Edit tour

Windows Analysis Report
Rr6TGP9rEq.exe

Overview

General Information

Sample name:	Rr6TGP9rEq.exe renamed because original name is a hash value
Original sample name:	297270c13474cdcd006acc261c98050a.exe
Analysis ID:	1491466
MD5:	297270c13474cdcd006acc261c98050a
SHA1:	40fd185b12939822e4cc02da09ae3d38aea83306
SHA256:	ddc4a98828ac3afea03294fd57189778ce57e305d075f08f0ace443352d5447b
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to check for running processes (XOR)

Contains functionality to inject threads in other processes

Drops PE files to the user root directory

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

Rr6TGP9rEq.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\Rr6TGP9rEq.exe" MD5: 297270C13474CDCD006ACC261C98050A)

Au3Check.exe (PID: 7164 cmdline: "C:\Program Files (x86)\autoit3\Au3Check.exe" MD5: 3BE697D1A92115D5CA76A633A527DFB7)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\bgEoRLupllWTRAp.pdf	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Au3Check.exe PID: 7164	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Rr6TGP9rEq.exe.c000800000.8.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.Rr6TGP9rEq.exe.22dedf70000.3.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000940000.7.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000380000.1.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
1.2.Au3Check.exe.510000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000a8c000.6.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000600000.5.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.Rr6TGP9rEq.exe.22dedf70000.3.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.Rr6TGP9rEq.exe.22dee0c0000.0.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
1.2.Au3Check.exe.510000.0.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000600000.5.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.3.Rr6TGP9rEq.exe.22dee0c0000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000a8c000.6.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c0004f2000.2.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c00052c000.3.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000572000.4.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000940000.7.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0.2.Rr6TGP9rEq.exe.c000800000.8.raw.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 13 entries

Suricata Signatures

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.67

Timestamp:	2024-08-12T11:29:18.496103+0200
SID:	2046269
Severity:	1
Source Port:	49730
Destination Port:	5000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.67

Timestamp:	2024-08-12T11:29:15.502619+0200
SID:	2049060
Severity:	1
Source Port:	49730
Destination Port:	5000
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Rr6TGP9rEq.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: Rr6TGP9rEq.exe	ReversingLabs: Detection: 52%
Source: Rr6TGP9rEq.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Rr6TGP9rEq.exe

Joe Sandbox ML: detected

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0053053B CryptUnprotectData,LocalFree,

1_2_0053053B

Source: Rr6TGP9rEq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	1_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005ED997 FindClose,FindFirstFileExW,GetLastError,	1_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	1_2_005EDA1D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00530D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	1_2_00530D83

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.233.132.67:5000

Source: Joe Sandbox View

IP Address: 193.233.132.67 193.233.132.67

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.67

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0052E0A0 recv,setsockopt,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo,

1_2_0052E0A0

Source: Network traffic	Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.4:49730 -> 193.233.132.67:5000
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49730 -> 193.233.132.67:5000

Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Au3Check.exe	String found in binary or memory: https://ipinfo.io/
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Au3Check.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0051AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

1_2_0051AF30

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Process Stats: CPU usage > 49%

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573E4B	1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059A03B	1_2_0059A03B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005670F0	1_2_005670F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005990E0	1_2_005990E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053B0E9	1_2_0053B0E9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0051E150	1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059E140	1_2_0059E140
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053E108	1_2_0053E108
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005E5100	1_2_005E5100
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00538129	1_2_00538129
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005411D0	1_2_005411D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005191A0	1_2_005191A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005AD1A0	1_2_005AD1A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00529259	1_2_00529259
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00595240	1_2_00595240
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005B1270	1_2_005B1270
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00556230	1_2_00556230
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00551220	1_2_00551220
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053E229	1_2_0053E229
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054E2D0	1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005512D8	1_2_005512D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052A290	1_2_0052A290
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00543286	1_2_00543286
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0055F280	1_2_0055F280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059F360	1_2_0059F360
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00533330	1_2_00533330
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005A63D0	1_2_005A63D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056A3E8	1_2_0056A3E8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0060B3B9	1_2_0060B3B9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00554457	1_2_00554457
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00569440	1_2_00569440
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053C470	1_2_0053C470
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005F646A	1_2_005F646A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005124F0	1_2_005124F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005AC4F0	1_2_005AC4F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059E490	1_2_0059E490
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054B480	1_2_0054B480
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005F84A0	1_2_005F84A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00596550	1_2_00596550
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0055B568	1_2_0055B568
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005955B0	1_2_005955B0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00598610	1_2_00598610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005A0610	1_2_005A0610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005A2610	1_2_005A2610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059F600	1_2_0059F600
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0055C620	1_2_0055C620
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054B6C9	1_2_0054B6C9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00526689	1_2_00526689
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00567770	1_2_00567770
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054C7F0	1_2_0054C7F0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005477E0	1_2_005477E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00609824	1_2_00609824
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059F810	1_2_0059F810
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005DF800	1_2_005DF800
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005A68C0	1_2_005A68C0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00599880	1_2_00599880
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005388A0	1_2_005388A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005458A0	1_2_005458A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005E2950	1_2_005E2950
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005E6970	1_2_005E6970
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054D910	1_2_0054D910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059E910	1_2_0059E910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0055A900	1_2_0055A900
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0055B939	1_2_0055B939
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005719E0	1_2_005719E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00547A47	1_2_00547A47
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053EA60	1_2_0053EA60
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00525A10	1_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00548A00	1_2_00548A00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00534AD0	1_2_00534AD0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056DA99	1_2_0056DA99
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054CA80	1_2_0054CA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005DDA80	1_2_005DDA80
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005FBB6D	1_2_005FBB6D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005C7B30	1_2_005C7B30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00595B20	1_2_00595B20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00533B28	1_2_00533B28
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00569BD9	1_2_00569BD9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00528C58	1_2_00528C58
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00542C59	1_2_00542C59
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056FC77	1_2_0056FC77
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005CDC70	1_2_005CDC70
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00596C00	1_2_00596C00
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056EC08	1_2_0056EC08
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056ACC9	1_2_0056ACC9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005A2CF0	1_2_005A2CF0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005F2CE0	1_2_005F2CE0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00548C97	1_2_00548C97
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0059BD50	1_2_0059BD50
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00569D39	1_2_00569D39
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00527DC0	1_2_00527DC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0053AE30	1_2_0053AE30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00535E30	1_2_00535E30
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005FBEAF	1_2_005FBEAF
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00552F40	1_2_00552F40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0056AF69	1_2_0056AF69
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00570F08	1_2_00570F08
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00593F80	1_2_00593F80

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 0057E530 appears 42 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 005A2450 appears 83 times
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: String function: 005EFED0 appears 53 times

Source: Rr6TGP9rEq.exe

Static PE information: Number of sections : 12 > 10

Source: Rr6TGP9rEq.exe, 00000000.00000003.1807163393.0000022DEE257000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEE0A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1811658210.00007FF682648000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename" vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAu3Check.exeN vs Rr6TGP9rEq.exe
Source: Rr6TGP9rEq.exe	Binary or memory string: OriginalFilename" vs Rr6TGP9rEq.exe

Source: Rr6TGP9rEq.exe	Binary or memory string: main.SLnQ0g
Source: Rr6TGP9rEq.exe	Binary or memory string: g9ew8IJGJBP.slN5jqtgKy

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/2@0/1

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005A47F0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

1_2_005A47F0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

1_2_005A4110

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005191A0 CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

1_2_005191A0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00556230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,

1_2_00556230

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

File created: C:\Users\user\bgEoRLupllWTRAp.pdf

Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

File created: C:\Users\user\AppData\Local\Temp\adobeDL8YL5T4U3oi

Jump to behavior

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

File opened: C:\Windows\system32\0d1903ecbb5bf6ef80622a77571fd1ca577007d1dbc1da5f200c0b1d21d0fd50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: Rr6TGP9rEq.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: Rr6TGP9rEq.exe	ReversingLabs: Detection: 52%
Source: Rr6TGP9rEq.exe	Virustotal: Detection: 63%

Source: Au3Check.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\Rr6TGP9rEq.exe "C:\Users\user\Desktop\Rr6TGP9rEq.exe"
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Section loaded: devobj.dll	Jump to behavior

Source: Rr6TGP9rEq.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Rr6TGP9rEq.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Rr6TGP9rEq.exe

Static file information: File size 5046784 > 1048576

Source: Rr6TGP9rEq.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142600
Source: Rr6TGP9rEq.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x354c00

Source: Rr6TGP9rEq.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Data Obfuscation

Contains functionality to check for running processes (XOR)

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: CopyFileA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

1_2_005191A0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0054C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0054C7F0

Source: bgEoRLupllWTRAp.pdf.0.dr	Static PE information: real checksum: 0x0 should be: 0x15af84
Source: XPCwyNRACAjFfEg.pdf.0.dr	Static PE information: real checksum: 0x465e9 should be: 0x5125f

Source: Rr6TGP9rEq.exe

Static PE information: section name: .xdata

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005EFA97 push ecx; ret

1_2_005EFAAA

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\XPCwyNRACAjFfEg.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\bgEoRLupllWTRAp.pdf			Jump to dropped file

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\XPCwyNRACAjFfEg.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\bgEoRLupllWTRAp.pdf			Jump to dropped file

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\bgEoRLupllWTRAp.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\XPCwyNRACAjFfEg.pdf			Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\XPCwyNRACAjFfEg.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	File created: C:\Users\user\bgEoRLupllWTRAp.pdf			Jump to dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_005955B0

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_1-120451

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_1-119193

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

1_2_00573A40

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Window / User API: threadDelayed 2176			Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Window / User API: threadDelayed 6244			Jump to behavior

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Dropped PE file which has not been started: C:\Users\user\XPCwyNRACAjFfEg.pdf			Jump to dropped file
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Dropped PE file which has not been started: C:\Users\user\bgEoRLupllWTRAp.pdf			Jump to dropped file

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-119917

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

API coverage: 3.7 %

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104	Thread sleep count: 54 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104	Thread sleep count: 2176 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104	Thread sleep time: -219776s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3592	Thread sleep count: 350 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104	Thread sleep count: 6244 > 30	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe TID: 3104	Thread sleep time: -630644s >= -30000s	Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Last function: Thread delayed

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00579610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0057962Ah	1_2_00579610
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00577750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00577760h country: Hungarian (hu)	1_2_00577750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00577780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00577790h country: Indonesian (id)	1_2_00577780
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00577D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00577D50h country: Upper Sorbian (hsb)	1_2_00577D40

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005A4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005A46C1h

1_2_005A4670

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0051E150 FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	1_2_0051E150
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	1_2_0054E2D0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0051A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	1_2_0051A750
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005ED997 FindClose,FindFirstFileExW,GetLastError,	1_2_005ED997
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005EDA1D GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	1_2_005EDA1D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00530D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	1_2_00530D83

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0051C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

1_2_0051C430

Source: Au3Check.exe, 00000001.00000003.1827137520.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: Au3Check.exe, 00000001.00000003.1827137520.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000001.00000002.4167359109.000000000019D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A1A98C04
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_A1A98C048$
Source: Au3Check.exe, 00000001.00000002.4167604295.00000000009D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}>
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&
Source: Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000z
Source: Au3Check.exe, 00000001.00000002.4167604295.00000000009D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Rr6TGP9rEq.exe, 00000000.00000002.1809939764.0000022DE89D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll@@

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00524280 IsDebuggerPresent,

1_2_00524280

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00574577 CreateThread,FindCloseChangeNotification,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,

1_2_00574577

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_0054C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

1_2_0054C7F0

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov ecx, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574577 mov eax, dword ptr fs:[00000030h]	1_2_00574577
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573A40 mov eax, dword ptr fs:[00000030h]	1_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573A40 mov eax, dword ptr fs:[00000030h]	1_2_00573A40
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h]	1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h]	1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h]	1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00573E4B mov eax, dword ptr fs:[00000030h]	1_2_00573E4B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00524280 mov eax, dword ptr fs:[00000030h]	1_2_00524280
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00525498 mov eax, dword ptr fs:[00000030h]	1_2_00525498
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574638 mov eax, dword ptr fs:[00000030h]	1_2_00574638
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005257B8 mov eax, dword ptr fs:[00000030h]	1_2_005257B8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005757A3 mov eax, dword ptr fs:[00000030h]	1_2_005757A3
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005248E0 mov eax, dword ptr fs:[00000030h]	1_2_005248E0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0054D910 mov eax, dword ptr fs:[00000030h]	1_2_0054D910
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005759E5 mov eax, dword ptr fs:[00000030h]	1_2_005759E5
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00525A10 mov ecx, dword ptr fs:[00000030h]	1_2_00525A10
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052FC20 mov eax, dword ptr fs:[00000030h]	1_2_0052FC20
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_0052C0A0 mov eax, dword ptr fs:[00000030h]	1_2_0052C0A0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00524DC9 mov eax, dword ptr fs:[00000030h]	1_2_00524DC9
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_00574EC8 mov eax, dword ptr fs:[00000030h]	1_2_00574EC8

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00595240 GetProcessHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA,

1_2_00595240

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005F006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_005F006D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005F45A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005F45A4
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: 1_2_005EFCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_005EFCC4

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

Memory allocated: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject threads in other processes

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00529F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

1_2_00529F50

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 510000			Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Memory written: C:\Program Files (x86)\AutoIt3\Au3Check.exe base: 3F0008			Jump to behavior

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe

Process created: C:\Program Files (x86)\AutoIt3\Au3Check.exe "C:\Program Files (x86)\autoit3\Au3Check.exe"

Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00524400 cpuid

1_2_00524400

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	1_2_0061004D
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_006100D8
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	1_2_0061032B
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_00610454
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	1_2_0051C430
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	1_2_006074CE
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	1_2_0061055A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00610630
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoEx,FormatMessageA,	1_2_005ED793
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	1_2_0060FCBB
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: GetLocaleInfoW,	1_2_0060FEC0
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	1_2_0060FF67
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	1_2_00606F4A
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Code function: EnumSystemLocalesW,	1_2_0060FFB2

Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Rr6TGP9rEq.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\Au3Check.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

1_2_005EF26A

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

1_2_00556230

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_00609160 GetTimeZoneInformation,

1_2_00609160

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Code function: 1_2_005A4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

1_2_005A4110

Source: C:\Program Files (x86)\AutoIt3\Au3Check.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c0004f2000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c00052c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Au3Check.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\bgEoRLupllWTRAp.pdf, type: DROPPED

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Au3Check.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dedf70000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Au3Check.exe.510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000600000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Rr6TGP9rEq.exe.22dee0c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000a8c000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c0004f2000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c00052c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000572000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000940000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Rr6TGP9rEq.exe.c000800000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Au3Check.exe PID: 7164, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\bgEoRLupllWTRAp.pdf, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	411 Process Injection	121 Masquerading	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	411 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 File and Directory Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	46 System Information Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Rr6TGP9rEq.exe	53%	ReversingLabs	Win64.Adware.RedCap
Rr6TGP9rEq.exe	64%	Virustotal		Browse
Rr6TGP9rEq.exe	100%	Avira	TR/Redcap.mfglo
Rr6TGP9rEq.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://www.autoitscript.com/autoit3/	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse
https://www.autoitscript.com/autoit3/	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C000400000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, Au3Check.exe, 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, bgEoRLupllWTRAp.pdf.0.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/	Au3Check.exe	false	URL Reputation: safe	unknown
https://www.autoitscript.com/autoit3/	Rr6TGP9rEq.exe, 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000003.1807110203.0000022DEE110000.00000004.00001000.00020000.00000000.sdmp, Rr6TGP9rEq.exe, 00000000.00000002.1808498843.000000C00011C000.00000004.00001000.00020000.00000000.sdmp, Au3Check.exe, 00000001.00000002.4167604295.000000000097E000.00000004.00000020.00020000.00000000.sdmp, XPCwyNRACAjFfEg.pdf.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	Au3Check.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.67	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1491466
Start date and time:	2024-08-12 11:28:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Rr6TGP9rEq.exe renamed because original name is a hash value
Original Sample Name:	297270c13474cdcd006acc261c98050a.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/2@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Rr6TGP9rEq.exe, PID 7124 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
05:29:48	API Interceptor	1043257x Sleep call for process: Au3Check.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.67	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.67:8081/static/crypted_f961bb26.exe
	SecuriteInfo.com.Win32.PWSX-gen.9534.16812.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.67:8081/static/crypted_f961bb26.exe
	file.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.67:666/static/rise.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	SecuriteInfo.com.Trojan.InjectNET.17.6536.18785.exe	Get hash	malicious	RedLine	Browse	147.45.44.131
	SecuriteInfo.com.Trojan.InjectNET.17.31870.20719.exe	Get hash	malicious	RedLine	Browse	147.45.44.73
	284ae9899ae53d03d27bd3f72892d843fe5bbecb097f5.exe	Get hash	malicious	Amadey, DarkTortilla, Djvu, LummaC Stealer, RedLine, Stealc, Vidar	Browse	147.45.47.169
	5zFCjSBLvw.exe	Get hash	malicious	LummaC, Go Injector, LummaC Stealer	Browse	147.45.44.104
	file.exe	Get hash	malicious	Amadey, Cryptbot, Neoreklami, PureLog Stealer, RedLine, Stealc, Vidar	Browse	147.45.60.44
	file.exe	Get hash	malicious	DarkTortilla, Neoreklami	Browse	147.45.60.44
	SecuriteInfo.com.Trojan.InjectNET.17.3445.31574.exe	Get hash	malicious	Unknown	Browse	147.45.44.138
	SecuriteInfo.com.Trojan.InjectNET.17.30163.22147.exe	Get hash	malicious	Unknown	Browse	147.45.44.131
	SecuriteInfo.com.Trojan.InjectNET.17.12466.260.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	SecuriteInfo.com.Trojan.InjectNET.17.30163.22147.exe	Get hash	malicious	Unknown	Browse	147.45.44.131

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\XPCwyNRACAjFfEg.pdf

Download File

Process:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	284088
Entropy (8bit):	6.583673771403912
Encrypted:	false
SSDEEP:	3072:4wOvOIXbP5KVkD8QC2mCBFv9m7usyT8tKQ9clyPqlO91/iDVSsWUG0bCP0nVyiGe:nCb4VQjVsxyItKQNhigibouMBPwPCs
MD5:	262D6B1FED356C09AEB4666335031DF2
SHA1:	6D46B1E195D1FFBCF5D5197A1291C6EA790EBA92
SHA-256:	DA17AB28094D89B0A94FB32715E2BCDFE9947031711CB94DD9F1CE541BF3948E
SHA-512:	45FB554A35C38967E77D00D0E5F70FC0901276FF2DFAE5A341E3A3D0CCF17DD4FBF6478DC5CF58E0C54D34AD6F739E8149E0E8FBBFE46318F7A9DDAD7B89CBD4
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........S.~.2.-.2.-.2.-n.G-.2.-n.E-J2.-n.D-.2.-.Z.,.2.-.Z.,.2.-.Z.,.2.-.J%-.2.-.2.-.2.-.[.,.2.-.[I-.2.-.2!-.2.-.[.,.2.-Rich.2.-........................PE..L...g.(c.....................6......&........0....@..................................e......................................,b..<....p...............l..h&...........L..8............................L..@............0..,............................text............................... ..`.rdata...8...0...:..."..............@..@.data........p.......\..............@....rsrc........p.......f..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\bgEoRLupllWTRAp.pdf

Download File

Process:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1357136
Entropy (8bit):	6.739954842849538
Encrypted:	false
SSDEEP:	24576:9jhWSkCh5jR4pkIhn1Fg7YqPCxYL+ID4ntel4LbKbmNTwExzpKPSaYQ1:Ob6jCkIhn1PGyuFbmNTXzAPSaX
MD5:	F1EE4E4D017CC4F4D219194699B41D29
SHA1:	301399A3ACE2E43794359AF582B7B2EDE1DD97EF
SHA-256:	006657553CE820ADAFECAFC222944C84EC584F1E2E0ABA054A36D4F101A997E9
SHA-512:	7822E172F28AD80926713E8DC20E77913D4A5ED483FD688B293E4173E0D3107652E844909830F029CC2DAF4A60F23BD1A09AEFA534DA2B3135DEDE6D5ABFE5C0
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\bgEoRLupllWTRAp.pdf, Author: Joe Security
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0....................@..........................0............@.............................L...\...........X+.......................z..8k..8...........................xj..@............................................text...X........................... ..`.rdata...<.......>..................@..@.data....H...0...4..................@....rsrc...X+.......,...J..............@..@.reloc...z.......\|...v..............@..B................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.020958484955603
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	Rr6TGP9rEq.exe
File size:	5'046'784 bytes
MD5:	297270c13474cdcd006acc261c98050a
SHA1:	40fd185b12939822e4cc02da09ae3d38aea83306
SHA256:	ddc4a98828ac3afea03294fd57189778ce57e305d075f08f0ace443352d5447b
SHA512:	cb1a42bf6c34f3042809f29a6cb2e11f4699c4d1718e5da340fac205a6875145cae2a690736206d8c19ad68916efc5c835d3488a1aa272f0d0e00cddeb150d00
SSDEEP:	49152:/s+CpclD5n5jx/cOOXjdyfpPaG02dj6cwH4n1Yzb5UBAyXjYeBhZ8jGdn7h:XxlDnZpPx024cw47
TLSH:	03369C87BC9004F4C0EE933689A655827B31BC480F3067D73A50BEB92E7ABD5AD75718
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.&....L................@..............................S.......M...`... ............................

File Icon


Icon Hash:	a9d337070f113428

Static PE Info

General

Entrypoint:	0x1400014c0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:	0x40137f80, 0x1, 0x40137f50, 0x1, 0x4013b9e0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	5929190c8765f5bc37b052ab5c6c53e7

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004BEF35h]
mov dword ptr [eax], 00000001h
call 00007F0BD87E3D1Fh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [004BEF15h]
mov dword ptr [eax], 00000000h
call 00007F0BD87E3CFFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007F0BD89258ACh
dec eax
test eax, eax
sete al
movzx eax, al
neg eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007F0BD87E4039h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 10h
dec eax
mov ecx, dword ptr [00158619h]
dec eax
mov edx, dword ptr [0015860Ah]
dec eax
cmp eax, ecx
jnl 00007F0BD87E407Ah
jnc 00007F0BD87E4094h
dec eax
shl eax, 04h
dec eax
mov ecx, dword ptr [edx+eax]
dec eax
mov ebx, dword ptr [edx+eax+08h]
dec eax
mov eax, ecx
dec eax
add esp, 10h
pop ebp
ret
dec eax
test ecx, ecx
jbe 00007F0BD87E406Fh
dec eax
mov eax, dword ptr [edx]
dec eax
mov ebx, dword ptr [edx+08h]
dec eax
add esp, 10h
pop ebp
ret
xor eax, eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x523000	0x4e	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x524000	0x13d0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x528000	0x1ab5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x4c1000	0x7398	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52a000	0x56d8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4bfd60	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x52447c	0x440	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x142510	0x142600	1689c0a61f068e655e9cc9a429bb9cd1	False	0.45523337533927877	data	6.262547988503689	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x144000	0x27b30	0x27c00	2ccac218f42c3f0561e3d8062d0978e2	False	0.34171088836477986	data	4.1391825243617415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x16c000	0x354b90	0x354c00	6cf0780f922948988c9e9a536d11e12e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.pdata	0x4c1000	0x7398	0x7400	f168e58d0a77ce383fb0fae8433af4aa	False	0.42298626077586204	data	5.435032323770333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.xdata	0x4c9000	0xc38	0xe00	cea507ee74ab8c28fdbe399dd8878db3	False	0.2544642857142857	data	3.962633143064429	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.bss	0x4ca000	0x58860	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x523000	0x4e	0x200	e47cf641fe57baf17bad501765a3a96a	False	0.1328125	data	0.835069313857098	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.idata	0x524000	0x13d0	0x1400	41b114f6ee85dc581b4af4e0204adde3	False	0.3171875	data	4.495096723445719	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x526000	0x70	0x200	0eac8bed04ff70b62412779975fa2666	False	0.08203125	data	0.47139462148086453	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x527000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x528000	0x1ab5	0x1c00	a6f614766ad09b44db5b2ef7c06c8c7b	False	0.7693917410714286	data	6.966829299150213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x52a000	0x56d8	0x5800	331e21ea698e2d37d0c9f5a9dacc775f	False	0.3044655539772727	data	5.382899971776336	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x52813c	0x117e	PNG image data, 256 x 256, 8-bit/color RGB, non-interlaced			0.9678427869584636
RT_GROUP_ICON	0x5292bc	0x14	data			1.05
RT_VERSION	0x5292d0	0x378	data	English	United States	0.47072072072072074
RT_MANIFEST	0x529648	0x46d	XML 1.0 document, ASCII text	English	United States	0.4510150044130627

Imports

DLL

Import

KERNEL32.dll

AddAtomA, AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateFileA, CreateIoCompletionPort, CreateMutexA, CreateSemaphoreA, CreateThread, CreateWaitableTimerExW, DeleteAtom, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, ExitProcess, FindAtomA, FormatMessageA, FreeEnvironmentStringsW, GetAtomNameA, GetConsoleMode, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetEnvironmentStringsW, GetErrorMode, GetHandleInformation, GetLastError, GetProcAddress, GetProcessAffinityMask, GetQueuedCompletionStatusEx, GetStartupInfoA, GetStdHandle, GetSystemDirectoryA, GetSystemInfo, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount, InitializeCriticalSection, IsDBCSLeadByteEx, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryExW, LoadLibraryW, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, PostQueuedCompletionStatus, QueryPerformanceCounter, QueryPerformanceFrequency, RaiseException, RaiseFailFastException, ReleaseMutex, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, SetConsoleCtrlHandler, SetErrorMode, SetEvent, SetLastError, SetProcessAffinityMask, SetProcessPriorityBoost, SetThreadContext, SetThreadPriority, SetUnhandledExceptionFilter, SetWaitableTimer, Sleep, SuspendThread, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WerGetFlags, WerSetFlags, WideCharToMultiByte, WriteConsoleW, WriteFile, __C_specific_handler

msvcrt.dll

___lc_codepage_func, ___mb_cur_max_func, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _beginthread, _beginthreadex, _cexit, _commode, _endthreadex, _errno, _fmode, _initterm, _lock, _memccpy, _onexit, _setjmp, _strdup, _ultoa, _unlock, abort, calloc, exit, fprintf, fputc, free, fwrite, localeconv, longjmp, malloc, memcpy, memmove, memset, printf, realloc, signal, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
_cgo_dummy_export	1	0x140521a90

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-12T11:29:18.496103+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	49730	5000	192.168.2.4	193.233.132.67
2024-08-12T11:29:15.502619+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	1	49730	5000	192.168.2.4	193.233.132.67

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 12, 2024 11:29:15.475203991 CEST	49730	5000	192.168.2.4	193.233.132.67
Aug 12, 2024 11:29:15.481153011 CEST	5000	49730	193.233.132.67	192.168.2.4
Aug 12, 2024 11:29:15.481267929 CEST	49730	5000	192.168.2.4	193.233.132.67
Aug 12, 2024 11:29:15.502619028 CEST	49730	5000	192.168.2.4	193.233.132.67
Aug 12, 2024 11:29:15.507800102 CEST	5000	49730	193.233.132.67	192.168.2.4
Aug 12, 2024 11:29:18.496103048 CEST	49730	5000	192.168.2.4	193.233.132.67
Aug 12, 2024 11:29:18.501389027 CEST	5000	49730	193.233.132.67	192.168.2.4
Aug 12, 2024 11:29:36.828337908 CEST	5000	49730	193.233.132.67	192.168.2.4
Aug 12, 2024 11:29:36.828521967 CEST	49730	5000	192.168.2.4	193.233.132.67

Target ID:	0
Start time:	05:29:02
Start date:	12/08/2024
Path:	C:\Users\user\Desktop\Rr6TGP9rEq.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Rr6TGP9rEq.exe"
Imagebase:	0x7ff682120000
File size:	5'046'784 bytes
MD5 hash:	297270C13474CDCD006ACC261C98050A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1756716858.0000022DEE0C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1807457246.0000022DEDF70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1808998337.000000C0004F2000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1809631801.000000C000800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:29:12
Start date:	12/08/2024
Path:	C:\Program Files (x86)\AutoIt3\Au3Check.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\autoit3\Au3Check.exe"
Imagebase:	0x400000
File size:	234'088 bytes
MD5 hash:	3BE697D1A92115D5CA76A633A527DFB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.6%
Total number of Nodes:	1558
Total number of Limit Nodes:	37

Executed Functions

Function 00574577 Relevance: 102.4, APIs: 48, Strings: 9, Instructions: 2690sleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0052F1D0,00000000,00000000,00000000), ref: 0057461C
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00574623
Sleep.KERNELBASE(00000001), ref: 005746D8
GetTempPathA.KERNEL32(000000FB,?,0100C8CB), ref: 00574737

Strings

#@#^@#TGRERTERYERY, xrefs: 00575154
d4, xrefs: 005746F7
45 hgfch rtdyt gfch, xrefs: 00575D6A
ewetwertyer eytdryrtdy, xrefs: 0057521F
.6, xrefs: 0057476D
ntdll.dll, xrefs: 00575124
jjj, xrefs: 0057460D
drthdrthdrthdr hrtd hr, xrefs: 00576BF6
td ydrthrhfty, xrefs: 00575485

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindNotificationPathSleepTempThread
String ID: drthdrthdrthdr hrtd hr$#@#^@#TGRERTERYERY$45 hgfch rtdyt gfch$ewetwertyer eytdryrtdy$jjj$ntdll.dll$td ydrthrhfty$.6$d4
API String ID: 3366971898-4161778564
Opcode ID: d4457a634c1ecdb7a9ef507b363ee9c52fb4417ae2afffde31a989ecd81a4506
Instruction ID: b71d5980b67cee39c8459b662e1fd82ab401feb57e89d18f504e6eb52c44ca32
Opcode Fuzzy Hash: d4457a634c1ecdb7a9ef507b363ee9c52fb4417ae2afffde31a989ecd81a4506
Instruction Fuzzy Hash: 8A33F634A042198BCB25EF64DC99BEDBB75FF84304F1480D9E4496B252EB30AE85DF91

Function 00573E4B Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 477
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32(00000000,E7FAFAC5,FAE1F3C6,00000014), ref: 00573F73
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00574018
GetProcessId.KERNELBASE(0000A9BD,00000000,00000000,00000003,00000000,00000000,00000000,00000003,00000000,00000000), ref: 0057407E

Strings

{8, xrefs: 00574340
P7a, xrefs: 005740A3
PN^, xrefs: 0057438C
WVV, xrefs: 00573FB3
/*************/, xrefs: 00574210
';, xrefs: 00574094
A8, xrefs: 0057437A

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: MessageProcessUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: /*************/$P7a$PN^$WVV$';$A8${8
API String ID: 1999352760-2137135086
Opcode ID: 050fc2e557f3481ce162944258dde15767b40f4ade1633b30e88c150466a5772
Instruction ID: b5ef58809efb0d65fc33bf7d59b7d00ddc2dee8836c65ed06a66b3b31a7f6dd8
Opcode Fuzzy Hash: 050fc2e557f3481ce162944258dde15767b40f4ade1633b30e88c150466a5772
Instruction Fuzzy Hash: D012F534A44225CBCB24CF14E894BAABBB2FF84704F14859DD94A6F751DB30AE85DF80

Function 0052E0A0 Relevance: 12.1, APIs: 8, Instructions: 93
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0052E0CA
getaddrinfo.WS2_32(?,?,?,00647320), ref: 0052E15D
socket.WS2_32(?,?,?), ref: 0052E17E
connect.WS2_32(00000000,?,00000000), ref: 0052E192
closesocket.WS2_32(00000000), ref: 0052E19E
freeaddrinfo.WS2_32(?,?,?,?,00647320,?,?,?,?,?,?), ref: 0052E1AB
WSACleanup.WS2_32 ref: 0052E1B1
freeaddrinfo.WS2_32(?,?,?,?,00647320,?,?,?,?,?,?), ref: 0052E1C6

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: freeaddrinfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 58224237-0
Opcode ID: 1dbee7ac01d11c3f207edcc2f62f04c2f9b17a49c32e817fbbe5caba0fd6d19f
Instruction ID: cac3c2b77853f7bcff5336494e2cb69a9d7d0fc41575315bd56aa2d47c9794b8
Opcode Fuzzy Hash: 1dbee7ac01d11c3f207edcc2f62f04c2f9b17a49c32e817fbbe5caba0fd6d19f
Instruction Fuzzy Hash: C5317E72604310AFD7209F25EC4976ABBE5FF85724F044B2DF9B8962E0D3359814CB92

Function 00573A40 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00573A53
GetCursorPos.USER32(?), ref: 00573A59
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00573DB6), ref: 00573B08
GetCursorPos.USER32(?), ref: 00573B0E
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00573DB6), ref: 00573BBA

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Cursor$Sleep
String ID:
API String ID: 1847515627-0
Opcode ID: 5b94d7a6f0a2fee03543c2f0ead46ddc954a7b4c5d191674bbc66f5b5d2c93bd
Instruction ID: 109e3ac0b1173c44c13e9c1300e26bde590a3ab1e53f643b58ef21546360212a
Opcode Fuzzy Hash: 5b94d7a6f0a2fee03543c2f0ead46ddc954a7b4c5d191674bbc66f5b5d2c93bd
Instruction Fuzzy Hash: 6451BA35A04219CFCB24CF58D8D5EA9BBB1FF48724B29859AD449AB311D731EE05EB80

Function 005FE813 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005FE4CC: CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 005FE4E9

GetLastError.KERNEL32 ref: 005FE927
__dosmaperr.LIBCMT ref: 005FE92E
GetFileType.KERNELBASE(00000000), ref: 005FE93A
GetLastError.KERNEL32 ref: 005FE944
__dosmaperr.LIBCMT ref: 005FE94D
CloseHandle.KERNEL32(00000000), ref: 005FE96D
CloseHandle.KERNEL32(?), ref: 005FEABA
GetLastError.KERNEL32 ref: 005FEAEC
__dosmaperr.LIBCMT ref: 005FEAF3

Strings

H, xrefs: 005FEA78

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 537428f3d2f85738b8f2939a80b42b263b1d887533b52fe75c43d5593ccacdd7
Instruction ID: cd9ee92fd73fccb5f37b13421650b881d2e7d05a91940067c6664dce6f9cd352
Opcode Fuzzy Hash: 537428f3d2f85738b8f2939a80b42b263b1d887533b52fe75c43d5593ccacdd7
Instruction Fuzzy Hash: 7AA12432A001599FCF19AF68DC96BBD3FB2BB46314F14015DFA019B2A1DB399D06C752

Function 0051B830 Relevance: 16.4, APIs: 5, Strings: 4, Instructions: 668
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0051A440: GetCurrentProcess.KERNEL32(?), ref: 0051A44F
Part of subcall function 0051A440: IsWow64Process.KERNEL32(00000000), ref: 0051A456

RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 0051B946
RegQueryValueExA.KERNELBASE(00000000,FCF0F3DC,00000000,00020019,?,00000400), ref: 0051B9A9
RegCloseKey.ADVAPI32(00000000), ref: 0051B9DF
GetCurrentHwProfileA.ADVAPI32(?), ref: 0051BA77
SetupDiGetClassDevsA.SETUPAPI(0061F540,00000000,00000000,00000012), ref: 0051BAD0

Part of subcall function 0051B1A0: LocalAlloc.KERNEL32(00000040,0000001C), ref: 0051B1F0
Part of subcall function 0051B1A0: SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,00000000), ref: 0051B1FF

Strings

_, xrefs: 0051BB25
_, xrefs: 0051BAC6
:, xrefs: 0051B443
_, xrefs: 0051BB32

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CurrentProcessSetup$AllocClassCloseDeviceDevsEnumInfoLocalOpenProfileQueryValueWow64
String ID: :$_$_$_
API String ID: 2396838628-4119709311
Opcode ID: 6cb66c2b9353e0e3607024f480d67fad21603ef19342be715195c3926695248c
Instruction ID: 85fd847d36f659da2e412c83d67beb768fed9d99eb769387f98681d705afb972
Opcode Fuzzy Hash: 6cb66c2b9353e0e3607024f480d67fad21603ef19342be715195c3926695248c
Instruction Fuzzy Hash: 2A528F70D002599FEB18CF68CC98BEDBFB5BF45304F1481A9E449AB282E7755A85CF50

Function 00604623 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151553ef43e1e2bc9f9febcb4bf39ac9ae964ade4cb46c6b6e6c8b694a297cd3
Instruction ID: 109cc01d0d77480a202ffb14ea5874ef3c6ceaa841186f58249773a979873ac9
Opcode Fuzzy Hash: 151553ef43e1e2bc9f9febcb4bf39ac9ae964ade4cb46c6b6e6c8b694a297cd3
Instruction Fuzzy Hash: 8BB1D3B4A44249AFDB29DFA8D881BAF7BB3BF46304F144158F644973D1CB709942CBA1

Function 005FE276 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 221
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 005FE4E9

Strings

-_, xrefs: 005FE27D, 005FE280, 005FE49D, 005FE399, 005FE4E6
@, xrefs: 005FE33D
-_, xrefs: 005FE4B1

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: -_$-_$@
API String ID: 823142352-1923655781
Opcode ID: da123e846fedc5db3ecdf16f24c98cbab7acb55469fbb823188b2144493ccd76
Instruction ID: 9dbc50ba7136b585ab31b4306fc00bbc8b14d45e1bff178b5d3171021034cbef
Opcode Fuzzy Hash: da123e846fedc5db3ecdf16f24c98cbab7acb55469fbb823188b2144493ccd76
Instruction Fuzzy Hash: A461D17190010DAADF259A68DC8FBBD3E66FB00364F28492AFB14D72F1D23DDD819661

Function 005EF290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0051220E

Strings

`!Q, xrefs: 00512216
`!Q, xrefs: 005121FC

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: bea4122cb0115a8b9d65407e7c28dc79c0f8986298e99f954259dd21c054b8b6
Instruction ID: 1c5126556307acc7506a7b22bebd4661648819c9edd32a102af14d01b999c4a3
Opcode Fuzzy Hash: bea4122cb0115a8b9d65407e7c28dc79c0f8986298e99f954259dd21c054b8b6
Instruction Fuzzy Hash: 03012B3940030DABCB18EFA9DC058AA7FEDBA00320B444439FB58DB591EB30E990C791

Function 0051A690 Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE ref: 0051A6BE
GetLastError.KERNEL32 ref: 0051A6C9
__Mtx_unlock.LIBCPMT ref: 0051A6EE

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastMtx_unlock
String ID:
API String ID: 441747541-0
Opcode ID: ef09833f780a66896017453d8b4d86062b002d51d542c2492cbd5857399587a9
Instruction ID: 0349615ae64a19efd38a0a50a047703d525dc799bf83c99c267b3f5a77ece004
Opcode Fuzzy Hash: ef09833f780a66896017453d8b4d86062b002d51d542c2492cbd5857399587a9
Instruction Fuzzy Hash: B4F08171D47151167E3A96B56C5A4F93F0AB95332C72C4622E845C6553F607CCC18593

Function 005F4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O_, xrefs: 005F4A93, 005F4A61, 005F4AAB, 005F4AC7

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: O_
API String ID: 0-2128823147
Opcode ID: c5f0ec7b1c6fc88c5d3552c0a52f83b287307c3b3ab2d58feece3c7eb62e9dd7
Instruction ID: 1626921da8c42e604611b2bb99c594bcf26711910522ccb0e1e1e219ed5d14a1
Opcode Fuzzy Hash: c5f0ec7b1c6fc88c5d3552c0a52f83b287307c3b3ab2d58feece3c7eb62e9dd7
Instruction Fuzzy Hash: 6E51A070A0010CAFDB14CF58C885ABBBFB6FF89364F248158E9899B252D2759E41CF94

Function 005FE4CC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,?,?,?,?,?,00000000), ref: 005FE4E9

Strings

-_, xrefs: 005FE27D, 005FE280, 005FE49D, 005FE399, 005FE4E6

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: -_
API String ID: 823142352-366110843
Opcode ID: 7efdeef83c5fd10c923e3c940ec20b2c2a22c038daffbfa16762055254062c6f
Instruction ID: d4ec3953310a42f1145e6c9d46ee810abcd2f47364c341068cdf969d7cebf13a
Opcode Fuzzy Hash: 7efdeef83c5fd10c923e3c940ec20b2c2a22c038daffbfa16762055254062c6f
Instruction Fuzzy Hash: 10D06C3200010DFBDF028F84DC06EDA3BAAFB88724F018010BE1856020C732E861EB90

Function 00604B12 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006049F9,00000000,CF830579,00641140,0000000C,00604AB5,005F8BBD,?), ref: 00604B68
GetLastError.KERNEL32(?,006049F9,00000000,CF830579,00641140,0000000C,00604AB5,005F8BBD,?), ref: 00604B72

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 3d9ce4fbcdb03520ecb0a5912ac885b713a4830c7c0afca97f1f0e1ace3bba7c
Instruction ID: c10d4ba88b41c38f99e868d3ce223be98d395987f124be8c56ebbeacbc602431
Opcode Fuzzy Hash: 3d9ce4fbcdb03520ecb0a5912ac885b713a4830c7c0afca97f1f0e1ace3bba7c
Instruction Fuzzy Hash: 9F112532AD42145AC73C2774A945BBF7B5B8B867B4F29021DFA088B2D2EF22DC418159

Function 005FE05C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00640DF8,0051A3EB,00000002,0051A3EB,00000000,?,?,?,005FE166,00000000,?,0051A3EB,00000002,00640DF8), ref: 005FE098
GetLastError.KERNEL32(0051A3EB,?,?,?,005FE166,00000000,?,0051A3EB,00000002,00640DF8,00000000,0051A3EB,00000000,00640DF8,0000000C,005F915E), ref: 005FE0A5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 93cdd5da7aea4e9ef497547a5c686bf92fa3bf4d0ebb8168052cd25fc50d6389
Instruction ID: 2ff2419506d98a44966b5bbe1b925a6fa90e768581c1e160a5e87b6d4cacebb8
Opcode Fuzzy Hash: 93cdd5da7aea4e9ef497547a5c686bf92fa3bf4d0ebb8168052cd25fc50d6389
Instruction Fuzzy Hash: E2012B36610109AFCF058F65CC0ACAF3F2AFB85324B240248F9119B1E1EA71ED41CBD0

Function 0051A210 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0051A343

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: b4786ccb5abc9ce717ff485e748ee77bf778934dad8dbca2040e27a9d6ecf089
Instruction ID: f454b76df3c6e6b47d09ca7971dfbfa404390bf54b9db760909911edbbf78c03
Opcode Fuzzy Hash: b4786ccb5abc9ce717ff485e748ee77bf778934dad8dbca2040e27a9d6ecf089
Instruction Fuzzy Hash: D44126709012059FEB15DF68C849BAEBFF4FF41700F20896DF5159B282D7B99981CB92

Function 00580560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 005806AE

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5b8477abd5dfbafd0efb1f6b93b48d469f4d73f05dc056d89ab6e976788f4514
Instruction ID: f4df40b54ea0e01903499650bc81dd24ea63272c68eae7a981902edc8bdabf84
Opcode Fuzzy Hash: 5b8477abd5dfbafd0efb1f6b93b48d469f4d73f05dc056d89ab6e976788f4514
Instruction Fuzzy Hash: D041E372A001199BCB15EF69DC806AE7FA5BF88350F140569FC05EB382E730DD648BE1

Function 00606A18 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00606A52

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8724513643eea024314cd992aba80936861fde2c76bcb2830cae26b6e57b53eb
Instruction ID: e2ec2eeca04dbcec3af327adc70d07eb0f27b612226570652ba90cce4d3ed369
Opcode Fuzzy Hash: 8724513643eea024314cd992aba80936861fde2c76bcb2830cae26b6e57b53eb
Instruction Fuzzy Hash: C61145B1A0020AAFCB09DF58E9459DB7BF5EF48308F104069F808EB351D630EA21CBA4

Function 00606E2D Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0060D635,4D88C033,?,0060D635,00000220,?,006057EF,4D88C033), ref: 00606E5F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f277032d07f74d98d26ee67a4081d6e3cf48d9ad72ec3fcc61f729327466e9ae
Instruction ID: 405eab3e05091c55a44e066254b1307802ad3694a5dfa42e2ccc3a23f6b6e793
Opcode Fuzzy Hash: f277032d07f74d98d26ee67a4081d6e3cf48d9ad72ec3fcc61f729327466e9ae
Instruction Fuzzy Hash: FFE0E5391C87255ADB382A65DC0479B7B5B9B817E1F040121FD05D62D1CB20CD2081E8

Non-executed Functions

Function 00569440 Relevance: 163.9, APIs: 70, Strings: 19, Instructions: 8125COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0056B6A4

Strings

\, xrefs: 0056B7DD
_, xrefs: 0056DF0F
\, xrefs: 0056F0DB
\, xrefs: 0056FF32
type must be boolean, but is , xrefs: 0056C5D1, 0056C623, 0056C685, 0056C6D7
\, xrefs: 0056DD24
\, xrefs: 0056DFBC
, xrefs: 00571152
\, xrefs: 0056ECFF
_, xrefs: 0056F04E
-, xrefs: 00570CA7
\, xrefs: 0056A7C0
_, xrefs: 0057014B
, xrefs: 0056BAF4
\, xrefs: 0056A4DA
-, xrefs: 00570FAE
\, xrefs: 0056DB80
\, xrefs: 005701F7
\, xrefs: 0056FD6F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: $ $-$-$\$\$\$\$\$\$\$\$\$\$\$_$_$_$type must be boolean, but is
API String ID: 4241100979-3297522916
Opcode ID: 74a2649cc73b63e85cbb92f078080c665b0e644dc4d3d35cf837e04065200db4
Instruction ID: d24c8ae9fb2ca65fd9d65074adc5e14bd2aacf0b955cc93019a63677e7ec256f
Opcode Fuzzy Hash: 74a2649cc73b63e85cbb92f078080c665b0e644dc4d3d35cf837e04065200db4
Instruction Fuzzy Hash: A0F3CA709042598FEB29CF28CC997EEBFB5BF45304F1481E9D049A7292EB709A85CF51

Function 0051E150 Relevance: 91.0, APIs: 48, Strings: 3, Instructions: 1776fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?,?,BEBDB8CD,?,?,BEBDB8CD,BEBDB8CE), ref: 0051E29B

Strings

., xrefs: 0051E2C0
y, xrefs: 0052337B
\, xrefs: 0051FF16

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FileFindFirst
String ID: .$\$y
API String ID: 1974802433-705995259
Opcode ID: d5cf5c937341de7555c206c065dd4ed148498b14d134b9fa0f6b233247d5766d
Instruction ID: 0debe1d1cefbe2e016e1a1b6a5c0d7a2f3d86c31578789a040498b0f3841bbd5
Opcode Fuzzy Hash: d5cf5c937341de7555c206c065dd4ed148498b14d134b9fa0f6b233247d5766d
Instruction Fuzzy Hash: 96D21770D002499BEF18DFA8DC8A6EDBF76BF55300F14826CE855A7292E7309A85CB51

Function 0051C430 Relevance: 83.7, APIs: 43, Strings: 4, Instructions: 1449registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,C0D5DDC2,00000000,00020019,00000000), ref: 0051C6DD
RegQueryValueExA.ADVAPI32(00000000,FCF0F3DC,00000000,00020019,?,00000400), ref: 0051C753
RegCloseKey.ADVAPI32(00000000), ref: 0051C788
GetCurrentHwProfileA.ADVAPI32(?), ref: 0051C82F

Strings

@, xrefs: 0051D7D3
1.8, xrefs: 0051C575, 0051C583, 0051C5BD
?, xrefs: 0051DCB9
Maestro_build, xrefs: 0051C527, 0051C52E, 0051C564

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProfileQueryValue
String ID: 1.8$?$@$Maestro_build
API String ID: 1240309278-2215060601
Opcode ID: 74622d2d23146962ea74465dab412a5a05e0b8a596b50d840ed6e11caf542412
Instruction ID: 965cbe2944e9e4dca211cb5164a7a934ebb86f62df10307db8c94f357ab5bea7
Opcode Fuzzy Hash: 74622d2d23146962ea74465dab412a5a05e0b8a596b50d840ed6e11caf542412
Instruction Fuzzy Hash: 90E226B180422D9EEF20DF60DC49BEEBBB9BF54304F4440D9E549A6242EB715B89CF61

Function 0054E2D0 Relevance: 52.5, APIs: 22, Strings: 7, Instructions: 1770COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?), ref: 0054E327
GetFileAttributesA.KERNEL32(?,?,F8F6C6CE,?,?), ref: 0054E449
GetLastError.KERNEL32(?,F8F6C6CE,?,?), ref: 0054E456
__Mtx_unlock.LIBCPMT ref: 0054E475
GetFileAttributesA.KERNEL32(?,F5F7E6CE,?,?,F8F6C6CE,?,?), ref: 0054E540
GetLastError.KERNEL32(?,?,F8F6C6CE,?,?), ref: 0054E547
__Mtx_unlock.LIBCPMT ref: 0054E566

Strings

., xrefs: 0054E751
\, xrefs: 0054F698
s, xrefs: 0054F68B
\, xrefs: 0054EEAA
\, xrefs: 0054F437
\, xrefs: 0054F139
s, xrefs: 0054F42A

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AttributesErrorFileLastMtx_unlock$FolderPath
String ID: .$\$\$\$\$s$s
API String ID: 3673586248-1144724142
Opcode ID: c5b35c3c0de7a5c6547ee5e1fc31e57aadc931bfb04b53c93f4a64a620e158f6
Instruction ID: 10219ed061191ef3858e1867691b92154a9b46c4a14170a9559d69b539a6b69c
Opcode Fuzzy Hash: c5b35c3c0de7a5c6547ee5e1fc31e57aadc931bfb04b53c93f4a64a620e158f6
Instruction Fuzzy Hash: A8F2B0709002598FDB28CF68CC99BEDBFB5BF45304F1482E9E449A7282E7749A85CF51

Function 00554457 Relevance: 38.4, APIs: 20, Strings: 1, Instructions: 1609fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 0055457D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0055465A
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 005548B7
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 005549C7

Strings

l, xrefs: 005560FC

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CopyCreateDirectoryFile
String ID: l
API String ID: 3761107634-2517025534
Opcode ID: 9c06706c2e23829d60ad9b4cec8d8e09c6fc4ee4b66e1d4e4f4e4dd47470083b
Instruction ID: 9efe3b6ca018ca63d62c6543126ce19b4ca8f299d242fdeb64662cce40c495bc
Opcode Fuzzy Hash: 9c06706c2e23829d60ad9b4cec8d8e09c6fc4ee4b66e1d4e4f4e4dd47470083b
Instruction Fuzzy Hash: 66F29174C042599AEF25EB60DC5ABEDBB75BF54304F0481D9D84967282EB701BC8CFA2

Function 00556230 Relevance: 29.1, APIs: 13, Strings: 2, Instructions: 2835COMMON

Download Yara Rule

Strings

P, xrefs: 005591E2
Maestro_build, xrefs: 00556592

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Maestro_build$P
API String ID: 118556049-1949223644
Opcode ID: b98a9700821180d8546c6a2616d5c088904ad59dd7e02ab2e14466a7b202e238
Instruction ID: 911f59d124184d0b2fafd50eb57e465d0cdd164d5b6a234b0341ae034b03c148
Opcode Fuzzy Hash: b98a9700821180d8546c6a2616d5c088904ad59dd7e02ab2e14466a7b202e238
Instruction Fuzzy Hash: 29537D7081425D9ADF25EB64DC6ABEDBB78BF54304F4440D9E84963282EB701F89CF62

Function 0054B480 Relevance: 25.8, APIs: 5, Strings: 9, Instructions: 1314COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0054B596
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 0054B6B5
GetPrivateProfileStringA.KERNEL32(?,FCE7F3C1,00000000,?,00000104,?), ref: 0054B76A

Strings

/, xrefs: 0054B937
), xrefs: 0054BFD8
LX+N, xrefs: 0054BDD2
423-, xrefs: 0054BDBE
\, xrefs: 0054BA44
\, xrefs: 0054B773
T.ft, xrefs: 0054BDDC
1S@W, xrefs: 0054BDE6
%IUL, xrefs: 0054BDC8

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PrivateProfile$FolderNamesPathSectionString
String ID: %IUL$)$/$1S@W$423-$LX+N$T.ft$\$\
API String ID: 1539182551-1036846380
Opcode ID: 26aa1a02f0b41a2cf7c5e3ea8f631e0bc8666d7ca988c272212ee01ae794d59a
Instruction ID: f9df44f6845e5c32539d2e11733de2cdd82c46e1597fdae863865555bcb9db57
Opcode Fuzzy Hash: 26aa1a02f0b41a2cf7c5e3ea8f631e0bc8666d7ca988c272212ee01ae794d59a
Instruction Fuzzy Hash: EAC2B0709042599FDB28CF28CC99BEDBFB5BF45308F1445E9E449AB282DB709A84CF51

Function 00551220 Relevance: 25.5, APIs: 13, Strings: 1, Instructions: 963registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00647420,00000000), ref: 0055130F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0055134A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00551375
RegQueryValueExA.ADVAPI32(?,FDF2FFD4,00000000,00000001,?,00000104), ref: 00551475
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 005515BF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 00551610
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005516BC
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551717
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551772
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005517C9
RegCloseKey.ADVAPI32(?), ref: 0055204D
RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0055207C
RegCloseKey.ADVAPI32(?), ref: 00552090

Strings

cannot use operator[] with a string argument with , xrefs: 005520EB

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID: cannot use operator[] with a string argument with
API String ID: 2041898428-2766135566
Opcode ID: a3ebc4535adffc76adf3b3738b3dcd7947c2baccb1005750a0726a6149ebcf53
Instruction ID: 32be46e609e94597c80adf459f73f746bb7487762cc4922aae0d6a0e24e7ac66
Opcode Fuzzy Hash: a3ebc4535adffc76adf3b3738b3dcd7947c2baccb1005750a0726a6149ebcf53
Instruction Fuzzy Hash: 94928A708002599EDB25DF64CC59BEEBFB8BF59304F1081DAD449A7282EB715B88CF61

Function 0054B6C9 Relevance: 22.1, APIs: 3, Strings: 9, Instructions: 1086COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(?,FCE7F3C1,00000000,?,00000104,?), ref: 0054B76A

Strings

/, xrefs: 0054B937
), xrefs: 0054BFD8
LX+N, xrefs: 0054BDD2
423-, xrefs: 0054BDBE
\, xrefs: 0054BA44
\, xrefs: 0054B773
T.ft, xrefs: 0054BDDC
1S@W, xrefs: 0054BDE6
%IUL, xrefs: 0054BDC8

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID: %IUL$)$/$1S@W$423-$LX+N$T.ft$\$\
API String ID: 1096422788-1036846380
Opcode ID: b54c9da0e3bbc1a0ff2ac293fad0b28825219f0303064f449dd2ad3e9cc7c595
Instruction ID: 8e9e0f9f49cfea2b31dd46c4c68097962cea160601d96ba0ad23ad3ed197763e
Opcode Fuzzy Hash: b54c9da0e3bbc1a0ff2ac293fad0b28825219f0303064f449dd2ad3e9cc7c595
Instruction Fuzzy Hash: 4FA2AE709042599FDB68CF28CC98BEDBFB5BF85308F1445D9D449AB282DB709A84CF91

Function 005A0610 Relevance: 22.1, APIs: 3, Strings: 9, Instructions: 1060COMMON

Download Yara Rule

Strings

NaN, xrefs: 005A0CD7
+, xrefs: 005A0C3A
, xrefs: 005A0E79, 005A0EA1, 005A14D7, 005A14F7
+Inf, xrefs: 005A0E15
-Inf, xrefs: 005A0DF2
Inf, xrefs: 005A0E1E
0123456789ABCDEF0123456789abcdef, xrefs: 005A0B1B
-x0, xrefs: 005A0BC1
gfff, xrefs: 005A10BC

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$-x0$0123456789ABCDEF0123456789abcdef$Inf$NaN$gfff
API String ID: 0-3242634575
Opcode ID: 6be73e1bee1737f9b0bf3526189eda0d078409bb85fa4aed6e23f403afaaf2ef
Instruction ID: 9339eb918f032133901ee87b91e32ea65193c69ed80769c87147ffc464a990b4
Opcode Fuzzy Hash: 6be73e1bee1737f9b0bf3526189eda0d078409bb85fa4aed6e23f403afaaf2ef
Instruction Fuzzy Hash: F8821371A187828BD7268F28C49436FBFE0BBC7344F185D9DE4C597292E635C949CB82

Function 005512D8 Relevance: 20.3, APIs: 13, Instructions: 808registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,?,00647420,00000000), ref: 0055130F
RegEnumKeyA.ADVAPI32(?,00000000,?,00000104), ref: 0055134A
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 00551375
RegQueryValueExA.ADVAPI32(?,FDF2FFD4,00000000,00000001,?,00000104), ref: 00551475
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 005515BF
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000001,?,00000104,?,?,?,?,0000002D,?), ref: 00551610
RegQueryValueExA.ADVAPI32(?,C4D2DFD8,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005516BC
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551717
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 00551772
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000003,?,00000200,?,?,?,?,0000002D,?), ref: 005517C9
RegEnumKeyA.ADVAPI32(?,00000001,?,00000104), ref: 0055207C
RegCloseKey.ADVAPI32(?), ref: 00552090

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: QueryValue$EnumOpen$Close
String ID:
API String ID: 2931576859-0
Opcode ID: 3185b2f9e022a0e4281c119b5001ebfdd72a5f3e711a130f6d454c0ad398a34f
Instruction ID: bf7cffb422b052b17d279f819b1ccb2c4d0dc993a821bca3202a459963db6f85
Opcode Fuzzy Hash: 3185b2f9e022a0e4281c119b5001ebfdd72a5f3e711a130f6d454c0ad398a34f
Instruction Fuzzy Hash: FA828C708002599EDB25CF64CC59BEEBFB8BF59304F1041EAD549A7282EB745B88CF61

Function 0053C470 Relevance: 20.1, APIs: 1, Strings: 9, Instructions: 2614COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,00000000), ref: 0053C54A

Strings

\, xrefs: 0053D478
cannot use operator[] with a string argument with , xrefs: 0053EA0F
\, xrefs: 0053D0FB
\, xrefs: 0053DCB2
\, xrefs: 0053D723
\, xrefs: 0053D6A5
\, xrefs: 0053DD19
\, xrefs: 0053D090
A, xrefs: 0053EA2C

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: A$\$\$\$\$\$\$\$cannot use operator[] with a string argument with
API String ID: 1514166925-727479227
Opcode ID: 2b9d0cd6590cfde177b2f0c86f81aa106fa5901ae1f0a707f6768f6b5ed6ef50
Instruction ID: 68f6583f34444414230fd5932c8409c5f04c29849d20f0eaab03894cc716c804
Opcode Fuzzy Hash: 2b9d0cd6590cfde177b2f0c86f81aa106fa5901ae1f0a707f6768f6b5ed6ef50
Instruction Fuzzy Hash: 50339F719002598FDB28DF68CC897EEBFB5BF45304F1481D9E449A7282D770AA85CFA1

Function 005191A0 Relevance: 16.9, APIs: 5, Strings: 4, Instructions: 1127processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00519283
Process32First.KERNEL32(00000000,00000128), ref: 00519293
Process32Next.KERNEL32(00000000,00000128), ref: 005192B0

Strings

k:R, xrefs: 0051950F, 005194F0
/\/, xrefs: 0051956A, 0051959C
\, xrefs: 00519528
/, xrefs: 005194E2

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32
String ID: /$/\/$\$k:R
API String ID: 1238713047-4104199226
Opcode ID: a5532653b63562a5f2077e431d5726220666d687bdcd84f60ada98ca753d347d
Instruction ID: 34c8f9642be17b32a3256bc95882219b530ac5a1136b3e202f5b2f5ba3852d2f
Opcode Fuzzy Hash: a5532653b63562a5f2077e431d5726220666d687bdcd84f60ada98ca753d347d
Instruction Fuzzy Hash: 7892F571D002499FEF19CFA8C8A46EEBFB5BF45314F14426DD445AB282E7305E86CBA1

Function 005955B0 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 005955FC
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059563E
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 00595686
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 005956C7
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 00595708
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 00595746
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059578E
GetProcAddress.KERNEL32(00000000,E4E7E6D9), ref: 005957D6
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 00595817
GetProcAddress.KERNEL32(00000000,F1E7FCD8), ref: 0059585D

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4b754765c7de2766ed18039b3f4a1b09bc732e9621cc5057ea13f0b15216dd1e
Instruction ID: d295fe6d2213ccf14067a8061b50dd42fd58c7a2cb02a829134d74316b2cf658
Opcode Fuzzy Hash: 4b754765c7de2766ed18039b3f4a1b09bc732e9621cc5057ea13f0b15216dd1e
Instruction Fuzzy Hash: 878192B481429C9EDF19CFA4D445AEEBFB9FF06304F5080AED441AB641E378430ACB66

Function 005E5100 Relevance: 14.3, Strings: 10, Instructions: 1841COMMON

Download Yara Rule

Strings

Q, xrefs: 005E5B17
@, xrefs: 005E5AE0
,, xrefs: 005E5B09
-, xrefs: 005E5B02
H, xrefs: 005E5B1E
>, xrefs: 005E5AEA
., xrefs: 005E5AF4
+, xrefs: 005E5AFB
@, xrefs: 005E5167
.,+-, xrefs: 005E5723

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: +$,$-$.$.,+-$>$@$@$H$Q
API String ID: 0-262771488
Opcode ID: 2bb66d51075f4c401b0db156811db391b67e66e397475115847e4b2db615038b
Instruction ID: 8752559fba0ace90c3a357913066fd11b23a9f1e9c103f160f80f9d3d9435b13
Opcode Fuzzy Hash: 2bb66d51075f4c401b0db156811db391b67e66e397475115847e4b2db615038b
Instruction Fuzzy Hash: 3C13A870A00685CFCB28DF59C480BAABBB1FF48348F15819DD985AB392E775E915CF90

Function 005411D0 Relevance: 11.7, Strings: 9, Instructions: 443COMMON

Download Yara Rule

Strings

\, xrefs: 00543010
, xrefs: 00545453
cannot use operator[] with a string argument with , xrefs: 0054538C, 005453E1, 00545436
\, xrefs: 00542F7D
-, xrefs: 00541BAE
;, xrefs: 005445C4
-, xrefs: 00541B8E
\, xrefs: 00542A67
authorization: , xrefs: 005412C4

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: $-$-$;$\$\$\$authorization: $cannot use operator[] with a string argument with
API String ID: 1646373207-2790917795
Opcode ID: a0704703ff41f95840d6c1a40cf62073c665fc4bb64bed1915ae0f7227094da3
Instruction ID: 1726c2c7295f21a312b46300aecbc9cf27d7f63e3f92ad48f9d3303e9e22e77a
Opcode Fuzzy Hash: a0704703ff41f95840d6c1a40cf62073c665fc4bb64bed1915ae0f7227094da3
Instruction Fuzzy Hash: 3402D170D002498FDB08DFA8D8897DEBFB5BF49304F14816DE41AEB682D7349984CB95

Function 0053B0E9 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1107COMMON

Download Yara Rule

Strings

DUD, xrefs: 0053BBCD
%, xrefs: 0053C15C
\, xrefs: 0053B7A3
!kg$, xrefs: 0053BBC3
\, xrefs: 0053B843

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: !kg$$%$DUD$\$\
API String ID: 0-1765724623
Opcode ID: 28cbaa501cdcaaacbe9a262be1a7b512847423d18e0189d29e2302b6db6c2d5a
Instruction ID: 8f4323a8f7dc29b35ca56e3d2402a3b31bdf1748558a5be058b9bb353037299f
Opcode Fuzzy Hash: 28cbaa501cdcaaacbe9a262be1a7b512847423d18e0189d29e2302b6db6c2d5a
Instruction Fuzzy Hash: D3A29F719002598FEB29CF68CC947EEBFB1BF45300F148299E549AB382D7749A85CF91

Function 0056A3E8 Relevance: 11.2, APIs: 3, Strings: 3, Instructions: 708COMMON

Download Yara Rule

Strings

", xrefs: 0056B2B5
\, xrefs: 0056A4DA
@, xrefs: 0056A525

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: "$@$\
API String ID: 0-2984034985
Opcode ID: 530ea1cf219928335f19f711fd8fe7888f8fd1fb243b39c807b7645a5d823a5e
Instruction ID: 299d13d077eb9e1e02f20bf93c75fc29995f88e9131dcaa4ba4ce054d5853ad4
Opcode Fuzzy Hash: 530ea1cf219928335f19f711fd8fe7888f8fd1fb243b39c807b7645a5d823a5e
Instruction Fuzzy Hash: 76629BB08042688AEF29CB28CC587DEBFB5BF45304F1441EDD04AA7292DB755B89CF56

Function 00538129 Relevance: 10.7, Strings: 7, Instructions: 1993COMMON

Download Yara Rule

Strings

f, xrefs: 00536DC3
ig{O, xrefs: 00536DAF
rsap, xrefs: 00536DB9
CTHE, xrefs: 00536D9B
`of$, xrefs: 00536D91
3, xrefs: 005386D1
)iyi, xrefs: 00536DA5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: )iyi$3$CTHE$`of$$f$ig{O$rsap
API String ID: 0-3302844315
Opcode ID: 6255c12e757de48f8cdf6573ca1ec0f952f70c51e66f426cca9b6f063774671b
Instruction ID: dce13b608b115a52cecd379d7084ea7b93ab151eefb2b4a18366fa114fe02687
Opcode Fuzzy Hash: 6255c12e757de48f8cdf6573ca1ec0f952f70c51e66f426cca9b6f063774671b
Instruction Fuzzy Hash: E213CDB0D042598BDB25DF24C8897EEBFB4BF55304F1481E9D449A7282DB349B89CF91

Function 00610630 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00610738
IsValidCodePage.KERNEL32(00000000), ref: 00610776
IsValidLocale.KERNEL32(?,00000001), ref: 00610789
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006107D1
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006107EC

Strings

`Db, xrefs: 006106E5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: `Db
API String ID: 415426439-2151651399
Opcode ID: a774324960514bf7e47775b86eee49274d3166e292b8f3856b81aec5450ae46d
Instruction ID: cea180f9ada95ffaab8fc2f0e31e664feea79005358fe1332d94b11a1dc7d497
Opcode Fuzzy Hash: a774324960514bf7e47775b86eee49274d3166e292b8f3856b81aec5450ae46d
Instruction Fuzzy Hash: 0E518471A04205AFEF50DFA4CC41AEF77BABF48700F184469E515E7291DBB1A9C4CB64

Function 00533330 Relevance: 10.5, APIs: 1, Strings: 4, Instructions: 1726COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,FBE7E7F0), ref: 00533453

Strings

\, xrefs: 00533DED
cannot use operator[] with a string argument with , xrefs: 005349FB, 00534A53
\, xrefs: 00533D65
&, xrefs: 00534A18

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: &$\$\$cannot use operator[] with a string argument with
API String ID: 1514166925-52429261
Opcode ID: 5f919d01a9d6b41b5ab30d5ceab17a2acfda4c3d86bdfcc93d922ec34dccf0a5
Instruction ID: 033a29b7cb64f61e935033b811d2884b7fd150a0db67442f7ad7a0392ea486c1
Opcode Fuzzy Hash: 5f919d01a9d6b41b5ab30d5ceab17a2acfda4c3d86bdfcc93d922ec34dccf0a5
Instruction Fuzzy Hash: F6E2AF719002598FDF28CF68CC997EDBFB5BF45300F1481A9E449AB282D774AA85CF91

Function 0052A290 Relevance: 9.5, Strings: 6, Instructions: 2043COMMON

Download Yara Rule

Strings

., xrefs: 0052B0E2
., xrefs: 0052AB30
,, xrefs: 0052A5D2
type must be boolean, but is , xrefs: 0052BF3C, 0052BF6D, 0052C02B
$, xrefs: 0052BD6D
,, xrefs: 0052A6AF

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: $$,$,$.$.$type must be boolean, but is
API String ID: 0-4086305923
Opcode ID: 418949fa4a9cd8fb4a894cc4d4efc4ff38dd95366f4bf337d2086056cd9473be
Instruction ID: ac7e200bfb6a209bebd9599cde24b37e439dee2344eb2631c99865d0ad68e111
Opcode Fuzzy Hash: 418949fa4a9cd8fb4a894cc4d4efc4ff38dd95366f4bf337d2086056cd9473be
Instruction Fuzzy Hash: 7313CD709002698FEB29DF68D858BEDBFB4BF46300F1481D9D449AB292DB319E84CF51

Function 00610454 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00610766,00000002,00000000,?,?,?,00610766,?,00000000), ref: 006104ED
GetLocaleInfoW.KERNEL32(?,20001004,00610766,00000002,00000000,?,?,?,00610766,?,00000000), ref: 00610516
GetACP.KERNEL32(?,?,00610766,?,00000000), ref: 0061052B

Strings

OCP, xrefs: 006104A8
ACP, xrefs: 00610472

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 8779f752ec26bc537e469adf8f0eb0d9de74fac0e04ab07ea39aed8d74cc262e
Instruction ID: 6921c22a5b73752f2e79181c7c085aa43c13f970720e2cf6a69524655fe3ab9a
Opcode Fuzzy Hash: 8779f752ec26bc537e469adf8f0eb0d9de74fac0e04ab07ea39aed8d74cc262e
Instruction Fuzzy Hash: E221B622700105E6FF308F64DA41AEB76E7AF54B64B5E8474EA0ADB214EBB2DDC1C750

Function 00595240 Relevance: 7.8, APIs: 5, Instructions: 250networkCOMMON

Download Yara Rule

APIs

InternetCloseHandle.WININET(?), ref: 00595403
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 00595475
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 0059548C
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 005954A5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CharNext$CloseHandleInternet
String ID:
API String ID: 581584189-0
Opcode ID: 7d28dc5c691a0dd1b4395843922dd54029e115c9f1ffaa38c874db2298a0954c
Instruction ID: 89a3e24a2ad303a942da38ddaa8079e7779fe52c009ba1fb59335f1ce82a20c5
Opcode Fuzzy Hash: 7d28dc5c691a0dd1b4395843922dd54029e115c9f1ffaa38c874db2298a0954c
Instruction Fuzzy Hash: 3E81DF71A0060AABDF15CFA9DC51BEEBFB9FF49340F144069E908A3251E7709E518BA0

Function 0053E108 Relevance: 7.7, Strings: 5, Instructions: 1446COMMON

Download Yara Rule

Strings

\, xrefs: 0053D478
\, xrefs: 0053D0FB
%, xrefs: 0053E79D
\, xrefs: 0053D723
\, xrefs: 0053DD19

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: %$\$\$\$\
API String ID: 0-255543811
Opcode ID: dd5eed4a0ef1eda8ba3aa38720e934a229a48d1d32dd810ec5e9faafe38897d0
Instruction ID: 344c74aec86082ad30959ca54e5c2aa36017a362d37338dd48ca4bb9056809f9
Opcode Fuzzy Hash: dd5eed4a0ef1eda8ba3aa38720e934a229a48d1d32dd810ec5e9faafe38897d0
Instruction Fuzzy Hash: 42D2AB709002598FDB29CF68DC897EEBFB5BF55300F1482E9E449AB282D7709A85CF51

Function 0053E229 Relevance: 7.7, Strings: 5, Instructions: 1445COMMON

Download Yara Rule

Strings

\, xrefs: 0053D478
\, xrefs: 0053D0FB
%, xrefs: 0053E79D
\, xrefs: 0053D723
\, xrefs: 0053DD19

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: %$\$\$\$\
API String ID: 0-255543811
Opcode ID: 194f852d9f900e6856e58e1955b4a8309c3c9e2d569060910bc6e0ea46588792
Instruction ID: 23dafe3da46321ba2ca9f08064dc8ae32f917759a6b1a352f263b4b4100321f0
Opcode Fuzzy Hash: 194f852d9f900e6856e58e1955b4a8309c3c9e2d569060910bc6e0ea46588792
Instruction Fuzzy Hash: 92D2AB709002598FDB29CF68DC897EEBFB5BF55300F1482E9E449AB282D7709A85CF51

Function 0055B568 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 675COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 0055B5E9

Strings

*, xrefs: 0055BEB2

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FolderPath
String ID: *
API String ID: 1514166925-163128923
Opcode ID: a8276e29d583391688afec0868f2c6a59796de8620cb59e0451e5a6b2eadf4a4
Instruction ID: 262b3f29bf6feb708f3cc44f07279391231cba88545f761de1733d69757f3836
Opcode Fuzzy Hash: a8276e29d583391688afec0868f2c6a59796de8620cb59e0451e5a6b2eadf4a4
Instruction Fuzzy Hash: 6D42B071D002489FEF18CFA8D8987EDBFB5BF45300F2481AED859A7282E7715A49CB51

Function 005F84A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: fa72119d763c41ce507c4b5e08828b50c96f072b29f168590d063ceb56f1789b
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: CF023C71E012199BDF14CFA9C9806BEFBF1FF88314F248669D619E7381DB35A9418B90

Function 0052C0A0 Relevance: 6.3, Strings: 4, Instructions: 1274COMMON

Download Yara Rule

Strings

Content-Type: application/x-www-form-urlencoded, xrefs: 0052C1B1, 0052C43F, 0052CDA2
C, xrefs: 0052DF64
https://www.maxmind.com/en/locate-my-ip-address, xrefs: 0052D28A
https://ipinfo.io/, xrefs: 0052CABC

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressConcurrency::cancel_current_taskHandleModuleProc
String ID: C$Content-Type: application/x-www-form-urlencoded$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address
API String ID: 2385143733-2400714340
Opcode ID: a4d9850abf7888587847929ef497dce24d0e2f451c3598609469d549ffb619b8
Instruction ID: d8432a5da1ae175fc55bdda7341a7f5c057a8cbdde4add86962f88158ce2db84
Opcode Fuzzy Hash: a4d9850abf7888587847929ef497dce24d0e2f451c3598609469d549ffb619b8
Instruction Fuzzy Hash: 03C28B709042699ADF24EB64DC5ABEEBF75BF95304F0440D8E44977282EB701B89CF62

Function 005A4110 Relevance: 6.2, APIs: 4, Instructions: 225fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 005A4208
CreateFileA.KERNEL32(00000000,?,00000003,00000000,?,?,00000000), ref: 005A4210

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79ba54dee12a99d5e1f57adf10db26b1d13320eb8772cbdecd632756f3e3447e
Instruction ID: 3676b17facff502085dcb45424836d17350e3ee2611662772394f07abfecafd0
Opcode Fuzzy Hash: 79ba54dee12a99d5e1f57adf10db26b1d13320eb8772cbdecd632756f3e3447e
Instruction Fuzzy Hash: A071EDB16043018BDB10CF68D845BAFBBE9FFC6314F04492EF99986251E775C985CB92

Function 005A4670 Relevance: 6.1, APIs: 4, Instructions: 61timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 005A468A
GetCurrentProcessId.KERNEL32 ref: 005A46B5
GetTickCount.KERNEL32 ref: 005A46CA
QueryPerformanceCounter.KERNEL32(?), ref: 005A46E1

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CountCounterCurrentPerformanceProcessQuerySystemTickTime
String ID:
API String ID: 4122616988-0
Opcode ID: 97fe228d6c22aeb01a6a25a303f63774e305b3b128eecb279eae291899a5a0ae
Instruction ID: 48371d23f9f3a07e7bd576459557e1182cf3547f86edcaf45f2c2e9010a357fc
Opcode Fuzzy Hash: 97fe228d6c22aeb01a6a25a303f63774e305b3b128eecb279eae291899a5a0ae
Instruction Fuzzy Hash: 10115B76A00628DBCB10CFA8D8885DDFBF5FB4A320B448476EC49D7315D631E941CB90

Function 00543286 Relevance: 5.9, Strings: 4, Instructions: 937COMMON

Download Yara Rule

Strings

", xrefs: 0054377E
\, xrefs: 00543010
\, xrefs: 00542F7D
\, xrefs: 00542A67

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: "$\$\$\
API String ID: 0-2102624741
Opcode ID: 6ed92f3a8db808a27ad8e8535da3ee69adc9f5ac005cdb7611c68b15107d5d8a
Instruction ID: dc92eacf9792847825e59d1aca090d51c1f0f2732aafd9ef451bd24d1e2e8d39
Opcode Fuzzy Hash: 6ed92f3a8db808a27ad8e8535da3ee69adc9f5ac005cdb7611c68b15107d5d8a
Instruction Fuzzy Hash: 7382BC709002698BDB18CF68CC897EDBFB5BF45308F5482DDE449AB692D7706B85CB90

Function 006100D8 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061012C
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00610176
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061023C

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: ea1edd574c659cbbff25b15299977892a1982ce7fcb8ee6de896cd842c47c802
Instruction ID: acff281ffb4f7c04b33e7ba8199395a31f602d0a8f58c8705136e7de43cac57e
Opcode Fuzzy Hash: ea1edd574c659cbbff25b15299977892a1982ce7fcb8ee6de896cd842c47c802
Instruction Fuzzy Hash: 7C61A07154420B9FEF68DF24CC86BEA77AAEF14300F18416AE915C6689F7B4DAC1CB50

Function 005F45A4 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 005F469C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 005F46A6
UnhandledExceptionFilter.KERNEL32(005F4484,?,?,?,?,?,00000000), ref: 005F46B3

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3e5dd56b1fb5298e7fb7ab45f600f5bf7168b0abf22b21694986f8e3c7a7ff96
Instruction ID: 905088620edd0f85bb75edbfb52fa4982d2a50057dc8b094d84a935e8a6aaa62
Opcode Fuzzy Hash: 3e5dd56b1fb5298e7fb7ab45f600f5bf7168b0abf22b21694986f8e3c7a7ff96
Instruction Fuzzy Hash: 8031C37590122DABCB21DF64D8897DDBBB8BF48310F5041EAE50CA7251EB749F858F44

Function 005990E0 Relevance: 4.2, Strings: 3, Instructions: 411COMMON

Download Yara Rule

Strings

invalid distance too far back, xrefs: 005994D9
invalid distance code, xrefs: 005994C3
invalid literal/length code, xrefs: 005994AA

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: invalid distance code$invalid distance too far back$invalid literal/length code
API String ID: 0-3255898291
Opcode ID: e79e1e614b61c4b8435e2ccd599855c6680f9d307dc00e9d6710b568c99d3ff3
Instruction ID: 77a11e599059b916f01e501a1d8551dbe1548a6263d35bbc6de10ef0a69f7a06
Opcode Fuzzy Hash: e79e1e614b61c4b8435e2ccd599855c6680f9d307dc00e9d6710b568c99d3ff3
Instruction Fuzzy Hash: 9DF16C71E002599FCF04CFADC5906ACBFF2FF99304B2485AED495AB342D635AA46CB50

Function 0055C620 Relevance: 3.8, Strings: 1, Instructions: 2575COMMON

Download Yara Rule

Strings

z, xrefs: 0055F20D

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: z
API String ID: 0-1657960367
Opcode ID: 9b87f67ac102212b6fb959b30c056054221d409a6255cdafe151d50f5dfe12b9
Instruction ID: 23fffd6a2e18449e0dc776b918d2be6d5f0b777395f723bbc7bac046a330addf
Opcode Fuzzy Hash: 9b87f67ac102212b6fb959b30c056054221d409a6255cdafe151d50f5dfe12b9
Instruction Fuzzy Hash: 2C4399B180426ADADF25EF68C8196EEBF75BF45300F4442C9D84937282D7711B89CFA2

Function 005A2610 Relevance: 3.5, APIs: 2, Instructions: 456COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A28FB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A294D

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: e1169bf2a2d88f9097cbc5291f777eb9e6fb9c7e2e75234ed14d65dbaf6a6de8
Instruction ID: 1a288245f105955c42638d63c3b92732988b2e147f454b26f39e54aec7b28d5f
Opcode Fuzzy Hash: e1169bf2a2d88f9097cbc5291f777eb9e6fb9c7e2e75234ed14d65dbaf6a6de8
Instruction Fuzzy Hash: 96F1E271E0021A8BCF14CF5DD8912BDFFF2FB89310F1982AAE595AB291DB7549418B90

Function 0053053B Relevance: 3.0, APIs: 2, Instructions: 33encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00530535
LocalFree.KERNEL32(?), ref: 00530564

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 0b81b86400fb19b0c18e7d408a73abd1e8b37d4cb140fcbbaa70da07f718e2da
Instruction ID: 533ed626120b7f29397a842dcb3c38181b91d0bf0c4ca9f00f6c73a8ca9525a8
Opcode Fuzzy Hash: 0b81b86400fb19b0c18e7d408a73abd1e8b37d4cb140fcbbaa70da07f718e2da
Instruction Fuzzy Hash: E4E09B73D4021D16DF2096A49C55BEEBB68FB54761F015073ED49F6181D6254E048EE2

Function 005EF26A Relevance: 3.0, APIs: 2, Instructions: 15timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,005EEC78,?,?,?,?,005240EB,?,00573C2E), ref: 005EF283
GetSystemTimeAsFileTime.KERNEL32(?,?,?,005EEC78,?,?,?,?,005240EB,?,00573C2E), ref: 005EF287

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 0169edcfba86221f0bdc54baff4c70f354a88b29cfc713275bb8e683c312cc1e
Instruction ID: 2d59f8a3579d4c648ca915ac350bcc63844a2a3133431e75e29c03c861c3550a
Opcode Fuzzy Hash: 0169edcfba86221f0bdc54baff4c70f354a88b29cfc713275bb8e683c312cc1e
Instruction Fuzzy Hash: 03D0223A5005B8E78B092FD1FC048DC7F2AFA0AB503088077FA0983124CF211C008BC1

Function 00529259 Relevance: 2.0, Strings: 1, Instructions: 787COMMON

Download Yara Rule

Strings

+, xrefs: 00529B19

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 33d096c3b9e13fc021566d33fb60f7e95d58920849c9cd52ed11a8b7900c165d
Instruction ID: 374603c5a67e8d60c14232c678459eda74b44ca88c802696e027eb6a3e68e53d
Opcode Fuzzy Hash: 33d096c3b9e13fc021566d33fb60f7e95d58920849c9cd52ed11a8b7900c165d
Instruction Fuzzy Hash: 43726C709002698FDB18CF68D8987DDBBB5BF46300F2482EDD059AB782E7749A85CF50

Function 005B1270 Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

%s-mj%08X, xrefs: 005B1456

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: %s-mj%08X
API String ID: 0-77246884
Opcode ID: 448fc39f872702818dadb165210a53d9838cf7a70e9be67fe8432c37282cff97
Instruction ID: 0dbe326acba404a3471f2d881f5791bbcd8aac032625ffafd9517a7fc1f43873
Opcode Fuzzy Hash: 448fc39f872702818dadb165210a53d9838cf7a70e9be67fe8432c37282cff97
Instruction Fuzzy Hash: DD126C70604B019FD764CF69C890BAABBE5FFC8314F54892DE99A87251DB31F841CB4A

Function 005A63D0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 005A6449

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: 1ae21db2f24bae033a874413a08895cf9ef0a6936569dd53fef1bb6e24226d22
Instruction ID: 6a0d4a47c696437260d3519ce59a653953009ccc764e9f33138adf274d0c262f
Opcode Fuzzy Hash: 1ae21db2f24bae033a874413a08895cf9ef0a6936569dd53fef1bb6e24226d22
Instruction Fuzzy Hash: 10616A71610740DFCB28CF6DC88056AFBF5AF99300B088AAEDD86DB756D630E955CB90

Function 00609160 Relevance: 1.7, APIs: 1, Instructions: 156timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00606DB3: HeapFree.KERNEL32(00000000,00000000,?,0060ECA9,005F89C3,00000000,005F89C3,?,0060EF4A,005F89C3,00000007,005F89C3,?,0060F43E,005F89C3,005F89C3), ref: 00606DC9
Part of subcall function 00606DB3: GetLastError.KERNEL32(005F89C3,?,0060ECA9,005F89C3,00000000,005F89C3,?,0060EF4A,005F89C3,00000007,005F89C3,?,0060F43E,005F89C3,005F89C3), ref: 00606DD4

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00609313,00000000,00000000,00000000), ref: 006091D2

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 3335090040-0
Opcode ID: 047590866a50a0a3ed8b40d57cce0762a1a26530c912eb94fe7bf74fde8b5ecb
Instruction ID: e162799986963195751de8b80979baba6591c4f421e9c48cbe9f5458a8cdcaf4
Opcode Fuzzy Hash: 047590866a50a0a3ed8b40d57cce0762a1a26530c912eb94fe7bf74fde8b5ecb
Instruction Fuzzy Hash: 9941E675940125AFCB18EF65EC0699B7F7BAF42760B10416AF454A72E2EB309E00CBA4

Function 0061032B Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0061037F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0ba3c15ef53b571376abd5d4431c1df9cad4954e471b662ac661dff2d933006d
Instruction ID: 2fb6de2176c0ce4f7ee092243e70b1668ea74a5f3fc3c3dcd330d37dbe979520
Opcode Fuzzy Hash: 0ba3c15ef53b571376abd5d4431c1df9cad4954e471b662ac661dff2d933006d
Instruction Fuzzy Hash: 2521A132611207ABEF289B25DC81AFB37AAEB04310F14017AF915D6281EBB4EDC08B54

Function 0059E140 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

-, xrefs: 0059E198

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction ID: 5bc310b744196eac31cd953c03f2a46461962f343431ff8d175d28990ca305ab
Opcode Fuzzy Hash: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
Instruction Fuzzy Hash: 71B1A1356007059FEF20CAA4CC41ABEFBF5FF44310F144E1AE9AAD2690D371A946CB61

Function 005AC4F0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

d, xrefs: 005AC718

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: a46c03965f89406d21e4840a8879490cd355410da3bfc95495e00d4f6904263f
Instruction ID: 75acc801fc2566a54498e5fa300652ea53ace401c0fd58e5b07d4af67fa206e7
Opcode Fuzzy Hash: a46c03965f89406d21e4840a8879490cd355410da3bfc95495e00d4f6904263f
Instruction Fuzzy Hash: A9C171716047428FC715CF29C48056ABFE2BFDA344F1885ADE8998B346DB35ED06CBA1

Function 00524400 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(FAE1F7FA), ref: 0052446D

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: cc950a95dce5ff95e785122f5184d828b507a2eedb93c1b78dded785e97a1ba2
Instruction ID: fc9eef203d3167730693a814ddc29224c8ca56efc21fde2109924a4f19aa2584
Opcode Fuzzy Hash: cc950a95dce5ff95e785122f5184d828b507a2eedb93c1b78dded785e97a1ba2
Instruction Fuzzy Hash: AC015BB1915218AFDB00DFA9D8856CEFBF8FF08310F5085AAE419E7241D375A205CBA0

Function 0061055A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006103D5,00000000,00000000,?), ref: 00610586

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 005763b52e6410c09ce1b8511ea4d81e0cd6910015807635b6cb8cacbb8b1f0a
Instruction ID: afbc30c313302886a278c6a7cc5870b223ca7b81aa3bf5c4daa390f34718b25b
Opcode Fuzzy Hash: 005763b52e6410c09ce1b8511ea4d81e0cd6910015807635b6cb8cacbb8b1f0a
Instruction Fuzzy Hash: B401DB32600116ABEF289B248A45AFB776BDB40754F194429EC46A31C0EAB4FDC2CD90

Function 0061004D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00605BDB: GetLastError.KERNEL32(005F47AC,00000000,006002A8,?,?,00000003,005F45A3,FF176ACC,005F4512,?,00000000,005F4721), ref: 00605BDF
Part of subcall function 00605BDB: SetLastError.KERNEL32(00000000,00000000,005F4721,?,?,?,?,?,00000000,005F47AC,00000000,00000000,00000000,00000000,00000000,005F89CE), ref: 00605C81

EnumSystemLocalesW.KERNEL32(0061032B,00000001,FFFFFFFF,?,-00000050,?,006106D4,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00610097

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 698648870ab998a35d3e21d8a0abd4c583c67cc4dd88312cd9ec148d8011cb59
Instruction ID: 92fdf73d9813b16d46527402e4dcafd7e11d96ef09186ef227328806549dfeaf
Opcode Fuzzy Hash: 698648870ab998a35d3e21d8a0abd4c583c67cc4dd88312cd9ec148d8011cb59
Instruction Fuzzy Hash: 3BF0C2362007049FEB246F359881BEA7B92FB84369F19842DF9464B690D6B1ACC2CB50

Function 006074CE Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00603B89,?,20001004,00000000,00000002,?,?,0060317B), ref: 00607502

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: cf4ae74dd506eeff0fb7818d64b21c8a87832422d4a35f6e3d9fd1103e66f4e9
Instruction ID: d7bf2133b4ce6a2b2b4f4f9f6111c25f4b3395656b1c5b3b48320380bd496042
Opcode Fuzzy Hash: cf4ae74dd506eeff0fb7818d64b21c8a87832422d4a35f6e3d9fd1103e66f4e9
Instruction Fuzzy Hash: 35E01A32984528BBCB162F61EC04EEF3F67AB44750F048425FC05652A1CB32AA21AAD4

Function 00524280 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,00000000,00000001,?,00000000), ref: 00524293

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: e411a5c97a685fbefe1d6a0eadf707ea147b736d87097e6eb6e3d0c70a403559
Instruction ID: af295caf409a97897ccc08494b60c97847354ea6889fadeb0d238c1f306e2683
Opcode Fuzzy Hash: e411a5c97a685fbefe1d6a0eadf707ea147b736d87097e6eb6e3d0c70a403559
Instruction Fuzzy Hash: B3E07234141215EBCB02CF8AA9423EABBECFB16310F180089F808D3700C226CA00AB60

Function 0059F360 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

-, xrefs: 0059F3DF

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction ID: 80a956d39aa894fe09583f73f8bfb0f9b4aae5ffc161a2b174383d22acec2d80
Opcode Fuzzy Hash: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
Instruction Fuzzy Hash: FA818F71951648AEEF219AB4C840BEDFFF0EF05201F1489E8E8D5E3B41D678D64AC7A1

Function 0059A03B Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

invalid block type, xrefs: 0059A196

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID: invalid block type
API String ID: 0-1830746294
Opcode ID: e6d8240b112a78a09a0ed4fa221f66ddd0840ef3361a09ce087ebf80c5767fda
Instruction ID: c22ac230a91375823e95ac23d54dcd14ecd5d61067096e2ce1fa5a83b435216f
Opcode Fuzzy Hash: e6d8240b112a78a09a0ed4fa221f66ddd0840ef3361a09ce087ebf80c5767fda
Instruction Fuzzy Hash: 856139B5E006158BDB08CF59C4442ADBFB1FB88314F14C1AED8189B756D776DA46CF90

Function 005AD1A0 Relevance: 1.0, Instructions: 966COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6094c59931180dee46fcb7a570bc31a5db8888ad96c1c80ab7b2378a9d329632
Instruction ID: e5dd06fb9e742d12c9ff5ec71d543e2fc7c19b9c22be57ac397748bf796f4e1f
Opcode Fuzzy Hash: 6094c59931180dee46fcb7a570bc31a5db8888ad96c1c80ab7b2378a9d329632
Instruction Fuzzy Hash: 18929D74A083528FC714DF29D48062EBBF2BFCA304F15496DE8968B752D735E845CBA2

Function 0055F280 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979fb8f93f60bc7e3a4f33676972e644137c874c556c6cda60a5e639773166af
Instruction ID: 415b1f69013bfa3049c8e2b4ed8b5237d22e1e852f5f384cd5cb82c0dd775f7d
Opcode Fuzzy Hash: 979fb8f93f60bc7e3a4f33676972e644137c874c556c6cda60a5e639773166af
Instruction Fuzzy Hash: 1E526EB190424A8EDB48DF68C4156AEFFF4FF09304F1482AED845EB642E7719689CBD1

Function 0060B3B9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae9debd5fdadac9df3dae3d946f93778898e26d91da155b118361be0891ff27
Instruction ID: 370c5f4bd44a3509d8dc4cd2ce649ec4dedf7e18bf458a220bb2bd81d7134c04
Opcode Fuzzy Hash: fae9debd5fdadac9df3dae3d946f93778898e26d91da155b118361be0891ff27
Instruction Fuzzy Hash: 27323621D69F414DD7379634CC22336A24AAFB73D4F15E727F81AB5AA9EF29C9834100

Function 00598610 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d73c0b092ef984f92d42c05f47b3fe9854d4a3893dd605d8e8d710e45b8fc
Instruction ID: 6368f64f042d4186b98edcf152e7f41783211b9fb6a6a35570034c0507328270
Opcode Fuzzy Hash: c28d73c0b092ef984f92d42c05f47b3fe9854d4a3893dd605d8e8d710e45b8fc
Instruction Fuzzy Hash: 0B025A35600B008FCB24CF29C484A6ABBF2FF89314F55495EE9968BB92DB75F851CB50

Function 005670F0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_taskFolderNamesPathPrivateProfileSection
String ID:
API String ID: 1185923200-0
Opcode ID: 79e802052aba22b5e1dbcb441e2bdf86f60f083011ecf5141175cf5ab1925fd0
Instruction ID: f36b6d8507c617a9eed6374c82864c0465579252861624bd1a23b8658af1d30a
Opcode Fuzzy Hash: 79e802052aba22b5e1dbcb441e2bdf86f60f083011ecf5141175cf5ab1925fd0
Instruction Fuzzy Hash: A2E1EF74D042898FCB15DB68CC49BEDBFB6BF99314F1880D9D449A7342EB705A48CBA1

Function 0059E490 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88923f8df2a61e7006f5ecf14fd7805f83e68085996bdc7208aa9031238299ab
Instruction ID: 490e25d703bf2389942f55cccb75498ed556e8392beed292251798a5721673df
Opcode Fuzzy Hash: 88923f8df2a61e7006f5ecf14fd7805f83e68085996bdc7208aa9031238299ab
Instruction Fuzzy Hash: 36D19D706007418BEB24CF39C49479ABBE1FF58314F548A6DD4EE8B781EB74A489CB91

Function 005124F0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970760fb301abcd751a2535e2fc00994ad1a2215bf31372becfa56a4f6f65e52
Instruction ID: 09a458d104271dc0fdde13bedee7aebcdf8d8c07d5a10f8380e34d6c8dc67631
Opcode Fuzzy Hash: 970760fb301abcd751a2535e2fc00994ad1a2215bf31372becfa56a4f6f65e52
Instruction Fuzzy Hash: FA7104B4E011468FEB14CF68D8D17FEBFB6FB1A300F050169D85597782CB289996C7A0

Function 0059F600 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction ID: d5569f474a28144352b1a2fb2cc242acae7b9b31f6f407bc9e283419549aa584
Opcode Fuzzy Hash: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
Instruction Fuzzy Hash: ED61B431500709AFDF30CAA8C880BEEBFE5FF45310F208AB9E595D26A0D275E685C751

Function 00596550 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fa3ee8db4cf0f3d1f92b962ccb34bcd4349841ee1e19269a56cd65cbf3ca22
Instruction ID: 9c21d87bae517280a858c4eeda8aaec5cbd6f708df631f964d5dd397f332ed9e
Opcode Fuzzy Hash: 01fa3ee8db4cf0f3d1f92b962ccb34bcd4349841ee1e19269a56cd65cbf3ca22
Instruction Fuzzy Hash: 506144316109664FD728CF5EECC04663752E78A301386661AEAC1DB2A6C735F527DBE0

Function 005F646A Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction ID: 2988480aa988442f801a26c19e2885f991f9754534a8e66d8d31943de64ceac2
Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction Fuzzy Hash: 70517F72D00219AFDF14CF98C981AFEBFB6FF88314F598459E915AB201D7389A50DB90

Function 00525498 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57c5513b2a6ddb8df53c919b5ef77e69e08df4e3d3e96d3fc4e754907942400
Instruction ID: ce92f9a939328a0158453f0a07f9d7cc3c329335ca545680f6950edaadd9edde
Opcode Fuzzy Hash: f57c5513b2a6ddb8df53c919b5ef77e69e08df4e3d3e96d3fc4e754907942400
Instruction Fuzzy Hash: B2118C30614665CBCB29CF18D0A0BA9FBA2BF46754BA9408EC8855F792E771AD45CBC0

Function 00574638 Relevance: .0, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000001), ref: 005746D8
GetTempPathA.KERNEL32(000000FB,?,0100C8CB), ref: 00574737

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: PathSleepTemp
String ID:
API String ID: 119084202-0
Opcode ID: 7254be406cc0f86c6983815bf956a4fbaaafac700f82c4976941d6250270d2b0
Instruction ID: 62f13091fafeaa674e6152a60e9caddd73a184611d12e33a3a6f7f3d21cd2891
Opcode Fuzzy Hash: 7254be406cc0f86c6983815bf956a4fbaaafac700f82c4976941d6250270d2b0
Instruction Fuzzy Hash: DA113A35A04655CBCB25CF04D0A0A6AF7B1FF45758B298589C8691F715D731E94ACFC0

Function 00579610 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3469e2706c7b8808072a0d70d13407581380fe56500d1ba4e961cf50c2cc6b8c
Instruction ID: dbc702a08d152575c0d9f4efb0c0dd8df9a70d10112f3a1208ba3dba4c9c81cc
Opcode Fuzzy Hash: 3469e2706c7b8808072a0d70d13407581380fe56500d1ba4e961cf50c2cc6b8c
Instruction Fuzzy Hash: 9FC0CAB06042108BCA28DB1CB480866B7E6AF98210328CA2EE08A83600E672ED009B90

Function 00595450 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 00595475
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 0059548C
CharNextA.USER32(?,00000000,?,-00000023,?,?,?,?,?,?,?,00000000,00000000,74DEF380), ref: 005954A5

Strings

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36, xrefs: 0059557F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
API String ID: 3213498283-2732702261
Opcode ID: 784c1c15fe1aa32dc9641f7e8f4a1616ef73e0240794f039d3c2f399316f2aa8
Instruction ID: 82ab2f4c158aeb7807b1b6c9c6983b4b0e06d12b8b8d8b892858048b83120db6
Opcode Fuzzy Hash: 784c1c15fe1aa32dc9641f7e8f4a1616ef73e0240794f039d3c2f399316f2aa8
Instruction Fuzzy Hash: 9E416939940614ABCF52DF689C80AADBFB7FF4A311F094069ED88D7321E7314E568B50

Function 005F3306 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

___TypeMatch.LIBVCRUNTIME ref: 005F3533
CatchIt.LIBVCRUNTIME ref: 005F3584
_UnwindNestedFrames.LIBCMT ref: 005F3685
CallUnexpected.LIBVCRUNTIME ref: 005F36A0

Strings

b, xrefs: 005F341C
csm, xrefs: 005F3343
csm, xrefs: 005F345C
csm, xrefs: 005F33B0

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwind
String ID: csm$csm$csm$b
API String ID: 944608866-1124614693
Opcode ID: d8b54be5ecb7279b6850f66950320b191d0dfffbac8d575c94d8bfe3c3c2b9cd
Instruction ID: 0f0791b8eb696a74d2c5a4c60a6e97a1b940f28bd6bde632a280b20980339126
Opcode Fuzzy Hash: d8b54be5ecb7279b6850f66950320b191d0dfffbac8d575c94d8bfe3c3c2b9cd
Instruction Fuzzy Hash: BEB1557180020EEBEF15DFA4C8899BEBFB5FF94310B14455AEA01AB202D739DA51CF91

Function 006133AC Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,811C9DC5,?,?,?,?,?,?,?,0061448A), ref: 006133C5

Strings

log, xrefs: 00613422, 00613431
pow, xrefs: 00613463, 0061350D, 0061355A
sqrt, xrefs: 00613504
log10, xrefs: 00613407, 00613416
acos, xrefs: 006134FB
exp, xrefs: 00613444, 006134A9
asin, xrefs: 006134F2

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 297b0b9c951f5bd73616194bbc5f425296444d194a741a00c02861a85b5f6bf7
Instruction ID: eb24b1fd0acbca56f8e351c06700685752a34fbad8da3c68b7611e48c0ed5fd8
Opcode Fuzzy Hash: 297b0b9c951f5bd73616194bbc5f425296444d194a741a00c02861a85b5f6bf7
Instruction Fuzzy Hash: AD5147B4900A2ACBCF119F59E80C1EDBFB7FB49704F184056D492AA354CB798BA5CF54

Function 0051B1A0 Relevance: 13.6, APIs: 9, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,0000001C), ref: 0051B1F0
SetupDiEnumDeviceInfo.SETUPAPI(?,00000000,00000000), ref: 0051B1FF
LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 0051B239
SetupDiEnumDeviceInterfaces.SETUPAPI(?,00000000,0061F540,00000000,00000000), ref: 0051B251
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 0051B26D
SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 0051B28F
LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 0051B2C0
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0051B2C5
LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 0051B2C8

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: Local$DeviceSetup$Free$AllocDetailEnumInterface$InfoInterfaces
String ID:
API String ID: 45558158-0
Opcode ID: 2fc3ded58bfc13478eb5c79bd7a3a87bc892eb8f736f92cd3746db8217bbe1cd
Instruction ID: dcbd8c47dab12788d076ee99284abccb88a065d76e521a727a8699a6d87d0e63
Opcode Fuzzy Hash: 2fc3ded58bfc13478eb5c79bd7a3a87bc892eb8f736f92cd3746db8217bbe1cd
Instruction Fuzzy Hash: 59413CB5A40309AFDB60DFA9DC41B9EFBF9FB48700F14852AE519E7650E774A9008F60

Function 005A43B0 Relevance: 13.6, APIs: 9, Instructions: 88sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005A3E50: GetVersionExA.KERNEL32(?), ref: 005A3E76

GetVersionExA.KERNEL32(?), ref: 005A43F3
DeleteFileW.KERNEL32(00000000), ref: 005A4412
GetFileAttributesW.KERNEL32(00000000), ref: 005A4419
GetLastError.KERNEL32 ref: 005A4426
Sleep.KERNEL32(00000064), ref: 005A443C
DeleteFileA.KERNEL32(00000000), ref: 005A4445
GetFileAttributesA.KERNEL32(00000000), ref: 005A444C
GetLastError.KERNEL32 ref: 005A4459
Sleep.KERNEL32(00000064), ref: 005A446F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: File$AttributesDeleteErrorLastSleepVersion
String ID:
API String ID: 1421123951-0
Opcode ID: f8063c74552b481fd06f19973c27757e23bbc73517f8b7ace63e1d926da70a25
Instruction ID: f12187bb19c7de63b763daf322be59253268958384ebdcdee2e6486cc4a4a7a1
Opcode Fuzzy Hash: f8063c74552b481fd06f19973c27757e23bbc73517f8b7ace63e1d926da70a25
Instruction Fuzzy Hash: B721E5359002149BCF10ABB8AC886BE7BF5FB8F335F20C666E91EC2241EB7449419F51

Function 0051E2B7 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 365fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?), ref: 0051E53C
GetLastError.KERNEL32 ref: 0051E547
__Mtx_unlock.LIBCPMT ref: 0051E562
__Mtx_unlock.LIBCPMT ref: 0051E571
CreateDirectoryA.KERNEL32(?,00000000), ref: 0051E588
CopyFileA.KERNEL32(?,?,00000000), ref: 0051E5F0
FindNextFileA.KERNEL32(00000000,?), ref: 0051E604
FindClose.KERNEL32(00000000), ref: 0051E614
GetLastError.KERNEL32 ref: 0051E61A
GetLastError.KERNEL32 ref: 0051E630
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,00000000), ref: 0051E7F0

Strings

., xrefs: 0051E2C0

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ErrorFileLast$FindMtx_unlock$AttributesCloseCopyCreateDirectoryFolderNextPath
String ID: .
API String ID: 3822727861-248832578
Opcode ID: 7274ac666042fce18f5da42e2aaab16039180c3a5f3221c4465ad78747679616
Instruction ID: cc643f09935a8db41ae752f69f293d5549082a7b86f8cfb2f7faef721874937b
Opcode Fuzzy Hash: 7274ac666042fce18f5da42e2aaab16039180c3a5f3221c4465ad78747679616
Instruction Fuzzy Hash: 24D1DD719002488BEB1CDF28DC8ABEDBF76BF55310F548258E819A7792D734A9C1CB90

Function 0051C190 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 176registryCOMMON

Download Yara Rule

APIs

RegGetValueA.ADVAPI32(80000002,E0E0EBC2,F5FEFDD5,0001FFFF,00000001,?,00000104), ref: 0051C2B2
GetComputerNameExA.KERNEL32(00000002,?,00000104), ref: 0051C31C
LsaOpenPolicy.ADVAPI32(00000000,006456CC,00000001,00000000), ref: 0051C375

Strings

%wZ, xrefs: 0051C3A5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ComputerNameOpenPolicyValue
String ID: %wZ
API String ID: 642710655-705104578
Opcode ID: 964aefc5871dd21a5c9538ff98d78de7ddb1eada1a6ce6d5199e0dce2fdc983d
Instruction ID: 53d75ef2b57e7537aa9568300706464194d523846beed17187213c53db81b639
Opcode Fuzzy Hash: 964aefc5871dd21a5c9538ff98d78de7ddb1eada1a6ce6d5199e0dce2fdc983d
Instruction Fuzzy Hash: E871AEB1940258DFEF20CFA4D849BEEBFB8BF05300F04456EE559AB241E7B65689CB50

Function 005950C0 Relevance: 12.1, APIs: 8, Instructions: 140networkCOMMON

Download Yara Rule

APIs

InternetSetOptionA.WININET(00000000,00000006,00000000,00000004), ref: 00595100
HttpOpenRequestA.WININET(00000000,D0D2D7D9,?,00000000,00000000,00000000,80000000,00000000), ref: 00595175
GetLastError.KERNEL32(00000000,00000000), ref: 005951A0
InternetQueryOptionA.WININET(00000000,0000001F,80000000,?), ref: 005951CB
InternetSetOptionA.WININET(00000000,0000001F,00000100,00000004), ref: 005951E1

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: InternetOption$ErrorHttpLastOpenQueryRequest
String ID:
API String ID: 482189329-0
Opcode ID: 519fd74dd3c4f222391f2ca2af2559af22bd4b98511b1bc3005cd8a4b1fc17a0
Instruction ID: 5b8c9bedebde1194860fb76edaae1b081af8cb9346664c6cb1fb08c8a3d67b62
Opcode Fuzzy Hash: 519fd74dd3c4f222391f2ca2af2559af22bd4b98511b1bc3005cd8a4b1fc17a0
Instruction Fuzzy Hash: 79419575A40209BBEB21CF94DC49FAF7BB9EB45704F104059FA05BB280E7B49B04DB55

Function 00513190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005132C6
___std_exception_destroy.LIBVCRUNTIME ref: 00513350

Strings

`!Q, xrefs: 005132D1
@3Q, xrefs: 00513316
`!Q, xrefs: 005132AD, 00513349
+4Q, xrefs: 00513190

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4Q$@3Q$`!Q$`!Q
API String ID: 2970364248-74169555
Opcode ID: 4864e0c79e1366dd5093894e37f81f5854b3674c835b86367817a7941c249697
Instruction ID: b5b0fe487274b767b858b553b5df9d72fcf648426577df82a92fcc68c27a451e
Opcode Fuzzy Hash: 4864e0c79e1366dd5093894e37f81f5854b3674c835b86367817a7941c249697
Instruction Fuzzy Hash: 0F51A0719002499FDB08DF98D899BDEBFF6FF48310F14812AE815A7382D7749A81CB90

Function 005EE5EC Relevance: 10.7, APIs: 7, Instructions: 153threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005EE614
GetCurrentThreadId.KERNEL32 ref: 005EE631
GetCurrentThreadId.KERNEL32 ref: 005EE652
GetCurrentThreadId.KERNEL32 ref: 005EE6D5
__Xtime_diff_to_millis2.LIBCPMT ref: 005EE6ED
GetCurrentThreadId.KERNEL32 ref: 005EE719
GetCurrentThreadId.KERNEL32 ref: 005EE75F

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: CurrentThread$Xtime_diff_to_millis2
String ID:
API String ID: 1280559528-0
Opcode ID: 3f88ef1a2d2011dffc1c2fc882fd28097b322cc5f72d9f408a340324effe5f81
Instruction ID: 88f078ad942b6932a47670ca62396092b47e1f7c3e5f555803c1c8cfb6601926
Opcode Fuzzy Hash: 3f88ef1a2d2011dffc1c2fc882fd28097b322cc5f72d9f408a340324effe5f81
Instruction Fuzzy Hash: 2B51D235910695CFCF28DF65D9878A9BBF2FF58310B25846AE8869B241DB30EC41CF50

Function 00607118 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00607227,005F89C3,005FD244,00000000,00000000,00000000,?,00607451,00000022,FlsSetValue,00623B28,p;b,00000000), ref: 006071D9

Strings

api-ms-, xrefs: 0060716F
ext-ms-, xrefs: 00607183

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: f8d4f676038b4a1c1e92fe3a192567e8e6eea8b5b4a7a5488bbce0034ba26d6c
Instruction ID: ae0f51698ac3b6db2dc74ba7b7089233ecbde21ea45b0c469ad33d081da09915
Opcode Fuzzy Hash: f8d4f676038b4a1c1e92fe3a192567e8e6eea8b5b4a7a5488bbce0034ba26d6c
Instruction Fuzzy Hash: F3210576E88210ABC7259B64DC40A9B37ABAF42374F1901A0FD06A73D0E770FE01CAD1

Function 0061301D Relevance: 9.2, APIs: 6, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 006130C3
__freea.LIBCMT ref: 00613258
__freea.LIBCMT ref: 0061325E
__freea.LIBCMT ref: 00613294
__freea.LIBCMT ref: 0061329A
__freea.LIBCMT ref: 006132AA

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: __freea$Info
String ID:
API String ID: 541289543-0
Opcode ID: 0e97ea135973d165fea505ffd3e37dedda8393d8cdaafd6b8c96c8c791a21e9b
Instruction ID: 6b4b08a6c4141cddeef66d6f77359d8fee98aaeb2da538d478682b8eecdfc7ea
Opcode Fuzzy Hash: 0e97ea135973d165fea505ffd3e37dedda8393d8cdaafd6b8c96c8c791a21e9b
Instruction Fuzzy Hash: 8471C672904266ABDF24AF54CC42BEF7BABAF49310F2C0059E946BB381D7359F858750

Function 00524490 Relevance: 9.2, APIs: 6, Instructions: 205registryCOMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0052449B
IsProcessorFeaturePresent.KERNEL32(00000015), ref: 005244A7
RegOpenKeyExA.ADVAPI32(80000002,C0C0CBC2,00000000,00020019,?), ref: 0052452C
RegOpenKeyExA.ADVAPI32(80000002,C0C0CBC2,00000000,00020019,?), ref: 005245AA
RegCloseKey.ADVAPI32(?), ref: 005245B5
GetComputerNameA.KERNEL32(?,?), ref: 005245CA

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: OpenPresent$CloseComputerDebuggerFeatureNameProcessor
String ID:
API String ID: 2393775839-0
Opcode ID: c91fda855e356346202d83207b76113f7fd768b696904c9fa85ad288ff5d02c5
Instruction ID: a4d6608399f69672e76826d58c64b4d2bdeb0311dc4ac1c13f27252e962d2912
Opcode Fuzzy Hash: c91fda855e356346202d83207b76113f7fd768b696904c9fa85ad288ff5d02c5
Instruction Fuzzy Hash: E871AD7090026CAEDF14CFA4E884AEDBFB9FF0A304F14415DE845AB282E770A545CF64

Function 00515460 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 005155C4
___std_fs_directory_iterator_advance@8.LIBCPMT ref: 005155FF

Strings

., xrefs: 00515722

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID: .
API String ID: 2610647541-248832578
Opcode ID: 252926316b0406c02cc289696f9d4ec0676907b97eb3fad9dd05e55569c75e58
Instruction ID: 7b1524c8d28a175596b4280d414dbaa6a727882fdf04ff40149e83bc3aa0e623
Opcode Fuzzy Hash: 252926316b0406c02cc289696f9d4ec0676907b97eb3fad9dd05e55569c75e58
Instruction Fuzzy Hash: 22C1EF75A00A26DFEB24CF18C4846E9BBB2FF84320F554669D8559B290F735ADC4CBD0

Function 005173B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005175BE
___std_exception_destroy.LIBVCRUNTIME ref: 005175CD

Strings

at line , xrefs: 005173F7
`!Q, xrefs: 005175B6, 005175C6
, column , xrefs: 00517434, 0051744A

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!Q
API String ID: 4194217158-3570351978
Opcode ID: d9c15410a5c118c90975e1361f7b6b8c659fa07921b49db98d2c8164c43f73fa
Instruction ID: 51829fd37b9b8bb6353c0acd2004eea68b089b5f882f566cc4a003031960c869
Opcode Fuzzy Hash: d9c15410a5c118c90975e1361f7b6b8c659fa07921b49db98d2c8164c43f73fa
Instruction Fuzzy Hash: FC61F971A042499FEB08DF68DC84B9DBFB6FF88300F14462CE415A7782D774AA80CB90

Function 00513370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00513190: ___std_exception_copy.LIBVCRUNTIME ref: 005132C6

___std_exception_copy.LIBVCRUNTIME ref: 0051345F

Strings

@3Q, xrefs: 00513464
@3Q, xrefs: 005133F3, 0051347B
`!Q, xrefs: 00513450
+4Q, xrefs: 005133B3, 00513410

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4Q$@3Q$@3Q$`!Q
API String ID: 2659868963-2244486879
Opcode ID: c5b10aef47ef45ffe0d1ae1e360459a342529804b669f832fc9a30a48d1e5127
Instruction ID: a667031697b3c26895c80163bd6b5ef16fee3c5dfab99ccee6be91f318a90bbf
Opcode Fuzzy Hash: c5b10aef47ef45ffe0d1ae1e360459a342529804b669f832fc9a30a48d1e5127
Instruction Fuzzy Hash: 173183B1900209AFCB18DFA8D845AEEFFF9FB48310F14852AF515E7641E774A690CB94

Function 00513410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 005F0EFB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00573D00,00573D00,?,?,005ED708,00573D00,006409C4,00000000,00573D00,00000000,00000001), ref: 005F0F5B

___std_exception_copy.LIBVCRUNTIME ref: 0051345F

Strings

@3Q, xrefs: 00513464
@3Q, xrefs: 005133F3, 0051347B
`!Q, xrefs: 00513450
+4Q, xrefs: 005133B3, 00513410

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: +4Q$@3Q$@3Q$`!Q
API String ID: 3109751735-2244486879
Opcode ID: 02ac4cfb0c47430e8a23a32c09928d6e41d60212aa2f893110cab2f538bc7af1
Instruction ID: 12060f76310e50b19a33cad5673592cf0d75d8ad7a4bf63da4a8e8ddf17dc5c9
Opcode Fuzzy Hash: 02ac4cfb0c47430e8a23a32c09928d6e41d60212aa2f893110cab2f538bc7af1
Instruction Fuzzy Hash: D2014FB650020AAF8704DFA8D405896FFFDBF44310704842AE62987611EBB0E554CB90

Function 005FF175 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,63EEBEBE,005F47AC,?,00000000,0061D2B1,000000FF,?,005FF151,FF176ACC,?,005FF125,00000000), ref: 005FF1AA
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005FF1BC
FreeLibrary.KERNEL32(00000000,?,00000000,0061D2B1,000000FF,?,005FF151,FF176ACC,?,005FF125,00000000), ref: 005FF1DE

Strings

mscoree.dll, xrefs: 005FF1A3
CorExitProcess, xrefs: 005FF1B4

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 6adf3e2a5eb246f5847bf128e56d0028e075a653c01457c80dbe34131a118d62
Instruction ID: 30b4ab417910c1936268a30238db8041801f599f36a9fde87c0e473a2ca430f5
Opcode Fuzzy Hash: 6adf3e2a5eb246f5847bf128e56d0028e075a653c01457c80dbe34131a118d62
Instruction Fuzzy Hash: A4016775544A2AFFDB119B50DC05FEEBBB9FB04B21F048536EC11E2690DB789900CB90

Function 0057D050 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057D06F
___std_exception_copy.LIBVCRUNTIME ref: 0057D096

Strings

`!Q, xrefs: 0057D09B
`!Q, xrefs: 0057D060, 0057D085
uQ, xrefs: 0057D0A5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q$uQ
API String ID: 2659868963-1635935002
Opcode ID: 5542d998bc9f276b9de09799c8a3c6af9b9b123f1bbfd2b1cd3a1a1f2b2d10bd
Instruction ID: 1c9a36f9857229ba223778fa611c24b24e81897b96aed9abb7d89dd684721aa4
Opcode Fuzzy Hash: 5542d998bc9f276b9de09799c8a3c6af9b9b123f1bbfd2b1cd3a1a1f2b2d10bd
Instruction Fuzzy Hash: AF01A4B650060AAF8704DF59D409892FFFAFF58710704852BA529CBB11E7B0E568CFA0

Function 005A4560 Relevance: 7.6, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 005A3E50: GetVersionExA.KERNEL32(?), ref: 005A3E76

GetVersionExA.KERNEL32(?,?,?,?), ref: 005A4591
GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?), ref: 005A45B6
GetFullPathNameW.KERNEL32(00000000,00000003,00000000,00000000,?), ref: 005A45D6
GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?), ref: 005A45EF
GetFullPathNameA.KERNEL32(00000000,00000003,00000000,00000000,?), ref: 005A4621

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: FullNamePath$Version
String ID:
API String ID: 495861893-0
Opcode ID: 2be0e66c9867936495926d750cff8215042d4e4d483c097261c3efae2f7eb728
Instruction ID: 1aed157da81442f69b2fa1603fa575926d78917411fff9065881f5dbe4b18c7e
Opcode Fuzzy Hash: 2be0e66c9867936495926d750cff8215042d4e4d483c097261c3efae2f7eb728
Instruction Fuzzy Hash: 32212DB2A0110967D7107B64EC4AFBF7B69FFC3314F044034F90A57252DB689905C7A6

Function 00517620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005177B4

Strings

`!Q, xrefs: 005177BF
`!Q, xrefs: 0051779F
invalid_iterator, xrefs: 00517656

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q$invalid_iterator
API String ID: 2659868963-2457165433
Opcode ID: d6f76faeaf49e0222cf05479c9f35fb5ba9f559c2f5d370a5a66870217d9c61c
Instruction ID: f62e94db0ad494021ba79c1c6ab61c43f77cf161d7567bd430a832aac0064341
Opcode Fuzzy Hash: d6f76faeaf49e0222cf05479c9f35fb5ba9f559c2f5d370a5a66870217d9c61c
Instruction Fuzzy Hash: 32514EB09002499FDB18CF68D89479DFFF2FB48310F148669E419EB792E774A980CB90

Function 00515010 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 005F0EFB: RaiseException.KERNEL32(E06D7363,00000001,00000003,00573D00,00573D00,?,?,005ED708,00573D00,006409C4,00000000,00573D00,00000000,00000001), ref: 005F0F5B

___std_exception_copy.LIBVCRUNTIME ref: 005150C8

Strings

@3Q, xrefs: 005150CD
`!Q, xrefs: 005150B9
recursive_directory_iterator::operator++, xrefs: 0051504C

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: @3Q$`!Q$recursive_directory_iterator::operator++
API String ID: 3109751735-2614750537
Opcode ID: 940839b5e45b1404ea1042a13614301229402a96202b5476458da35579457fed
Instruction ID: ac821ef525c603702dd6d1eb30e45b0a1dd67158fec3a7d53841dd302c2629e9
Opcode Fuzzy Hash: 940839b5e45b1404ea1042a13614301229402a96202b5476458da35579457fed
Instruction Fuzzy Hash: C33180B6800609EFC714DF54D945F8AFBF8FB44710F048669E92A93781DB74BA14CBA1

Function 0057D0C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0057D0DF
___std_exception_copy.LIBVCRUNTIME ref: 0057D106

Strings

`!Q, xrefs: 0057D10E
`!Q, xrefs: 0057D0D0, 0057D0F5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 9940d1acb60a71fbee33f00c383a2ae0849cec9c513006fc10dc722c846f653f
Instruction ID: f16c871ece39802eadb44443dbbaa31ab9a1d752b09aec970a6d89af778da10d
Opcode Fuzzy Hash: 9940d1acb60a71fbee33f00c383a2ae0849cec9c513006fc10dc722c846f653f
Instruction Fuzzy Hash: CBF0C4B650060AAF8708DF58D409892FFEAFA54710705853BA529CBB01E7B0E568CFA0

Function 0058B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0058B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0058B406

Strings

`!Q, xrefs: 0058B40E
`!Q, xrefs: 0058B3D0, 0058B3F5

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 56f60a0efb31b411004c69370bca0858b066b4b0414069862f8a2c64f9a23001
Instruction ID: 306760a5b0a0c58843ef841e6875e3707fc5825cc462c9d7c96577c4f011cd96
Opcode Fuzzy Hash: 56f60a0efb31b411004c69370bca0858b066b4b0414069862f8a2c64f9a23001
Instruction Fuzzy Hash: 38F0C4B650060AAF8708DF58D409896BFEAFA54710305852BE52ACBB01E7B0E568CFA0

Function 005F40C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005F4078,00000000,?,00646988,?,?,?,005F421B,00000004,InitializeCriticalSectionEx,006215CC,InitializeCriticalSectionEx), ref: 005F40D4
GetLastError.KERNEL32(?,005F4078,00000000,?,00646988,?,?,?,005F421B,00000004,InitializeCriticalSectionEx,006215CC,InitializeCriticalSectionEx,00000000,?,005F3E62), ref: 005F40DE
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005F4106

Strings

api-ms-, xrefs: 005F40EB

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 59487e1819e3e4d6b9e0c1747807fa37e43665c41ce29fecf557bf2bb1e1545e
Instruction ID: a2e08ee297dbade59886715e4f378b6e993b11ecfa08f4690378606ea8d8bb1b
Opcode Fuzzy Hash: 59487e1819e3e4d6b9e0c1747807fa37e43665c41ce29fecf557bf2bb1e1545e
Instruction Fuzzy Hash: 5AE01A3068820CB6EF105BA1EC06F6A3E6BBB11B50F148031FA0DA84E1EB75E9909944

Function 005F30AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005F3176
___AdjustPointer.LIBCMT ref: 005F3199
___AdjustPointer.LIBCMT ref: 005F3235

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 5731da0b598b6d78cba2267ac0d38802d5865d48c1e3f55e07ead866f44965bf
Instruction ID: 5eec340306c823e1933e993c72371c1d434a78851c523fb4fa1ac709dc1a7f83
Opcode Fuzzy Hash: 5731da0b598b6d78cba2267ac0d38802d5865d48c1e3f55e07ead866f44965bf
Instruction Fuzzy Hash: C151A37560160A9FFB289F14D845FBA7FA5FF40310F244529EE0187291DB3AAA85CB90

Function 005FF54B Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 599017c89d470981fefea27f155824e36b1cd886e50e5685f193db0a798847b3
Instruction ID: d4829d4132f064b77d27710cf36a8de4e1c66b2f3ae118b727fdcacd4f6d6dda
Opcode Fuzzy Hash: 599017c89d470981fefea27f155824e36b1cd886e50e5685f193db0a798847b3
Instruction Fuzzy Hash: 17410BB2640709AFD724AF38D845B7ABFB5FF84710F10453AF201DBA91D77999408790

Function 005FF276 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0729fb4909c83ad4ecad4a37ccf2d15157d5c48bf3d7ee6d86927987860ca1e
Instruction ID: fb378e397ff78bbf523c6f26fed8c2958a372a6ed2e70450098e802c70bdbf05
Opcode Fuzzy Hash: f0729fb4909c83ad4ecad4a37ccf2d15157d5c48bf3d7ee6d86927987860ca1e
Instruction Fuzzy Hash: EB21927564020EAF9B10AF65DC8497A7F6ABF903647118935FB18D7981EB38ED0187A0

Function 005242C0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,00000100), ref: 005242F8
GetComputerNameA.KERNEL32(?,00000100), ref: 0052431F
GetCurrentProcess.KERNEL32(00000000), ref: 005243A8
TerminateProcess.KERNEL32(00000000), ref: 005243AF

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: NameProcess$ComputerCurrentTerminateUser
String ID:
API String ID: 1086297622-0
Opcode ID: efc96081783eca5f1435bdafcca3e43d9d15e3ae63d095d8cea5d459068e07b2
Instruction ID: 2ec99e40e4e0dc7aa4aeba2e0c9d04edbe3f883add55e5bfc39333803fc6a03e
Opcode Fuzzy Hash: efc96081783eca5f1435bdafcca3e43d9d15e3ae63d095d8cea5d459068e07b2
Instruction Fuzzy Hash: 29218671C4425CABDF10DBE0EC49BDEBBBCAF18305F1041AAE945D7182E7759289CBA1

Function 006141B2 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,005F9087,00000000,00000000,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000), ref: 006141C9
GetLastError.KERNEL32(?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?,?,?,0060557E,00000000), ref: 006141D5

Part of subcall function 0061419B: CloseHandle.KERNEL32(FFFFFFFE,006141E5,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?,?), ref: 006141AB

___initconout.LIBCMT ref: 006141E5

Part of subcall function 0061415D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0061418C,00610F1C,?,?,00604FA4,?,00000000,00000000,?), ref: 00614170

WriteConsoleW.KERNEL32(00000000,00000000,005F9087,00000000,?,00610F2F,00000000,00000001,?,?,?,00604FA4,?,00000000,00000000,?), ref: 006141FA

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 2df3bda3c0e5d09e80aa0c8a33cf6a574ce7d1a610a517150f5924b888a4aa47
Instruction ID: e0d9bf839152ae3d0ffba15970a65bfe3bdf4559e6a1c33c460443f4262b885b
Opcode Fuzzy Hash: 2df3bda3c0e5d09e80aa0c8a33cf6a574ce7d1a610a517150f5924b888a4aa47
Instruction Fuzzy Hash: 6AF0123A000125BBCF226FD1DC099D93F67FF0A3A1F098015FA1D96630CA3289A09B90

Function 0052E1E0 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 363libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,?,?,?,?,?,00000000,006322E8,00000000), ref: 0052E557
GetProcAddress.KERNEL32(00000000,C7D2C1C6), ref: 0052E562

Strings

Ws2_32.dll, xrefs: 0052E54E

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Ws2_32.dll
API String ID: 1646373207-3093949381
Opcode ID: aab0e015a796fbe62367bd9e587ee8f51ff09821fcadbac78285a68e97363212
Instruction ID: 5d11e451eab1dadb33dbd2028f9dc5e161f010a06ed81c37cb2250edaa70f5ea
Opcode Fuzzy Hash: aab0e015a796fbe62367bd9e587ee8f51ff09821fcadbac78285a68e97363212
Instruction Fuzzy Hash: F7E1BF70600221DFEB25CF68D88166DBFE2FF56310F24495DE4A69B3D2DB70A941CB91

Function 00513490 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005134AF

Strings

@3Q, xrefs: 005134B7
`!Q, xrefs: 005134A0

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3Q$`!Q
API String ID: 2659868963-2844704439
Opcode ID: 26ccfd862ffb857bb4669486b6ba2dac6845ac4ee95a905b4cba5cf52c6d838b
Instruction ID: 25ad08f5b60d01b37825a46c904af3658f3564112f679ec65ed8c1bd6faafb21
Opcode Fuzzy Hash: 26ccfd862ffb857bb4669486b6ba2dac6845ac4ee95a905b4cba5cf52c6d838b
Instruction Fuzzy Hash: 83F0A5B660470AAF8708CF59D401896FBE9FB99320305853BE529C7B00E7B0E5248BA4

Function 00513050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00513078

Strings

`!Q, xrefs: 00513080
`!Q, xrefs: 00513063

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 0b78440d9291ec1e783ac7c08242bf6ad28a5221b5ecd803e107569c13f4949b
Instruction ID: fd0ee94aa4340964ea0801a4b488dd923d23cd9493619fa2b0658b0e48f51f6f
Opcode Fuzzy Hash: 0b78440d9291ec1e783ac7c08242bf6ad28a5221b5ecd803e107569c13f4949b
Instruction Fuzzy Hash: 8FE012B29013099BC710DFA8D8059CAFFF9AB59711F0486BAE948D7301F6B0D5948BD1

Function 005175E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005175F1
___std_exception_destroy.LIBVCRUNTIME ref: 00517600

Strings

`!Q, xrefs: 005175E9, 005175F9

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: `!Q
API String ID: 4194217158-660956851
Opcode ID: 73c2244f9fc807076d07fba8c252deb731c01c674e66a1b7b70aaacd15a80fed
Instruction ID: 5a724f3f3b6cfa56aa7d7f67e3638b0da99a29a9cf31a3c22f9e69b4d3e12872
Opcode Fuzzy Hash: 73c2244f9fc807076d07fba8c252deb731c01c674e66a1b7b70aaacd15a80fed
Instruction Fuzzy Hash: B3E026F240074813C720AF549C0DBCABEEDAF60314F08083AFA5092342E7B4E65883E0

Function 00513090 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005130AE

Strings

`!Q, xrefs: 005130B6
`!Q, xrefs: 0051309C

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: c2d4a24d0ab07bacfbe2ccd4410b2f665a8b3164d6c814142d23e2f662bdd90c
Instruction ID: dfb2b47b467553cec50254d5e986dda1a7ca0008b7d94c0be3c8d9d1d4d169cd
Opcode Fuzzy Hash: c2d4a24d0ab07bacfbe2ccd4410b2f665a8b3164d6c814142d23e2f662bdd90c
Instruction Fuzzy Hash: 6BE012B25042199FC714DF48D805896BFDDEB15754709843EF649DB301E670D4508BA8

Function 00512230 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0051224E

Strings

`!Q, xrefs: 00512256
`!Q, xrefs: 0051223C

Memory Dump Source

Source File: 00000001.00000002.4167391733.0000000000510000.00000040.00000400.00020000.00000000.sdmp, Offset: 00510000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_510000_Au3Check.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!Q$`!Q
API String ID: 2659868963-674047163
Opcode ID: 401f76050f5728a0f12d10cc5740254eae01a823aea7712218f10f69a5bc145a
Instruction ID: dd1332e80cdb1cd88eb2bdc2220f6f74893cb9ca54e2ef14f5cfe7b4d910754c
Opcode Fuzzy Hash: 401f76050f5728a0f12d10cc5740254eae01a823aea7712218f10f69a5bc145a
Instruction Fuzzy Hash: A2E012B25042159BC714DF48D805896BFDDEB15754749843EF649DB301E770D8508BA4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Rr6TGP9rEq.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\XPCwyNRACAjFfEg.pdf

C:\Users\user\bgEoRLupllWTRAp.pdf

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
Rr6TGP9rEq.exe

Function 00573E4B Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 477
windowCOMMON

Function 0052E0A0 Relevance: 12.1, APIs: 8, Instructions: 93
networkCOMMON

Function 00573A40 Relevance: 7.7, APIs: 5, Instructions: 156
sleepCOMMON

Function 005FE813 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Function 0051B830 Relevance: 16.4, APIs: 5, Strings: 4, Instructions: 668
registryCOMMON

Function 00604623 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 005FE276 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 221
fileCOMMONLIBRARYCODE

Function 005EF290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Function 0051A690 Relevance: 4.6, APIs: 3, Instructions: 60
COMMON

Function 005F4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Function 005FE4CC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Function 00604B12 Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Function 005FE05C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Function 0051A210 Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Function 00580560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON