Play interactive tour

Edit tour

Analysis Report hfs.exe

Overview

General Information

Sample Name:	hfs.exe
Analysis ID:	423150
MD5:	369b251eb6d24f63c95273f357359669
SHA1:	17820f1585a08fd7b5890192f58ab9860961b064
SHA256:	3b4ad8f1f15f1a73e99cf082ae38a821a7567b63415f57d63595baec079a4b07
Infos:
Most interesting Screenshot:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

IP address seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

hfs.exe (PID: 6272 cmdline: 'C:\Users\user\Desktop\hfs.exe' MD5: 369B251EB6D24F63C95273F357359669)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
hfs.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.229694292.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.hfs.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0.0.hfs.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: hfs.exe	Metadefender: Detection: 32%			Perma Link
Source: hfs.exe	ReversingLabs: Detection: 27%

Source: hfs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040D74C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_0040D74C
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040D970 FindFirstFileA,GetLastError,	0_2_0040D970
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00406C6C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_00406C6C

Source: Joe Sandbox View

IP Address: 185.20.49.7 185.20.49.7

Source: global traffic

HTTP traffic detected: GET /hfs/hfs.updateinfo.txt HTTP/1.0Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*User-Agent: HFS/2.3kHost: www.rejetto.com

Source: unknown

DNS traffic detected: queries for: www.rejetto.com

Source: hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM
Source: hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT
Source: hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	String found in binary or memory: HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXT
Source: hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	String found in binary or memory: HTTP://WWW.REJETTO.COM/HFS/
Source: hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: HTTP://WWW.REJETTO.COM/HFS/DOWNLOAD
Source: hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: HTTP://WWW.REJETTO.COM/HFS/HFS24RC06.EXE
Source: hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	String found in binary or memory: http://192.168.2.7/
Source: hfs.exe, 00000000.00000002.495522267.0000000000199000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.2.7/.7/8
Source: hfs.exe, 00000000.00000002.498273191.0000000000990000.00000004.00000020.sdmp	String found in binary or memory: http://192.168.2.7/Li
Source: hfs.exe, 00000000.00000002.495522267.0000000000199000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.2.7/h
Source: hfs.exe	String found in binary or memory: http://2ip.ru
Source: hfs.exe	String found in binary or memory: http://checkip.dyndns.org
Source: hfs.exe	String found in binary or memory: http://hfsservice.rejetto.com/ipservices.php
Source: hfs.exe	String found in binary or memory: http://hfstest.rejetto.com/?port=
Source: hfs.exe	String found in binary or memory: http://jquery.com/
Source: hfs.exe	String found in binary or memory: http://jquery.org/license
Source: hfs.exe	String found in binary or memory: http://rejetto.webfactional.com/hfs/ip.php
Source: hfs.exe	String found in binary or memory: http://sizzlejs.com/
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com/Impromptu/GPL
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com/Impromptu/GPL-LICENSE.txt
Source: hfs.exe	String found in binary or memory: http://trentrichardson.com/Impromptu/MIT-LICENSE.txt
Source: hfs.exe	String found in binary or memory: http://www.alexnolan.net/ip/
Source: hfs.exe	String found in binary or memory: http://www.canyouseeme.org
Source: hfs.exe	String found in binary or memory: http://www.cjb.net/cgi-bin/dynip.cgi?username=
Source: hfs.exe	String found in binary or memory: http://www.mario-online.com/mio_indirizzo_ip.php
Source: hfs.exe	String found in binary or memory: http://www.melauto.it/public/rejetto/ip.php
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/forum/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/forum/U
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs-donate
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs-donateU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/U
Source: hfs.exe, 00000000.00000002.500390157.000000000263A000.00000004.00000001.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/download
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/U
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.html
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/guide/intro.htmlU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/hfs/hfs.updateinfo.txt
Source: hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	String found in binary or memory: http://www.rejetto.com/hfs/hfs24rc06.exe
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfs
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/?faq=hfsU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/license.txt
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/sw/license.txtU
Source: hfs.exe	String found in binary or memory: http://www.rejetto.com/wiki/?title=HFS:_Event_scripts
Source: hfs.exe	String found in binary or memory: http://www.whatsmyrealip.com/

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_00572C7C EntryPoint,GetAsyncKeyState,

0_2_00572C7C

Source: hfs.exe, 00000000.00000002.498301712.000000000099A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00402290	0_2_00402290
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004137AC	0_2_004137AC
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00408EC4	0_2_00408EC4

Source: hfs.exe

Static PE information: Resource name: UNICODEDATA type: DOS executable (COM, 0x8C-variant)

Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: hfs.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: hfs.exe	Binary or memory string: OriginalFilename vs hfs.exe
Source: hfs.exe, 00000000.00000002.500556797.0000000002680000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs hfs.exe
Source: hfs.exe, 00000000.00000002.500487809.0000000002670000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs hfs.exe
Source: hfs.exe	Binary or memory string: OriginalFilename vs hfs.exe

Source: hfs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: hfs.exe

Binary string: @\??\C:\Device\LanmanRedirector\U

Source: classification engine

Classification label: mal48.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_00435770 GetLastError,FormatMessageA,

0_2_00435770

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0040DDF0 GetDiskFreeSpaceA,

0_2_0040DDF0

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0041F918 FindResourceA,

0_2_0041F918

Source: C:\Users\user\Desktop\hfs.exe

File created: C:\Users\user\Desktop\test.tmp~604344835.tmp

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Mutant created: \Sessions\1\BaseNamedObjects\HttpFileServer

Source: Yara match	File source: hfs.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.229694292.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.hfs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.hfs.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\hfs.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hfs.exe	Metadefender: Detection: 32%
Source: hfs.exe	ReversingLabs: Detection: 27%

Source: hfs.exe	String found in binary or memory: log-server-stop
Source: hfs.exe	String found in binary or memory: log-server-start
Source: hfs.exe	String found in binary or memory: copy-url-on-addition
Source: hfs.exe	String found in binary or memory: copy-url-on-start
Source: hfs.exe	String found in binary or memory: find-external-on-startup
Source: hfs.exe	String found in binary or memory: reload-on-startup
Source: hfs.exe	String found in binary or memory: do-not-log-address
Source: hfs.exe	String found in binary or memory: last-external-address
Source: hfs.exe	String found in binary or memory: %number-addresses-ever%
Source: hfs.exe	String found in binary or memory: %number-addresses-downloading%
Source: hfs.exe	String found in binary or memory: %number-addresses%
Source: hfs.exe	String found in binary or memory: %item-added-dt%
Source: hfs.exe	String found in binary or memory: %item-added%
Source: hfs.exe	String found in binary or memory: log-server-stop=
Source: hfs.exe	String found in binary or memory: log-server-start=
Source: hfs.exe	String found in binary or memory: reload-on-startup=
Source: hfs.exe	String found in binary or memory: find-external-on-startup=
Source: hfs.exe	String found in binary or memory: last-external-address=
Source: hfs.exe	String found in binary or memory: do-not-log-address=
Source: hfs.exe	String found in binary or memory: copy-url-on-start=
Source: hfs.exe	String found in binary or memory: copy-url-on-addition=
Source: hfs.exe	String found in binary or memory: }//addPagingButton function pageIt(anim) { var rows = $('#files tr'); if (!rows.size()) return; page = 0; // this is global var pages = $("<div id='pages'>{.!Page.} </div>").css('visibility','hidden').insertBefore('#files');
Source: hfs.exe	String found in binary or memory: /Address family not supported by protocol family
Source: hfs.exe	String found in binary or memory: %number-addresses%
Source: hfs.exe	String found in binary or memory: %number-addresses-ever%
Source: hfs.exe	String found in binary or memory: %number-addresses-downloading%
Source: hfs.exe	String found in binary or memory: %item-added-dt%
Source: hfs.exe	String found in binary or memory: %item-added%
Source: hfs.exe	String found in binary or memory: log-server-start=
Source: hfs.exe	String found in binary or memory: log-server-stop=
Source: hfs.exe	String found in binary or memory: reload-on-startup=
Source: hfs.exe	String found in binary or memory: find-external-on-startup=
Source: hfs.exe	String found in binary or memory: do-not-log-address=
Source: hfs.exe	String found in binary or memory: last-external-address=
Source: hfs.exe	String found in binary or memory: copy-url-on-start=
Source: hfs.exe	String found in binary or memory: copy-url-on-addition=
Source: hfs.exe	String found in binary or memory: log-server-start
Source: hfs.exe	String found in binary or memory: log-server-stop
Source: hfs.exe	String found in binary or memory: copy-url-on-addition
Source: hfs.exe	String found in binary or memory: copy-url-on-start
Source: hfs.exe	String found in binary or memory: reload-on-startup
Source: hfs.exe	String found in binary or memory: find-external-on-startup
Source: hfs.exe	String found in binary or memory: do-not-log-address
Source: hfs.exe	String found in binary or memory: last-external-address
Source: hfs.exe	String found in binary or memory: -START "" /WAIT "%s" -q
Source: hfs.exe	String found in binary or memory: }//addPagingButton

Source: C:\Users\user\Desktop\hfs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Window found: window name: TButton

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: hfs.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: hfs.exe

Static file information: File size 2501632 > 1048576

Source: hfs.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x16f800

Source: hfs.exe

Static PE information: section name: JCLDEBUG

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004150EC push 00415118h; ret	0_2_00415110
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040B4BC push 0040B4F9h; ret	0_2_0040B4F1
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004146A4 push 0041482Fh; ret	0_2_00414827
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0041B744 push 0041B7BAh; ret	0_2_0041B7B2
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_004077A0 push 004077FBh; ret	0_2_004077F3
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0041C9C4 push 0041CA11h; ret	0_2_0041CA09
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00408C20 push 00408C62h; ret	0_2_00408C5A

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0048C610 IsIconic,SetActiveWindow,IsWindowEnabled,DefWindowProcA,SetWindowPos,SetFocus,

0_2_0048C610

Source: C:\Users\user\Desktop\hfs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\hfs.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_0-19598

Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040D74C FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToSystemTime,	0_2_0040D74C
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_0040D970 FindFirstFileA,GetLastError,	0_2_0040D970
Source: C:\Users\user\Desktop\hfs.exe	Code function: 0_2_00406C6C GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_00406C6C

Source: hfs.exe, 00000000.00000002.498350228.00000000009C1000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\hfs.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_00406E30
Source: C:\Users\user\Desktop\hfs.exe	Code function: GetLocaleInfoA,	0_2_00411364
Source: C:\Users\user\Desktop\hfs.exe	Code function: GetLocaleInfoA,	0_2_00411308
Source: C:\Users\user\Desktop\hfs.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_00406F3C

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_0040FA4C GetLocalTime,

0_2_0040FA4C

Source: C:\Users\user\Desktop\hfs.exe

Code function: 0_2_00412558 GetVersionExA,

0_2_00412558

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Path Interception	Process Injection1	Masquerading1	Input Capture21	System Time Discovery1	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery14	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hfs.exe	32%	Metadefender		Browse
hfs.exe	27%	ReversingLabs	Win32.Network.HttpFileServer

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://192.168.2.7/Li	0%	Avira URL Cloud	safe
http://www.alexnolan.net/ip/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://192.168.2.7/h	0%	Avira URL Cloud	safe
http://rejetto.webfactional.com/hfs/ip.php	0%	Avira URL Cloud	safe
http://192.168.2.7/.7/8	0%	Avira URL Cloud	safe
http://www.melauto.it/public/rejetto/ip.php	0%	Avira URL Cloud	safe
http://www.mario-online.com/mio_indirizzo_ip.php	0%	Avira URL Cloud	safe
http://192.168.2.7/	0%	Avira URL Cloud	safe
http://www.whatsmyrealip.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.rejetto.com	185.20.49.7	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rejetto.com/hfs/hfs.updateinfo.txt	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
HTTP://WWW.REJETTO.COM/HFS/	hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	false		high
http://www.canyouseeme.org	hfs.exe	false		high
http://jquery.org/license	hfs.exe	false		high
http://www.rejetto.com/hfs/download	hfs.exe, 00000000.00000002.500390157.000000000263A000.00000004.00000001.sdmp	false		high
http://www.rejetto.com/hfs/guide/intro.html	hfs.exe	false		high
HTTP://WWW.REJETTO.COM/HFS/DOWNLOAD	hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	false		high
http://www.cjb.net/cgi-bin/dynip.cgi?username=	hfs.exe	false		high
http://www.rejetto.com/wiki/?title=HFS:_Event_scripts	hfs.exe	false		high
http://192.168.2.7/Li	hfs.exe, 00000000.00000002.498273191.0000000000990000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alexnolan.net/ip/	hfs.exe	false	Avira URL Cloud: safe	unknown
http://sizzlejs.com/	hfs.exe	false		high
http://www.rejetto.com/sw/?faq=hfsU	hfs.exe	false		high
http://www.rejetto.com/hfs/U	hfs.exe	false		high
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/GPL-LICENSE.TXT	hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	false		high
http://www.rejetto.com/hfs/guide/U	hfs.exe	false		high
http://checkip.dyndns.org	hfs.exe	false	Avira URL Cloud: safe	unknown
http://192.168.2.7/h	hfs.exe, 00000000.00000002.495522267.0000000000199000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://rejetto.webfactional.com/hfs/ip.php	hfs.exe	false	Avira URL Cloud: safe	unknown
http://192.168.2.7/.7/8	hfs.exe, 00000000.00000002.495522267.0000000000199000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs/guide/intro.htmlU	hfs.exe	false		high
http://www.melauto.it/public/rejetto/ip.php	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/hfs-donateU	hfs.exe	false		high
http://www.mario-online.com/mio_indirizzo_ip.php	hfs.exe	false	Avira URL Cloud: safe	unknown
http://www.rejetto.com/sw/license.txt	hfs.exe	false		high
http://www.rejetto.com/hfs/	hfs.exe	false		high
http://www.rejetto.com/sw/license.txtU	hfs.exe	false		high
http://192.168.2.7/	hfs.exe, 00000000.00000002.498534055.0000000001020000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://trentrichardson.com/Impromptu/GPL-LICENSE.txt	hfs.exe	false		high
http://trentrichardson.com/Impromptu/MIT-LICENSE.txt	hfs.exe	false		high
http://www.rejetto.com/forum/	hfs.exe	false		high
http://www.rejetto.com/hfs-donate	hfs.exe	false		high
http://trentrichardson.com/Impromptu/GPL	hfs.exe	false		high
HTTP://TRENTRICHARDSON.COM/IMPROMPTU/MIT-LICENSE.TXT	hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	false		high
http://2ip.ru	hfs.exe	false		high
http://hfsservice.rejetto.com/ipservices.php	hfs.exe	false		high
http://www.rejetto.com/hfs/guide/	hfs.exe	false		high
http://www.rejetto.com/forum/U	hfs.exe	false		high
http://www.whatsmyrealip.com/	hfs.exe	false	Avira URL Cloud: safe	unknown
HTTP://TRENTRICHARDSON.COM	hfs.exe, 00000000.00000002.507087661.0000000004850000.00000004.00000001.sdmp	false		high
http://trentrichardson.com	hfs.exe	false		high
http://hfstest.rejetto.com/?port=	hfs.exe	false		high
http://jquery.com/	hfs.exe	false		high
HTTP://WWW.REJETTO.COM/HFS/HFS24RC06.EXE	hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	false		high
http://www.rejetto.com/hfs/hfs24rc06.exe	hfs.exe, 00000000.00000002.507138111.0000000004891000.00000004.00000001.sdmp	false		high
http://www.rejetto.com/sw/?faq=hfs	hfs.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.20.49.7	www.rejetto.com	United Kingdom		198047	UKWEB-EQXGB	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	423150
Start date:	24.05.2021
Start time:	21:25:32
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	hfs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.winEXE@1/2@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 168.61.161.212, 204.79.197.200, 13.107.21.200, 20.82.209.183, 13.88.21.125, 92.122.145.220, 52.147.198.201, 104.42.151.234, 23.57.80.111, 52.184.81.210, 13.107.4.50, 92.122.213.247, 92.122.213.194, 20.54.7.98, 20.54.104.15, 20.54.26.129 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, elasticShed.au.au-msedge.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, Edge-Prod-FRAr4a.env.au.au-msedge.net, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, afdap.au.au-msedge.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, au.au-msedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, au.c-0001.c-msedge.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/423150/sample/hfs.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.20.49.7	http://37.1.211.221:1699	Get hash	malicious	Browse	www.rejetto.com/hfs/pics/favicon.ico
	hfs.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt
	hfs.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt
	rjAAd0Yg6h.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt
	hfs.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt
	hfs.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt
	hfs.exe	Get hash	malicious	Browse	www.rejetto.com/hfs/hfs.updateinfo.txt

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.rejetto.com	http://37.1.211.221:1699	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	rjAAd0Yg6h.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7
	hfs.exe	Get hash	malicious	Browse	185.20.49.7

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UKWEB-EQXGB	triage_dropped_file.exe	Get hash	malicious	Browse	185.119.173.245
	Document27467.xls	Get hash	malicious	Browse	31.170.127.252
	Document204.xls	Get hash	malicious	Browse	31.170.127.252
	Document2545.xls	Get hash	malicious	Browse	31.170.127.252
	List items.exe	Get hash	malicious	Browse	185.119.173.82
	document-891775316.xls	Get hash	malicious	Browse	185.119.173.89
	IMG-033-040.exe	Get hash	malicious	Browse	185.119.173.57
	https://www.google.com/url?q=https://montygaels.com/%2B4/index.php&source=gmail&ust=1607683379487000&usg=AFQjCNFkHdnNTrDEDR09rafJw8NnHVS_fg	Get hash	malicious	Browse	31.170.122.48
	Order List.xlsx	Get hash	malicious	Browse	185.119.173.57
	https://ncsautoparts.co.uk/	Get hash	malicious	Browse	185.119.173.37
	https://mrreach.co.uk	Get hash	malicious	Browse	31.170.123.172
	JyK71Q3Y].js	Get hash	malicious	Browse	195.62.29.68
	JyK71Q3Y].js	Get hash	malicious	Browse	195.62.29.68
	test9.exe	Get hash	malicious	Browse	185.119.173.112
	sKu7FoPlk3.exe	Get hash	malicious	Browse	185.20.49.164
	https://mojo-studios.co.uk/	Get hash	malicious	Browse	185.20.51.238
	0RNzedtLDba4L25.exe	Get hash	malicious	Browse	185.24.98.18
	app-debug.apk	Get hash	malicious	Browse	185.119.173.4
	1.12.2018.js	Get hash	malicious	Browse	185.20.50.158
	1.12.2018.js	Get hash	malicious	Browse	185.20.50.158

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\HFS last update check.tmp~1132849683.tmp Download File
Process:	C:\Users\user\Desktop\hfs.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

C:\Users\user\Desktop\test.tmp~604344835.tmp Download File
Process:	C:\Users\user\Desktop\hfs.exe
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.713169405896338
TrID:	Win32 Executable (generic) a (10002005/4) 99.53% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	hfs.exe
File size:	2501632
MD5:	369b251eb6d24f63c95273f357359669
SHA1:	17820f1585a08fd7b5890192f58ab9860961b064
SHA256:	3b4ad8f1f15f1a73e99cf082ae38a821a7567b63415f57d63595baec079a4b07
SHA512:	305340b4a0047d81452c29eb63bbc263a921b5b6cc46afe09d38329e966aea411a77039671cdc2cbe7715a784025ebb3a9309eaf8ac95b868242a970fe66a1f0
SSDEEP:	49152:Lx7zARwmihR2Gb2Nj4mM1681npUE17RgPT9q5qqvy4ddxCco7SZS1:Lh+wmihRnb2NcmMNc8RvW7
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	78f8cab2b0e17b99

Static PE Info

General
Entrypoint:	0x572c7c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	836101b1c206392049600d0155c5d3ef

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFECh
push ebx
xor eax, eax
mov dword ptr [ebp-14h], eax
mov eax, 005702A0h
call 00007F4F0C20EDC7h
mov ebx, dword ptr [0057B5B0h]
xor eax, eax
push ebp
push 00572DD1h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov eax, dword ptr [0057B240h]
mov eax, dword ptr [eax]
mov dword ptr [eax+14h], 005700FCh
push 00000011h
call 00007F4F0C20FA12h
movsx eax, ax
test ah, FFFFFF80h
jne 00007F4F0C37A1FEh
mov eax, dword ptr [0057B240h]
mov eax, dword ptr [eax]
mov edx, 00572DE8h
call 00007F4F0C2962C5h
test al, al
jne 00007F4F0C37A1C2h
mov eax, dword ptr [0057B240h]
mov eax, dword ptr [eax]
mov ecx, dword ptr [eax+0Ch]
lea eax, dword ptr [ebp-14h]
mov edx, 00572E00h
call 00007F4F0C20CBFEh
mov eax, dword ptr [ebp-14h]
xor ecx, ecx
mov edx, 00000010h
call 00007F4F0C31268Fh
mov eax, 00000001h
call 00007F4F0C20C7E9h
mov eax, dword ptr [0057B240h]
mov eax, dword ptr [eax]
cmp byte ptr [eax+08h], 00000000h
jne 00007F4F0C37A1ACh
call 00007F4F0C37760Fh
test al, al
je 00007F4F0C37A1A3h
mov eax, dword ptr [0057B240h]
mov eax, dword ptr [eax]
call 00007F4F0C296347h
jmp 00007F4F0C37A221h
mov eax, dword ptr [ebx]
call 00007F4F0C2943D3h
mov ecx, dword ptr [0057B428h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0053D890h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18a000	0x3884	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a6000	0x75800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x190000	0x15178	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x18f018	0x2d	.rdata
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x18f000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18aaac	0x8b8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x16f750	0x16f800	False	0.461631723002	data	6.42794682465	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.itext	0x171000	0x1e10	0x2000	False	0.541748046875	data	6.15201614074	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x173000	0x88c8	0x8a00	False	0.561084692029	data	5.70575735737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.bss	0x17c000	0xdd64	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x18a000	0x3884	0x3a00	False	0.308526400862	data	5.15891016227	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x18e000	0x40	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x18f000	0x45	0x200	False	0.142578125	data	1.00105646436	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x190000	0x15178	0x15200	False	0.58806397929	data	6.69825005654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x1a6000	0x75800	0x75800	False	0.377474650931	data	5.96661610682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
JCLDEBUG	0x21c000	0x59eec	0x5a000	False	0.407481553819	data	5.99260109275	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
GIF	0x1a79d0	0x179e	GIF image data, version 89a, 387 x 169	Italian	Italy
TEXT	0x1a9170	0x30b	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1a947c	0x109	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1a9588	0xc6cd	HTML document, ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1b5c58	0x236	HTML document, ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1b5e90	0x56	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1b5ee8	0x1c9	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1b60b4	0x14b	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1b6200	0x119ee	ASCII text, with very long lines	Italian	Italy
TEXT	0x1c7bf0	0xc1	ASCII text, with CRLF line terminators	Italian	Italy
TEXT	0x1c7cb4	0x124	ASCII text, with CRLF line terminators	Italian	Italy
UNICODEDATA	0x1c7dd8	0x7155	data	French	France
UNICODEDATA	0x1cef30	0x7ba5	data	French	France
UNICODEDATA	0x1d6ad8	0x67e	data	French	France
UNICODEDATA	0x1d7158	0x9cf1	data	French	France
UNICODEDATA	0x1e0e4c	0xd271	DOS executable (COM, 0x8C-variant)	French	France
UNICODEDATA	0x1ee0c0	0x1435	data	French	France
RT_CURSOR	0x1ef4f8	0x134	data	English	United States
RT_CURSOR	0x1ef62c	0x134	data	English	United States
RT_CURSOR	0x1ef760	0x134	data	English	United States
RT_CURSOR	0x1ef894	0x134	data	English	United States
RT_CURSOR	0x1ef9c8	0x134	data	English	United States
RT_CURSOR	0x1efafc	0x134	data	English	United States
RT_CURSOR	0x1efc30	0x134	data	English	United States
RT_BITMAP	0x1efd64	0x1d0	data	English	United States
RT_BITMAP	0x1eff34	0x1e4	data	English	United States
RT_BITMAP	0x1f0118	0x1d0	data	English	United States
RT_BITMAP	0x1f02e8	0x1d0	data	English	United States
RT_BITMAP	0x1f04b8	0x1d0	data	English	United States
RT_BITMAP	0x1f0688	0x1d0	data	English	United States
RT_BITMAP	0x1f0858	0x1d0	data	English	United States
RT_BITMAP	0x1f0a28	0x1d0	data	English	United States
RT_BITMAP	0x1f0bf8	0x1d0	data	English	United States
RT_BITMAP	0x1f0dc8	0x1d0	data	English	United States
RT_BITMAP	0x1f0f98	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1058	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1138	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1218	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f12f8	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f13b8	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1478	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1558	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f1618	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f16f8	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f17e0	0xc0	GLS_BINARY_LSB_FIRST	English	United States
RT_BITMAP	0x1f18a0	0xe0	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x1f1980	0x25a8	dBase III DBT, version number 0, next free block index 40	Italian	Italy
RT_ICON	0x1f3f28	0x4228	dBase III DBT, version number 0, next free block index 40	Italian	Italy
RT_ICON	0x1f8150	0x8a8	data	Italian	Italy
RT_ICON	0x1f89f8	0x568	GLS_BINARY_LSB_FIRST	Italian	Italy
RT_DIALOG	0x1f8f60	0x52	data
RT_DIALOG	0x1f8fb4	0x52	data
RT_STRING	0x1f9008	0x464	data
RT_STRING	0x1f946c	0x870	data
RT_STRING	0x1f9cdc	0x8f8	data
RT_STRING	0x1fa5d4	0x77c	data
RT_STRING	0x1fad50	0x84c	data
RT_STRING	0x1fb59c	0xa60	data
RT_STRING	0x1fbffc	0x7cc	data
RT_STRING	0x1fc7c8	0x274	data
RT_STRING	0x1fca3c	0x294	data
RT_STRING	0x1fccd0	0x1fc	data
RT_STRING	0x1fcecc	0x438	data
RT_STRING	0x1fd304	0x44c	data
RT_STRING	0x1fd750	0x310	data
RT_STRING	0x1fda60	0x3d4	data
RT_STRING	0x1fde34	0x2ac	data
RT_STRING	0x1fe0e0	0xbc	data
RT_STRING	0x1fe19c	0x16c	data
RT_STRING	0x1fe308	0x204	data
RT_STRING	0x1fe50c	0x3dc	data
RT_STRING	0x1fe8e8	0x390	data
RT_STRING	0x1fec78	0x3c0	data
RT_STRING	0x1ff038	0x360	data
RT_STRING	0x1ff398	0x43c	data
RT_STRING	0x1ff7d4	0xcc	data
RT_STRING	0x1ff8a0	0xb0	data
RT_STRING	0x1ff950	0x27c	data
RT_STRING	0x1ffbcc	0x3bc	data
RT_STRING	0x1fff88	0x368	data
RT_STRING	0x2002f0	0x2d4	data
RT_RCDATA	0x2005c4	0x5c	data
RT_RCDATA	0x200620	0x10	data
RT_RCDATA	0x200630	0x770	data
RT_RCDATA	0x200da0	0x18d	Delphi compiled form 'TdiffFrm'
RT_RCDATA	0x200f30	0x16a7	Delphi compiled form 'TfilepropFrm'
RT_RCDATA	0x2025d8	0xcfd	Delphi compiled form 'TfolderKindFrm'
RT_RCDATA	0x2032d8	0x370	Delphi compiled form 'TipsEverFrm'
RT_RCDATA	0x203648	0x29d	Delphi compiled form 'TlistSelectFrm'
RT_RCDATA	0x2038e8	0x3cf	Delphi compiled form 'TlonginputFrm'
RT_RCDATA	0x203cb8	0x13ff7	Delphi compiled form 'TmainFrm'
RT_RCDATA	0x217cb0	0x419	Delphi compiled form 'TnewuserpassFrm'
RT_RCDATA	0x2180cc	0x2597	Delphi compiled form 'ToptionsFrm'
RT_RCDATA	0x21a664	0x396	Delphi compiled form 'TpurgeFrm'
RT_RCDATA	0x21a9fc	0x363	Delphi compiled form 'TrunScriptFrm'
RT_RCDATA	0x21ad60	0x2fb	Delphi compiled form 'TshellExtFrm'
RT_GROUP_CURSOR	0x21b05c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b070	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b084	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b098	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b0ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b0c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0x21b0d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0x21b0e8	0x3e	data	Italian	Italy
RT_VERSION	0x21b128	0x318	data	Italian	Italy
RT_MANIFEST	0x21b440	0x29f	XML 1.0 document, ASCII text, with CRLF line terminators	Italian	Italy

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetTickCount, QueryPerformanceCounter, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, RemoveDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, ValidateRect, UpdateWindow, UnregisterClassA, UnionRect, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, SendDlgItemMessageA, ScrollWindowEx, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharBuffA, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FlashWindow, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DestroyCaret, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIconIndirect, CreateIcon, CreateCaret, CopyImage, CloseClipboard, ClientToScreen, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharUpperA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	GradientFill
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWindowExtEx, SetWinMetaFileBits, SetViewportOrgEx, SetViewportExtEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectType, GetObjectA, GetNearestPaletteIndex, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExtCreatePen, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrlenW, lstrcpynW, lstrcpyA, lstrcmpA, WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TerminateProcess, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetLastError, SetFilePointer, SetFileAttributesA, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, ResumeThread, ResetEvent, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, PeekNamedPipe, OutputDebugStringA, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalHandle, GlobalLock, GlobalGetAtomNameA, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetTempFileNameA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameW, GetFullPathNameA, GetFileTime, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableA, GetDriveTypeA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeviceIoControl, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreatePipe, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringW, CompareStringA, CloseHandle
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumValueA, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, SysFreeString
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID, CoCreateInstance, CoUninitialize, CoInitialize
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	Shell_NotifyIconA, ShellExecuteA, SHGetFileInfoA, SHFileOperationA, DragQueryFileA, DragAcceptFiles
shell32.dll	SHGetPathFromIDListA, SHGetMalloc, SHBrowseForFolderA
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
comdlg32.dll	ChooseFontA, GetSaveFileNameA, GetOpenFileNameA
winmm.dll	timeGetTime, PlaySoundA
kernel32.dll	GetVersionExA
kernel32.dll	MulDiv
shell32.dll

Version Infos

Description	Data
LegalCopyright	Copyright (C) 2002-2010 Massimo Melina (www.rejetto.com)
InternalName	HFS
FileVersion	2.3.0.0
CompanyName	rejetto
LegalTrademarks
Comments
ProductName	Http File Server
ProductVersion	2.3
FileDescription
OriginalFilename	hfs.exe
Translation	0x0410 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
Italian	Italy
French	France
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2021 21:27:33.955357075 CEST	49727	80	192.168.2.7	185.20.49.7
May 24, 2021 21:27:34.007930040 CEST	80	49727	185.20.49.7	192.168.2.7
May 24, 2021 21:27:34.008044958 CEST	49727	80	192.168.2.7	185.20.49.7
May 24, 2021 21:27:34.008574009 CEST	49727	80	192.168.2.7	185.20.49.7
May 24, 2021 21:27:34.061012030 CEST	80	49727	185.20.49.7	192.168.2.7
May 24, 2021 21:27:34.062905073 CEST	80	49727	185.20.49.7	192.168.2.7
May 24, 2021 21:27:34.062926054 CEST	80	49727	185.20.49.7	192.168.2.7
May 24, 2021 21:27:34.062993050 CEST	49727	80	192.168.2.7	185.20.49.7
May 24, 2021 21:27:34.063910961 CEST	49727	80	192.168.2.7	185.20.49.7
May 24, 2021 21:27:34.116339922 CEST	80	49727	185.20.49.7	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2021 21:26:15.364415884 CEST	62452	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:15.417660952 CEST	53	62452	8.8.8.8	192.168.2.7
May 24, 2021 21:26:15.598253965 CEST	57820	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:15.656748056 CEST	53	57820	8.8.8.8	192.168.2.7
May 24, 2021 21:26:15.695535898 CEST	50848	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:15.745712996 CEST	53	50848	8.8.8.8	192.168.2.7
May 24, 2021 21:26:16.289452076 CEST	61242	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:16.339087009 CEST	53	61242	8.8.8.8	192.168.2.7
May 24, 2021 21:26:17.404550076 CEST	58562	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:17.456932068 CEST	53	58562	8.8.8.8	192.168.2.7
May 24, 2021 21:26:18.478482962 CEST	56590	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:18.540669918 CEST	53	56590	8.8.8.8	192.168.2.7
May 24, 2021 21:26:18.598256111 CEST	60501	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:18.650311947 CEST	53	60501	8.8.8.8	192.168.2.7
May 24, 2021 21:26:19.610204935 CEST	53775	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:19.660253048 CEST	53	53775	8.8.8.8	192.168.2.7
May 24, 2021 21:26:21.113945961 CEST	51837	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:21.166131020 CEST	53	51837	8.8.8.8	192.168.2.7
May 24, 2021 21:26:22.718183994 CEST	55411	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:22.768688917 CEST	53	55411	8.8.8.8	192.168.2.7
May 24, 2021 21:26:24.240747929 CEST	63668	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:24.290091038 CEST	53	63668	8.8.8.8	192.168.2.7
May 24, 2021 21:26:25.453555107 CEST	54640	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:25.504585981 CEST	53	54640	8.8.8.8	192.168.2.7
May 24, 2021 21:26:26.644530058 CEST	58739	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:26.696171999 CEST	53	58739	8.8.8.8	192.168.2.7
May 24, 2021 21:26:27.733686924 CEST	60338	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:27.783020973 CEST	53	60338	8.8.8.8	192.168.2.7
May 24, 2021 21:26:28.920090914 CEST	58717	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:28.969948053 CEST	53	58717	8.8.8.8	192.168.2.7
May 24, 2021 21:26:29.864845991 CEST	59762	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:29.914041996 CEST	53	59762	8.8.8.8	192.168.2.7
May 24, 2021 21:26:30.695818901 CEST	54329	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:30.745378971 CEST	53	54329	8.8.8.8	192.168.2.7
May 24, 2021 21:26:32.098417044 CEST	58052	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:32.159338951 CEST	53	58052	8.8.8.8	192.168.2.7
May 24, 2021 21:26:33.205581903 CEST	54008	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:33.263540030 CEST	53	54008	8.8.8.8	192.168.2.7
May 24, 2021 21:26:34.416299105 CEST	59451	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:34.465806007 CEST	53	59451	8.8.8.8	192.168.2.7
May 24, 2021 21:26:35.626372099 CEST	52914	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:35.684406042 CEST	53	52914	8.8.8.8	192.168.2.7
May 24, 2021 21:26:37.031044960 CEST	64569	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:37.080537081 CEST	53	64569	8.8.8.8	192.168.2.7
May 24, 2021 21:26:39.730110884 CEST	52816	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:39.730667114 CEST	50781	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:39.793993950 CEST	53	50781	8.8.8.8	192.168.2.7
May 24, 2021 21:26:39.799544096 CEST	53	52816	8.8.8.8	192.168.2.7
May 24, 2021 21:26:40.867248058 CEST	54230	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:40.916799068 CEST	53	54230	8.8.8.8	192.168.2.7
May 24, 2021 21:26:53.533245087 CEST	54911	53	192.168.2.7	8.8.8.8
May 24, 2021 21:26:53.594068050 CEST	53	54911	8.8.8.8	192.168.2.7
May 24, 2021 21:27:10.816457033 CEST	49958	53	192.168.2.7	8.8.8.8
May 24, 2021 21:27:10.866947889 CEST	53	49958	8.8.8.8	192.168.2.7
May 24, 2021 21:27:30.215508938 CEST	50860	53	192.168.2.7	8.8.8.8
May 24, 2021 21:27:30.265175104 CEST	53	50860	8.8.8.8	192.168.2.7
May 24, 2021 21:27:33.891727924 CEST	50452	53	192.168.2.7	8.8.8.8
May 24, 2021 21:27:33.950155020 CEST	53	50452	8.8.8.8	192.168.2.7
May 24, 2021 21:27:41.001808882 CEST	59730	53	192.168.2.7	8.8.8.8
May 24, 2021 21:27:41.061309099 CEST	53	59730	8.8.8.8	192.168.2.7
May 24, 2021 21:28:04.615545034 CEST	59310	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:04.760322094 CEST	53	59310	8.8.8.8	192.168.2.7
May 24, 2021 21:28:05.457724094 CEST	51919	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:05.586978912 CEST	53	51919	8.8.8.8	192.168.2.7
May 24, 2021 21:28:06.446866035 CEST	64296	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:06.515202999 CEST	53	64296	8.8.8.8	192.168.2.7
May 24, 2021 21:28:06.606220961 CEST	56680	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:06.669029951 CEST	53	56680	8.8.8.8	192.168.2.7
May 24, 2021 21:28:07.924683094 CEST	58820	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:07.983522892 CEST	53	58820	8.8.8.8	192.168.2.7
May 24, 2021 21:28:08.920664072 CEST	60983	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:08.978810072 CEST	53	60983	8.8.8.8	192.168.2.7
May 24, 2021 21:28:09.696399927 CEST	49247	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:09.757498980 CEST	53	49247	8.8.8.8	192.168.2.7
May 24, 2021 21:28:10.376450062 CEST	52286	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:10.513739109 CEST	53	52286	8.8.8.8	192.168.2.7
May 24, 2021 21:28:11.771423101 CEST	56064	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:11.829243898 CEST	53	56064	8.8.8.8	192.168.2.7
May 24, 2021 21:28:13.025057077 CEST	63744	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:13.083012104 CEST	53	63744	8.8.8.8	192.168.2.7
May 24, 2021 21:28:13.671822071 CEST	61457	53	192.168.2.7	8.8.8.8
May 24, 2021 21:28:13.732264042 CEST	53	61457	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 24, 2021 21:27:33.891727924 CEST	192.168.2.7	8.8.8.8	0x28f1	Standard query (0)	www.rejetto.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 24, 2021 21:27:33.950155020 CEST	8.8.8.8	192.168.2.7	0x28f1	No error (0)	www.rejetto.com		185.20.49.7	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.rejetto.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49727	185.20.49.7	80	C:\Users\user\Desktop\hfs.exe

Timestamp	kBytes transferred	Direction	Data
May 24, 2021 21:27:34.008574009 CEST	1602	OUT	GET /hfs/hfs.updateinfo.txt HTTP/1.0 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / User-Agent: HFS/2.3k Host: www.rejetto.com
May 24, 2021 21:27:34.062905073 CEST	1602	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 24 May 2021 19:27:32 GMT Content-Type: text/plain Content-Length: 246 Connection: close Vary: Accept-Encoding Last-Modified: Mon, 29 Jun 2020 08:14:32 GMT ETag: "f6-5a934a60c08f5" Accept-Ranges: bytes X-Frame-Options: SAMEORIGIN Data Raw: 48 46 53 20 75 70 64 61 74 65 20 69 6e 66 6f 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 5d 0d 0a 32 2e 33 6d 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 62 75 69 6c 64 5d 0d 0a 33 30 30 0d 0a 5b 6c 61 73 74 20 73 74 61 62 6c 65 20 75 72 6c 5d 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 72 65 6a 65 74 74 6f 2e 63 6f 6d 2f 68 66 73 2f 64 6f 77 6e 6c 6f 61 64 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 5d 0d 0a 32 2e 34 2e 30 20 52 43 36 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 20 62 75 69 6c 64 5d 0d 0a 33 31 38 0d 0a 5b 6c 61 73 74 20 75 6e 74 65 73 74 65 64 20 75 72 6c 5d 0d 0a 68 74 74 70 3a 2f 2f 77 77 77 2e 72 65 6a 65 74 74 6f 2e 63 6f 6d 2f 68 66 73 2f 68 66 73 32 34 72 63 30 36 2e 65 78 65 0d 0a 5b 45 4f 46 5d 0d 0a Data Ascii: HFS update info[last stable]2.3m[last stable build]300[last stable url]http://www.rejetto.com/hfs/download[last untested]2.4.0 RC6[last untested build]318[last untested url]http://www.rejetto.com/hfs/hfs24rc06.exe[EOF]

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: hfs.exe PID: 6272 Parent PID: 5688

General

Start time:	21:26:21
Start date:	24/05/2021
Path:	C:\Users\user\Desktop\hfs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\hfs.exe'
Imagebase:	0x400000
File size:	2501632 bytes
MD5 hash:	369B251EB6D24F63C95273F357359669
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.229694292.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: hfs.exe PID: 6272 Parent PID: 5688 hfs.exeCOMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	83

Executed Functions

Function 00406E30, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,005737CC), ref: 00406E4C
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,005737CC), ref: 00406E6A
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,005737CC), ref: 00406E88
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406EA6
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406F35,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406EEF
RegQueryValueExA.ADVAPI32(?,0040709C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406F35,?,80000001), ref: 00406F0D
RegCloseKey.ADVAPI32(?,00406F3C,00000000,?,?,00000000,00406F35,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406F2F
lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406F4C
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406F59
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406F5F
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406F8A
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406FD1
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406FE1
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407009
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407019
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040703F
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 0040704F

Strings

Software\Borland\Locales, xrefs: 00406E60, 00406E7E
Software\Borland\Delphi\Locales, xrefs: 00406E9C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 753aca0c7c9d09bc21afe209cdcb4051d76638eb44692da263f6186154fbc7c3
Instruction ID: 2b897278796ba95d7bb20e7528a288cbb1ae90ff4893c7f129529ea51d8eace4
Opcode Fuzzy Hash: 753aca0c7c9d09bc21afe209cdcb4051d76638eb44692da263f6186154fbc7c3
Instruction Fuzzy Hash: 85517175E0021D7EFB21E6A49C46FEF7AAC9B04744F4001B7BA05F61C2D678AA448B69

Uniqueness

Uniqueness Score: -1.00%

Function 00406F3C, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpynA.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 00406F4C
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 00406F59
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 00406F5F
lstrlenA.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 00406F8A
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00406FD1
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00406FE1
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 00407009
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 00407019
lstrcpynA.KERNEL32(00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 0040703F
LoadLibraryExA.KERNEL32(?,00000000,00000002,00000001,?,00000105,?,00000000,00000002,00000001,?,00000105,?,00000000,00000003,?), ref: 0040704F

Strings

Software\Borland\Locales, xrefs: 00406E60, 00406E7E
Software\Borland\Delphi\Locales, xrefs: 00406E9C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: e910f95e1a9bbfde91159366fba2c2573f7a2b959fc9a6144f69a81e30731ff3
Instruction ID: fbe750758b96379a79b7a256eeac2b642a3be53931307c4dbf321f1042e2d23f
Opcode Fuzzy Hash: e910f95e1a9bbfde91159366fba2c2573f7a2b959fc9a6144f69a81e30731ff3
Instruction Fuzzy Hash: 94314571E0021D6AFB25E6B49C46FDF7AAC4B04744F4441F7A604F61C2D6789E448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00572C7C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004078C4: GetModuleHandleA.KERNEL32(00000000,?,00572C92), ref: 004078D0

GetAsyncKeyState.USER32(00000011), ref: 00572CB6

Strings

\<X, xrefs: 00572D95
l<X, xrefs: 00572D5C
7P, xrefs: 00572D51

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AsyncHandleModuleState
String ID: \<X$l<X$7P
API String ID: 3119891491-887188085
Opcode ID: 86b293a2784ec673c0449fcbb0666f757c306dae7e624a9dd66bab78b4da538a
Instruction ID: ec7629d697c20e9cd60b4ec353d176b748de0aed08c6ede39c12dcc8909e4ea7
Opcode Fuzzy Hash: 86b293a2784ec673c0449fcbb0666f757c306dae7e624a9dd66bab78b4da538a
Instruction Fuzzy Hash: 68110A742106448FDB01EB19ECE5E193BF6FB6A3047404955F6048B3B6DB34AC4AFB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040D74C, Relevance: 6.1, APIs: 4, Instructions: 51
timefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040D76F
FindClose.KERNEL32(000000FF,00000000), ref: 0040D785
FileTimeToLocalFileTime.KERNEL32(?,000000FF), ref: 0040D7A2
FileTimeToSystemTime.KERNEL32(000000FF,?,?,000000FF), ref: 0040D7B2

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseFirstLocalSystem
String ID:
API String ID: 1090839835-0
Opcode ID: 0de67e268fac2b6b06e0cd7e53a37c868bb8c4be770f6e71c80d17e0bdda35df
Instruction ID: 1d920058c904a22e08089bc19fc807230f512cec651ea9ef1fefb7835cc967db
Opcode Fuzzy Hash: 0de67e268fac2b6b06e0cd7e53a37c868bb8c4be770f6e71c80d17e0bdda35df
Instruction Fuzzy Hash: 94114C34C0461DDACB60EFA4CC456EFB7B8AF08304F4005E6E458B3281EB355AC5CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040D970, Relevance: 3.0, APIs: 2, Instructions: 37fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?), ref: 0040D99D
GetLastError.KERNEL32(00000000,?), ref: 0040D9CC

Part of subcall function 0040D8B8: FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040D900
Part of subcall function 0040D8B8: FileTimeToDosDateTime.KERNEL32 ref: 0040D914

Part of subcall function 0040DA18: FindClose.KERNEL32(000000FF,?,?,0040D9CA,00000000,?), ref: 0040DA2F

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: fbba83c3ab5d940ae9072a9b65e7eef2a319c88e561031d4382c4c22e831123a
Instruction ID: 6b096b53405c5671b10b87a7691fbbdef4733bef63c642c97dabaa5c73fb7f24
Opcode Fuzzy Hash: fbba83c3ab5d940ae9072a9b65e7eef2a319c88e561031d4382c4c22e831123a
Instruction Fuzzy Hash: AF01DAB0D04209AFCB54DFE9C84169EB7B4FF08314F5086AAA424F7391D7389A45CF85

Uniqueness

Uniqueness Score: -1.00%

Function 0041F918, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 0041F944

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 6373129a745ad0d3eb75248d9359e423f9463027e4a049757d7dd9466bda5204
Instruction ID: 4dae99bc95a637879944811c9ffeb554a4121e08640baccc8ba89bfdd00c99cc
Opcode Fuzzy Hash: 6373129a745ad0d3eb75248d9359e423f9463027e4a049757d7dd9466bda5204
Instruction Fuzzy Hash: B5114FB4E14209AFDB00EFA5D851BEEFBB4EF89304F5080A6E904A7390D6345E81DB95

Uniqueness

Uniqueness Score: -1.00%

Function 00413248, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 204
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadLocale.KERNEL32(00000000,00413531,?,00000007,00000000,00000000), ref: 0041327E

Part of subcall function 00411308: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0041132E

Strings

:mm, xrefs: 004134C1
m/d/yy, xrefs: 00413355
AMPM, xrefs: 004134A2
AMPM , xrefs: 004134B1
mmmm d, yyyy, xrefs: 00413383
:mm:ss, xrefs: 004134DE

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 661c2b077c0b542c26c504cc9a46812dc69e093d2935cb692ad9c8fa6ba11137
Instruction ID: f484c01611efa22f009772391e98b6e530329ed03cdc94eafea912ed944ccded
Opcode Fuzzy Hash: 661c2b077c0b542c26c504cc9a46812dc69e093d2935cb692ad9c8fa6ba11137
Instruction Fuzzy Hash: BB717130A001489BDB04EBE5C881ADFB7B6EF48709F50907BE510B7695C63CDE858B19

Uniqueness

Uniqueness Score: -1.00%

Function 0050B99C, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

%s~%d.tmp, xrefs: 0050BADD
hfs~%d.tmp, xrefs: 0050BB2B

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID: %s~%d.tmp$hfs~%d.tmp
API String ID: 0-351780981
Opcode ID: 1529b4ebc782e9a29f6c849712485edd94fdefae3c39e33d3aa668208b9b8e6b
Instruction ID: e46449dd7912bc906d2c4155b818f1c182a82756042e29b734b02b50d6ce2c8b
Opcode Fuzzy Hash: 1529b4ebc782e9a29f6c849712485edd94fdefae3c39e33d3aa668208b9b8e6b
Instruction Fuzzy Hash: 1D513A30A182499FEB11EB65DC917DEBBF8FF49304F5044BAE404A32D1DB399E458B25

Uniqueness

Uniqueness Score: -1.00%

Function 0041315C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetThreadLocale.KERNEL32 ref: 00413182
GetSystemMetrics.USER32 ref: 004131F1
GetSystemMetrics.USER32 ref: 00413202

Strings

0?W, xrefs: 004131C8

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: MetricsSystem$LocaleThread
String ID: 0?W
API String ID: 2159509485-1996215017
Opcode ID: b2326f99d8f4bfce0ed87b667f2333bc9db03b5c9988caeb1f883cfbf5ebeb16
Instruction ID: b3e1d04bec34823e39ef6b579c2a222ae39f10d7873ecb2fa993392c040c5ef8
Opcode Fuzzy Hash: b2326f99d8f4bfce0ed87b667f2333bc9db03b5c9988caeb1f883cfbf5ebeb16
Instruction Fuzzy Hash: F711D331A00249DAD740AF55EC057AF3BE4AB1131AF00602BDD44A62D1D7BD4BCCEB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042D4D4, Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoA.USER32 ref: 0042D4F4
UnregisterClassA.USER32 ref: 0042D524
RegisterClassA.USER32 ref: 0042D52E
SetWindowLongA.USER32(?,000000FC,00000000), ref: 0042D57D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Class$InfoLongRegisterUnregisterWindow
String ID:
API String ID: 4025006896-0
Opcode ID: 642c7dba289d3b32e9d2636f3cb4a3b40c42c315d493699ebbf9429f99db5176
Instruction ID: b5b040b24001848fa5a04480c3639797f22c1c298d4c89f243f9d28e3b94620f
Opcode Fuzzy Hash: 642c7dba289d3b32e9d2636f3cb4a3b40c42c315d493699ebbf9429f99db5176
Instruction Fuzzy Hash: 8511ABB1A00254BBDB00EB98FD46F9E37E8D718304F408566F548E7391C778D9C5AB55

Uniqueness

Uniqueness Score: -1.00%

Function 00408A48, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32 ref: 00408A90

Strings

BW, xrefs: 00408AA1
BW, xrefs: 00408A68, 00408A6B

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID: BW$BW
API String ID: 716092398-490262059
Opcode ID: 1d73d3689ffc7edf0c3f09454afcb1f727e79342d24a31319ce086699c8702a4
Instruction ID: 0d7461890340546b3568f49732d98a3b05de5eb3ea1390370584bdab046ed2bd
Opcode Fuzzy Hash: 1d73d3689ffc7edf0c3f09454afcb1f727e79342d24a31319ce086699c8702a4
Instruction Fuzzy Hash: 8D010DB6A10109AFCB80DFDDC981EDFB7FCAF4C214B004559BA18E7351D634EA509BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00431178, Relevance: 4.6, APIs: 3, Instructions: 139
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,0043133D), ref: 004311EA
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019,?,00000000,0043133D), ref: 00431262
RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,00000001,?,00000000,00000000,00000000,00000000,00020009,?,?,00000000,00000000,00000000,00020019), ref: 004312D4

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5daff07f214c05828a2cc250fce5589bae546b0df7db6fb981e669e71085a450
Instruction ID: 72653c69fdf6501ab096359b60ca67ba594f9f371682951b2c70b8698992153e
Opcode Fuzzy Hash: 5daff07f214c05828a2cc250fce5589bae546b0df7db6fb981e669e71085a450
Instruction Fuzzy Hash: 53513071A04249EFEB01EBA5C942BEFF7B5AF08304F2414AAE400B7291D7789E00DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00431358, Relevance: 4.6, APIs: 3, Instructions: 123
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.ADVAPI32 ref: 00431432
RegCloseKey.ADVAPI32(00000000,0043148A,00000000,004314CD), ref: 0043147D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: c0d934b3e270776ca7bb9a40553a73aad7756a6219116fd22134f720fe10eca6
Instruction ID: d76a1f1f60d59e40f40771bfcee3d0960084cbfa607880b72faa8182da959682
Opcode Fuzzy Hash: c0d934b3e270776ca7bb9a40553a73aad7756a6219116fd22134f720fe10eca6
Instruction Fuzzy Hash: 6C410C70E042089FDB00EBA5C942ADEB7F5EF4C314F64556AE804F7291D778AE418F68

Uniqueness

Uniqueness Score: -1.00%

Function 00412614, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,00000000,004126F2), ref: 00412657
GetFileVersionInfoA.VERSION(00000000,?,00000000,?,00000000,004126D5,?,00000000,?,00000000,004126F2), ref: 00412693
VerQueryValueA.VERSION(?,00412700,?,?,00000000,?,00000000,?,00000000,004126D5,?,00000000,?,00000000,004126F2), ref: 004126AD

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileInfoVersion$QuerySizeValue
String ID:
API String ID: 2179348866-0
Opcode ID: ffecfd103704f8fb4957da5b2443aff23229188407a94e519289b6a56b6bb1f3
Instruction ID: 07c8d444e066adbc1ba64e429e12591772ba7556b916e86b077a6b605c438be3
Opcode Fuzzy Hash: ffecfd103704f8fb4957da5b2443aff23229188407a94e519289b6a56b6bb1f3
Instruction Fuzzy Hash: 73213B71A0060DAFDB00EFA5C9529EFB7F8EB48314B51857AF510E32D0E7789954CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00403CBC, Relevance: 4.6, APIs: 3, Instructions: 69
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,C0000000,?,00000000,00000002,00000080,00000000,?,00000000,00000000,00403DC2,0050BB53), ref: 00403D57
GetStdHandle.KERNEL32(000000F5,?,00000000,00000000,00403DC2,0050BB53), ref: 00403D77
GetLastError.KERNEL32(000000F5,?,00000000,00000000,00403DC2,0050BB53), ref: 00403D8B

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateErrorFileHandleLast
String ID:
API String ID: 1572049330-0
Opcode ID: 2112aa3e360e251c4be237d261852efcd7ecc93ad3aca8c209ba3b529870b4a8
Instruction ID: f9602bc863d9c360b5b4d7c15828484f5b44dba9bab2793b2d72eda3470e3bbf
Opcode Fuzzy Hash: 2112aa3e360e251c4be237d261852efcd7ecc93ad3aca8c209ba3b529870b4a8
Instruction Fuzzy Hash: 5611D86110020066EB24DF6988887567E5D9F45716F28C2BBD418BF3E9E67CCE44C35D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C824, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CharUpperBuffA.USER32(?,00000000), ref: 0040C872

Strings

lTM, xrefs: 0040C830, 0040C84D
G7A, xrefs: 0040C85A

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: BuffCharUpper
String ID: G7A$lTM
API String ID: 3964851224-3624631605
Opcode ID: 177454acc1bdf0d9000306d44521faaaab82e8c665143ec999a49c2ee4303d0d
Instruction ID: 0d9d34881ee8dc0dbe14fe100af129daf1fdf9a2ecb7dfc28a263bcadf936c46
Opcode Fuzzy Hash: 177454acc1bdf0d9000306d44521faaaab82e8c665143ec999a49c2ee4303d0d
Instruction Fuzzy Hash: CAF05F74E00619EFCB50DFADC985AAEB7F4AB48314F1086AAE464E7391D774AA40CB44

Uniqueness

Uniqueness Score: -1.00%

Function 004096E8, Relevance: 4.0, APIs: 3, Instructions: 275
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,?,00409E5C), ref: 00409794
Sleep.KERNEL32(0000000A,00000000,?,00409E5C), ref: 004097AA

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3b2b31bd45bd95e20fec11796116f7059143ba534c9ac208c2d68bab17ab288e
Instruction ID: 839d1859ef1b423f3dc2645a2424741fe84bc4e9048155d05084ea15ad88012f
Opcode Fuzzy Hash: 3b2b31bd45bd95e20fec11796116f7059143ba534c9ac208c2d68bab17ab288e
Instruction Fuzzy Hash: 82B101B35013118FDB54CF29E880256BBE0BB96310F1882BFD459AB3D6D7349C89EB94

Uniqueness

Uniqueness Score: -1.00%

Function 0043150C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,004314CD,004314C9,00000000,004314C5,004314C1,004314BD,00000000,004314B9), ref: 0043155F

Strings

>W, xrefs: 00431575

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InfoQuery
String ID: >W
API String ID: 1673771737-1358646198
Opcode ID: 577b8ef77bd345f2344105cec4fc8ecca8a68d12c2cdd51214f55f833abd325e
Instruction ID: dfcd374697ae278faf38dc845e415e79763b57ffd7a5a69557f3e63af462ffe4
Opcode Fuzzy Hash: 577b8ef77bd345f2344105cec4fc8ecca8a68d12c2cdd51214f55f833abd325e
Instruction Fuzzy Hash: 80118C75A00148AFDB40CB9CC845F9EBBF8EF09318F148195F548EB392D634ED909B55

Uniqueness

Uniqueness Score: -1.00%

Function 00431354, Relevance: 3.1, APIs: 2, Instructions: 103registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 00431432
RegCloseKey.ADVAPI32(00000000,0043148A,00000000,004314CD), ref: 0043147D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseEnum
String ID:
API String ID: 2818636725-0
Opcode ID: 983ee0b290f1b34726103e318fec17ed0210d34351ecf68c2671f4db55984ce2
Instruction ID: 8da43e267c0df782e013ffb717f00791e59783ec1f1e0fc657465f26636d32a9
Opcode Fuzzy Hash: 983ee0b290f1b34726103e318fec17ed0210d34351ecf68c2671f4db55984ce2
Instruction Fuzzy Hash: 5B411970E042089FDB00EBA5C881ADEBBB4EF4C314F60556AE804F72A1D778AE41CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D3C0, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040), ref: 0042D3E1

Strings

BW, xrefs: 0042D3F9

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: BW
API String ID: 4275171209-3547430220
Opcode ID: 57f76aa395e07b8f32282190389c9fbe0462407b8c7b870e2b817a28ed4acb41
Instruction ID: f0f17aa91ead6469d887e73786e775ff3128282ac601ae3be909d8cc9286468f
Opcode Fuzzy Hash: 57f76aa395e07b8f32282190389c9fbe0462407b8c7b870e2b817a28ed4acb41
Instruction Fuzzy Hash: 02319274E00609EFCB40DF99D485A8DFBF5EB58314F10C2AAE818EB355D334AA859F49

Uniqueness

Uniqueness Score: -1.00%

Function 00403938, Relevance: 3.1, APIs: 2, Instructions: 61fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,?,?,00000000,?,?,?,?,?,00403A01,00000065,00403930,0000D7B2,?,?), ref: 00403962
GetLastError.KERNEL32(?,?,?,?,?,00403A01,00000065,00403930,0000D7B2,?,?,?,0050B8CE,00000000,00000000,0050B8EE), ref: 00403969

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 0880ece3bbd190726c0ff55e885031d2fc75817d22c709fb6f56cfddee8cc01a
Instruction ID: 156233d6b2fed6b939c2a0fe35079e837c09cb0d611e7678f893f98f3297aff9
Opcode Fuzzy Hash: 0880ece3bbd190726c0ff55e885031d2fc75817d22c709fb6f56cfddee8cc01a
Instruction Fuzzy Hash: EE112E71704108EFCB10DF6AC980A9EBBECEB49311B1040B6E409EB380E674DE109B65

Uniqueness

Uniqueness Score: -1.00%

Function 00452150, Relevance: 3.1, APIs: 2, Instructions: 53timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,00000000,004521E8), ref: 00452175
SetTimer.USER32 ref: 004521A8

Part of subcall function 00407740: LoadStringA.USER32 ref: 00407772

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Timer$KillLoadString
String ID:
API String ID: 1423459280-0
Opcode ID: f0c986c902a1ec4acdb369543f7108cc723d50d257338ce3dfd2f6a04182f78e
Instruction ID: 352b75eba2be2f2f3812954ff3baf4fecb018a32e7bf231e10b66cb198aed798
Opcode Fuzzy Hash: f0c986c902a1ec4acdb369543f7108cc723d50d257338ce3dfd2f6a04182f78e
Instruction Fuzzy Hash: BC114230A04604EFD705DB55CA41E9A7BF5EB45304F9140A6ED00AB6A2D779EE84DB04

Uniqueness

Uniqueness Score: -1.00%

Function 00430E44, Relevance: 3.0, APIs: 2, Instructions: 27registryCOMMON

Download Yara Rule

APIs

RegFlushKey.ADVAPI32(83EC8B55,?,?,00430ED0), ref: 00430E64
RegCloseKey.ADVAPI32(83EC8B55,?,?,00430ED0), ref: 00430E70

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseFlush
String ID:
API String ID: 320916635-0
Opcode ID: 669577f73a6b64832ef53fb174e5ebac176f850493c5a74ead3c07e81f34ac18
Instruction ID: b8c18932705b41c3bf35b0ad18cf7aedf4cde92a6b4fec513f6982bfed4ecadd
Opcode Fuzzy Hash: 669577f73a6b64832ef53fb174e5ebac176f850493c5a74ead3c07e81f34ac18
Instruction Fuzzy Hash: 66F09871E04108EFEB04DB9AD649E4EB7F9AF08314F55C496F408AB352D738EE409B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040D880, Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(00000000,?), ref: 0040D89E
GetLastError.KERNEL32(00000000,?), ref: 0040D8A7

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 17bd958a75ad2a3ef307c0988209bc76ca9ba5a672525691629efa385509cbc1
Instruction ID: ecd2b36a020c1f333cedebf336ebbf29746df8d6969e3081f1a06471f27501c6
Opcode Fuzzy Hash: 17bd958a75ad2a3ef307c0988209bc76ca9ba5a672525691629efa385509cbc1
Instruction Fuzzy Hash: 13E09A71D04608ABCB50EFEAC84158EB7F89E08254F1081BAA828F3381E6389A108B55

Uniqueness

Uniqueness Score: -1.00%

Function 004D5568, Relevance: 3.0, APIs: 2, Instructions: 19windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32(00000001,004D5470,?,?,?,?,?,?,?,?,?,?,?,004D546C,?,004D55B2), ref: 004D557D
Shell_NotifyIconA.SHELL32(00000000,004D5470,00000001,004D5470,?,?,?,?,?,?,?,?,?,?,?,004D546C), ref: 004D558C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 70cb44154354f6246a3acdaf676faae2d4d016f5fe2a8eee0b0a3549ab6264bd
Instruction ID: 16888d6a2e42408d7b6fc74a143f4169cabb25b0e89124d375c8f4d9684ab544
Opcode Fuzzy Hash: 70cb44154354f6246a3acdaf676faae2d4d016f5fe2a8eee0b0a3549ab6264bd
Instruction Fuzzy Hash: 23D05E611086047EF701A5A3ADE1BA6768D9B0D308F485063EE0C8D287E689D844CA74

Uniqueness

Uniqueness Score: -1.00%

Function 004315A0, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0043150C: RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,004314CD,004314C9,00000000,004314C5,004314C1,004314BD,00000000,004314B9), ref: 0043155F

RegEnumValueA.ADVAPI32 ref: 00431621

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: EnumInfoQueryValue
String ID:
API String ID: 918324718-0
Opcode ID: f3914c0d7ed041f63055d52862ca75b64aa959b332084fbf3d6cd6da8ae0e1e8
Instruction ID: d98f0701296b34d91e7d0c6ea300e5703e15a0baff73035a5e174f3958a6d1d5
Opcode Fuzzy Hash: f3914c0d7ed041f63055d52862ca75b64aa959b332084fbf3d6cd6da8ae0e1e8
Instruction Fuzzy Hash: E921FB70A00609AFDB04DFA9D982B9EBBF4EF48314F60546AF405F7291DA34AA41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0048C818, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 0048C7BC: GetWindowTextA.USER32 ref: 0048C7EA

SetWindowTextA.USER32(?,00000000), ref: 0048C877

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 275db02a039e41e1588ef153e052c45b726f41d0e51de0b63fd3401fca6e2002
Instruction ID: d97f19056f30cd8a98b90a36f7aea639f1b81ca5ab32aef156dfa2d2f4c33cb1
Opcode Fuzzy Hash: 275db02a039e41e1588ef153e052c45b726f41d0e51de0b63fd3401fca6e2002
Instruction Fuzzy Hash: 80112E70A00608EFDB01FB99C885E9EB7B4EB04304F6188BAE400A7691C7389E40DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004318F8, Relevance: 1.5, APIs: 1, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,00000000,00000000,00431987), ref: 0043196C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a5d528a6d695e010a9deb1af53fd924fd760c619df02d31b290402ac2a5107b7
Instruction ID: ad8a75c64810b312d3d7560fc0861615624512263ba660cabd00649b4716a1ec
Opcode Fuzzy Hash: a5d528a6d695e010a9deb1af53fd924fd760c619df02d31b290402ac2a5107b7
Instruction Fuzzy Hash: C9115EB0A08248AFDB05EBA5CC61AEFB7F8EF48314F50457AF414E3291DA389E04CB54

Uniqueness

Uniqueness Score: -1.00%

Function 004520C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0045213C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ProcWindow
String ID:
API String ID: 181713994-0
Opcode ID: b9460ab423bf3df85f3fefd9ac53ec97c37b2773a050eb14601801bcd1ebb718
Instruction ID: 47aa9d559d0722bb3f74d6cdcaa1ac007fbd502a250daf7fca510ab89f095d40
Opcode Fuzzy Hash: b9460ab423bf3df85f3fefd9ac53ec97c37b2773a050eb14601801bcd1ebb718
Instruction Fuzzy Hash: AD012C79A04608AFD740CF9AD981C8EBBF8EB49324B2140A6F908D3791D675AE40CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004043E0, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000800,00000001,00000000,00000000,00000000,00000000,00000000,00404467), ref: 00404446

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: caab3d4619710095245a036ad4a98eb6d0f3a7a22f91d66b67384d89c66d75ab
Instruction ID: 236c4e91a57d58385dbcf1aad7925a3bb1eaac8ec32a75a485eb27b4a265fce9
Opcode Fuzzy Hash: caab3d4619710095245a036ad4a98eb6d0f3a7a22f91d66b67384d89c66d75ab
Instruction Fuzzy Hash: CA01A2B0604608AFD710FA699C83A9FB3ECEB84704F5104BAF508F36D2DA785F004E59

Uniqueness

Uniqueness Score: -1.00%

Function 00408AAC, Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32 ref: 00408AF2

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8e10314e636ef1d9dadfe7d526ffc4df9ea060b72925c5fcfee51851a0300964
Instruction ID: f1cbc7aaee6eba4087c07aadfc445372c9d7f0366c981c020cb2c907249fb502
Opcode Fuzzy Hash: 8e10314e636ef1d9dadfe7d526ffc4df9ea060b72925c5fcfee51851a0300964
Instruction Fuzzy Hash: DB0102B6A10109AFCB80DFDDC981EDFB7FCAF4C214F004559BA18E7251D634EA509BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00406BCC, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 00406BEA

Part of subcall function 00406E30: GetModuleFileNameA.KERNEL32(00000000,?,00000105,00400000,005737CC), ref: 00406E4C
Part of subcall function 00406E30: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,005737CC), ref: 00406E6A
Part of subcall function 00406E30: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,00400000,005737CC), ref: 00406E88
Part of subcall function 00406E30: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 00406EA6
Part of subcall function 00406E30: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,00406F35,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 00406EEF
Part of subcall function 00406E30: RegQueryValueExA.ADVAPI32(?,0040709C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,00406F35,?,80000001), ref: 00406F0D
Part of subcall function 00406E30: RegCloseKey.ADVAPI32(?,00406F3C,00000000,?,?,00000000,00406F35,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 00406F2F

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: 03baeebf6e0a5c891a8496ae599a3546f1971ba67e63b24a9a4490282ecddd1e
Instruction ID: 7468b4b95a6a29277b9b63907d501b2aef0ba0bfcaf371c6f46c27ed6e6a57bb
Opcode Fuzzy Hash: 03baeebf6e0a5c891a8496ae599a3546f1971ba67e63b24a9a4490282ecddd1e
Instruction Fuzzy Hash: B9E06DB1A003108BEB14DE5CC8C1A8737D8AB08758F010566ED98DF386D374ED2087E4

Uniqueness

Uniqueness Score: -1.00%

Function 0043148A, Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32(00000000,00000000), ref: 0043149F

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Delete
String ID:
API String ID: 1035893169-0
Opcode ID: 1dd676b9a1010f3be9e0af31abfe872d7559a4ab17ca08757cbf7986e3a4c777
Instruction ID: 1eee81978b9aeb960a3e15ea997d6f6284054908ca960048c6e61d69414e1343
Opcode Fuzzy Hash: 1dd676b9a1010f3be9e0af31abfe872d7559a4ab17ca08757cbf7986e3a4c777
Instruction Fuzzy Hash: 3EE04F71A082485ADF00FBB2D842AEEB7F8EF48304F94047AF440F25D3DA3C99058A29

Uniqueness

Uniqueness Score: -1.00%

Function 0040D848, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 0040D85A

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b69a6cf6b2d6fa619133312bdffbd3e5f49b654f4567b42c3d81f457d6031fdf
Instruction ID: 25e7709e3fdb35e50c13062464354c823a9bc088b9128b73f0db61b0641763ee
Opcode Fuzzy Hash: b69a6cf6b2d6fa619133312bdffbd3e5f49b654f4567b42c3d81f457d6031fdf
Instruction Fuzzy Hash: F4E09271C0428CA9CB10EAFA88056DEBBB44B02324F0087F69874732D1E2394A059F56

Uniqueness

Uniqueness Score: -1.00%

Function 0040D810, Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000), ref: 0040D822

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d0fecce21f584306d5efd39dd4126fe22cbcd31778c08b3c0fe81e0adc456674
Instruction ID: 6cb4814672fd58666af760125804287f02b7311a093c3f18ab04cce0364f78e1
Opcode Fuzzy Hash: d0fecce21f584306d5efd39dd4126fe22cbcd31778c08b3c0fe81e0adc456674
Instruction Fuzzy Hash: 1BE0D831C0428CA9CB10EBF984061DEBBB44A01324F0497FA9C78733C1E2390A05DF56

Uniqueness

Uniqueness Score: -1.00%

Function 00407D18, Relevance: 1.5, APIs: 1, Instructions: 18synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(?,?,?), ref: 00407D2F

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CreateMutex
String ID:
API String ID: 1964310414-0
Opcode ID: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction ID: 62ec4fd61f3d3d0a9c23f5c902332b154f95894068c438da3e6940380e03be4e
Opcode Fuzzy Hash: 485a42cfd74afe0bd6fd3a83a5c21534c4123a8668d01e8793639fac456bf432
Instruction Fuzzy Hash: C7D09E73954248FFCB04EFA9D845D9F77ECEB18255B108829F518D7100D639EA509B64

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA44, Relevance: 1.5, APIs: 1, Instructions: 17fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000), ref: 0040DA56

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2b77b20f67ffbef1d9b4fd99dd8683ccaec8ace449bab45a73a4ae8c0d75a7f6
Instruction ID: 5a64a76626489f684d4180bf376f65e932846b1b64ced52b7ab79338e797e08c
Opcode Fuzzy Hash: 2b77b20f67ffbef1d9b4fd99dd8683ccaec8ace449bab45a73a4ae8c0d75a7f6
Instruction Fuzzy Hash: C9D05B21C1828C9DCB10A6B8544389D77E88801124B1005B6E454E22C2E5325700571A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF0C, Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000), ref: 0040DF1E

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: 3b8d2fdfe78400e043f183a7ceb2f25435ce1e0463fd3dc609559aabbf49777a
Instruction ID: ed6d2d85cefadb6dc9f38579207303bb97d2ef1bdb3a3b1252168ff091577c2e
Opcode Fuzzy Hash: 3b8d2fdfe78400e043f183a7ceb2f25435ce1e0463fd3dc609559aabbf49777a
Instruction Fuzzy Hash: 52D05B61C182889DCB00A6B8540348D77E88401164B1006B6E454E21C2E5325B00571A

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA18, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,?,0040D9CA,00000000,?), ref: 0040DA2F

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: fbbbb551f6de0f1844e0aa18f91b51c5acb610a627be5f88371bfb6b14c9bb7b
Instruction ID: 4cc12ee177daab300b83376fe7afe925fdeb3b731c857c3bf10f7726fbe8d463
Opcode Fuzzy Hash: fbbbb551f6de0f1844e0aa18f91b51c5acb610a627be5f88371bfb6b14c9bb7b
Instruction Fuzzy Hash: DBD0BD70918208EF8B58CE99D54484973A8AA053307604399A028AB3E2D630EE029F44

Uniqueness

Uniqueness Score: -1.00%

Function 0040315C, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(00000000,026428E0,00403157,00000000,0050BA1B,00000000,0050BBBE,?,00000000,0050BBE3,?,?,00000000,00000000,?,00569353), ref: 00403160

Part of subcall function 0040313C: GetLastError.KERNEL32(00403BD9,?,00000000,00000000,00000000,0050BA95,00000000,0050BBBE,?,00000000,0050BBE3,?,?,00000000,00000000), ref: 0040313C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CurrentDirectoryErrorLast
String ID:
API String ID: 152501406-0
Opcode ID: d4c9218e7ddef84b7bd53d38a1c8629ab5fc1c4716576a138dc290de66454f87
Instruction ID: a7f0c215053715722c5a591765ab63d95f3c19cf733c12d22bd40f1c91d0b3b1
Opcode Fuzzy Hash: d4c9218e7ddef84b7bd53d38a1c8629ab5fc1c4716576a138dc290de66454f87
Instruction Fuzzy Hash: 6DB0129410028001D81035F618C1877444C080C34A74000777C4079293593C4E010078

Uniqueness

Uniqueness Score: -1.00%

Function 004093BC, Relevance: 1.3, APIs: 1, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,0040996F,?,00409E5C), ref: 004093D5

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1b1fceb7c252a2539fe30733fdddaed41524f925f61af60f3bce05ce5f80ae9b
Instruction ID: d8192c0357b6a087f4f984278fcb0384299b2eff458d3427a563793a43e7eddd
Opcode Fuzzy Hash: 1b1fceb7c252a2539fe30733fdddaed41524f925f61af60f3bce05ce5f80ae9b
Instruction Fuzzy Hash: 36F081B27013004FEB849F7AAD42301BBD5B78D308F1081BEE60CEB3D9EA71844A9B04

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00406C6C, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 139stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,00400000,005737CC), ref: 00406C89
GetProcAddress.KERNEL32(?,GetLongPathNameA), ref: 00406CA0
lstrcpynA.KERNEL32(?,?,?,?,00400000,005737CC), ref: 00406CD0
lstrcpynA.KERNEL32(?,?,?,kernel32.dll,?,00400000,005737CC), ref: 00406D34
lstrcpynA.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,00400000,005737CC), ref: 00406D6A
FindFirstFileA.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,005737CC), ref: 00406D7D
FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,005737CC), ref: 00406D8F
lstrlenA.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000,005737CC), ref: 00406D9B
lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,00400000), ref: 00406DCF
lstrlenA.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll), ref: 00406DDB
lstrcpynA.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00406DFD

Strings

GetLongPathNameA, xrefs: 00406C97
\, xrefs: 00406DAD
kernel32.dll, xrefs: 00406C84

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: afab20f4c9e13e65c5f8c88b5203c52de66390aed53be4adc0a5a7fa8ce841d2
Instruction ID: 770b6f50c2ba66a0c5af8ff9819a3d01e1642f0cd2d2aa79a2fbfdeb20040ee8
Opcode Fuzzy Hash: afab20f4c9e13e65c5f8c88b5203c52de66390aed53be4adc0a5a7fa8ce841d2
Instruction Fuzzy Hash: 27418F71D00258AFEB10DAE8CC89ADEB3ECAF08304F1505B7E546F7281D6789F508B98

Uniqueness

Uniqueness Score: -1.00%

Function 0048C610, Relevance: 9.1, APIs: 6, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 0048C61F
SetActiveWindow.USER32(?,?,00000010,?,?,0050B26E,00000000,0050B2E2,?,00000000,?), ref: 0048C633
IsWindowEnabled.USER32(00000000), ref: 0048C662
DefWindowProcA.USER32(?,00000112,0000F120,00000000,?,?,00000010,?,?,0050B26E,00000000,0050B2E2,?,00000000,?), ref: 0048C67E
SetWindowPos.USER32(?,00000000,00000000,?,?,0050B26E,00000000,0050B2E2,?,00000000,?), ref: 0048C6CA
SetFocus.USER32(00000000,?,00000000,00000000,?,?,0050B26E,00000000,0050B2E2,?,00000000,?), ref: 0048C736

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledFocusIconicProc
String ID:
API String ID: 848842217-0
Opcode ID: e2eb1e1f3c42358598c0638a58c8829b97b76a0c98f3c65461c88e02957068c9
Instruction ID: 0860af0ac08b559add5ef3b15566e41fc241a81be2009eac8480c07e6a84d40a
Opcode Fuzzy Hash: e2eb1e1f3c42358598c0638a58c8829b97b76a0c98f3c65461c88e02957068c9
Instruction Fuzzy Hash: 7E41AB74A00104EFE710EB99CA85FAD77E5EF04304F5514A9F504AB3A2DB79EE40EB58

Uniqueness

Uniqueness Score: -1.00%

Function 00435770, Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00435811,?,?,00435830), ref: 0043578F
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,00435811), ref: 004357BB

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8a2448d61362538edbeba66af2fc537775b7ecdd8fb0c35327a605f540d165cb
Instruction ID: 7d16cce2f94f67e9ce9b99cd5377eac7cac03e995306e7f5a5579e958c26331e
Opcode Fuzzy Hash: 8a2448d61362538edbeba66af2fc537775b7ecdd8fb0c35327a605f540d165cb
Instruction Fuzzy Hash: BC017570604604DFE755FB61CC42BD973A8EB48704F9044B6E544A76C1DBB86EC08B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DDF0, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,00000000,?,?,?), ref: 0040DE1D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: 7447a64587fbc06de3798aeb3d7ce777607662b5e3edb06e5768208381aae7bd
Instruction ID: eaf750400f5bd410cb8f7138c3a576931dcb13d3e6758ca439c541ebbd72efd1
Opcode Fuzzy Hash: 7447a64587fbc06de3798aeb3d7ce777607662b5e3edb06e5768208381aae7bd
Instruction Fuzzy Hash: C611A7B1D00209AFCB44CF99D9409EEB7F9EF8C300F10816AE415E7250E635AA41CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412558, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 00412572

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 107fa725c5c0fa23bfd464186ceba343d41e458fa7fb537efd77e00deaceb9af
Instruction ID: 3aa629c3efcd8399ff05ff35f92d89f58545acda1eda5140fc4236ea99b75c2b
Opcode Fuzzy Hash: 107fa725c5c0fa23bfd464186ceba343d41e458fa7fb537efd77e00deaceb9af
Instruction Fuzzy Hash: C1F069719002198BDBA0CF28ED81B88B7B8BB18314F0040A6D85CD7740EBB59EC8BF44

Uniqueness

Uniqueness Score: -1.00%

Function 00411308, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0041132E

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 002c3646d22b179559b2adc39e2fa793d7933b1d79db44a84aedc0eef7da0307
Instruction ID: 27707d29e615b837cd483b634427c594e82c93e3bccc596ca1054aff4005d459
Opcode Fuzzy Hash: 002c3646d22b179559b2adc39e2fa793d7933b1d79db44a84aedc0eef7da0307
Instruction Fuzzy Hash: 12F01D71D0420CABCB04DF98C881ADEB7B8EB08300F1045AAE929A7255D7749A808F94

Uniqueness

Uniqueness Score: -1.00%

Function 00411364, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000002), ref: 00411381

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 38c78977391f37b590b3b65fa04235b9d619b54747d489ad37d9466e69e9cc4d
Instruction ID: bb1f8d436733f8ad3c5c4802f04fdb7e8f5c329cde4e0d2fe079731290c36a95
Opcode Fuzzy Hash: 38c78977391f37b590b3b65fa04235b9d619b54747d489ad37d9466e69e9cc4d
Instruction Fuzzy Hash: 42F03025D0928CBECB01CBE884415EDFFB85E15200F0495D6A9A4E3342E1315701D7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040FA4C, Relevance: 1.5, APIs: 1, Instructions: 12timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0040FA56

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: ab023f257b75e1b55d12b6b7ef57da7537a59c12f8bd2aa27d89099a3e9d19fc
Instruction ID: bddf1ad9466a4ed06dbeecf87ccdfb504e72fcc10edf419c570f60d65096c4a2
Opcode Fuzzy Hash: ab023f257b75e1b55d12b6b7ef57da7537a59c12f8bd2aa27d89099a3e9d19fc
Instruction Fuzzy Hash: 3BC0C918C0420D51CB00ABD098068EFB33C9E08610B000295AC18A3750F63D5E10C7EA

Uniqueness

Uniqueness Score: -1.00%

Function 004137AC, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

D0W, xrefs: 004137B5

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID: D0W
API String ID: 0-2728070826
Opcode ID: 6fdf334ee32c604fb90d69a68cfceb20fea48a5e9973fa6d37540e9776d9579a
Instruction ID: 4d08d38d4dad0a2dbf433cdcc652b430b5bac74dc4c76b7a99ed5a59a3341370
Opcode Fuzzy Hash: 6fdf334ee32c604fb90d69a68cfceb20fea48a5e9973fa6d37540e9776d9579a
Instruction Fuzzy Hash: 8491D574E0415A8FCB10CF99C584AEEFBF2BF49301F18C296D454AB356D335AA86CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402290, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 00408EC4, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction ID: d9ca5c35b085eece62e9f9345e2df5b5b2dbbbf6d6fdc43b5a6e4acac797e09a
Opcode Fuzzy Hash: b6d55ffda06be9354f45c85752ae1684c48c89628f5d423d6395e0bf3078b847
Instruction Fuzzy Hash: 44317E3213659B4EC7088B3CC8514ADAB93BE937353A843B7C071CB5D7D7B5A26E8290

Uniqueness

Uniqueness Score: -1.00%

Function 00414DE0, Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 00414DE9

Part of subcall function 00414D9C: GetProcAddress.KERNEL32(00000000,00000000), ref: 00414DC2

Strings

VarAnd, xrefs: 00414EBD
VarDiv, xrefs: 00414E7B
VarBoolFromStr, xrefs: 00414F83
VarNeg, xrefs: 00414E0D
VarCmp, xrefs: 00414EFF
oleaut32.dll, xrefs: 00414DE4
VarBstrFromBool, xrefs: 00414FC5
VarXor, xrefs: 00414EE9
VarMul, xrefs: 00414E65
VarNot, xrefs: 00414E23
VarSub, xrefs: 00414E4F
VarI4FromStr, xrefs: 00414F15
VarBstrFromCy, xrefs: 00414F99
VarCyFromStr, xrefs: 00414F6D
VarOr, xrefs: 00414ED3
VarIdiv, xrefs: 00414E91
VarDateFromStr, xrefs: 00414F57
VarR4FromStr, xrefs: 00414F2B
VariantChangeTypeEx, xrefs: 00414DF7
VarAdd, xrefs: 00414E39
VarMod, xrefs: 00414EA7
VarR8FromStr, xrefs: 00414F41
VarBstrFromDate, xrefs: 00414FAF

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: 3b0bd54a8ac2463a694dceb4572408fae39768839f5fc81426fa036638e495d6
Instruction ID: d21251a04b42d9c8712e6890bb0af5a9a462bc0a42d42a6c1ba7946015557598
Opcode Fuzzy Hash: 3b0bd54a8ac2463a694dceb4572408fae39768839f5fc81426fa036638e495d6
Instruction Fuzzy Hash: 3241FCB1614B049A5B046BEAB8015EB77FCD6C8B14361903BB804DB761DF2CA8C6976D

Uniqueness

Uniqueness Score: -1.00%

Function 00435840, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 132windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 00435857
CreateCompatibleDC.GDI32(00000000), ref: 00435861
GetObjectA.GDI32(00000001,00000018,?), ref: 00435881
CreateBitmap.GDI32(?,00000000,00000001,00000001,00000000), ref: 0043589A
GetDC.USER32(00000000), ref: 004358A6
CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 004358D3
ReleaseDC.USER32 ref: 004358F9
SelectObject.GDI32(KbC,00000001), ref: 00435914
SelectObject.GDI32(00000000,00000000), ref: 00435924
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,KbC,00000000,00000000,?,?,00CC0020), ref: 00435951
SelectObject.GDI32(KbC,00000000), ref: 00435964
SelectObject.GDI32(00000000,00000000), ref: 00435977
DeleteDC.GDI32(KbC), ref: 0043598D
DeleteDC.GDI32(00000000), ref: 00435996

Strings

KbC, xrefs: 00435989, 00435910, 0043593D, 00435960, 00435913, 00435940, 00435963, 0043598C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID: KbC
API String ID: 644427674-999334460
Opcode ID: 92d392192f46bfd7e2b81bfef03ca2084ecdcd3cf8860a8971fa69ec6b9079d4
Instruction ID: 70de80ace057a81ec55f2f6aa845543f5804beb1350ea77326b4f6286e45c92a
Opcode Fuzzy Hash: 92d392192f46bfd7e2b81bfef03ca2084ecdcd3cf8860a8971fa69ec6b9079d4
Instruction Fuzzy Hash: CC41EDB1E00608AFDB10EBE9C946FAEB7BCEF0D714F50446AF544F7280C67999408B68

Uniqueness

Uniqueness Score: -1.00%

Function 004026FC, Relevance: 19.5, APIs: 1, Strings: 10, Instructions: 254windowCOMMON

Download Yara Rule

APIs

MessageBoxA.USER32 ref: 00402A9A

Strings

An unexpected memory leak has occurred. , xrefs: 0040285C
, xrefs: 004029E0
R0W, xrefs: 00402877
Unknown, xrefs: 00402958
The unexpected small block leaks are:, xrefs: 004028D3
The sizes of unexpected leaked medium and large blocks are: , xrefs: 00402A15
bytes: , xrefs: 00402929
String, xrefs: 0040296D
Unexpected Memory Leak, xrefs: 00402A8C
7, xrefs: 0040286D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Message
String ID: $ bytes: $7$An unexpected memory leak has occurred. $R0W$String$The sizes of unexpected leaked medium and large blocks are: $The unexpected small block leaks are:$Unexpected Memory Leak$Unknown
API String ID: 2030045667-375153721
Opcode ID: e9c5614f0ab96c53571a2613ccc2e54b0f8e20defcc9c0d240fccb11a71cc1af
Instruction ID: 101ba83bb39ca8a3939d22f19bdf63dadec3e4ec7f6a61ff6e609d083b3fdf17
Opcode Fuzzy Hash: e9c5614f0ab96c53571a2613ccc2e54b0f8e20defcc9c0d240fccb11a71cc1af
Instruction Fuzzy Hash: 72A1CB30B042548BDB21AA2CC988B9977E4EB49714F1441FAE449BB3C2CBFC59C5CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00408B0C, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 63windowregistryCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 00408B25
RegisterWindowMessageA.USER32(MSWHEEL_ROLLMSG), ref: 00408B32
RegisterWindowMessageA.USER32(MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 00408B41
RegisterWindowMessageA.USER32(MSH_SCROLL_LINES_MSG,MSH_WHEELSUPPORT_MSG,MSWHEEL_ROLLMSG), ref: 00408B50
SendMessageA.USER32 ref: 00408B76
SendMessageA.USER32 ref: 00408BA5

Strings

Magellan MSWHEEL, xrefs: 00408B1B
MSH_SCROLL_LINES_MSG, xrefs: 00408B4B
MSH_WHEELSUPPORT_MSG, xrefs: 00408B3C
MSWHEEL_ROLLMSG, xrefs: 00408B2D
MouseZ, xrefs: 00408B20

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Message$Window$Register$Send$Find
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 3569030445-3736581797
Opcode ID: 9149e4ade40242f2df746c0eae3a2c9be565ccbe2ab54b11bdcae54505a25ab9
Instruction ID: 0c76566e4b189b92c202fac77f32682852674b307df0b587e08e4c3a0df4fd57
Opcode Fuzzy Hash: 9149e4ade40242f2df746c0eae3a2c9be565ccbe2ab54b11bdcae54505a25ab9
Instruction Fuzzy Hash: 7421ACB0A00209EFDB11DF99C941B6EB7B4EB45310F5485AAF894BB3D0DB74AA40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00435906, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(KbC,00000001), ref: 00435914
SelectObject.GDI32(00000000,00000000), ref: 00435924
StretchBlt.GDI32(00000000,00000000,00000000,?,00000000,KbC,00000000,00000000,?,?,00CC0020), ref: 00435951
SelectObject.GDI32(KbC,00000000), ref: 00435964
SelectObject.GDI32(00000000,00000000), ref: 00435977
DeleteDC.GDI32(KbC), ref: 0043598D
DeleteDC.GDI32(00000000), ref: 00435996

Strings

KbC, xrefs: 00435989, 00435910, 0043593D, 00435960, 00435913, 00435940, 00435963, 0043598C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ObjectSelect$Delete$Stretch
String ID: KbC
API String ID: 1458357782-999334460
Opcode ID: 9e16ac02fca4473f65aa3cd0351e782ba5f4de59cc794bf605817e83d57e8f6f
Instruction ID: a65dc3e3a5a929ac4e56a75fbba949d5701eedf655af096b191d2c381bfcf3bd
Opcode Fuzzy Hash: 9e16ac02fca4473f65aa3cd0351e782ba5f4de59cc794bf605817e83d57e8f6f
Instruction Fuzzy Hash: 7D1174B2E00609AFDF40DAD9D945FEEB3FCAB4C714F54146AF244F7280C679A9408B28

Uniqueness

Uniqueness Score: -1.00%

Function 00416090, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00416129
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00416145
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041617E
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004161FB
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 00416214
VariantCopy.OLEAUT32(?), ref: 00416249

Strings

, xrefs: 004160AA

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: 0f3bedfa7976f065e30c44a9b51baad131465cde9ba166d415b5803d469353ad
Instruction ID: ef2feb815cb15a5345cba46f41083b3a8f08fd471a4b71fc5258ab40d7f2e5e6
Opcode Fuzzy Hash: 0f3bedfa7976f065e30c44a9b51baad131465cde9ba166d415b5803d469353ad
Instruction Fuzzy Hash: BB510A7590162D9BCB62DB59C881BDAB3BCAF4C314F4141DAE508E7202D638EFC58F69

Uniqueness

Uniqueness Score: -1.00%

Function 0042B27C, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042B288
GetCurrentThreadId.KERNEL32 ref: 0042B297

Part of subcall function 0042B218: ResetEvent.KERNEL32(00000274), ref: 0042B221

EnterCriticalSection.KERNEL32(00581528), ref: 0042B2DF
InterlockedExchange.KERNEL32(005742C0,?), ref: 0042B2FB
LeaveCriticalSection.KERNEL32(00581528,00000000,0042B426,?,00000000,0042B445,?,00581528), ref: 0042B354
EnterCriticalSection.KERNEL32(00581528,0042B3D0,0042B426,?,00000000,0042B445,?,00581528), ref: 0042B3C3

Strings

TA, xrefs: 0042B2B1

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID: TA
API String ID: 2189153385-455071654
Opcode ID: b0bcd0dba4da63546b58196dc17c5e576367d4264c34bf3943059f91711d515d
Instruction ID: 90af08bd00a73211bcaadb0d65bfbb622e24727e7ab12e17675abcda981ddb62
Opcode Fuzzy Hash: b0bcd0dba4da63546b58196dc17c5e576367d4264c34bf3943059f91711d515d
Instruction Fuzzy Hash: 3241C130B046149FD701EFA5E852A7EB7F8EF49704F914476F800A2692D7786C00DAA9

Uniqueness

Uniqueness Score: -1.00%

Function 004051F4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004052BB,?,?,?,00000001,00405366,004030B3,004030FA,?,02565EA0), ref: 0040522D
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004052BB,?,?,?,00000001,00405366,004030B3,004030FA), ref: 00405233
GetStdHandle.KERNEL32(000000F5,0040527C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004052BB), ref: 00405248
WriteFile.KERNEL32(00000000,000000F5,0040527C,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,004052BB), ref: 0040524E
MessageBoxA.USER32 ref: 0040526C

Strings

Error, xrefs: 00405260
Runtime error at 00000000, xrefs: 00405226, 00405265

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: dd9918d1a63a539d179a2d1388ec55f3a636c171c41e308213f5907a221126f6
Instruction ID: 02c531db2dcef5c2ef68a1772b7ce87b8399deba0e2aadf1ef4cefeaa5bee858
Opcode Fuzzy Hash: dd9918d1a63a539d179a2d1388ec55f3a636c171c41e308213f5907a221126f6
Instruction Fuzzy Hash: DBF0F6A468034075EB10B3A47C4BF9B2F589B54B24F1042AFB258B40E3D6BC45C4BF29

Uniqueness

Uniqueness Score: -1.00%

Function 00403350, Relevance: 11.4, APIs: 9, Instructions: 110COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 0040338A
CharNextA.USER32(00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 00403394
CharNextA.USER32(00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 004033B3
CharNextA.USER32(00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 004033BD
CharNextA.USER32(00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 004033E9
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000), ref: 004033F3
CharNextA.USER32(00000000,00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000), ref: 0040341B
CharNextA.USER32(00000000,00000000,?,?,?,00000000,005817D0,00403470,00000000,0040349D,?,?,005817D0,00000000,?,0056D51D), ref: 00403425

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: a26855fd0cf07ee76e9ecf19d198fc9604d71a4294ccec05f6429a02d4a9def2
Instruction ID: 05012be7b0d338f28dcf3df100297dae7c79775001e5fbd5ee6dc8c2d50b453e
Opcode Fuzzy Hash: a26855fd0cf07ee76e9ecf19d198fc9604d71a4294ccec05f6429a02d4a9def2
Instruction Fuzzy Hash: BB3148556083D06EEB332E799CC47266FCC4B46356F1804BB9982BB3D7D97C4941931E

Uniqueness

Uniqueness Score: -1.00%

Function 0043650C, Relevance: 10.7, APIs: 7, Instructions: 182windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0043661C
GetObjectA.GDI32(?,00000018,?), ref: 0043662B
GetBitmapBits.GDI32(?,?,?), ref: 0043668E
GetBitmapBits.GDI32(?,?,?), ref: 0043669F
DeleteObject.GDI32(?), ref: 004366A8
DeleteObject.GDI32(?), ref: 004366B1
CreateIcon.USER32(00400000,?,?,?,?,?,?), ref: 004366D9

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Object$BitmapBitsDelete$CreateIcon
String ID:
API String ID: 1030595962-0
Opcode ID: d3e93ae4de3c48c872b57c8fa75b1bfcfa435d9c6c6ce4b9a163cf98b1e268cf
Instruction ID: f3eaf0ae94a21232adf2b40a93475f62cf0d5266b0525c833c588f78c882a749
Opcode Fuzzy Hash: d3e93ae4de3c48c872b57c8fa75b1bfcfa435d9c6c6ce4b9a163cf98b1e268cf
Instruction Fuzzy Hash: 5F719075E00209AFCB40DFA9D981A9EBBF8FF09304F15846AF814EB355D734A941CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00411B20, Relevance: 10.6, APIs: 7, Instructions: 63filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00411968: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00411987
Part of subcall function 00411968: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 004119AB
Part of subcall function 00411968: GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004119C6
Part of subcall function 00411968: LoadStringA.USER32 ref: 00411A7C

CharToOemA.USER32 ref: 00411B6C
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 00411B8C
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 00411B92
GetStdHandle.KERNEL32(000000F4,00411BF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 00411BA6
WriteFile.KERNEL32(00000000,000000F4,00411BF8,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 00411BAC
LoadStringA.USER32 ref: 00411BCD
MessageBoxA.USER32 ref: 00411BE4

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 3084bdd1f2b58946f32e0904288f5f301e1bc44f75e552ff30ac9dee355b6119
Instruction ID: 391572112389a596b4048738f5c1430f4954481f0256d17116e696bea2963aae
Opcode Fuzzy Hash: 3084bdd1f2b58946f32e0904288f5f301e1bc44f75e552ff30ac9dee355b6119
Instruction Fuzzy Hash: AA1157B1945208AED700EB95CC82FDE73BC9B04304F1041A7B758F71D1DB78AE888BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004251A4, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(PB,?,PB), ref: 004251BF
LoadResource.KERNEL32(PB,?,PB,?,PB), ref: 004251E5
SizeofResource.KERNEL32(PB,?,PB,?,PB,?,PB), ref: 0042520B
LockResource.KERNEL32(?,00000000,PB,?,PB,?,PB,?,PB), ref: 00425218

Strings

PB, xrefs: 004251B3, 004251B6
PB, xrefs: 004251BB, 004251E1, 00425207, 004251BE, 004251E4, 0042520A

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: PB$PB
API String ID: 3473537107-57270060
Opcode ID: 77660b7ac613bd0e3ddde530a37ce6527335d432aa96946b3349d7e5f1d853f0
Instruction ID: f5de2fba832efa7be2d39a553d3331d009ba6a976d5dc466208d03c2b310a448
Opcode Fuzzy Hash: 77660b7ac613bd0e3ddde530a37ce6527335d432aa96946b3349d7e5f1d853f0
Instruction Fuzzy Hash: E6119675E00208AFCB44DF99D485E9EB7F8AF08324F50459AF518E7351D738EA80CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004042EC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0040430E
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,^,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00404341
RegCloseKey.ADVAPI32(?,00404364,00000000,?,00000004,00000000,^,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00404357

Strings

^, xrefs: 0040431A
SOFTWARE\Borland\Delphi\RTL, xrefs: 00404304
FPUMaskValue, xrefs: 00404338

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL$^
API String ID: 3677997916-3529713538
Opcode ID: bcd02a307e206bbe20ea5c2b6c675c519a80a6d040fdc40a16d9830c91d17bac
Instruction ID: 8dc68dbbcca98d0d8cb6bee1e287091e12303859b96e0b7eed17a7c57d977e03
Opcode Fuzzy Hash: bcd02a307e206bbe20ea5c2b6c675c519a80a6d040fdc40a16d9830c91d17bac
Instruction Fuzzy Hash: 4E01B5B5A40318BAEB11DBA19C02FB9B3ECEB58B14F104076BF04E25D0E6785A50E75C

Uniqueness

Uniqueness Score: -1.00%

Function 004099F8, Relevance: 9.2, APIs: 6, Instructions: 208sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,?), ref: 00409A83
Sleep.KERNEL32(0000000A,00000000,?), ref: 00409A9D

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 208542d03478f5ec03fc96c67b1f692dd65e46a578eeefbdf72d01e50cf23653
Instruction ID: 7fae3a54bc6858b4e6035075273b27ec40a2e174932332f21da79fba8d178d6b
Opcode Fuzzy Hash: 208542d03478f5ec03fc96c67b1f692dd65e46a578eeefbdf72d01e50cf23653
Instruction Fuzzy Hash: EC710E71A012009FDB11CF28D985B5ABBE4AB45314F2882BFD848AB3D3D778DD45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00436410, Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00436462
GetSystemMetrics.USER32 ref: 0043646E
GetDC.USER32(00000000), ref: 0043648D
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004364B4
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004364C1
ReleaseDC.USER32 ref: 004364FF

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CapsDeviceMetricsSystem$Release
String ID:
API String ID: 447804332-0
Opcode ID: b8c084fa42a12727cee1391f2e3114d123bd326dd67985b89ac9a15abc93ee9c
Instruction ID: 2630b57553802b8fad66ee7d75ec3761aefc7cc5d59cf79d4fedb5509f5f8aab
Opcode Fuzzy Hash: b8c084fa42a12727cee1391f2e3114d123bd326dd67985b89ac9a15abc93ee9c
Instruction Fuzzy Hash: B5312D74A00209EFDB00EFA5C581AAEB7B4FF4D714F52856AF914AB381D775AD00CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004031B8, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0040DF09), ref: 004031E9
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0040DF09), ref: 004031EF
GetCurrentDirectoryA.KERNEL32(00000105,?,?,?,0040DF09), ref: 004031FE
SetCurrentDirectoryA.KERNEL32(?,00000105,?,?,?,0040DF09), ref: 0040320F

Strings

:, xrefs: 004031D2

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID: :
API String ID: 1611563598-336475711
Opcode ID: e5fcb6d69538dd793f8ec84f1123155cb3e11e42938d17dd82f55b9ceedd7920
Instruction ID: 11c95d4d81c4deef49d4cae1c2b90cac2b8164082b31cf5e3c5a09c58cb5c4ab
Opcode Fuzzy Hash: e5fcb6d69538dd793f8ec84f1123155cb3e11e42938d17dd82f55b9ceedd7920
Instruction Fuzzy Hash: 8CF0BB722457C01EE310F7A98852BDB77DC8F55304F04446EBAD8D73C2E679894897A7

Uniqueness

Uniqueness Score: -1.00%

Function 0041A93C, Relevance: 7.8, APIs: 5, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c6f7583c32ec8670aeabdc9c0f4cd3ec67ad154a9957058a13a9a04d3fe267
Instruction ID: 5df40e6c3ba6f860b912dcb4e9fe68c40844df16583e73da3ddadb1e9b5ef8a7
Opcode Fuzzy Hash: 39c6f7583c32ec8670aeabdc9c0f4cd3ec67ad154a9957058a13a9a04d3fe267
Instruction Fuzzy Hash: 65D1D435A00149EFCB00EF95D4818FDBBBAEF49314F5440A7E840A7251D738AED6DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042BAF4, Relevance: 7.6, APIs: 5, Instructions: 61threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0042BB06
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0042BB34
MsgWaitForMultipleObjects.USER32 ref: 0042BB48
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0042BB7A
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0042BB87

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID:
API String ID: 1797888035-0
Opcode ID: 427c0df3e407946d1f7a51e03ea6acacf1a566c2c302e6cf773632c0d2402ff3
Instruction ID: 9495f44794a4be8a41911c167352b49d36891fcf695cc1dc4ed08eb258b39fef
Opcode Fuzzy Hash: 427c0df3e407946d1f7a51e03ea6acacf1a566c2c302e6cf773632c0d2402ff3
Instruction Fuzzy Hash: 35113071E01219EBDF10EBA4DD46BAEB7B8EB04714F50056AF514F72C0D774AE408B99

Uniqueness

Uniqueness Score: -1.00%

Function 004115F0, Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0041169C), ref: 0041160D

Part of subcall function 00411308: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0041132E

GetThreadLocale.KERNEL32(?,00000004,00000000,0041169C), ref: 00411642
EnumCalendarInfoA.KERNEL32(Function_00011518,00000000,?,00000004), ref: 0041164D
GetThreadLocale.KERNEL32(?,00000003,00000000,0041169C), ref: 00411676
EnumCalendarInfoA.KERNEL32(Function_00011564,00000000,?,00000003), ref: 00411681

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 444ea98e7f629b7af4e665cb2504383298d258d82f3bce77d1b858f49280561e
Instruction ID: 5ce70ef49e6e28fa6b266d577755a372a301ce30ac0bfd1c45cc68d9f54be455
Opcode Fuzzy Hash: 444ea98e7f629b7af4e665cb2504383298d258d82f3bce77d1b858f49280561e
Instruction Fuzzy Hash: 24117075E04208AFDB00EBA5C802ADEBBB8EF45314F6041A6F610A36D1D7799E408B59

Uniqueness

Uniqueness Score: -1.00%

Function 004116B4, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 172threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,004118FA), ref: 004116EF

Part of subcall function 00411308: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0041132E

Strings

yyyy, xrefs: 00411822
ggg, xrefs: 0041180D
eeee, xrefs: 00411842

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: d0fe4c88c8cd6f259dc2bd00b5b011403c6c1962529059144695cb88b6be2c2b
Instruction ID: 219561ae973a820724873f60e494f28abd8b6f46d770cf3dc4693fedbd7d50a0
Opcode Fuzzy Hash: d0fe4c88c8cd6f259dc2bd00b5b011403c6c1962529059144695cb88b6be2c2b
Instruction Fuzzy Hash: D1713C74E10549DBCF00EBA9C4819EEB7B1EF48304F1081AAE911B7391C738AE82DF19

Uniqueness

Uniqueness Score: -1.00%

Function 00560E5C, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,00560EF5), ref: 00560E86
DeleteFileA.KERNEL32(00000000,00000000,00000000,00560EF5), ref: 00560EB6

Strings

Software\rejetto\HFS, xrefs: 00560EC6, 00560ED0
hfs.ini, xrefs: 00560E97

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID: Software\rejetto\HFS$hfs.ini
API String ID: 4033686569-3128979880
Opcode ID: d104c5b68fa7d4297b6e27b7b1768d7c32fc66141adddcb4f78bb4168d8b97bf
Instruction ID: 876995bd800a27a35520f7fe8c827a92762056ee900a3e073bf211cce405cd5a
Opcode Fuzzy Hash: d104c5b68fa7d4297b6e27b7b1768d7c32fc66141adddcb4f78bb4168d8b97bf
Instruction Fuzzy Hash: 44018070A002489FCB50EBB9C84295FBBF8EB45704B605976F404F33D1E6359E058B26

Uniqueness

Uniqueness Score: -1.00%

Function 00415F6C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00415F7B

Strings

LXA, xrefs: 00415FA6

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ClearVariant
String ID: LXA
API String ID: 1473721057-4118285292
Opcode ID: 845604c4c3d67be121eeece07f48917dc214ef8537b1654e72480d08e501d2bd
Instruction ID: ee6e2e741e89cbd6d76664ae023cd9f0fab861658e9dab0f7bc4812749c97261
Opcode Fuzzy Hash: 845604c4c3d67be121eeece07f48917dc214ef8537b1654e72480d08e501d2bd
Instruction Fuzzy Hash: BBF0C874704910CAD7207F35D888AE62298DFC0308760003BF4069B296CB3D9CC7976F

Uniqueness

Uniqueness Score: -1.00%

Function 00405D4C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(6j@), ref: 00405C62
SysAllocStringLen.OLEAUT32(?,?), ref: 00405D57
SysFreeString.OLEAUT32 ref: 00405D69

Strings

6j@, xrefs: 00405C61

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID: 6j@
API String ID: 986138563-912884365
Opcode ID: c5579c04c5c0bc53cefcf9d4e9500653c4b779982179fceb59b9625fb17fca34
Instruction ID: d1fb728ac56278bf1ab97066c668ba8423937c58587aef56f6d2d32715f48454
Opcode Fuzzy Hash: c5579c04c5c0bc53cefcf9d4e9500653c4b779982179fceb59b9625fb17fca34
Instruction Fuzzy Hash: 57E0ECB81057015DFF142F218941B372769EF81704B68547FA800AE6A5D67C98419A28

Uniqueness

Uniqueness Score: -1.00%

Function 00413B50, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00413B59
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 00413B70

Strings

kernel32.dll, xrefs: 00413B54
GetDiskFreeSpaceExA, xrefs: 00413B67

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: b3bfb21b029977cf818d122ffb32b6367a188d9ead49095176c2087642f2e69c
Instruction ID: b832522d408142e7757b0c63ec88ba4b3c4a46eace5c8dc5527360693cbc43df
Opcode Fuzzy Hash: b3bfb21b029977cf818d122ffb32b6367a188d9ead49095176c2087642f2e69c
Instruction Fuzzy Hash: 21E04F71C09218AFD700AFA5E90979A73B4D714325F20046BE00867293E27C2BC8B788

Uniqueness

Uniqueness Score: -1.00%

Function 004232A4, Relevance: 6.4, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,00000000,0042344C), ref: 00423302
CharNextA.USER32(?,?,00000000,0042344C), ref: 004233AF
CharNextA.USER32(?,?,00000000,0042344C), ref: 004233DA
CharNextA.USER32(?,?,?,00000000,0042344C), ref: 004233F2

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 134e7bec4a99d9d7c76ed7f68cdd7b0aabf42fa75e8a99b4bc72bae5745dd8b9
Instruction ID: a9d52b50e9c1e65d8aed09b2bb0413a236b71be7f1cce813e2d6353c0803c981
Opcode Fuzzy Hash: 134e7bec4a99d9d7c76ed7f68cdd7b0aabf42fa75e8a99b4bc72bae5745dd8b9
Instruction Fuzzy Hash: 03512770F04158AFCB05EFA9D591A9EBBB1AF46305F9080D6E850A7351CB3CAF41CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00415DF0, Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00415E9F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 00415EBB
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 00415F32
VariantClear.OLEAUT32(?), ref: 00415F5B

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: 5e9de6e4344ae42cddf5a15a17521d241ad61d2b844521280b097fc5b2d953b6
Instruction ID: 25001542a2eabd47773c239b95fc2dd5130cb5ee08d477bdc5558d9ee89b070f
Opcode Fuzzy Hash: 5e9de6e4344ae42cddf5a15a17521d241ad61d2b844521280b097fc5b2d953b6
Instruction Fuzzy Hash: 26410A75A0171D8FCB61DB59C890BDAB3BDAB88714F0041DAE549A7212DA38AFC18F58

Uniqueness

Uniqueness Score: -1.00%

Function 00411968, Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00411987
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 004119AB
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 004119C6
LoadStringA.USER32 ref: 00411A7C

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: d0f090cf16c46652931e844fac0f1c72c2c0ae3c33bda00c0be9ef5f2dfd3367
Instruction ID: cd2cfecd4ecdef9009155f06d28aeff1375341da784df43e80cfaef14a67b834
Opcode Fuzzy Hash: d0f090cf16c46652931e844fac0f1c72c2c0ae3c33bda00c0be9ef5f2dfd3367
Instruction Fuzzy Hash: 885108B0D002199FDB51DBA9C985BDEB7F8AB08304F0041AAE558F7251D778AF84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040D8B8, Relevance: 6.1, APIs: 4, Instructions: 68timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0040D8D1
GetLastError.KERNEL32(?,?), ref: 0040D8DA
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040D900
FileTimeToDosDateTime.KERNEL32 ref: 0040D914

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 2f0d9a30da963b6ad822e0c2f8d917aa8416193a46ef13033add01a46f6f917a
Instruction ID: 749665482027116a0e799cf1ce432e9c5ea264ed8bbfd1d03e98b09a2c8d3647
Opcode Fuzzy Hash: 2f0d9a30da963b6ad822e0c2f8d917aa8416193a46ef13033add01a46f6f917a
Instruction Fuzzy Hash: BE21C871E00108EFCB40DFA9C981E9EB7F9FF48304B6485A9E804E7342D634EE419B55

Uniqueness

Uniqueness Score: -1.00%

Function 0048C760, Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetLastActivePopup.USER32(00000000), ref: 0048C779
IsWindowVisible.USER32 ref: 0048C796
IsWindowEnabled.USER32(00000000), ref: 0048C7A3
SetForegroundWindow.USER32(00000000), ref: 0048C7B0

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Window$ActiveEnabledForegroundLastPopupVisible
String ID:
API String ID: 2280970139-0
Opcode ID: 60033550e5c5946bb8a2b5f75b8307dc4926997f3c71de52ce114a55165696a1
Instruction ID: 1931c9c4fe4820cb74ddefef0ebdcd8a82e21cc699b1ae4670bb0ca301caca0c
Opcode Fuzzy Hash: 60033550e5c5946bb8a2b5f75b8307dc4926997f3c71de52ce114a55165696a1
Instruction Fuzzy Hash: D8F0A475900249EFDB50EEE9C585D9E77F8AB04314F5405AAB440E7381EB38EE40DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDA0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0040FEA6), ref: 0040FE28
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0040FEA6), ref: 0040FE2E

Strings

yyyy, xrefs: 0040FE03

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: 592b27218ed46408f29f05ca92632b7edabddcd1dc36549232160260ee90b01c
Instruction ID: 3fb0858472c7a2515ad391103ee432887c878e12d972104c1c0d184c77bd0d35
Opcode Fuzzy Hash: 592b27218ed46408f29f05ca92632b7edabddcd1dc36549232160260ee90b01c
Instruction Fuzzy Hash: A131C974A046099FDB10DFA8C541ADEB7B4EF08314F5044B6E904F7BA1D738AE44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A48C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0041A49F
VariantInit.OLEAUT32(?), ref: 0041A4D7

Strings

\WA, xrefs: 0041A4C6, 0041A4F7

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: \WA
API String ID: 1927566239-1858516051
Opcode ID: 9ed731877099b48a27a553ac1f048be4883b90046e05b3914d0b9554e1317e0a
Instruction ID: cef582920304ce9dcfea112cab100fbf3f777a2b40d4978b722b4ee003b7c632
Opcode Fuzzy Hash: 9ed731877099b48a27a553ac1f048be4883b90046e05b3914d0b9554e1317e0a
Instruction Fuzzy Hash: 0F11D531A0864CDFCB11EBA1DC618EEB7BDEF88710752443BE400E2651EB789D5E8669

Uniqueness

Uniqueness Score: -1.00%

Function 00416264, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantCopy.OLEAUT32 ref: 00416285

Part of subcall function 00415F6C: VariantClear.OLEAUT32(?), ref: 00415F7B

Strings

LXA, xrefs: 004162C1

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: Variant$ClearCopy
String ID: LXA
API String ID: 274517740-4118285292
Opcode ID: c806d127e729d9af5a90b22a0e4711af831bfb163662a7a6672b8405fa48f71f
Instruction ID: 34c3e817346d15ab289ea6164e92cf69f0b5ac1064ac14749e045b53735057e6
Opcode Fuzzy Hash: c806d127e729d9af5a90b22a0e4711af831bfb163662a7a6672b8405fa48f71f
Instruction Fuzzy Hash: E0117330700214D68B20BF6AD9C5AD73796DF94754712856FF84A8B356DA3CCCC6C29E

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE70, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceExA.KERNEL32(?,?,?,00000000), ref: 0040DEB2

Strings

\, xrefs: 0040DE96
:, xrefs: 0040DE92

Memory Dump Source

Source File: 00000000.00000002.495636259.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.495622145.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.496733811.0000000000573000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496779774.0000000000576000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496808888.0000000000578000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496828769.000000000057B000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496853155.000000000057C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496893582.000000000058A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.496914318.000000000058C000.00000008.00020000.sdmp Download File
Associated: 00000000.00000002.496944253.0000000000590000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_hfs.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID: :$\
API String ID: 1705453755-1166558509
Opcode ID: ae7a32cb497e85cafcc763a7bfa1fbaecd0f6f049d90c48af7dbf7e0c1f083cc
Instruction ID: 68d53f59b49c005c78d7e1c8bfec5980325a03ed1b2bd455e72273f0a0239e39
Opcode Fuzzy Hash: ae7a32cb497e85cafcc763a7bfa1fbaecd0f6f049d90c48af7dbf7e0c1f083cc
Instruction Fuzzy Hash: 34F0CD74D0428D9EDB01CBE88445BEFBFF4AF19204F04409AD858E7341D2795609CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report hfs.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Function 00406E30, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 184
registrystringlibraryCOMMON

Function 00406F3C, Relevance: 15.1, APIs: 10, Instructions: 98
stringlibrarythreadCOMMON

Function 00572C7C, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
keyboardCOMMON

Function 0040D74C, Relevance: 6.1, APIs: 4, Instructions: 51
timefileCOMMON

Function 00413248, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 204
threadCOMMON

Function 0050B99C, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 170
COMMON

Function 0041315C, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55
threadCOMMON

Function 0042D4D4, Relevance: 6.1, APIs: 4, Instructions: 59
registryCOMMON

Function 00408A48, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40
COMMON

Function 00431178, Relevance: 4.6, APIs: 3, Instructions: 139
registryCOMMON

Function 00431358, Relevance: 4.6, APIs: 3, Instructions: 123
registryCOMMON

Function 00412614, Relevance: 4.6, APIs: 3, Instructions: 77
COMMON

Function 00403CBC, Relevance: 4.6, APIs: 3, Instructions: 69
fileCOMMON

Function 0040C824, Relevance: 4.5, APIs: 1, Strings: 2, Instructions: 32
COMMON

Function 004096E8, Relevance: 4.0, APIs: 3, Instructions: 275
sleepCOMMON