Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1501455
MD5:	8ef3231a2184f8e55fe3656d01f21075
SHA1:	0dba37c84d8a65d3cce20548ef68663c3a498008
SHA256:	0cd7337379f60570ecc65298ffddb43bb5a0eb93300b83906c38b741725c974d
Infos:

Detection

BlackSuit

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected BlackSuit Ransomware

Deletes shadow drive data (may be related to ransomware)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

file.exe (PID: 6592 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8EF3231A2184F8E55FE3656D01F21075)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
BlackSuit	According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.	No Attribution	https://blog.cyble.com/2023/05/12/blacksuit-ransomware-strikes-windows-and-linux-users/ https://thedfirreport.com/2024/08/26/blacksuit-ransomware/ https://www.reliaquest.com/blog/blacksuit-attack-analysis/ https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-ransomwares-similarities-to-royal.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksuit

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: file.exe PID: 6592	JoeSecurity_BlackSuit	Yara detected BlackSuit Ransomware	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Source: C:\Users\user\Desktop\file.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy	0_2_0100AB60
Source: C:\Users\user\Desktop\file.exe	Code function: -----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy	0_2_0100AB60
Source: file.exe	Binary or memory string: -----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Spam, unwanted Advertisements and Ransom Demands

Yara detected BlackSuit Ransomware

Source: Yara match

File source: Process Memory Space: file.exe PID: 6592, type: MEMORYSTR

Deletes shadow drive data (may be related to ransomware)

Source: file.exe, 00000000.00000002.1661517890.0000000002D4D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quietD
Source: file.exe, 00000000.00000002.1661517890.0000000002D4D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quietX

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01007030	0_2_01007030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01007FC0	0_2_01007FC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010018C0	0_2_010018C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008BD0	0_2_01008BD0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.rans.winEXE@1/0@0/0

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Section loaded: apphelp.dll

Jump to behavior

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0100B110 GetProcessHeap,HeapFree,

0_2_0100B110

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 File Deletion	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1501455
Start date and time:	2024-08-30 00:06:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	1
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal60.rans.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 5 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

VT rate limit hit for: file.exe

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.170566055977904
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	68'608 bytes
MD5:	8ef3231a2184f8e55fe3656d01f21075
SHA1:	0dba37c84d8a65d3cce20548ef68663c3a498008
SHA256:	0cd7337379f60570ecc65298ffddb43bb5a0eb93300b83906c38b741725c974d
SHA512:	28f201b85f7f6518f2348ed4b0b7936be03c6f9530320da3af76a8bf39b730a6333a0c4561ce3baed7b5dcba33a689d00fbeddd0d39147ade02f8ee5b3256b7b
SSDEEP:	1536:wZfowJIzIhKOmZ6dpa80BN0WryYpwDZ9kVy+E1kpIE:Z4IzEZmAp0BNjrcZKcu7
TLSH:	03637C01D89ED0F0F29219F4795E862244F66C2553AE1EF363909F139AB3AD0FD3666C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................;.................................!.............Rich....................PE..L....%.f...............$...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x406690
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x668925E4 [Sat Jul 6 11:09:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	ecc488e51fbb2e01a7aac2b35d5f10bd

Entrypoint Preview

Instruction
call 00007F9E00B71600h
retn 0010h
int3
int3
int3
int3
int3
int3
int3
int3
push 00000000h
push dword ptr [esp+08h]
call 00007F9E00B763AAh
add esp, 08h
ret
int3
push esi
mov esi, dword ptr [esp+08h]
push dword ptr [esi]
call 00007F9E00B76399h
push 00000000h
push esi
call 00007F9E00B76391h
add esp, 0Ch
pop esi
ret
int3
int3
int3
int3
int3
int3
int3
sub esp, 1Ch
push ebx
push ebp
mov ebp, dword ptr [00455C94h]
push esi
push edi
test ebp, ebp
jne 00007F9E00B71958h
mov edx, 004066A0h
call 00007F9E00B7142Ah
mov ebp, eax
mov dword ptr [00455C94h], ebp
test ebp, ebp
je 00007F9E00B71961h
cmp dword ptr [ebp+04h], 00000000h
je 00007F9E00B7195Bh
mov ecx, ebp
call 00007F9E00B714D1h
mov edx, 004066A0h
call 00007F9E00B71407h
mov ebp, eax
mov dword ptr [00455C94h], ebp
push 00000118h
mov dword ptr [esp+20h], 00000118h
call 00007F9E00B7630Dh
mov esi, eax
add esp, 04h
mov dword ptr [esp+20h], esi
test esi, esi
je 00007F9E00B719BFh
mov edx, 00000013h
push 0000F050h
push 49336547h
lea ecx, dword ptr [edx-0Dh]
call 00007F9E00B6D9D9h
add esp, 08h
lea ecx, dword ptr [esp+1Ch]
push 00000000h
push ecx
push esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1169c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x57000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x58000	0x2c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xea2c	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc4ba	0xc600	b515775d07b9c4b67bf02d3373400cf9	False	0.5116003787878788	data	6.244303927533799	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x38fc	0x3a00	c67e0ca067d5e26e1bd89856bf4f4f91	False	0.49212015086206895	data	5.515155570891862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x43ef0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x56000	0x18	0x200	fb17f86eeadcc21b5a95b49cd91cac97	False	0.060546875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "@"	0.2797047950073886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x57000	0x1e8	0x200	ac3199c3f5c2959d8efbd1d6f1cbe96f	False	0.529296875	data	4.728472067285766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x58000	0x2c0	0x400	854346813db8fc74ad68ea4f1533d793	False	0.6240234375	data	4.770355989687143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x57060	0x181	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5922077922077922

Imports

DLL	Import
KERNEL32.dll	MultiByteToWideChar, EnterCriticalSection, lstrlenW, WaitForMultipleObjects, LeaveCriticalSection, InitializeCriticalSection, FindClose, GetLastError, TerminateThread, WideCharToMultiByte, ExitProcess, lstrcatW, lstrcpyW, LocalFree, HeapFree, SetLastError, HeapAlloc, GetProcessHeap
USER32.dll	CharLowerW
SHLWAPI.dll	StrCmpNIW, StrCpyNW
WS2_32.dll	htons, WSAGetLastError

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6592, Parent PID: 2580

General

Target ID:	0
Start time:	18:07:18
Start date:	29/08/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x1000000
File size:	68'608 bytes
MD5 hash:	8EF3231A2184F8E55FE3656D01F21075
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 6592, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	787
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0100CBC0 Relevance: 157.7, APIs: 1, Strings: 89, Instructions: 205
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0100CECA

Strings

U, xrefs: 0100CC30
], xrefs: 0100CCB7
U, xrefs: 0100CD20
], xrefs: 0100CCDF
U, xrefs: 0100CD7A
U, xrefs: 0100CD8E
h, xrefs: 0100CD4D
U, xrefs: 0100CDA2
U, xrefs: 0100CC08
G, xrefs: 0100CBEF
U, xrefs: 0100CD52
U, xrefs: 0100CD66
R, xrefs: 0100CD93
@, xrefs: 0100CBF9
@, xrefs: 0100CC7B
U, xrefs: 0100CC26
1, xrefs: 0100CD89
v, xrefs: 0100CC5D
U, xrefs: 0100CC62
U, xrefs: 0100CD48
U, xrefs: 0100CDB6
v, xrefs: 0100CC67
U, xrefs: 0100CDAC
U, xrefs: 0100CCC6
U, xrefs: 0100CCD0
U, xrefs: 0100CC8A
U, xrefs: 0100CD70
*, xrefs: 0100CD61
<, xrefs: 0100CD7F
5, xrefs: 0100CCFD
3, xrefs: 0100CD75
U, xrefs: 0100CC1C
k, xrefs: 0100CD25
N, xrefs: 0100CC53
|, xrefs: 0100CC49
*, xrefs: 0100CCC1
3, xrefs: 0100CD43
3, xrefs: 0100CC35
|, xrefs: 0100CCA3
U, xrefs: 0100CC94
@, xrefs: 0100CCAD
#, xrefs: 0100CC3F
@, xrefs: 0100CD11
U, xrefs: 0100CD98
U, xrefs: 0100CC12
U, xrefs: 0100CCE4
U, xrefs: 0100CD34
U, xrefs: 0100CC3A
U, xrefs: 0100CBEA
U, xrefs: 0100CCEE
], xrefs: 0100CD9D
|, xrefs: 0100CD39
d, xrefs: 0100CC99
U, xrefs: 0100CD02
U, xrefs: 0100CD5C
U, xrefs: 0100CD84
|, xrefs: 0100CCE9
U, xrefs: 0100CC6C
U, xrefs: 0100CCB2
U, xrefs: 0100CC76
h, xrefs: 0100CD07
], xrefs: 0100CC21
|, xrefs: 0100CD6B
U, xrefs: 0100CCBC
U, xrefs: 0100CD2A
U, xrefs: 0100CC9E
U, xrefs: 0100CD3E
U, xrefs: 0100CDB1
], xrefs: 0100CC0D
D, xrefs: 0100CE1D
U, xrefs: 0100CD16
*, xrefs: 0100CD57
h, xrefs: 0100CC71
U, xrefs: 0100CC58
U, xrefs: 0100CC4E
], xrefs: 0100CCCB
U, xrefs: 0100CBFE
v, xrefs: 0100CD2F
|, xrefs: 0100CC2B
U, xrefs: 0100CC80
U, xrefs: 0100CBF4
U, xrefs: 0100CCDA
U, xrefs: 0100CC44
U, xrefs: 0100CCF8
U, xrefs: 0100CD0C
U, xrefs: 0100CCA8
v, xrefs: 0100CCF3
G, xrefs: 0100CC85
R, xrefs: 0100CC8F

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateProcess
String ID: #$*$*$*$1$3$3$3$5$<$@$@$@$@$D$G$G$N$R$R$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$U$]$]$]$]$]$]$d$h$h$h$k$v$v$v$v$|$|$|$|$|$|
API String ID: 963392458-1537683230
Opcode ID: 994fa99692b8e3a42a6d046e26866904babd5e714022bd3f5eef0992c205b33e
Instruction ID: 7e0776037331504bc639d127d3f5fbd0cf587979dd767f433247a75f06c6d57c
Opcode Fuzzy Hash: 994fa99692b8e3a42a6d046e26866904babd5e714022bd3f5eef0992c205b33e
Instruction Fuzzy Hash: 0FB1C02050CBC1D9E312CA68CC5974BFFD15FA630AF48498DB1D81A2D2DBFA9548CB67

Function 010027E0 Relevance: 147.4, APIs: 1, Strings: 83, Instructions: 407
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(00000020,?,?), ref: 01002DBF

Part of subcall function 010023E0: StrCpyNW.SHLWAPI(?,?,0100280A,?,?,?), ref: 0100247F
Part of subcall function 010023E0: CharLowerW.USER32(?,?,?,?), ref: 0100248C

Strings

r, xrefs: 010028BC
,, xrefs: 01002822
T, xrefs: 01002BE8
3, xrefs: 010029A2
\, xrefs: 01002B79
, xrefs: 01002D01
,, xrefs: 010029CA
x, xrefs: 01002AB6
/, xrefs: 01002C6C
|, xrefs: 01002946
[, xrefs: 01002ACA
7, xrefs: 01002BF2
,, xrefs: 01002A51
c, xrefs: 01002CF1
!, xrefs: 01002818
Z, xrefs: 01002BFC
E, xrefs: 0100284F
, xrefs: 01002CE9
L, xrefs: 01002ADE
[, xrefs: 01002AE8
H, xrefs: 01002A42
o, xrefs: 01002C0B
a, xrefs: 01002840
X, xrefs: 01002A60
y, xrefs: 01002932
;, xrefs: 0100282C
o, xrefs: 01002923
N, xrefs: 01002D11
Y, xrefs: 01002845
!, xrefs: 01002827
X, xrefs: 01002A38
U, xrefs: 01002854
J, xrefs: 01002B60
, xrefs: 01002D21
Y, xrefs: 0100281D
$, xrefs: 01002A33
', xrefs: 01002D09
}, xrefs: 01002950
|, xrefs: 0100294B
o, xrefs: 01002C06
X, xrefs: 01002A5B
`, xrefs: 01002C01
9, xrefs: 01002D19
c, xrefs: 01002C10
k, xrefs: 01002C62
}, xrefs: 01002C99
o, xrefs: 01002A56
1, xrefs: 01002A4C
", xrefs: 010028B7
+, xrefs: 01002B47
\, xrefs: 01002B74
G, xrefs: 01002B5B
/, xrefs: 010029CF
C, xrefs: 01002B65
,, xrefs: 010029B6
[, xrefs: 0100289E
S, xrefs: 01002C67
E, xrefs: 0100284A
', xrefs: 01002B6A
X, xrefs: 01002C85
H, xrefs: 010029A7
(, xrefs: 01002BDE
x, xrefs: 01002B56
b, xrefs: 01002B7E
n, xrefs: 01002D31
[, xrefs: 01002AE3
,, xrefs: 010029B1
F, xrefs: 01002AD9
9, xrefs: 01002C71
$, xrefs: 01002B6F
m, xrefs: 01002C76
^, xrefs: 0100293C
o, xrefs: 01002BE3
O, xrefs: 01002AED
,, xrefs: 010029C5
>, xrefs: 01002AC0
W, xrefs: 0100283B
Q, xrefs: 01002A65
Q, xrefs: 010029BB
[, xrefs: 01002AC5
2, xrefs: 010028C1
0, xrefs: 01002D29
', xrefs: 01002CF9

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CharLibraryLoadLower
String ID: $ $ $!$!$"$$$$$'$'$'$($+$,$,$,$,$,$,$/$/$0$1$2$3$7$9$9$;$>$C$E$E$F$G$H$H$J$L$N$O$Q$Q$S$T$U$W$X$X$X$X$Y$Y$Z$[$[$[$[$[$\$\$^$`$a$b$c$c$k$m$n$o$o$o$o$o$r$x$x$y$|$|$}$}
API String ID: 3706104380-3667687842
Opcode ID: 98af70fc9ae21d5791a397d43777a8d18ac6e9e95df3f378ad64345332ee53bc
Instruction ID: 257d7e9d323376c5e6f31169084f753390907976ba89ef77fb60d2ef296f6a47
Opcode Fuzzy Hash: 98af70fc9ae21d5791a397d43777a8d18ac6e9e95df3f378ad64345332ee53bc
Instruction Fuzzy Hash: FB02372000C3C088E766C63994487AFBFD15FA6308F5819DEE5D95B293C2AAC64DDB67

Function 01006350 Relevance: 58.0, APIs: 4, Strings: 29, Instructions: 217
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 010064D8
CreateThread.KERNELBASE(00000000,00000000,0100CF40,00000000,00000000,00000000), ref: 0100663F

Part of subcall function 01003060: InitializeCriticalSection.KERNEL32(01012020), ref: 010031F4

ExitProcess.KERNEL32 ref: 0100666D
ExitProcess.KERNEL32 ref: 01006681

Strings

a, xrefs: 010063E9
|, xrefs: 01006568
n, xrefs: 0100654A
b, xrefs: 01006439
l, xrefs: 0100655E
~, xrefs: 010063AD
W, xrefs: 010063D5
6, xrefs: 01006457
d, xrefs: 01006399
<, xrefs: 010063FD
:, xrefs: 01006425
\, xrefs: 0100657C
(, xrefs: 010063F3
<, xrefs: 0100637B
`, xrefs: 01006461
@, xrefs: 01006385
=, xrefs: 010063B7
z, xrefs: 01006572
k, xrefs: 01006540
2, xrefs: 0100642F
l, xrefs: 01006411
p, xrefs: 01006554
d, xrefs: 01006371
w, xrefs: 01006407
t, xrefs: 010063CB
+, xrefs: 01006362
p, xrefs: 01006443
#, xrefs: 0100638F
C, xrefs: 0100641B

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CreateExitProcess$CriticalInitializeMutexSectionThread
String ID: #$($+$2$6$:$<$<$=$@$C$W$\$`$a$b$d$d$k$l$l$n$p$p$t$w$z$|$~
API String ID: 1276792753-586605904
Opcode ID: 06aead34d7083681c0116c98607042d8ab79c139042ed3e05ad65f0e7bcc8bbe
Instruction ID: 5fedd2cd4235a8ddeea7398cf957647ff051bdf5c66bd2024cfb6b42dfe620d1
Opcode Fuzzy Hash: 06aead34d7083681c0116c98607042d8ab79c139042ed3e05ad65f0e7bcc8bbe
Instruction Fuzzy Hash: 77A1143050C3C589F316D668C85879BBFD15BA6708F480D9CF6C85B2C3D7EA968893A7

Function 01003060 Relevance: 12.4, APIs: 2, Strings: 6, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(01012020), ref: 010031F4
InitializeCriticalSection.KERNEL32(01012000), ref: 01003211

Strings

y, xrefs: 010030F0
:, xrefs: 0100310E
a, xrefs: 010030FA
o, xrefs: 01003118
a, xrefs: 01003104
{:, xrefs: 0100350A

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: :$a$a$o$y${:
API String ID: 32694325-2230504418
Opcode ID: 984535122b68dd5e199211974d2c701e2bcc1847d6055fbe6742509fd725c3b9
Instruction ID: 33b9009358c8a4cd7337fcb68bf52c4cc94d659869420b58bff79d507b627137
Opcode Fuzzy Hash: 984535122b68dd5e199211974d2c701e2bcc1847d6055fbe6742509fd725c3b9
Instruction Fuzzy Hash: 06D1F7706043019EF726DF28DC46B9ABBD0BF54705F150198E9C4AF2D2EBB5E644CB62

Function 01005600 Relevance: 3.2, APIs: 2, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539d9f088f080cf4bc3975485b2e0f19f5b2bfd1993e300185426058a8a8b163
Instruction ID: 3e03dca870c7d772408212f24277114924c9d387cc61ab99efd2de7385ac31bf
Opcode Fuzzy Hash: 539d9f088f080cf4bc3975485b2e0f19f5b2bfd1993e300185426058a8a8b163
Instruction Fuzzy Hash: 9B91E875E042499BEB05CFA8DD51BEDBBB6AFA8300F148069E185FB3C1D6749A01CB61

Non-executed Functions

Function 01008BD0 Relevance: 432.9, Strings: 345, Instructions: 1638COMMON

Download Yara Rule

Strings

$, xrefs: 0100902D
M, xrefs: 0100A96F
", xrefs: 0100A5AC
W, xrefs: 01009155
S, xrefs: 0100A1A2
S, xrefs: 01008C4B
N, xrefs: 01009917
9, xrefs: 0100A7E8
R, xrefs: 010092B9
J, xrefs: 0100A6BF
1, xrefs: 0100925A
O, xrefs: 0100A4AC
I, xrefs: 01009E1B
N, xrefs: 01009A64
z, xrefs: 0100A22B
l, xrefs: 01009530
!, xrefs: 01008CE0
a, xrefs: 0100A454
^, xrefs: 010090B3
$, xrefs: 01008E74
a, xrefs: 01009CF7
m, xrefs: 01008EE0
!, xrefs: 01008CD1
1, xrefs: 0100948C
$, xrefs: 01008FE5
], xrefs: 0100A886
;, xrefs: 0100A120
R, xrefs: 0100A9AF
", xrefs: 0100A53C
G, xrefs: 01008E05
$, xrefs: 01009015
D, xrefs: 01009BB2
F, xrefs: 01009C88
f, xrefs: 01009C18
F, xrefs: 01009C60
z, xrefs: 01008CC2
8, xrefs: 0100A608
., xrefs: 0100A618
}, xrefs: 0100A98F
P, xrefs: 0100A8BE
\, xrefs: 010098B2
g, xrefs: 01008FDD
], xrefs: 0100A9CF
t, xrefs: 0100A2BD
O, xrefs: 0100A4BC
z, xrefs: 01009C58
z, xrefs: 0100A203
[, xrefs: 01009790
C, xrefs: 0100A594
WYYDl??, xrefs: 0100984B
f, xrefs: 01009EF2
U, xrefs: 0100A21B
Q, xrefs: 010091E8
h, xrefs: 0100A810
#, xrefs: 01009A5C
J, xrefs: 0100A6AF
F, xrefs: 01009C90
l, xrefs: 01009510
F, xrefs: 01009C80
], xrefs: 0100A8D6
[, xrefs: 010097A0
~, xrefs: 01009E5B
z, xrefs: 01008E83
l, xrefs: 01009638
F, xrefs: 01009C40
F, xrefs: 01009C20
N, xrefs: 01009A44
$, xrefs: 01009005
], xrefs: 0100A8A6
", xrefs: 0100A52C
], xrefs: 0100A8F6
X, xrefs: 0100A95F
", xrefs: 0100A58C
h, xrefs: 0100A808
2, xrefs: 01008C69
], xrefs: 0100A8B6
}, xrefs: 01008C5F
G, xrefs: 01009F9F
f, xrefs: 01009F1A
3, xrefs: 0100A97F
_, xrefs: 0100A8CE
s, xrefs: 010093EC
D, xrefs: 01009BA2
>, xrefs: 0100A640
S, xrefs: 01008BE0
F, xrefs: 01009C50
1, xrefs: 0100925F
', xrefs: 01009ADA
C, xrefs: 010099D4
O, xrefs: 0100A49C
R, xrefs: 010092D9
O, xrefs: 0100A4C4
Y, xrefs: 010096BF
*, xrefs: 0100A584
`, xrefs: 0100A0F0
9, xrefs: 01008E14
3, xrefs: 010094F8
l, xrefs: 01009520
2, xrefs: 01008F70
>, xrefs: 0100A638
s, xrefs: 01009404
j, xrefs: 0100A758
$, xrefs: 01009025
`, xrefs: 0100A554
f, xrefs: 01009364
!, xrefs: 01009F87
U, xrefs: 0100A87E
v, xrefs: 0100A574
x, xrefs: 01009A54
}, xrefs: 01009B8A
", xrefs: 0100A5A4
2, xrefs: 01008F6B
O, xrefs: 0100A44C
", xrefs: 0100A55C
W, xrefs: 01009125
-, xrefs: 0100913D
m, xrefs: 01008EF4
e, xrefs: 01009EFA
z, xrefs: 0100A233
,, xrefs: 0100A4B4
U, xrefs: 01008EEF
$, xrefs: 01008FC5
w, xrefs: 01008FCD
K, xrefs: 01008E00
4, xrefs: 010099BC
d, xrefs: 0100A8AE
O, xrefs: 0100A47C
m, xrefs: 01009DDB
2, xrefs: 01008F57
Y, xrefs: 010096EF
Q, xrefs: 010091F0
[, xrefs: 01009760
$, xrefs: 01008BDB
W, xrefs: 0100914D
2, xrefs: 01008C6E
p, xrefs: 0100A3BE
$, xrefs: 01008E7E
q, xrefs: 01009628
C, xrefs: 0100A29D
Y, xrefs: 010096DF
N, xrefs: 01009947
?, xrefs: 010095BF
8, xrefs: 0100991F
!, xrefs: 01008CDB
H, xrefs: 01009648
a, xrefs: 01009778
p, xrefs: 010093E4
8, xrefs: 010092B1
_, xrefs: 01008E79
D, xrefs: 01009B82
s, xrefs: 010093FC
C, xrefs: 0100A534
', xrefs: 010096C7
Z, xrefs: 01009DBB
l, xrefs: 01009DAB
l, xrefs: 01009500
Q, xrefs: 010092D1
xGGfeDD, xrefs: 0100A068
o, xrefs: 0100A464
T, xrefs: 0100992F
!, xrefs: 01008CC7
r, xrefs: 0100A564
r, xrefs: 01009D0F
!, xrefs: 010098C1
wll10ss, xrefs: 010095C7
F, xrefs: 01009C30
R, xrefs: 010092E1
s, xrefs: 0100940C
Q, xrefs: 010091E0
m, xrefs: 01009E6B
2, xrefs: 01008C50
J, xrefs: 0100911D
x, xrefs: 01009B9A
3, xrefs: 010092C1
$, xrefs: 01008BE5
N, xrefs: 0100993F
\, xrefs: 01009DCB
Z, xrefs: 01009E2B
b, xrefs: 0100A060
0, xrefs: 01009474
4, xrefs: 010099DC
r, xrefs: 01009CEF
J, xrefs: 0100A6CF
", xrefs: 0100A56C
*, xrefs: 01009C48
N, xrefs: 01009927
%, xrefs: 01009EEA
N, xrefs: 01009937
2, xrefs: 01008F75
Y, xrefs: 0100A349
D, xrefs: 01009B92
O, xrefs: 0100A48C
R, xrefs: 010092C9
I, xrefs: 010099C4
&, xrefs: 010091D8
O, xrefs: 0100A4CC
Y, xrefs: 0100A353
D, xrefs: 01009660
s, xrefs: 01008FED
$, xrefs: 01008FF5
k, xrefs: 0100924B
s, xrefs: 01008E0A
7, xrefs: 01008D31
$, xrefs: 01008FD5
z, xrefs: 0100A223
r, xrefs: 01009D1F
F, xrefs: 01009C70
G, xrefs: 01008E0F
E, xrefs: 01009F0A
D, xrefs: 0100A3AE
#, xrefs: 01009A4C
}, xrefs: 01008F5C
1, xrefs: 0100947C
h, xrefs: 0100A7E0
M, xrefs: 01009FA7
$, xrefs: 01008E88
7, xrefs: 0100A33A
$, xrefs: 01008E92
l, xrefs: 01008E6F
4, xrefs: 010099E4
{, xrefs: 0100A6A7
[, xrefs: 01009770
8, xrefs: 0100A6B7
f, xrefs: 01009F02
r, xrefs: 01009CFF
3, xrefs: 01009D17
$, xrefs: 01009035
W, xrefs: 01009135
d, xrefs: 0100A8DE
1, xrefs: 01009494
], xrefs: 0100A8EE
O, xrefs: 0100A46C
D, xrefs: 01009BAA
n, xrefs: 0100A88E
1, xrefs: 01009264
{, xrefs: 0100900D
G, xrefs: 01009FB7
>, xrefs: 0100A630
*, xrefs: 010093D4
p, xrefs: 01008F52
8, xrefs: 01008C55
$, xrefs: 01009DFB
], xrefs: 0100A8C6
], xrefs: 0100A896
J, xrefs: 0100A6C7
J, xrefs: 01009DEB
L, xrefs: 01008D45
Z, xrefs: 0100A494
D, xrefs: 01009658
I, xrefs: 01009B7A
r, xrefs: 01009D3F
2, xrefs: 01008C5A
2, xrefs: 01008C64
w, xrefs: 0100A9DF
7, xrefs: 0100A100
s, xrefs: 0100901D
1, xrefs: 0100946C
#, xrefs: 01009E4B
%, xrefs: 01009354
p, xrefs: 01009518
[, xrefs: 01009780
/, xrefs: 01009484
#, xrefs: 01009A74
TFFFF, xrefs: 0100A140
b, xrefs: 0100A344
C, xrefs: 0100A544
1, xrefs: 0100949C
Q, xrefs: 010091D0
D, xrefs: 01009630
y, xrefs: 01009F97
G, xrefs: 01008E1E
G, xrefs: 01008E23
#, xrefs: 01009A7C
[, xrefs: 01009798
O, xrefs: 0100A45C
m, xrefs: 01008EF9
|, xrefs: 01009464
!, xrefs: 01008CE5
D, xrefs: 01009650
#, xrefs: 01009A6C
2, xrefs: 01008F61
#, xrefs: 01009C68
R, xrefs: 010092E9
J, xrefs: 0100A69F
F, xrefs: 0100A89E
$, xrefs: 01008E8D
D, xrefs: 01009640
", xrefs: 0100A59C
G, xrefs: 01009F8F
Q, xrefs: 010091C0
f, xrefs: 01009F12
h, xrefs: 0100A800
m, xrefs: 01008FBD
r, xrefs: 01009D37
l, xrefs: 01009528
Y, xrefs: 010096E7
G, xrefs: 01009FAF
h, xrefs: 0100A7F0
', xrefs: 01009758
Y, xrefs: 0100A33F
#, xrefs: 01009C38
m, xrefs: 01008EEA
], xrefs: 0100A8E6
f, xrefs: 01009F22
$, xrefs: 0100A628
y, xrefs: 01008DA5
e, xrefs: 0100A748
V, xrefs: 010093F4
G, xrefs: 01008E19
>, xrefs: 0100A620
b[[, xrefs: 010099F4
(, xrefs: 0100A738
G, xrefs: 01009768
], xrefs: 01008F66
K, xrefs: 0100A2AD
(, xrefs: 0100A99F
!, xrefs: 010098AD
s, xrefs: 010093DC
", xrefs: 0100A54C
a, xrefs: 0100A474
O, xrefs: 0100A43C
G, xrefs: 01009255
X, xrefs: 0100912D
", xrefs: 0100A57C
Y, xrefs: 0100A34E
4, xrefs: 010099EC
$, xrefs: 01008BFA
^22, xrefs: 010090D3
Y, xrefs: 010096CF
>, xrefs: 0100A610
r, xrefs: 01009D2F
!, xrefs: 010098BC
W, xrefs: 01009145
m, xrefs: 01008EFE
I, xrefs: 01008BEA
5, xrefs: 01009AEA
~, xrefs: 0100990F
G, xrefs: 01009FBF
D, xrefs: 0100A198
z, xrefs: 0100A213
4, xrefs: 010099CC
!, xrefs: 010098B7
i, xrefs: 01008DAF
Z, xrefs: 01009E0B
1, xrefs: 01009250

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: !$!$!$!$!$!$!$!$!$!$"$"$"$"$"$"$"$"$"$"$#$#$#$#$#$#$#$#$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$%$%$&$'$'$'$($($*$*$*$,$-$.$/$0$1$1$1$1$1$1$1$1$1$2$2$2$2$2$2$2$2$2$2$3$3$3$3$4$4$4$4$4$5$7$7$7$8$8$8$8$8$9$9$;$>$>$>$>$>$?$C$C$C$C$C$D$D$D$D$D$D$D$D$D$D$D$D$E$F$F$F$F$F$F$F$F$F$F$G$G$G$G$G$G$G$G$G$G$G$G$H$I$I$I$I$J$J$J$J$J$J$J$K$K$L$M$M$N$N$N$N$N$N$N$O$O$O$O$O$O$O$O$O$O$O$P$Q$Q$Q$Q$Q$Q$R$R$R$R$R$R$S$S$S$T$TFFFF$U$U$U$V$W$W$W$W$W$WYYDl??$X$X$Y$Y$Y$Y$Y$Y$Y$Y$Y$Z$Z$Z$Z$[$[$[$[$[$[$\$\$]$]$]$]$]$]$]$]$]$]$]$^$^22$_$_$`$`$a$a$a$a$b$b$b[[$d$d$e$e$f$f$f$f$f$f$f$g$h$h$h$h$h$i$j$k$l$l$l$l$l$l$l$l$m$m$m$m$m$m$m$m$n$o$p$p$p$p$q$r$r$r$r$r$r$r$r$s$s$s$s$s$s$s$s$t$v$w$w$wll10ss$x$x$xGGfeDD$y$y$z$z$z$z$z$z$z$z${${$|$}$}$}$}$~$~
API String ID: 0-3725935762
Opcode ID: 2a33115a5b65e9ba0ed335379edfe63754a4f6cfd88c01791815ecb9874a3a1b
Instruction ID: cc0b429b089c804852933ff711e1a8693b927f97d81712e357b22bf83be2c878
Opcode Fuzzy Hash: 2a33115a5b65e9ba0ed335379edfe63754a4f6cfd88c01791815ecb9874a3a1b
Instruction Fuzzy Hash: 4003037440D3C0C9E332C63990587DBFFD16BA6308F4859AED5DD8A293C2BA8249D727

Function 01007030 Relevance: 305.8, Strings: 244, Instructions: 758
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c, xrefs: 01007E2C
Q, xrefs: 01007956
&, xrefs: 010076AE
(, xrefs: 01007926
7, xrefs: 0100792E
5, xrefs: 01007A8C
y, xrefs: 01007108
7, xrefs: 0100791E
7, xrefs: 0100796E
k, xrefs: 01007A94
$, xrefs: 01007374
v, xrefs: 01007B54
y, xrefs: 010070FE
', xrefs: 01007E94
M, xrefs: 010079EC
k, xrefs: 010070EF
9, xrefs: 0100718C
w, xrefs: 01007311
j, xrefs: 01007EA4
G, xrefs: 01007C9B
=, xrefs: 010075F5
G, xrefs: 01007C96
K, xrefs: 01007BCC
c, xrefs: 01007EEC
e, xrefs: 0100782B
1, xrefs: 01007813
q, xrefs: 010078D6
k, xrefs: 01007A84
v, xrefs: 01007B94
e, xrefs: 0100780B
9, xrefs: 010071DC
7, xrefs: 01007966
k, xrefs: 01007AA4
k, xrefs: 01007AD4
y, xrefs: 010070E0
e, xrefs: 01007843
c, xrefs: 01007EAC
e, xrefs: 0100784B
,, xrefs: 01007A7C
$, xrefs: 01007384
$, xrefs: 01007334
,, xrefs: 010071F4
v, xrefs: 01007BA4
^, xrefs: 01007711
^, xrefs: 0100748F
c, xrefs: 01007E4C
7, xrefs: 0100794E
G, xrefs: 01007C87
k, xrefs: 01007A24
W, xrefs: 010077E3
%, xrefs: 01007C8C
d, xrefs: 010072C3
k, xrefs: 01007A64
=, xrefs: 010075FF
7, xrefs: 010078FE
e, xrefs: 010077BB
$, xrefs: 01007320
9, xrefs: 010071CC
<, xrefs: 010077D3
`, xrefs: 01007ED4
&, xrefs: 01007690
0, xrefs: 0100733C
m, xrefs: 01007E44
y, xrefs: 010070EA
/, xrefs: 01007ABC
G, xrefs: 01007C91
e, xrefs: 010077CB
c, xrefs: 01007E6C
^, xrefs: 0100740F
/, xrefs: 010079CC
k, xrefs: 01007AC4
), xrefs: 010074FF
A, xrefs: 01007B8C
k, xrefs: 01007ACC
^, xrefs: 01007725
r, xrefs: 01007734
S, xrefs: 01007681
-, xrefs: 01007214
c, xrefs: 01007E5C
$, xrefs: 0100737C
$, xrefs: 01007316
e, xrefs: 0100783B
7, xrefs: 0100793E
D, xrefs: 01007E54
&, xrefs: 010076A9
v, xrefs: 01007BF4
c, xrefs: 01007E9C
^, xrefs: 0100771B
=, xrefs: 010075E1
7, xrefs: 010078AE
W, xrefs: 01007833
%, xrefs: 01007604
B, xrefs: 010071C4
nddd, xrefs: 01007F52, 01007F8A
c, xrefs: 01007E8C
J, xrefs: 010073FF
y, xrefs: 010070F4
!, xrefs: 010073EF
d, xrefs: 01007296
a, xrefs: 01007194
d, xrefs: 010072C8
k, xrefs: 010079D4
c, xrefs: 01007EE4
ceeeeee$v0[w^^^^&0S====, xrefs: 01007D9D
;, xrefs: 0100742F
9, xrefs: 0100720C
7, xrefs: 010078DE
v, xrefs: 01007BD4
o, xrefs: 010070F9
e, xrefs: 010077AB
d, xrefs: 010072BE
@, xrefs: 01007BBC
y, xrefs: 0100710D
h, xrefs: 010078A6
R, xrefs: 010074BF
J, xrefs: 010077A3
!, xrefs: 010073CF
W, xrefs: 010077B3
^, xrefs: 0100774D
c, xrefs: 01007E7C
{, xrefs: 0100753F
=, xrefs: 010072AF
k, xrefs: 01007A34
k, xrefs: 01007A44
9, xrefs: 0100719C
^, xrefs: 01007739
w, xrefs: 010074EF
0, xrefs: 0100768B
I, xrefs: 01007A6C
L, xrefs: 010071D4
[, xrefs: 01007325
/, xrefs: 01007A2C
c, xrefs: 01007EBC
2, xrefs: 010078E6
k, xrefs: 01007A54
4, xrefs: 01007E74
U, xrefs: 01007A3C
x, xrefs: 010071A4
v, xrefs: 01007BE4
J, xrefs: 010077F3
v, xrefs: 01007B44
^, xrefs: 0100772F
9, xrefs: 0100721C
v, xrefs: 01007C04
x, xrefs: 01007720
-, xrefs: 010075FA
k, xrefs: 010079F4
9, xrefs: 010071BC
=, xrefs: 0100760E
&, xrefs: 010076A4
e, xrefs: 010077EB
$, xrefs: 0100732A
9, xrefs: 0100716C
?, xrefs: 01007A4C
^, xrefs: 01007748
k, xrefs: 010079E4
d, xrefs: 0100728C
L, xrefs: 01007184
R, xrefs: 010071E4
M, xrefs: 010079DC
v, xrefs: 01007B64
9, xrefs: 010071EC
k, xrefs: 01007A74
J, xrefs: 01007EC4
9, xrefs: 010071AC
=, xrefs: 01007B5C
k, xrefs: 01007A04
v, xrefs: 01007BFC
=, xrefs: 01007613
<, xrefs: 010072B9
0, xrefs: 01007695
7, xrefs: 010078BE
9, xrefs: 0100717C
c, xrefs: 01007E3C
=, xrefs: 010075EB
E, xrefs: 010079FC
J, xrefs: 0100751F
7, xrefs: 010078CE
v, xrefs: 01007B84
y, xrefs: 01007112
^, xrefs: 01007743
9, xrefs: 01007224
K, xrefs: 01007A5C
G, xrefs: 01007C73
M, xrefs: 0100736C
", xrefs: 01007204
e, xrefs: 0100781B
-, xrefs: 010075C8
y====, xrefs: 010076B3
e, xrefs: 0100779B
^, xrefs: 01007707
e, xrefs: 010077FB
U, xrefs: 01007AAC
=, xrefs: 010075CD
k, xrefs: 01007A14
I, xrefs: 01007823
m, xrefs: 01007E34
d, xrefs: 010072A0
4, xrefs: 0100770C
a, xrefs: 010071B4
G, xrefs: 01007C7D
7, xrefs: 0100795E
=, xrefs: 01007609
v, xrefs: 01007BB4
7vvvvvv, xrefs: 01007EF4
$, xrefs: 01007344
], xrefs: 010070DB
3, xrefs: 01007A1C
Q, xrefs: 01007916
4, xrefs: 01007716
), xrefs: 0100741F
&, xrefs: 0100767C
n, xrefs: 01007BAC
$, xrefs: 01007354
e, xrefs: 010077DB
$, xrefs: 01007936
&, xrefs: 01007686
7, xrefs: 010078EE
c, xrefs: 01007ECC
v, xrefs: 01007B74
&, xrefs: 0100769A
v, xrefs: 01007BC4
), xrefs: 0100747F
/, xrefs: 01007A9C
=, xrefs: 010075D7
;, xrefs: 0100749F
{, xrefs: 010074DF
9, xrefs: 0100750F
s, xrefs: 0100746F
d, xrefs: 010072AA
$, xrefs: 01007364
c, xrefs: 01007EDC
7, xrefs: 0100790E
<, xrefs: 01007164
d, xrefs: 01007B7C
{, xrefs: 0100744F
4, xrefs: 01007EB4
k, xrefs: 01007AB4
9, xrefs: 010071FC
v, xrefs: 0100735C
9, xrefs: 0100722C
?, xrefs: 01007A0C
R, xrefs: 0100754F
d, xrefs: 010072B4

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: !$!$"$$$$$$$$$$$$$$$$$$$$$$$%$%$&$&$&$&$&$&$&$'$($)$)$)$,$,$-$-$-$/$/$/$/$0$0$0$1$2$3$4$4$4$4$5$7$7$7$7$7$7$7$7$7$7$7$7$7$7$7vvvvvv$9$9$9$9$9$9$9$9$9$9$9$9$9$9$9$;$;$<$<$<$=$=$=$=$=$=$=$=$=$=$=$?$?$@$A$B$D$E$G$G$G$G$G$G$I$I$J$J$J$J$J$K$K$L$L$M$M$M$Q$Q$R$R$R$S$U$U$W$W$W$[$]$^$^$^$^$^$^$^$^$^$^$^$`$a$a$c$c$c$c$c$c$c$c$c$c$c$c$c$c$ceeeeee$v0[w^^^^&0S====$d$d$d$d$d$d$d$d$d$e$e$e$e$e$e$e$e$e$e$e$e$e$h$j$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$k$m$m$n$nddd$o$q$r$s$v$v$v$v$v$v$v$v$v$v$v$v$v$v$v$w$w$x$x$y$y$y$y$y$y$y$y====${${${
API String ID: 0-671366649
Opcode ID: 7704dd6c9ed8124bb592b2bb7925e20da9965f65f7458f2f9cf62649c6dd3342
Instruction ID: 61343346860f743e4565e2cc5fcbeab71981bec749d912297f180fc8d1cc1125
Opcode Fuzzy Hash: 7704dd6c9ed8124bb592b2bb7925e20da9965f65f7458f2f9cf62649c6dd3342
Instruction Fuzzy Hash: 3E92C96000C7C0CCE332C63994487DBBFD25BA6308F4849AED5D94B293D2FA8699D767

Function 01007FC0 Relevance: 285.6, Strings: 228, Instructions: 595
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

), xrefs: 01008443
4, xrefs: 01007FF6
u, xrefs: 01008384
u, xrefs: 010083E3
D, xrefs: 01008475
-, xrefs: 01008300
, xrefs: 010083BB
C, xrefs: 01008763
R, xrefs: 0100844D
`, xrefs: 01008452
J, xrefs: 010088EF
4, xrefs: 01008032
-, xrefs: 01008103
C, xrefs: 01008723
$, xrefs: 0100842F
[, xrefs: 01008323
&, xrefs: 0100864B
*, xrefs: 010080FB
`, xrefs: 010081B0
n, xrefs: 01008663
@, xrefs: 0100883B
4, xrefs: 01007FEC
#, xrefs: 01008622
@, xrefs: 010081A8
J, xrefs: 010088DF
*, xrefs: 0100813B
z, xrefs: 010088F7
`, xrefs: 01008260
C, xrefs: 01008793
*, xrefs: 0100810B
1, xrefs: 0100878B
C, xrefs: 010087A3
q, xrefs: 01008208
W, xrefs: 01008574
4, xrefs: 01007FCE
[, xrefs: 01008319
w, xrefs: 01008937
`, xrefs: 01008434
o, xrefs: 01008ACB
[, xrefs: 0100832D
q, xrefs: 010081B8
B, xrefs: 01007FC9
`, xrefs: 01008470
`, xrefs: 01008484
v, xrefs: 01008389
~, xrefs: 01008248
C, xrefs: 010087AB
*, xrefs: 0100814B
D, xrefs: 01008461
k, xrefs: 0100830A
z, xrefs: 01008584
_, xrefs: 0100839D
d, xrefs: 01008258
{, xrefs: 0100800F
C, xrefs: 01008733
`, xrefs: 01008250
[, xrefs: 010082E7
%, xrefs: 01008544
W, xrefs: 010088B7
r, xrefs: 0100857C
s, xrefs: 010082F6
), xrefs: 01008439
u, xrefs: 010086FB
&, xrefs: 0100861D
_, xrefs: 01008A9B
W, xrefs: 010081F8
&, xrefs: 01008631
*, xrefs: 0100809B
,, xrefs: 01008840
@, xrefs: 01008827
B, xrefs: 01008023
[, xrefs: 010082F1
Z, xrefs: 01008A1B
w, xrefs: 010083D9
H, xrefs: 01008314
&, xrefs: 01008673
*, xrefs: 010080BB
[, xrefs: 010082FB
4, xrefs: 010080C3
`, xrefs: 0100845C
}, xrefs: 0100877B
C, xrefs: 010086F3
u, xrefs: 010083CA
%, xrefs: 010082E2
`, xrefs: 01008200
;, xrefs: 01008238
J, xrefs: 0100889F
o, xrefs: 01008AEB
C, xrefs: 01008743
J, xrefs: 01008947
r, xrefs: 0100856C
@, xrefs: 0100881D
[, xrefs: 01008305
i, xrefs: 01008618
J, xrefs: 010088FF
*, xrefs: 010080AB
&, xrefs: 01008564
*, xrefs: 01008836
P, xrefs: 010080A3
v, xrefs: 01008A4B
B, xrefs: 01008514
[, xrefs: 0100830F
C, xrefs: 01008753
4, xrefs: 01008041
y, xrefs: 01008A6B
u, xrefs: 010083C0
t, xrefs: 01008818
`, xrefs: 0100847A
`, xrefs: 01008220
C, xrefs: 01008703
u, xrefs: 010083DE
C, xrefs: 010087B3
[, xrefs: 01008337
u, xrefs: 010083D4
|, xrefs: 01008A8B
Z, xrefs: 01008ABB
H, xrefs: 010083B1
u, xrefs: 010083B6
{, xrefs: 01007FE7
&, xrefs: 010084D4
C, xrefs: 01008783
3, xrefs: 01008218
Puuuuu, xrefs: 01008683
+, xrefs: 01008A0B
J, xrefs: 010088AF
P, xrefs: 010080E3
4, xrefs: 01008000
d, xrefs: 0100871B
`, xrefs: 01008270
%, xrefs: 01008504
`, xrefs: 01008268
C, xrefs: 01008773
V, xrefs: 01007FDD
&, xrefs: 0100866B
u, xrefs: 0100838E
`, xrefs: 010081D0
4, xrefs: 01007FD8
!, xrefs: 010088D7
u, xrefs: 010083E8
r, xrefs: 010084EC
4, xrefs: 01008014
J, xrefs: 0100890F
`, xrefs: 0100843E
4, xrefs: 0100801E
u, xrefs: 01008398
J, xrefs: 0100891F
r, xrefs: 0100855C
g, xrefs: 01008927
4, xrefs: 01007FE2
T, xrefs: 0100802D
r, xrefs: 0100851C
`, xrefs: 01008466
`, xrefs: 01008210
0, xrefs: 01008005
t, xrefs: 0100873B
`, xrefs: 0100847F
r, xrefs: 0100858C
d, xrefs: 0100862C
-, xrefs: 01008328
r, xrefs: 010084DC
!, xrefs: 010080B3
`, xrefs: 01008448
*, xrefs: 010080CB
@, xrefs: 01008831
*, xrefs: 01008143
r, xrefs: 0100854C
*, xrefs: 0100811B
r, xrefs: 0100859C
w, xrefs: 01008917
u, xrefs: 010083AC
r, xrefs: 0100852C
J, xrefs: 0100894F
@, xrefs: 01008845
W, xrefs: 0100872B
w, xrefs: 010083C5
V, xrefs: 01007FD3
*, xrefs: 010080DB
o, xrefs: 01008AAB
k, xrefs: 010083CF
m, xrefs: 0100846B
[, xrefs: 01008332
*, xrefs: 010080EB
J, xrefs: 010088BF
z, xrefs: 01008534
u, xrefs: 010083A2
&, xrefs: 01008627
1, xrefs: 010088E7
J, xrefs: 0100892F
q, xrefs: 010081E8
4, xrefs: 0100803C
r, xrefs: 0100853C
4, xrefs: 01008028
r, xrefs: 010084FC
`, xrefs: 01008230
Q, xrefs: 010088A7
`, xrefs: 01008240
C, xrefs: 010086D3
&, xrefs: 0100867B
J, xrefs: 010088CF
`, xrefs: 010081C0
v, xrefs: 010089DB
`, xrefs: 010081F0
C, xrefs: 01008713
r, xrefs: 0100850C
`, xrefs: 010081E0
r, xrefs: 01008594
@, xrefs: 0100884F
(, xrefs: 0100879B
*, xrefs: 0100812B
A, xrefs: 0100874B
W, xrefs: 0100876B
4, xrefs: 01008046
7, xrefs: 01008554
&, xrefs: 0100863B
J, xrefs: 0100893F
>, xrefs: 010082EC
UCCC, xrefs: 01008B0B
@, xrefs: 0100884A
, xrefs: 010086CB
b, xrefs: 01008A7B
[, xrefs: 010082DD
q, xrefs: 01008019
C, xrefs: 010086E3
$, xrefs: 01008ADB
4, xrefs: 0100800A
k, xrefs: 0100837F
B, xrefs: 010080D3
&, xrefs: 0100865B

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID:
String ID: $ $!$!$#$$$$$%$%$%$&$&$&$&$&$&$&$&$&$&$&$($)$)$*$*$*$*$*$*$*$*$*$*$*$*$*$*$+$,$-$-$-$0$1$1$3$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$7$;$>$@$@$@$@$@$@$@$@$A$B$B$B$B$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$C$D$D$H$H$J$J$J$J$J$J$J$J$J$J$J$J$J$P$P$Puuuuu$Q$R$T$UCCC$V$V$W$W$W$W$W$Z$Z$[$[$[$[$[$[$[$[$[$[$[$_$_$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$`$b$d$d$d$g$i$k$k$k$m$n$o$o$o$q$q$q$q$r$r$r$r$r$r$r$r$r$r$r$r$r$r$s$t$t$u$u$u$u$u$u$u$u$u$u$u$u$u$v$v$v$w$w$w$w$y$z$z$z${${$|$}$~
API String ID: 0-697038378
Opcode ID: 55a290864d8f61e87842251b7d395c55d774bd4f193dc7a42426be62e165e2d6
Instruction ID: 3d93f9f260ba2378e2b30636707ad10305dcc00a842c01daa0bf9472f7ef0b8e
Opcode Fuzzy Hash: 55a290864d8f61e87842251b7d395c55d774bd4f193dc7a42426be62e165e2d6
Instruction Fuzzy Hash: 5A72CB6050C7C0C9E332C62890587DBFFD16BA7308F48999ED1D85A293C3FA8659DB67

Function 010018C0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 344COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 01001AA3
__aulldiv.LIBCMT ref: 01001AFE
__aulldiv.LIBCMT ref: 01001B7C
__aulldiv.LIBCMT ref: 01001B93
__aulldiv.LIBCMT ref: 01001B9C
__aulldiv.LIBCMT ref: 01001BB1
__aulldiv.LIBCMT ref: 01001BBA

Part of subcall function 010027E0: LoadLibraryA.KERNELBASE(00000020,?,?), ref: 01002DBF

Strings

, xrefs: 01001C7C

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: __aulldiv$LibraryLoad__aullrem
String ID:
API String ID: 3418814274-3916222277
Opcode ID: 6ea0e3d76126cfe31118055ae846c7f15595f40367b1c0acf53f67eebbc58ee0
Instruction ID: b5268c87f58b1a93e55691d3e22f82d84bb0d57437cebb5e0a877c6c416102d1
Opcode Fuzzy Hash: 6ea0e3d76126cfe31118055ae846c7f15595f40367b1c0acf53f67eebbc58ee0
Instruction Fuzzy Hash: 15C1C3716043019FE719DF68C984BAABBE5EB88304F08857CFD889B396E774D845CB91

Function 0100AB60 Relevance: 2.7, Strings: 2, Instructions: 180COMMON

Download Yara Rule

Strings

-----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy, xrefs: 0100ABF2, 0100AC3B
, xrefs: 0100ABCF

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$AllocFreeLibraryLoadLocalProcess
String ID: $-----BEGIN RSA PUBLIC KEY-----MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA42b6yev524etcti9MBEdY1cgr2ybNMRDHyZZHpV0nTpWeVFCtgSMoUDKuaY5DJzru65IkZyoQWqP6n78pbLnCFxB7+JJ3jeb1aZDfDpnPnY81u+h+1jVbcL0qo8PMPIDbkRcOsu7hCi76++HvACKxHeThbue6rHprDZ5HcOZnNpEb8Mihl3q2/sidy
API String ID: 2209227660-1321880044
Opcode ID: 2a8bed1cd19852a32c05a9ae13591e6b14223d94525a9592aa9551d597762c47
Instruction ID: 421b5cf364584494fb4f921919f41bbfbc492e0f70aadfa792d502690fa78018
Opcode Fuzzy Hash: 2a8bed1cd19852a32c05a9ae13591e6b14223d94525a9592aa9551d597762c47
Instruction Fuzzy Hash: BB51D471244302ABF711DF51CC55F9BB7D4AB94751F10092DFA88AB2C0EBB1EA09C7A2

Function 0100B110 Relevance: 2.5, APIs: 2, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,01006923,?,01006923,00000000,?,?,00000000,?,?,?,?,?,?,010034DD), ref: 0100B119
HeapFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,010034DD), ref: 0100B120

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: da887030d4f74b2c9b511809ecc4f5a9dabe7e0032c1f90972012ad5d25a9d8c
Instruction ID: 16c3854af377ed0b204961f824dc18cb707ddab81a71835ddffa268bfe5808a9
Opcode Fuzzy Hash: da887030d4f74b2c9b511809ecc4f5a9dabe7e0032c1f90972012ad5d25a9d8c
Instruction Fuzzy Hash: EAC09BB1144308ABD611ABE4E90DF99376CD708652F004440F74DD6184C679A5804771

Function 01006B90 Relevance: 63.4, APIs: 5, Strings: 31, Instructions: 360
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(00000000,0000006B), ref: 01006E80
lstrcatW.KERNEL32(00000000,?), ref: 01006E93
lstrcatW.KERNEL32(00000000,0000005F), ref: 01006EF7
lstrcatW.KERNEL32(00000000,?), ref: 01006EFE
lstrcatW.KERNEL32(00000000,00000012), ref: 01006F58

Strings

y, xrefs: 01006D15
D, xrefs: 01006C66
I, xrefs: 01006C52
\, xrefs: 01006D10
y, xrefs: 01006D3D
9, xrefs: 01006E3E
n, xrefs: 01006D1A
d, xrefs: 01006E9A
d, xrefs: 01006EA4
9, xrefs: 01006E39
$, xrefs: 01006F0F
$, xrefs: 01006F14
d, xrefs: 01006E9F
y, xrefs: 01006D33
k, xrefs: 01006E25
y, xrefs: 01006D01
E, xrefs: 01006D06
$, xrefs: 01006F05
y, xrefs: 01006D38
y, xrefs: 01006D0B
S, xrefs: 01006F0A
y, xrefs: 01006D29
9, xrefs: 01006E2A
z, xrefs: 01006C84
V, xrefs: 01006D2E
$, xrefs: 01006F19
_, xrefs: 01006C7A
9, xrefs: 01006E34
_, xrefs: 01006E95
k, xrefs: 01006E2F
y, xrefs: 01006D1F

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrcat$lstrcpy
String ID: $$$$$$$$9$9$9$9$D$E$I$S$V$\$_$_$d$d$d$k$k$n$y$y$y$y$y$y$y$y$z
API String ID: 2482611188-1225197215
Opcode ID: 9450eecb8539e434b6aaa4ae100dd20de0e9dd03fd35c52b4f1fd996c65498c9
Instruction ID: ca967127a118c8322d4e9a7487c89f504db022e6f096e82f55f08deca63c20c0
Opcode Fuzzy Hash: 9450eecb8539e434b6aaa4ae100dd20de0e9dd03fd35c52b4f1fd996c65498c9
Instruction Fuzzy Hash: AEE1B17050C3C19EE712DB68C88476BBFD1AF95308F4808ADE5C54B292D7BAD958C763

Function 01005470 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 127stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0100559A

Strings

4, xrefs: 010054D0
p, xrefs: 010054F8
$, xrefs: 010054E4
Z, xrefs: 010054DA
O, xrefs: 010054EE

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: lstrlen
String ID: $$4$O$Z$p
API String ID: 1659193697-2970395073
Opcode ID: 0d0a0626f8b425b8dc060a5e593501395dad459e842b7b2711ed9bfd4c0cc17e
Instruction ID: bcb366e81e6bc41ab8fb43459e56a9818a637868f290dedce19147a6bcfef338
Opcode Fuzzy Hash: 0d0a0626f8b425b8dc060a5e593501395dad459e842b7b2711ed9bfd4c0cc17e
Instruction Fuzzy Hash: DA412A711083818EE705CB28CC447EBBFD19F99308F0805ACEA88AB282E779D549C777

Function 0100B400 Relevance: 7.7, APIs: 5, Instructions: 246COMMON

Download Yara Rule

APIs

Part of subcall function 010027E0: LoadLibraryA.KERNELBASE(00000020,?,?), ref: 01002DBF

SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0100B505
SetLastError.KERNEL32 ref: 0100B52D
StrCmpNIW.SHLWAPI(?,?,00000000), ref: 0100B667
StrCpyNW.SHLWAPI(?,?,00000004), ref: 0100B68E

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: ErrorLast$LibraryLoad
String ID:
API String ID: 1136134869-0
Opcode ID: 7b9a396da702741760a033beaab3032069c8ca4711b1e7cabb40e06ff430f93a
Instruction ID: 49c8222b56be6f5d987513b9eabc11e5e3683cd5c333fa293461eb3c3418d946
Opcode Fuzzy Hash: 7b9a396da702741760a033beaab3032069c8ca4711b1e7cabb40e06ff430f93a
Instruction Fuzzy Hash: 19813775644306ABF721DB54DC45FABB3E4AF68300F040668F695A71C1FBB4E648C7A1

Function 01005F20 Relevance: 6.1, APIs: 4, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000), ref: 01006004
TerminateThread.KERNEL32(?,00000000), ref: 01006030
TerminateThread.KERNEL32(?,00000000), ref: 01006037
TerminateThread.KERNEL32(?,00000000), ref: 0100603E

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 5451c4d356752e13aeb892a386f30832e21a298c3e7ea3b555cb2f5f48b32c7b
Instruction ID: d05a1ee05bce216e84bc10f0de077ef598120d08a7697fc2ca91f04940ade1c7
Opcode Fuzzy Hash: 5451c4d356752e13aeb892a386f30832e21a298c3e7ea3b555cb2f5f48b32c7b
Instruction Fuzzy Hash: E5312C316402059BFB32DF18DC45FB977D4AF10354F0541A8FD88AF2D0EBA6A905CB51

Function 010023E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

StrCpyNW.SHLWAPI(?,?,0100280A,?,?,?), ref: 0100247F
CharLowerW.USER32(?,?,?,?), ref: 0100248C

Strings

klqq, xrefs: 0100249F

Memory Dump Source

Source File: 00000000.00000002.1661389392.0000000001001000.00000020.00000001.01000000.00000003.sdmp, Offset: 01000000, based on PE: true

Associated: 00000000.00000002.1661379020.0000000001000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661401529.000000000100E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1661420001.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1000000_file.jbxd

Similarity

API ID: CharLower
String ID: klqq
API String ID: 1615517891-2642973767
Opcode ID: e8c97e68807a461a7009a75a4310c9f208ae528ee51ee706ccdc06101a93b4e3
Instruction ID: dcd2bc009999bc91f05c0a9d14418253663b48c15673d967935c29e12e213709
Opcode Fuzzy Hash: e8c97e68807a461a7009a75a4310c9f208ae528ee51ee706ccdc06101a93b4e3
Instruction Fuzzy Hash: C5314671E00209EFDB55CF98D5949AEB7F5FB88300F2085AAE555A7381DB34AA81CF90

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spam, unwanted Advertisements and Ransom Demands

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: file.exePID: 6592, Parent PID: 2580

General

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6592, Parent PID: 2580COMMON

Execution Graph

Graph

Callgraph

Executed Functions

Function 0100CBC0 Relevance: 157.7, APIs: 1, Strings: 89, Instructions: 205processCOMMON

Control-flow Graph

Function 010027E0 Relevance: 147.4, APIs: 1, Strings: 83, Instructions: 407libraryCOMMON

Control-flow Graph

Function 01006350 Relevance: 58.0, APIs: 4, Strings: 29, Instructions: 217synchronizationthreadCOMMON

Windows Analysis Report
file.exe

Function 0100CBC0 Relevance: 157.7, APIs: 1, Strings: 89, Instructions: 205
processCOMMON

Function 010027E0 Relevance: 147.4, APIs: 1, Strings: 83, Instructions: 407
libraryCOMMON

Function 01006350 Relevance: 58.0, APIs: 4, Strings: 29, Instructions: 217
synchronizationthreadCOMMON

Function 01003060 Relevance: 12.4, APIs: 2, Strings: 6, Instructions: 372
COMMON

Function 01005600 Relevance: 3.2, APIs: 2, Instructions: 241
COMMON

Function 01007030 Relevance: 305.8, Strings: 244, Instructions: 758
COMMON

Function 01007FC0 Relevance: 285.6, Strings: 228, Instructions: 595
COMMON

Function 01006B90 Relevance: 63.4, APIs: 5, Strings: 31, Instructions: 360
stringCOMMON