 02C44CCD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8415bedc393646a3057f852792e48a1a8bf3ef1970c867b9ee34e9553533a46
Instruction ID: 07c311ad4129fde44d01ff5551d11cbe4231325945fc51d5bdc3b00d3edadd9b
Opcode Fuzzy Hash: c8415bedc393646a3057f852792e48a1a8bf3ef1970c867b9ee34e9553533a46
Instruction Fuzzy Hash: 6EF0BCB6900A06EBEB158F60C0047EAF7B8BB88704F04460AD82C53210C3787465CBD0

Function 02C44B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f05d7d63c53cfbc32d6bf75cf68646d8fdf0d6b1f206d1502b76e5730b19f1a1
Instruction ID: a0c06ae594c423e721cef451f4fcd5b66cf077b057f4c9725f16713faf586641
Opcode Fuzzy Hash: f05d7d63c53cfbc32d6bf75cf68646d8fdf0d6b1f206d1502b76e5730b19f1a1
Instruction Fuzzy Hash: ABF07FB6904A06EBDB158F61C0047DAFBB4BB88714F15421AD92C57350D77874658BC0

Function 02C45346 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73a1acd7818cfb234ac17cb506b77db41d4d9cb1708171dd1b59a064cab3b311
Instruction ID: 255142deb122bf28a68d1d7cf4b91972cd346341bbcb07c8ef76697b02e8616a
Opcode Fuzzy Hash: 73a1acd7818cfb234ac17cb506b77db41d4d9cb1708171dd1b59a064cab3b311
Instruction Fuzzy Hash: E5F09BB6A04A06EBDB25CF61C1047DAFBB4BB88714F15421AC92D67350C7B8B465CBC0

Function 02C46495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1bc21cf19514447e6e8d7ea70f938fec1472fd14f075dc3f280b9e7e15e5024
Instruction ID: ca189424c8c06b6364c83c82d212d9ad8f0e8e8f91b6ff6b595b341c3ac53463
Opcode Fuzzy Hash: c1bc21cf19514447e6e8d7ea70f938fec1472fd14f075dc3f280b9e7e15e5024
Instruction Fuzzy Hash: A3F092BA904A06EBDB15CF65C0047CAFBB4BB88714F15421AD52C67350D7787465CBC0

Function 02C3DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4c0861d7c0bce43d9652d3583c6e255fcb556d5b56d56184b69d3514a8083e
Instruction ID: f653ff793bc38d3aa92b6f2cb19af9cabda590a9014f97745bb17508cb0ea6ff
Opcode Fuzzy Hash: df4c0861d7c0bce43d9652d3583c6e255fcb556d5b56d56184b69d3514a8083e
Instruction Fuzzy Hash: 92F0C2B6D00A0AABDB258F61C1047DAFBB4BB84714F19461AC52C63310D3787465CBC0

Function 02C449AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0590c0ff0478afa7ad65f5f1fbf2985aaa3a3c1507f9cf6c8d85494227724a
Instruction ID: 4aa6eab398752bf6f92f8b234548f8f4b70e69aa58443ca5e6e697c4c6b9a27e
Opcode Fuzzy Hash: 1f0590c0ff0478afa7ad65f5f1fbf2985aaa3a3c1507f9cf6c8d85494227724a
Instruction Fuzzy Hash: 0FF0C2B6D00A06ABDB25CF61C0047CAFBB4BB88714F15461AC52C67310D3787465CBC0

Function 02C3DE6E Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1406d4fff8894865a1cf73f73786185b19d653840b2bcae36ed2130099c3e17
Instruction ID: 0257cab4e52c9e465a3635714d8abcb00d1ec68babe8e4f55a173f12d0339b18
Opcode Fuzzy Hash: d1406d4fff8894865a1cf73f73786185b19d653840b2bcae36ed2130099c3e17
Instruction Fuzzy Hash: A7F0C2B6D00A06ABDB258F61C0047CAFBB4BB84714F15421AC52C63310C7787565CBC0

Function 02C43C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5fe288e039036f78f18ae64851ac20690cbfe7d92416a9b3f0254a7287c3099
Instruction ID: 436bed6c742feebb0dbf143dca2a462397cdf026bc00e6c81143f93db0e45cff
Opcode Fuzzy Hash: c5fe288e039036f78f18ae64851ac20690cbfe7d92416a9b3f0254a7287c3099
Instruction Fuzzy Hash: D8F0C2B6D00A0AABDB258F61C1047CAFBB4BB84714F15461AC52C67320D3787465CBC0

Function 02C3B407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c93c892d1714ec7131220346ff55216c3f36a06e868cf1c06102891230ae5699
Instruction ID: 8e8b96fbcfecbb470d9470fc5a4974ae75d72a9bce698f73c3a7a3929f3836b2
Opcode Fuzzy Hash: c93c892d1714ec7131220346ff55216c3f36a06e868cf1c06102891230ae5699
Instruction Fuzzy Hash: 24F0C2B6D00A06ABDB258F61C0047CAFBB4BB84714F15461AC52C63350D3787465CBC0

Function 02C445E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f752d386f78022fa1ca22014394cee4d07edfd7e8ee9aca087f3f5f752b747f0
Instruction ID: dec6ea57df6190743d9c389f4743478a2bedf08221e0990db548d9ed3551a492
Opcode Fuzzy Hash: f752d386f78022fa1ca22014394cee4d07edfd7e8ee9aca087f3f5f752b747f0
Instruction Fuzzy Hash: 80F0C2B6D00A0AABDB258F65C1047CAFBB4BB84714F19461AC52C63310D3B87465CBC0

Function 02C44EF4 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2389c21714578c38d4afa4b074654f735e738324dba7e06ccab979c59883b53
Instruction ID: f2d79fc898ccd5f12968fc87aed71bdfd75ec280573540990a2990181e6eb79c
Opcode Fuzzy Hash: e2389c21714578c38d4afa4b074654f735e738324dba7e06ccab979c59883b53
Instruction Fuzzy Hash: 87F0C2B6D00A0AABDB24CF61C10439AF7B0BB84B14F15421AC52C63350C3B8B465CBC0

Non-executed Functions

Function 02CDF818 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002CD4000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2cd4000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2849d91b70f12643592cd8148f4cc774a008c668dc032f8306b3330de4ea16ac
Instruction ID: fb529632f750e7bf4f7150fc3e45b77c295b833d5b66e2aabbec2c26bb7fab12
Opcode Fuzzy Hash: 2849d91b70f12643592cd8148f4cc774a008c668dc032f8306b3330de4ea16ac
Instruction Fuzzy Hash: 76518171A043119FC310DF28D48062AF7F2BF89318F698A6EED99A7755D331E942CB91

Function 02C303C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1336773161.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_2c30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: c2dff64f1870814ea72defaa0baeb9938e28260648a59b8416da2276eb4ec2b9
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 3721C2BB5082568FDB368F1988403D9B7A5FB58314F214C2EDECDA7710D2306B898B91

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SAMPLE_5.exe.bin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7192

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SAMPLE_5.exe.bin.exePID: 5500, Parent PID: 3968

General

Chronological Activities

Analysis Process: javaw.exePID: 7192, Parent PID: 5500

General

Chronological Activities

Windows Analysis Report
SAMPLE_5.exe.bin.exe

Function 004B1180 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 230
COMMON

Function 004B1803 Relevance: 54.5, APIs: 22, Strings: 9, Instructions: 258
stringCOMMON

Function 004B449F Relevance: 38.7, APIs: 14, Strings: 8, Instructions: 160
stringCOMMON

Function 004B5880 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 448
stringCOMMON

Function 004B5F50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 282
COMMON

Function 004B4890 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 143
COMMON

Function 004B3E88 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
registrystringCOMMON

Function 004B40F7 Relevance: 22.8, APIs: 3, Strings: 10, Instructions: 61
stringCOMMON

Function 004B2657 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 165
stringCOMMON

Function 004B4726 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 84
COMMON

Function 004B2E9D Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 109
stringCOMMON

Function 004B63F0 Relevance: 16.6, APIs: 11, Instructions: 149
stringCOMMON

Function 004B3A11 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77
stringprocesssynchronizationCOMMON

Function 004B6640 Relevance: 10.6, APIs: 7, Instructions: 109
stringCOMMON

Function 004B12B9 Relevance: 10.6, APIs: 7, Instructions: 97
COMMON