Edit tour

Windows Analysis Report
4V6Beh3FOX.exe

Overview

General Information

Sample name:	4V6Beh3FOX.exe renamed because original name is a hash value
Original sample name:	942fa054aa449b438d394d6b37d383af.exe
Analysis ID:	1520457
MD5:	942fa054aa449b438d394d6b37d383af
SHA1:	1dd5556529cf575c5d14b74e51f082cff3b33bbf
SHA256:	77a4b26f77a0ce0c304b98002536fe19ecf8cd736ab20c4aad314e4c8b4d947e
Tags:	exeuser-abuse_ch

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to detect sleep reduction / modifications

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found potential string decryption / allocating functions

May check if the current machine is a sandbox (GetTickCount - Sleep)

PE file contains executable resources (Code or Archives)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

4V6Beh3FOX.exe (PID: 8104 cmdline: "C:\Users\user\Desktop\4V6Beh3FOX.exe" MD5: 942FA054AA449B438D394D6B37D383AF)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 4V6Beh3FOX.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 81.9% probability

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0045C730 BCryptGenRandom,

0_2_0045C730

Source: 4V6Beh3FOX.exe, 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6a684240-d

Source: 4V6Beh3FOX.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: D:\SpeedEngineUpgradeTo2019_09_30_15_41_41\3rdparty\curl-7.32.0\vs\vc142\lib\Release\libcurl.pdb source: 4V6Beh3FOX.exe
Source:	Binary string: D:\qqspeed2013_Release\__Obj\Win32\Shipping\pdb\Network.pdb source: 4V6Beh3FOX.exe, 00000000.00000000.1294255765.0000000000A0C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\KF\Release\GZX.pdb source: 4V6Beh3FOX.exe

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0040E160 Sleep,Sleep,#21,WSAIoctl,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,#21,#22,#3,#266,#265,WSARecv,#111,EnterCriticalSection,LeaveCriticalSection,#266,

0_2_0040E160

Source: 4V6Beh3FOX.exe	String found in binary or memory: http://121.14.75.55:10032/upload
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://121.14.75.55:10032/uploadClientLog%u
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://27.25.156.102:9999/style.html
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://27.25.156.102:9999/style.htmllibcurl.dllt1.dllt2.dlllibcurldllNetworkdllMapCodeinit2.dll
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://curl.haxx.se/docs/http-cookies.html
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 4V6Beh3FOX.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4V6Beh3FOX.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 4V6Beh3FOX.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: 4V6Beh3FOX.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0041AE10 memset,memset,SHGetSpecialFolderPathA,_time64,OpenClipboard,GetClipboardData,GlobalSize,malloc,GlobalLock,memset,GlobalUnlock,CloseClipboard,strstr,#296,#296,memset,memset,SendMessageW,#4815,SendMessageW,#8067,#7820,#290,#13656,#1045,#290,#13656,#1045,#13656,#290,#13656,#1045,memset,memcpy,_time64,#296,#4815,#13656,#1045,atoll,atoi,atoi,#2990,#2990,#2990,#296,#4815,SendMessageW,#1045,#1045,#1045,#266,

0_2_0041AE10

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

0_2_0041AE10

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00410970: memset,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,memset,DeviceIoControl,memmove,malloc,free,

0_2_00410970

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0040403E	0_2_0040403E
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00413100	0_2_00413100
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00403190	0_2_00403190
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0047A230	0_2_0047A230
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0044F2E0	0_2_0044F2E0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0041D350	0_2_0041D350
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0045B420	0_2_0045B420
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_004024B0	0_2_004024B0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00401610	0_2_00401610
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00416740	0_2_00416740
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_004107A0	0_2_004107A0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00459AE0	0_2_00459AE0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0041AE10	0_2_0041AE10
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00405FA0	0_2_00405FA0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00472FB0	0_2_00472FB0

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: String function: 00444860 appears 44 times
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: String function: 00444790 appears 40 times

Source: 4V6Beh3FOX.exe	Static PE information: Resource name: LIBCURLDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: 4V6Beh3FOX.exe	Static PE information: Resource name: NETWORKDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: 4V6Beh3FOX.exe, 00000000.00000000.1294255765.0000000000A0C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNetwork.dllZ vs 4V6Beh3FOX.exe
Source: 4V6Beh3FOX.exe, 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGZX.exe8 vs 4V6Beh3FOX.exe
Source: 4V6Beh3FOX.exe	Binary or memory string: OriginalFilenameGZX.exe8 vs 4V6Beh3FOX.exe

Source: 4V6Beh3FOX.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00411750 VirtualQuery,memset,#296,#296,memset,GetCurrentDirectoryA,FindResourceW,SizeofResource,LoadResource,LockResource,fopen,fwrite,fclose,#1045,#1045,

0_2_00411750

Source: 4V6Beh3FOX.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 4V6Beh3FOX.exe

ReversingLabs: Detection: 15%

Source: 4V6Beh3FOX.exe	String found in binary or memory: :8085/add
Source: 4V6Beh3FOX.exe	String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: 4V6Beh3FOX.exe	String found in binary or memory: :8085/add
Source: 4V6Beh3FOX.exe	String found in binary or memory: B1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: mfc140u.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: plfl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: 4V6Beh3FOX.exe

Static file information: File size 11517952 > 1048576

Source: 4V6Beh3FOX.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xa58a00

Source: 4V6Beh3FOX.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\SpeedEngineUpgradeTo2019_09_30_15_41_41\3rdparty\curl-7.32.0\vs\vc142\lib\Release\libcurl.pdb source: 4V6Beh3FOX.exe
Source:	Binary string: D:\qqspeed2013_Release\__Obj\Win32\Shipping\pdb\Network.pdb source: 4V6Beh3FOX.exe, 00000000.00000000.1294255765.0000000000A0C000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\KF\Release\GZX.pdb source: 4V6Beh3FOX.exe

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00448140 #115,#116,GetModuleHandleA,GetProcAddress,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency,

0_2_00448140

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0042C146 push ecx; ret

0_2_0042C159

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_004139D8 GetPrivateProfileIntA,memset,memset,memset,memset,memset,memset,memset,

0_2_004139D8

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00412DA0 IsIconic,memset,#890,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#1391,#11038,

0_2_00412DA0

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00415420		0_2_00415420
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_00415A90		0_2_00415A90

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: malloc,malloc,GetAdaptersInfo,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strstr,strstr,free,

0_2_00410870

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00415A90

0_2_00415A90

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0040F8A0 #115,#111,CreateIoCompletionPort,CreateIoCompletionPort,CreateIoCompletionPort,CloseHandle,GetLastError,GetSystemInfo,CloseHandle,_beginthreadex,_beginthreadex,CloseHandle,_beginthreadex,CloseHandle,

0_2_0040F8A0

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0042C2EB IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042C2EB

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

0_2_00448140

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_00420DE0 HeapFree,GetProcessHeap,HeapFree,

0_2_00420DE0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0042C2EB IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042C2EB
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0042C47D SetUnhandledExceptionFilter,	0_2_0042C47D
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_004119C0 #10472,SetUnhandledExceptionFilter,GetSystemMenu,#4885,#296,#8464,AppendMenuW,AppendMenuW,AppendMenuW,#1045,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#8062,#14137,#14137,SendMessageW,SendMessageW,SendMessageW,SendMessageW,#14137,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,#14234,#14234,#14234,#14234,#14234,GetClientRect,#8817,#13628,#5419,#5419,#13800,#13800,#5419,#13800,#5419,#13800,#5419,#13800,#5419,#13800,#5419,#13800,#12793,#14234,GetFileAttributesW,CreateDirectoryW,memset,#296,#296,memset,SHGetSpecialFolderPathW,#4815,GetPrivateProfileIntW,GetPrivateProfileIntW,SendMessageW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileStringW,#14137,#14137,_wtoll,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,#286,#5110,WideCharToMultiByte,WideCharToMultiByte,#5110,WideCharToMultiByte,#1045,GetPrivateProfileStringW,#14137,#14137,_wtoll,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,_wtoll,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,SendMessageW,GetPrivateProfileIntW,SendMessageW,SendMessageW,SendMessageW,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,GetPrivateProfileStringW,#14137,_wtoll,_wtoll,#296,P_GetDataValue,#4815,_wtoll,P_GetInfo,#290,#4815,#1045,#14234,#14234,#14234,#14234,#14234,#14234,#14234,GetPrivateProfileIntW,SendMessageW,SendMessageW,#1045,SHGetSpecialFolderPathA,SHGetSpecialFolderPathA,SendMessageW,memset,SHGetSpecialFolderPathA,_beginthreadex,CloseHandle,SendMessageW,SetTimer,MessageBoxA,#1045,#1045,	0_2_004119C0
Source: C:\Users\user\Desktop\4V6Beh3FOX.exe	Code function: 0_2_0042BB39 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0042BB39

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0042C526 cpuid

0_2_0042C526

Source: C:\Users\user\Desktop\4V6Beh3FOX.exe

Code function: 0_2_0042C1DD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0042C1DD

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	13 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
4V6Beh3FOX.exe	16%	ReversingLabs	Win32.Trojan.Generic

Name	Source	Malicious	Reputation
http://121.14.75.55:10032/uploadClientLog%u	4V6Beh3FOX.exe	false	unknown
https://curl.se/docs/hsts.html	4V6Beh3FOX.exe	false	unknown
http://27.25.156.102:9999/style.html	4V6Beh3FOX.exe	false	unknown
https://curl.se/docs/alt-svc.html	4V6Beh3FOX.exe	false	unknown
http://27.25.156.102:9999/style.htmllibcurl.dllt1.dllt2.dlllibcurldllNetworkdllMapCodeinit2.dll	4V6Beh3FOX.exe	false	unknown
https://curl.se/docs/http-cookies.html	4V6Beh3FOX.exe	false	unknown
http://121.14.75.55:10032/upload	4V6Beh3FOX.exe	false	unknown
http://curl.haxx.se/docs/http-cookies.html	4V6Beh3FOX.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520457
Start date and time:	2024-09-27 11:19:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	4V6Beh3FOX.exe renamed because original name is a hash value
Original Sample Name:	942fa054aa449b438d394d6b37d383af.exe
Detection:	MAL
Classification:	mal56.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 247
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 4V6Beh3FOX.exe, PID 8104 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 4V6Beh3FOX.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.761587647769371
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	4V6Beh3FOX.exe
File size:	11'517'952 bytes
MD5:	942fa054aa449b438d394d6b37d383af
SHA1:	1dd5556529cf575c5d14b74e51f082cff3b33bbf
SHA256:	77a4b26f77a0ce0c304b98002536fe19ecf8cd736ab20c4aad314e4c8b4d947e
SHA512:	00f6880ebad2656b7c56a778ec67378b450740a0a299081bd769ad8ae29b114b04d1e8c3e2165282c67e67bfbde6ec3963e4637543c205cb376f8367ae2e421e
SSDEEP:	196608:JUigvRpdR0F5TEXCFYFet9dysiHtjohq3G5WWOJLZgPj:JN4Rn2EXCFYFet9dysiHtjohq3G5WWOE
TLSH:	18C64A69FC6695D8C50F8B71809E9025D9380E306B18E8C7FEC26F1B76B4ED1C07E56A
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......^@...!...!...!...^..d!...Y]..!..\|....!.......!......:!...x...!...x...!...x...!...!...#...x...!...x...!...x1..!...!Y..!...x...!.

File Icon


Icon Hash:	6c2d1d3171717103

Static PE Info

General

Entrypoint:	0x42b8b3
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F51ACE [Thu Sep 26 08:26:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3f436ccd3642223a3f31e0a885144c9d

Entrypoint Preview

Instruction
call 00007FC85117169Ah
jmp 00007FC851170BF5h
cmp ecx, dword ptr [004A4014h]
jne 00007FC851170D75h
ret
jmp 00007FC851171009h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FC851170D8Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FC851170D7Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FC851170D7Eh
add edx, 28h
cmp edx, esi
jne 00007FC851170D5Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007FC851170D6Bh
call 00007FC851171B25h
test eax, eax
jne 00007FC851170D75h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 004A5514h
mov edx, dword ptr [eax+04h]
jmp 00007FC851170D76h
cmp edx, eax
je 00007FC851170D82h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007FC851170D62h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007FC851170D79h
mov byte ptr [004A5530h], 00000001h
call 00007FC85117193Fh
call 00007FC8511CCBC2h
test al, al
jne 00007FC851170D76h
xor al, al
pop ebp
ret
call 00007FC8511CCBB5h
test al, al
jne 00007FC851170D7Ch
push 00000000h
call 00007FC8511CCBAAh
pop ecx

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[IMP] VS2012 UPD4 build 61030
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa0ba0	0x230	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3aa000	0xa58950	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x9d740	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x9d80c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x9d7b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8b000	0xa00	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8941b	0x89600	80103f4ca169970d18690d04d2334328	False	0.5111393880800728	data	6.494804399382646	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8b000	0x18372	0x18400	43e45c5549b3a17de8f6be6e3ca95d15	False	0.38028551868556704	data	5.571010194780266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa4000	0x304b58	0x1600	a5aa0686af788cd12b438d9c665bf0a2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3a9000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3aa000	0xa58950	0xa58a00	71dd23795c0f7a6b4ade36940637f0b7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3c2110	0x2	data	Chinese	China	5.0
ITEMNAME	0x3c23b0	0x208527	Non-ISO extended-ASCII text, with CRLF line terminators	Chinese	China	0.2944469451904297
LIBCURLDLL	0x5ca8d8	0x53750	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	China	0.4220834308448397
MAPCODEINI	0xe015c8	0x1027	ASCII text, with CRLF line terminators	Chinese	China	0.5354292623941959
NETWORKDLL	0x61e028	0x7e35a0	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	China	0.3015270233154297
RT_ICON	0x3aa600	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 128	Chinese	China	0.6578947368421053
RT_ICON	0x3aa730	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.46646341463414637
RT_ICON	0x3aad98	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.5645161290322581
RT_ICON	0x3ab080	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.6418918918918919
RT_ICON	0x3ab1a8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.5501066098081023
RT_ICON	0x3ac050	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6069494584837545
RT_ICON	0x3ac8f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.430635838150289
RT_ICON	0x3ace60	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.1290961788714066
RT_ICON	0x3bd688	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.2945020746887967
RT_ICON	0x3bfc30	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.3773452157598499
RT_ICON	0x3c0cd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.550531914893617
RT_MENU	0x3c2118	0x292	data	Chinese	China	0.44680851063829785
RT_DIALOG	0x3c11e0	0x10c	data	Chinese	China	0.6343283582089553
RT_DIALOG	0x3c12f0	0xb76	data	Chinese	China	0.4219495569188821
RT_STRING	0xe025f0	0x3a	data	Chinese	China	0.6379310344827587
RT_GROUP_ICON	0x3c1140	0xa0	data	Chinese	China	0.625
RT_VERSION	0x3c1e68	0x2a4	data	Chinese	China	0.5014792899408284
RT_MANIFEST	0xe02630	0x31c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators	English	United States	0.5238693467336684

Imports

DLL	Import
mfc140u.dll
KERNEL32.dll	GetCurrentThreadId, CreateFileW, HeapCreate, GetSystemInfo, GetQueuedCompletionStatus, lstrcatA, OutputDebugStringA, lstrlenA, lstrcpyA, LeaveCriticalSection, EnterCriticalSection, PostQueuedCompletionStatus, GetLastError, CreateIoCompletionPort, InitializeCriticalSection, GetCurrentDirectoryA, GetPrivateProfileStringW, GetModuleFileNameW, GetPrivateProfileIntA, CreateDirectoryW, WritePrivateProfileStringW, CreateFileA, DeviceIoControl, GetVolumeInformationA, VirtualQuery, FindResourceW, SizeofResource, LoadResource, LockResource, GetFileSizeEx, VerifyVersionInfoW, VerSetConditionMask, PeekNamedPipe, GetFileType, GetStdHandle, GetEnvironmentVariableA, FreeLibrary, GetSystemDirectoryA, GetCurrentThread, QueryPerformanceFrequency, MultiByteToWideChar, LoadLibraryA, FormatMessageW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, MoveFileExA, WaitForSingleObject, GetCurrentProcess, GetSystemTime, GetCurrentProcessId, Sleep, CloseHandle, WritePrivateProfileStringA, HeapAlloc, IsBadReadPtr, OutputDebugStringW, VirtualProtect, GetProcessHeap, HeapFree, WideCharToMultiByte, GetTickCount, GetPrivateProfileIntW, GetPrivateProfileStringA, GetFileSize, ReadFile, TerminateThread, CreateThread, GlobalSize, GlobalLock, GlobalUnlock, InitializeCriticalSectionEx, DeleteCriticalSection, WaitForMultipleObjects, SetLastError, GetModuleHandleA, GetModuleHandleW, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, SetUnhandledExceptionFilter, GetFileAttributesW, CreateEventA, GetProcAddress, GetDriveTypeA, GetFileAttributesA, SleepEx, CreateDirectoryA
USER32.dll	wsprintfA, MessageBoxW, KillTimer, CloseClipboard, GetClipboardData, EnableWindow, LoadIconW, GetSystemMenu, AppendMenuW, GetClientRect, SetTimer, MessageBoxA, IsIconic, GetSystemMetrics, DrawIcon, LoadMenuW, GetSubMenu, GetCursorPos, GetWindowTextA, OpenClipboard, SendMessageW
ADVAPI32.dll	CryptImportKey, RegCloseKey, RegQueryValueExA, RegOpenKeyExA, CryptDestroyKey, OpenThreadToken, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptEncrypt
SHELL32.dll	SHFileOperationW, SHGetSpecialFolderPathW, DragQueryFileA, SHGetSpecialFolderPathA, ShellExecuteW
COMCTL32.dll	InitCommonControlsEx
MSVCP140.dll	?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?uncaught_exception@std@@YA_NXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, _Mtx_destroy_in_situ, _Mtx_init_in_situ, _Mtx_unlock, _Mtx_lock, ?_Throw_C_error@std@@YAXH@Z, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xbad_alloc@std@@YAXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?_Xbad_function_call@std@@YAXXZ, ??0_Locinfo@std@@QAE@PBD@Z, ??1_Locinfo@std@@QAE@XZ, ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ?_Incref@facet@locale@std@@UAEXXZ, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ??0facet@locale@std@@IAE@I@Z, ??1facet@locale@std@@MAE@XZ, ?tolower@?$ctype@D@std@@QBEDD@Z, ?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?id@?$collate@D@std@@2V0locale@2@A, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, _Strxfrm, _Strcoll, ??Bid@locale@std@@QAEIXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ
WS2_32.dll	socket, WSACleanup, WSASetLastError, WSAWaitForMultipleEvents, WSAResetEvent, __WSAFDIsSet, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, getsockopt, setsockopt, WSAIoctl, WSARecv, WSASend, send, gethostbyname, ioctlsocket, connect, select, recv, htonl, getpeername, getsockname, ntohs, accept, recvfrom, sendto, listen, bind, inet_addr, WSAGetLastError, WSASocketW, inet_ntoa, ntohl, htons, WSAEventSelect, freeaddrinfo, inet_ntop, getaddrinfo, gethostname, WSAStartup, closesocket, shutdown
VCRUNTIME140.dll	_except_handler4_common, __vcrt_InitializeCriticalSectionEx, _CxxThrowException, __telemetry_main_return_trigger, __telemetry_main_invoke_trigger, __CxxFrameHandler3, memset, memchr, __std_exception_destroy, __std_exception_copy, strstr, strchr, _purecall, strrchr, memcpy, memmove, __std_terminate
plfl32.dll	P_CardReCharge, P_UserReg, P_GetLoginValue, P_UserLogin, P_LoadSystem, P_GetInfo, P_GetDataValue
WININET.dll	InternetReadFile, InternetOpenUrlA, InternetOpenW, InternetCloseHandle
IPHLPAPI.DLL	GetAdaptersInfo
dbghelp.dll	MiniDumpWriteDump
api-ms-win-crt-utility-l1-1-0.dll	srand, rand, qsort
api-ms-win-crt-runtime-l1-1-0.dll	_errno, exit, _seh_filter_exe, _set_app_type, _configure_wide_argv, _initialize_wide_environment, _get_wide_winmain_command_line, __sys_nerr, __sys_errlist, _beginthreadex, _initterm, _initterm_e, _exit, _cexit, _controlfp_s, terminate, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _register_thread_local_exe_atexit_callback, _c_exit, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, malloc, realloc, calloc, free
api-ms-win-crt-time-l1-1-0.dll	_gmtime64, strftime, _localtime64_s, _time64
api-ms-win-crt-stdio-l1-1-0.dll	fseek, _set_fmode, __acrt_iob_func, fputs, __stdio_common_vswprintf, feof, __stdio_common_vsscanf, _open, fgets, _fseeki64, fflush, _lseeki64, __stdio_common_vfprintf, fwrite, fputc, _read, _write, _fileno, _close, __stdio_common_vsprintf_s, __stdio_common_vsprintf, fclose, fread, ftell, fopen, __p__commode
api-ms-win-crt-convert-l1-1-0.dll	strtoll, atoll, strtoul, atoi, strtol, wcstombs, _wtoll
api-ms-win-crt-string-l1-1-0.dll	_strdup, strncpy, strtok, strspn, strpbrk, strcspn, strncmp, toupper
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64, _stat64, _access, _unlink
api-ms-win-crt-math-l1-1-0.dll	_fdopen, __setusermatherr, _except1
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore, CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA
Normaliz.dll	IdnToAscii, IdnToUnicode
WLDAP32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Target ID:	0
Start time:	05:20:36
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\4V6Beh3FOX.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\4V6Beh3FOX.exe"
Imagebase:	0x400000
File size:	11'517'952 bytes
MD5 hash:	942FA054AA449B438D394D6B37D383AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Function 004119C0 Relevance: 433.6, APIs: 230, Strings: 17, Instructions: 1325windowtimeCOMMON

Download Yara Rule

APIs

#10472.MFC140U(BEE31567), ref: 004119F0
SetUnhandledExceptionFilter.KERNEL32(Function_000102F0), ref: 004119FB
GetSystemMenu.USER32(?,00000000), ref: 00411A06
#4885.MFC140U(00000000), ref: 00411A0D
#296.MFC140U ref: 00411A1F
#8464.MFC140U(00000065), ref: 00411A34
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00411A58
AppendMenuW.USER32(00000000,00000000,00000010,?), ref: 00411A67
#1045.MFC140U ref: 00411A76
SendMessageW.USER32(?,00000080,00000001,?), ref: 00411A97
SendMessageW.USER32(?,00000080,00000000,?), ref: 00411AA9
SendMessageW.USER32(?,00001037,00000000,00000000), ref: 00411ABA
SendMessageW.USER32(?,00001036,00000000,00000000), ref: 00411ACD
#8062.MFC140U(00000000,0049B72C,00000000,00000032,000000FF), ref: 00411AEA
#8062.MFC140U(00000001,0049B734,00000000,0000005A,000000FF), ref: 00411AFB
#8062.MFC140U(00000002,0049B73C,00000000,00000014,000000FF), ref: 00411B0C
#8062.MFC140U(00000003,:Sg,00000000,00000032,000000FF), ref: 00411B1D
#8062.MFC140U(00000004,0049B74C,00000000,00000032,000000FF), ref: 00411B2E
#8062.MFC140U(00000005,0049B754,00000000,00000032,000000FF), ref: 00411B3F
#8062.MFC140U(00000006,0049B75C,00000000,00000032,000000FF), ref: 00411B50
#8062.MFC140U(00000007,0049B764,00000000,0000003C,000000FF), ref: 00411B61
#8062.MFC140U(00000008,0049B76C,00000000,0000003C,000000FF), ref: 00411B72
#8062.MFC140U(00000009,0049B774,00000000,0000003C,000000FF), ref: 00411B83
#8062.MFC140U(0000000A,0049B77C,00000000,00000041,000000FF), ref: 00411B94
#8062.MFC140U(0000000B,0049B784,00000000,00000032,000000FF), ref: 00411BA5
#8062.MFC140U(0000000C,0049B78C,00000000,00000041,000000FF), ref: 00411BB6
#8062.MFC140U(0000000D,0049B794,00000000,0000003C,000000FF), ref: 00411BC7
#8062.MFC140U(0000000E,0049B79C,00000002,00000050,000000FF), ref: 00411BD8
#8062.MFC140U(0000000F,0049B7B0,00000000,00000032,000000FF), ref: 00411BE9
#8062.MFC140U(00000010,0049B7C8,00000000,00000019,000000FF), ref: 00411BFA
#8062.MFC140U(00000011,0049B7DC,00000000,00000064,000000FF), ref: 00411C0B
#8062.MFC140U(00000012,0049B7E8,00000000,00000078,000000FF), ref: 00411C1C
#8062.MFC140U(00000013,0049B7F4,00000000,00000078,000000FF), ref: 00411C2D
#8062.MFC140U(00000014,0049B800,00000000,0000005A,000000FF), ref: 00411C3E
#8062.MFC140U(00000015,0049B808,00000000,0000005A,000000FF), ref: 00411C4F
#14137.MFC140U(5uO:S), ref: 00411C62
SendMessageW.USER32(?,0000014A,00000000,5uO:S), ref: 00411C7C
SendMessageW.USER32(?,0000014A,00000001,0049B81C), ref: 00411C90
SendMessageW.USER32(?,0000014A,00000002,0049B824), ref: 00411CA4
#14137.MFC140U(0049B82C), ref: 00411CB1
SendMessageW.USER32(?,0000014A,00000000,0049B82C), ref: 00411CC5
SendMessageW.USER32(?,0000014A,00000001,0049B834), ref: 00411CD9
SendMessageW.USER32(?,0000014A,00000002,0049B83C), ref: 00411CED
SendMessageW.USER32(?,0000014A,00000003,0049B844), ref: 00411D01
SendMessageW.USER32(?,0000014A,00000004,0049B84C), ref: 00411D15
SendMessageW.USER32(?,0000014A,00000005,0049B854), ref: 00411D29
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00411D3A
SendMessageW.USER32(?,00000151,00000001,00000001), ref: 00411D4B
SendMessageW.USER32(?,00000151,00000002,00000002), ref: 00411D5C
SendMessageW.USER32(?,00000151,00000003,00000003), ref: 00411D6D
SendMessageW.USER32(?,00000151,00000004,00000004), ref: 00411D7E
SendMessageW.USER32(?,00000151,00000005,00000005), ref: 00411D8F
#14234.MFC140U(00000000), ref: 00411D9F
#14234.MFC140U(00000000), ref: 00411DA9
#14234.MFC140U(00000000), ref: 00411DB3
#14234.MFC140U(00000000), ref: 00411DBD
GetClientRect.USER32(?,?), ref: 00411DEA
#8817.MFC140U(00000000,?,?,00000019,00000001,?,00000000,50008200,0000E801), ref: 00411E08
#13628.MFC140U(004A4C0C,00000006,?,00000000,50008200,0000E801), ref: 00411E17
#5419.MFC140U(08000000,00000064,?,00000000,50008200,0000E801), ref: 00411E2C
#13800.MFC140U(00000000,00000000,?,00000000,50008200,0000E801), ref: 00411E39
#5419.MFC140U(08000000,00000064,?,00000000,50008200,0000E801), ref: 00411E48
#13800.MFC140U(00000001,00000000,?,00000000,50008200,0000E801), ref: 00411E53
#5419.MFC140U(08000000,0000001E,?,00000000,50008200,0000E801), ref: 00411E62
#13800.MFC140U(00000002,00000000,?,00000000,50008200,0000E801), ref: 00411E6D
#5419.MFC140U(08000000,00000050,?,00000000,50008200,0000E801), ref: 00411E7C
#13800.MFC140U(00000003,00000000,?,00000000,50008200,0000E801), ref: 00411E87
#5419.MFC140U(08000000,00000032,?,00000000,50008200,0000E801), ref: 00411E96
#13800.MFC140U(00000004,00000000,?,00000000,50008200,0000E801), ref: 00411EA1
#5419.MFC140U(08000000,00000032,?,00000000,50008200,0000E801), ref: 00411EB0
#13800.MFC140U(00000005,00000000,?,00000000,50008200,0000E801), ref: 00411EBD
#12793.MFC140U(0000E800,0000E8FF,00000000,00000000,00000000,00000000,00000001,?,00000000,50008200,0000E801), ref: 00411ED5
#14234.MFC140U(00000001,?,00000000,50008200,0000E801), ref: 00411EDF
GetFileAttributesW.KERNEL32(D:\LogInfo,?,00000000,50008200,0000E801), ref: 00411EF0
CreateDirectoryW.KERNEL32(D:\LogInfo,00000000,?,00000000,50008200,0000E801), ref: 00411F02
memset.VCRUNTIME140(?,00000000,00000200,?,00000000,50008200,0000E801), ref: 00411F16
#296.MFC140U ref: 00411F24
#296.MFC140U ref: 00411F37
memset.VCRUNTIME140(?,00000000,00000200), ref: 00411F4F
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 00411F64
#4815.MFC140U(?,%s\IPsET.ini,?), ref: 00411F7D
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B890,00000000,?), ref: 00411F9E
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00411FB4
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00411FC5
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8A4,00000000,?), ref: 00411FDE
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00411FEE
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00411FFF
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8AC,00000000,?), ref: 00412018
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412028
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412039
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8B4,00000000,?), ref: 00412052
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412062
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412073
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8BC,00000000,?), ref: 0041208C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0041209C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004120AD
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8C8,00000000,?), ref: 004120C6
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004120D6
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004120E7
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8D4,00000000,?), ref: 00412100
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412110
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412121
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B8E0,00000000,?), ref: 0041213A
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0041214A
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041215B
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B8F4,0049B8EC,?,00000100,?), ref: 00412183
#14137.MFC140U(?), ref: 0041219C
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004121AB
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B908,0049B904,?,00000100,?), ref: 004121D6
#14137.MFC140U(?), ref: 004121E9
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004121F2
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B918,0049B914,?,00000100,?), ref: 0041221D
#14137.MFC140U(?), ref: 00412230
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412239
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B92C,0049B924,?,00000100,?), ref: 00412264
#14137.MFC140U(?), ref: 00412277
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412280
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B938,0049B914,?,00000100,?), ref: 004122AB
#14137.MFC140U(?), ref: 004122BE
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004122C7
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B948,0049B914,?,00000100,?), ref: 004122F2
#14137.MFC140U(?), ref: 00412305
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041230E
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B954,0049B924,?,00000100,?), ref: 00412339
#14137.MFC140U(?), ref: 0041234C
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412355
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B964,0049B960,?,00000100,?), ref: 00412380
#14137.MFC140U(?), ref: 00412393
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041239C
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B970,0049B904,?,00000100,?), ref: 004123C7
#14137.MFC140U(?), ref: 004123DA
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004123E3
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B97C,0049B904,?,00000100,?), ref: 00412409
#14137.MFC140U(?), ref: 0041241C
#286.MFC140U(?), ref: 0041242B
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0041244C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041245D
#5110.MFC140U(?,004A6484,00000000,00000000,00000000), ref: 0041247A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 00412485
#1045.MFC140U ref: 00412498
GetPrivateProfileStringW.KERNEL32(0049B89C,,g0W,0049B988,?,00000100,?), ref: 004124BF
#14137.MFC140U(?), ref: 004124D8
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004124E7
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B998,0049B914,?,00000100,?), ref: 00412512
#14137.MFC140U(?), ref: 00412525
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041252E
GetPrivateProfileStringW.KERNEL32(0049B89C,0049B9A8,0049B9A4,?,00000100,?), ref: 00412559
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412566
SendMessageW.USER32(?,0000014E,?,00000000), ref: 00412587
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9B8,00000000,?), ref: 0041259B
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004125AF
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004125C0
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9C4,00000001,?), ref: 004125D9
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004125ED
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9D0,00000000,?), ref: 00412601
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412615
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412626
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9DC,00000000,?), ref: 0041263F
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412653
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412664
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9EC,00000000,?), ref: 0041267D
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412691
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004126A2
GetPrivateProfileIntW.KERNEL32(0049B89C,0049B9F8,00000000,?), ref: 004126BB
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004126CF
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004126E0
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA04,00000000,?), ref: 004126F9
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0041270D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041271E
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA10,00000000,?), ref: 00412737
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 0041274B
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041275C
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA1C,00000000,?), ref: 00412775
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412789
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041279A
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA2C,00000000,?), ref: 004127B3
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 004127C7
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004127D8
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA38,00000000,?), ref: 004127F1
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412805
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412816
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041282C
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BA40,00000000,?), ref: 0041284B
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00412865
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00412889
GetPrivateProfileStringW.KERNEL32(0049B89C,0049BA50,0049BA4C,?,00000100,?), ref: 004128D8
#14137.MFC140U(?), ref: 004128EB
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004128F4
GetPrivateProfileStringW.KERNEL32(0049B89C,0049BA5C,0049BA4C,?,00000100,?), ref: 00412923
#14137.MFC140U(?), ref: 00412936
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041293F
GetPrivateProfileStringW.KERNEL32(0049B89C,0049BA74,500,?,00000100,?), ref: 0041296E
#14137.MFC140U(?), ref: 00412981
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041298A
GetPrivateProfileStringW.KERNEL32(0049B89C,0049BA88,1000,?,00000100,?), ref: 004129BE
#14137.MFC140U(?), ref: 004129D1
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 004129DA
GetPrivateProfileStringW.KERNEL32(0049B89C,0049BA94,0049B914,?,00000100,?), ref: 00412A09
#14137.MFC140U(?), ref: 00412A1C
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412A2B
#296.MFC140U ref: 00412A40
P_GetDataValue.PLFL32(00000003), ref: 00412A4C
#4815.MFC140U(?,0049B15C,00000000), ref: 00412A5F
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00412A6B
P_GetInfo.PLFL32(00000000), ref: 00412A77
#290.MFC140U(00000000), ref: 00412A84
#4815.MFC140U(?,%ws,00000000), ref: 00412A9C
#1045.MFC140U ref: 00412AAF
#14234.MFC140U(00000001), ref: 00412ACD
#14234.MFC140U(00000001), ref: 00412AD7
#14234.MFC140U(00000001), ref: 00412AFA
#14234.MFC140U(00000001), ref: 00412B04
#14234.MFC140U(00000001), ref: 00412B0E
#14234.MFC140U(00000001), ref: 00412B18
GetPrivateProfileIntW.KERNEL32(0049B89C,0049BAA0,00000000,?), ref: 00412B2C
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00412B40
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412B51
#1045.MFC140U ref: 00412B62
SHGetSpecialFolderPathA.SHELL32(00000000,004A5B68,00000000,00000000), ref: 00412B79
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412B8F
memset.VCRUNTIME140(?,00000000,00000400), ref: 00412BA3
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000), ref: 00412BB8
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00414860,00000000,00000000,00000000,004A5F68,0049BAAC,?), ref: 00412BDF
CloseHandle.KERNEL32(00000000), ref: 00412BE9
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00412BFE
SetTimer.USER32(?,00002767,00002710,00416490), ref: 00412C16
MessageBoxA.USER32(00000000,0049BB0C,speed.qq.com,00000000), ref: 00412C90
#1045.MFC140U ref: 00412C9C
#1045.MFC140U ref: 00412CA8

Strings

speed.qq.com, xrefs: 00412C84
D:\LogInfo, xrefs: 00411EE5, 00411EFD
,g0W, xrefs: 004124B5
dxdir1.speed.qq.com, xrefs: 00412C21
%ws, xrefs: 00412A96
:Sg, xrefs: 00411B14
N', xrefs: 0041219E, 004124DA, 004128F4, 0041293F, 0041298A, 004129DA, 00412A1E
wtdir1.speed.qq.com, xrefs: 00412C30
pZJ, xrefs: 00412C5C
5uO:S, xrefs: 00411C5D, 00411C6A
500, xrefs: 0041295F
1000, xrefs: 004129AF
<ZJ, xrefs: 00412C3A
%s\IPsET.ini, xrefs: 00411F77
dx2dir1.speed.qq.com, xrefs: 00412C3F
pZJ, xrefs: 00412C2B
<ZJ, xrefs: 00412C6F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Message$Send$PrivateProfile$#8062$#14137$String_wtoll$#14234$#1045#13800#5419$#296$#4815FolderMenuPathSpecialmemset$#5110AppendByteCharMultiWide$#10472#12793#13628#286#290#4885#8464#8817AttributesClientCloseCreateDataDirectoryExceptionFileFilterHandleInfoRectSystemTimerUnhandledValue_beginthreadex
String ID: %s\IPsET.ini$%ws$,g0W$1000$500$5uO:S$:Sg$<ZJ$<ZJ$D:\LogInfo$N'$dx2dir1.speed.qq.com$dxdir1.speed.qq.com$pZJ$pZJ$speed.qq.com$wtdir1.speed.qq.com
API String ID: 280690962-71077628
Opcode ID: e81bac24f9bef84a8ae6342683b23b05e313dcc0233ec07880e35be34ea15307
Instruction ID: 8aefc1c4e5cb0202cfabcf540e9e79b85a062239cdf67f297383cad6cb12d117
Opcode Fuzzy Hash: e81bac24f9bef84a8ae6342683b23b05e313dcc0233ec07880e35be34ea15307
Instruction Fuzzy Hash: 38B292706C0309BEEF30AB60DD86FEA7A68EB44B00F204579F255691E0DBF569448F9D

Function 00403190 Relevance: 214.9, APIs: 118, Strings: 4, Instructions: 1400COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040320E
#13656.MFC140U(?,00000012,0049AA90), ref: 004032A2
#296.MFC140U(?,00000000,?,00000000), ref: 00403356
#4815.MFC140U(?,0049AAE8), ref: 004033DF
#5110.MFC140U ref: 004033EE
#13656.MFC140U(?,00000012,0049AAF4), ref: 00403415
memset.VCRUNTIME140(?,00000000,00000100), ref: 00404BB3
memcpy.VCRUNTIME140(?,?,?), ref: 00404BDB
#290.MFC140U(?), ref: 00404BF0
#13656.MFC140U(?,0000000C,00000000), ref: 00404C08
#1045.MFC140U ref: 00404C1B
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Part of subcall function 00407230: memset.VCRUNTIME140(?,00000000,00000100,?,?,?,004032DC), ref: 00407261
Part of subcall function 00407230: memset.VCRUNTIME140(?,00000000,00000100,?,004032DC), ref: 00407275
Part of subcall function 00407230: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,004032DC), ref: 00407288
Part of subcall function 00407230: memset.VCRUNTIME140(?,00000000,00005000,?,?,?,?,?,?,?,004032DC), ref: 004072B7
Part of subcall function 00407230: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049AFC8,?,?,?,?,?,?,?,?,?,?,004032DC), ref: 004072CC
Part of subcall function 00407230: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004032DC), ref: 004072EC
Part of subcall function 00407230: ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 004072F5
Part of subcall function 00407230: fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,00000000), ref: 0040730A
Part of subcall function 00407230: fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 00407322
Part of subcall function 00407230: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00407329

Part of subcall function 004085E0: #296.MFC140U(BEE31567,?), ref: 00408621
Part of subcall function 004085E0: #8.WS2_32(?), ref: 00408631
Part of subcall function 004085E0: #296.MFC140U ref: 00408647
Part of subcall function 004085E0: #290.MFC140U(00000037), ref: 00408658
Part of subcall function 004085E0: #13656.MFC140U(00000000,00000005,00000000), ref: 00408670
Part of subcall function 004085E0: #1045.MFC140U ref: 0040867D
Part of subcall function 004085E0: #8.WS2_32(?), ref: 00408689
Part of subcall function 004085E0: #4815.MFC140U(?,0049B244,00000000), ref: 004086A6
Part of subcall function 004085E0: #13656.MFC140U(00000000,00000006,?), ref: 004086BE
Part of subcall function 004085E0: #8.WS2_32(?), ref: 004086D3
Part of subcall function 004085E0: #4815.MFC140U(?,0049B244,00000000), ref: 004086EC
Part of subcall function 004085E0: #13656.MFC140U(00000000,00000007,?), ref: 00408704
Part of subcall function 004085E0: #8.WS2_32(?), ref: 00408713
Part of subcall function 004085E0: #4815.MFC140U(?,0049B244,00000000), ref: 0040872C
Part of subcall function 004085E0: #13656.MFC140U(00000000,00000009,?), ref: 00408744
Part of subcall function 004085E0: #8.WS2_32(?), ref: 00408753

Strings

,c@, xrefs: 004031B4
P, xrefs: 00405A5F
%d , xrefs: 004049ED
%ws, xrefs: 004053F4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13656$CountTick$#296#4815memset$#1045$#290fseek$#5110FolderPathSpecial_time64fclosefopenfreadftellmemcpy
String ID: %d $%ws$,c@$P
API String ID: 1411597898-2729357543
Opcode ID: f8461f440c0107c46b98b82533a622c5bad7d491e8a6a6dbac82622db89c7044
Instruction ID: 27d1f445ab742853e048c83bf5bde1a157073022debf574856ba8cc07e737c8b
Opcode Fuzzy Hash: f8461f440c0107c46b98b82533a622c5bad7d491e8a6a6dbac82622db89c7044
Instruction Fuzzy Hash: C9D280B0601A04DFEB249F20DD59BAF7BB5EB44305F00087EE51AA62D1D7786A84CF5E

Function 00416740 Relevance: 169.0, APIs: 90, Strings: 6, Instructions: 954sleepwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004151D0: IsBadReadPtr.KERNEL32(?,00000001), ref: 0041521F

GetTickCount.KERNEL32 ref: 004167E8
GetTickCount.KERNEL32 ref: 004167F0
GetTickCount.KERNEL32 ref: 00416809
#296.MFC140U(BEE31567), ref: 0041688A
#4815.MFC140U(?,%d/%d/%d|%d,?,?,00000000), ref: 004168D3
SendMessageW.USER32(?,0000040B,00000001,?), ref: 004168ED
#13656.MFC140U(00000000,00000012,0049B09C), ref: 0041695B
GetTickCount.KERNEL32 ref: 0041696D
GetTickCount.KERNEL32 ref: 00416994
GetTickCount.KERNEL32 ref: 004169BB
GetTickCount.KERNEL32 ref: 004169DC
GetTickCount.KERNEL32 ref: 004169E8
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00416A0B
GetTickCount.KERNEL32 ref: 00416A1A
GetTickCount.KERNEL32 ref: 00416A41
GetTickCount.KERNEL32 ref: 00416A68
GetTickCount.KERNEL32 ref: 00416A6A
GetTickCount.KERNEL32 ref: 00416A72
#296.MFC140U ref: 00416AF3
#13656.MFC140U(00000000,0000000B,?), ref: 00416B2E
#1045.MFC140U ref: 00416B3A
#13656.MFC140U(00000000,00000012,0049AEBC), ref: 00416B83
#13656.MFC140U(00000000,0000000D,0049AEBC), ref: 00416B93
#13656.MFC140U(00000000,00000012,0049BD4C), ref: 00416BD5
Sleep.KERNEL32(00000050), ref: 00416BEC
GetTickCount.KERNEL32 ref: 00416C08
GetTickCount.KERNEL32 ref: 00416C13
GetTickCount.KERNEL32 ref: 00416C44
memset.VCRUNTIME140(?,00000000,00000100), ref: 00416C66
#13656.MFC140U(00000000,0000000B,0049BD64), ref: 00416D22
GetTickCount.KERNEL32 ref: 00416D4C
#13656.MFC140U(00000000,0000000B,0049BD74), ref: 00416DA5
#296.MFC140U ref: 00416DDF
#13656.MFC140U(00000000,0000000B,?), ref: 00416E20
#1045.MFC140U ref: 00416E2C
GetTickCount.KERNEL32 ref: 00416E50
#13656.MFC140U(00000000,0000000B,0049AF34), ref: 00416E88
#296.MFC140U ref: 00416EC8
#13656.MFC140U(00000000,0000000B,?), ref: 00416F03
#1045.MFC140U ref: 00416F19
#296.MFC140U ref: 00417199
#4815.MFC140U(?,I{{vU_ ,?), ref: 004171B5
#13656.MFC140U(00000000,00000011,?), ref: 004171CD
#5850.MFC140U(?,00000000,00000012), ref: 004171F1
#2996.MFC140U(0049AA90), ref: 00417206
#1045.MFC140U ref: 0041723F
#1045.MFC140U ref: 0041724F
#1045.MFC140U ref: 00417260
#1045.MFC140U ref: 00417270
#296.MFC140U ref: 004172DE
GetTickCount.KERNEL32 ref: 00417309
#1045.MFC140U(00000000), ref: 00417396
GetTickCount.KERNEL32 ref: 0041740E
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00016470,00000000,00000000,00000000), ref: 0041742D
CloseHandle.KERNEL32(00000000), ref: 0041743B
#13656.MFC140U(00000000,00000011,0049BE44), ref: 00417451
GetLastError.KERNEL32 ref: 00417453
#4815.MFC140U(?,%d/%d/%d|%d %x,?,?,00000000,00000000), ref: 00417498
SendMessageW.USER32(?,0000040B,00000001,?), ref: 004174B6
Sleep.KERNEL32(000000C8), ref: 004174C1
#1045.MFC140U ref: 004174D1
GetTickCount.KERNEL32 ref: 004175CC
memset.VCRUNTIME140(?,00000000,00000200), ref: 004175FA
#296.MFC140U ref: 00417608
#296.MFC140U ref: 00417614
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041762B
#4815.MFC140U(?,%s\IPsET.ini,?), ref: 0041764A
#4815.MFC140U(?,0049B244,00000001), ref: 0041765C
WritePrivateProfileStringW.KERNEL32(0049B89C,S_MR{vU_*Npe,?,?), ref: 00417677
#5850.MFC140U(?,00000000,00000012), ref: 0041768D
#1045.MFC140U ref: 00417699
#1045.MFC140U ref: 004176A5
#1045.MFC140U ref: 004176B5
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00016470,00000000,00000000,00000000), ref: 004176E7
CloseHandle.KERNEL32(00000000), ref: 004176F5
#4815.MFC140U(?,%d/%d/%d|%d %x,?,?,00000000,00000000), ref: 00417764
SendMessageW.USER32(?,0000040B,00000001,?), ref: 0041777E
Sleep.KERNEL32(000000C8), ref: 00417789
#1045.MFC140U ref: 004177A7

Strings

S_MR{vU_*Npe, xrefs: 0041766D
10082|%d|%d|%d|%s%s, xrefs: 00416C8D
%s\IPsET.ini, xrefs: 00417644
I{{vU_ , xrefs: 004171AF
%d/%d/%d|%d, xrefs: 004168CD
%d/%d/%d|%d %x, xrefs: 00417492, 0041775E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1045$#13656$#296$#4815$MessageSendSleep$#5850CloseHandle_beginthreadexmemset$#2996ErrorFolderLastPathPrivateProfileReadSpecialStringWrite_time64
String ID: %d/%d/%d|%d$%d/%d/%d|%d %x$%s\IPsET.ini$10082|%d|%d|%d|%s%s$I{{vU_ $S_MR{vU_*Npe
API String ID: 3500644471-473250055
Opcode ID: e53fe52662a08203fa924e2d390e3cf8243fe9d96315d05100d5d1b1c37c2570
Instruction ID: 761e3b61be54b56f720aa8f7368ffbdc90d371f8d71df6ed0ae1c39b0169f40e
Opcode Fuzzy Hash: e53fe52662a08203fa924e2d390e3cf8243fe9d96315d05100d5d1b1c37c2570
Instruction Fuzzy Hash: B792CF70505208DFCB24DF68DD88BEA7BB1FB05305F1445AAE909972A1C778A9C8CF5D

Function 0041AE10 Relevance: 98.6, APIs: 52, Strings: 4, Instructions: 626windowclipboardstringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,BEE31567,?,?,?,00488EE5,000000FF), ref: 0041AE55
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,BEE31567,?,?,?,00488EE5,000000FF), ref: 0041AE68
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000), ref: 0041AE7D
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0041AE85

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

OpenClipboard.USER32(?), ref: 0041AFB4
GetClipboardData.USER32(00000001), ref: 0041AFC4
GlobalSize.KERNEL32(00000000), ref: 0041AFD5
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0041AFF8
GlobalLock.KERNEL32(00000000), ref: 0041B008
memset.VCRUNTIME140(?,00000000,?), ref: 0041B020
GlobalUnlock.KERNEL32(00000000), ref: 0041B03E
CloseClipboard.USER32 ref: 0041B044
strstr.VCRUNTIME140(?,----), ref: 0041B0C8

Part of subcall function 00412EA0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,BEE31567), ref: 00412F30
Part of subcall function 00412EA0: memset.VCRUNTIME140(00000000,00000000,BEE31567,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F4B
Part of subcall function 00412EA0: memcpy.VCRUNTIME140(00000000,?,BEE31566,00000000,00000000,BEE31567,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F5A
Part of subcall function 00412EA0: #265.MFC140U(004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F78
Part of subcall function 00412EA0: memset.VCRUNTIME140(00000000,00000000,004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F85
Part of subcall function 00412EA0: memcpy.VCRUNTIME140(BEE31567,004886A8,?,00000000,00000000,004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8), ref: 00412F94
Part of subcall function 00412EA0: strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,BEE31567,BEE31567,004886A8,?,00000000,00000000,004886AA,?,?,?,?,?,?,00000000), ref: 00412F9D
Part of subcall function 00412EA0: strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00413009

#296.MFC140U ref: 0041B12A
#296.MFC140U ref: 0041B136
memset.VCRUNTIME140(?,00000000,000007C7), ref: 0041B14E

Part of subcall function 00401F80: #1511.MFC140U(00000014), ref: 00402077
Part of subcall function 00401F80: #360.MFC140U(?,?,?,000000FF), ref: 0040209A

memset.VCRUNTIME140(?,00000000,00000214), ref: 0041B173
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0041B18C
#4815.MFC140U(?,0049B244,00000001), ref: 0041B1A0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0041B1C0
#8067.MFC140U(00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 0041B1D8
#7820.MFC140U(?), ref: 0041B1F3
#290.MFC140U(?), ref: 0041B201
#13656.MFC140U(00000000,00000001,00000000), ref: 0041B216
#1045.MFC140U ref: 0041B226
#290.MFC140U(00000004), ref: 0041B235
#13656.MFC140U(00000000,00000002,00000000), ref: 0041B24A
#1045.MFC140U ref: 0041B25A
#13656.MFC140U(00000000,00000003,?), ref: 0041B26F
#290.MFC140U(?), ref: 0041B289
#13656.MFC140U(?,00000004,00000000), ref: 0041B2A3
#1045.MFC140U ref: 0041B2B3
memset.VCRUNTIME140(?,00000000,0000054E), ref: 0041B2C7
memcpy.VCRUNTIME140(?,00000004,?,?,?,?,0000054E), ref: 0041B316
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000004,?,?,?,?,0000054E), ref: 0041B31D
#296.MFC140U ref: 0041B34F
#4815.MFC140U(?,0049BC08,00000000,00000000,00000000,FFFFFFFF,FFFFFFFF,?,?,?,?), ref: 0041B44D
#13656.MFC140U(?,00000012,?), ref: 0041B46A
#1045.MFC140U ref: 0041B481
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041B5D1
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041B5E8
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041B5FF
#2990.MFC140U ref: 0041B623
#2990.MFC140U(0049B81C), ref: 0041B644
#2990.MFC140U(0049B824), ref: 0041B665
#296.MFC140U(?), ref: 0041B68D
#4815.MFC140U(?,%d/%d,?), ref: 0041B6C7
SendMessageW.USER32(?,0000040B,00000003,?), ref: 0041B6E5
#1045.MFC140U ref: 0041B6F7
#1045.MFC140U ref: 0041B70E
#1045.MFC140U ref: 0041B71A
#266.MFC140U(?), ref: 0041B782

Strings

gzx1122, xrefs: 0041B507
----, xrefs: 0041B0C0, 0041B0EF
%d/%d, xrefs: 0041B6C1
5uO:S, xrefs: 0041B60E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$#1045$#13656$#296$#290#2990#4815ClipboardGlobalMessageSendmemcpy$_time64atoimallocstrtok$#1511#265#266#360#7820#8067CloseDataFolderLockOpenPathSizeSpecialUnlock_localtime64_satollstrstr
String ID: %d/%d$----$5uO:S$gzx1122
API String ID: 3840359665-3402022143
Opcode ID: 4670da21d2c6bda78ebccbcb4acaa3d1a53eb511b294cc4094be0062ede4a18c
Instruction ID: c64d90ae2e98256166aa1cf729f5ba3fbffb15259f9f4ccc553d7687cdb4ed1e
Opcode Fuzzy Hash: 4670da21d2c6bda78ebccbcb4acaa3d1a53eb511b294cc4094be0062ede4a18c
Instruction Fuzzy Hash: 26428C719002189FDB24DF20CD45BEABBB5FF05304F0481EAE649A6291DB35AA85CFD9

Function 0040403E Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 300COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404051
GetTickCount.KERNEL32 ref: 004040AD
#13656.MFC140U(?,00000012,0049AB8C), ref: 004040C7
#13656.MFC140U(?,0000000B,0049B240,?,?,?,?,00000012,0049AB8C), ref: 00404113
#296.MFC140U(?,0000000B,0049B240,?,?,?,?,00000012,0049AB8C), ref: 0040414E
#4815.MFC140U(?,%d/%d/%d,00000000,00000000,?,0000000B,0049B240,?,?,?,?,00000012,0049AB8C), ref: 00404179
#296.MFC140U(?,0000000B,0049B240,?,?,?,?,00000012,0049AB8C), ref: 00404184
#4815.MFC140U(?,0049B244,?,?,0000000B,0049B240,?,?,?,?,00000012,0049AB8C), ref: 004041A3
#13656.MFC140U(?,0000000C,?), ref: 004041BB
#1045.MFC140U(?,0000000C,?), ref: 004041CE
memset.VCRUNTIME140(?,00000000,00000100,?,0000000C,?), ref: 004041F4
memset.VCRUNTIME140(?,00000000,00000400,?,0049ABAC,?,?,?,?,?,?), ref: 00404262
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,?,0049ABAC,?,?,?,?,?,?), ref: 00404275
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 004042A5
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890

Part of subcall function 0040CC20: #9.WS2_32(?), ref: 0040CCAA
Part of subcall function 0040CC20: #8.WS2_32(?), ref: 0040CCC2
Part of subcall function 0040CC20: #8.WS2_32(?), ref: 0040CCD1
Part of subcall function 0040CC20: #8.WS2_32(?), ref: 0040CCE2
Part of subcall function 0040CC20: memset.VCRUNTIME140(?,00000000,00000100), ref: 0040CD70
Part of subcall function 0040CC20: memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0040CD83

GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
GetTickCount.KERNEL32 ref: 00405972
#13656.MFC140U(?,0000000B,0049AF34), ref: 004059A4
#296.MFC140U ref: 004059F4
#4815.MFC140U(?,0049AF50), ref: 00405A10
#13656.MFC140U(?,0000000B,?), ref: 00405A28
#1045.MFC140U(?,?,00000000), ref: 00405A4B
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Strings

%d/%d/%d, xrefs: 00404173

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#13656$memset$#296$#1045#4815$FolderPathSpecial_time64
String ID: %d/%d/%d
API String ID: 321036007-1911543829
Opcode ID: 621903f7b437a125236a135820a4201ce366950ff26e01efb7ea44f03e6a5928
Instruction ID: 1e54a70dee57700f7303b859c3ae246db5873044f5535b8061c17a7df0d64beb
Opcode Fuzzy Hash: 621903f7b437a125236a135820a4201ce366950ff26e01efb7ea44f03e6a5928
Instruction Fuzzy Hash: E8D1AE71600B04DFDB25AF74DD19B9FBBB5EB09301F00086EE51AA6291DB782A84CF5D

Function 00415A90 Relevance: 45.9, APIs: 24, Strings: 2, Instructions: 372sleepwindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 00415AC1
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00415B03
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 00415B0C
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00415B15
GetTickCount.KERNEL32 ref: 00415C78
GetTickCount.KERNEL32 ref: 00415CC1
#4815.MFC140U(?,%d %d,?,?), ref: 00415D09
#13656.MFC140U(?,00000004,?), ref: 00415D1E
#4815.MFC140U(?,0049B244,?), ref: 00415D31
#13656.MFC140U(?,00000004,?), ref: 00415D4B
GetTickCount.KERNEL32 ref: 00415E2F
Sleep.KERNEL32(?), ref: 00415E6D
GetTickCount.KERNEL32 ref: 00415F41
GetTickCount.KERNEL32 ref: 00415F7A
#13656.MFC140U(?,00000004,0049BCC4), ref: 00415FB0
#13656.MFC140U(?,00000004,0049BCC4), ref: 00415FC5
#13656.MFC140U(?,00000004,?), ref: 00415D62

Part of subcall function 0040C4F0: #360.MFC140U ref: 0040C541
Part of subcall function 0040C4F0: #8.WS2_32(00000000,00000003,00000000), ref: 0040C55B
Part of subcall function 0040C4F0: GetTickCount.KERNEL32 ref: 0040C56E
Part of subcall function 0040C4F0: #8.WS2_32(00000000), ref: 0040C575
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C592
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C59C
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5A6
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5B0
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5BA
Part of subcall function 0040C4F0: #13253.MFC140U(?,?), ref: 0040C5C5
Part of subcall function 0040C4F0: #13253.MFC140U(?,?), ref: 0040C5D0
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5DA
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5E4
Part of subcall function 0040C4F0: #1067.MFC140U(?,?,?,?), ref: 0040C5FD

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0041602D
#296.MFC140U ref: 00416043

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

#4815.MFC140U(?,%d/%d %d/%d/%d,00000000,?,?,?,?,?,?,?), ref: 004160B3
SendMessageW.USER32(?,0000040B,00000002,?), ref: 004160CE
#1045.MFC140U ref: 004160DB
Sleep.KERNEL32(00000000), ref: 004160EC
#1045.MFC140U ref: 00416102

Strings

%d %d, xrefs: 00415D03
%d/%d %d/%d/%d, xrefs: 004160AD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$CountTick$#13656$#4815$#1045#296Sleep_time64$#1067#360MessageSend_localtime64_srandsrand
String ID: %d %d$%d/%d %d/%d/%d
API String ID: 1638511155-1696482672
Opcode ID: cd7593fdec027c7cf1d4beca3a5c5a5e25b535b2237e2815607c940a4605ec2a
Instruction ID: 5e670666db0770b0a0e67de3ea9e692f265452181fa0e9b58d0dcb1fcab20abe
Opcode Fuzzy Hash: cd7593fdec027c7cf1d4beca3a5c5a5e25b535b2237e2815607c940a4605ec2a
Instruction Fuzzy Hash: AD028270901615DFDB10CF54DC88BEABBB4FB49308F0441AEE909A73A1D7796988CF59

Function 00448140 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 188libraryloaderstringCOMMON

Download Yara Rule

APIs

#115.WS2_32(00000202,?), ref: 00448168
#116.WS2_32 ref: 00448181
GetModuleHandleA.KERNEL32(kernel32,?,00000000), ref: 004481B8
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 004481DC
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(iphlpapi.dll,00490074,?,?,00000000), ref: 004481EA
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00448212
GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 00448229
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 00448248
GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00448272
LoadLibraryA.KERNEL32(00000000), ref: 004482CB
GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 004482EE
GetModuleHandleA.KERNEL32(ws2_32), ref: 00448306
GetProcAddress.KERNEL32(00000000,FreeAddrInfoExW), ref: 00448318
GetProcAddress.KERNEL32(00000000,GetAddrInfoExCancel), ref: 00448325
GetProcAddress.KERNEL32(00000000,GetAddrInfoExW), ref: 00448332
QueryPerformanceFrequency.KERNEL32(007A8B50), ref: 00448371

Strings

LoadLibraryExA, xrefs: 004481D6
GetAddrInfoExW, xrefs: 00448327
ws2_32, xrefs: 00448301
if_nametoindex, xrefs: 004482E8
kernel32, xrefs: 004481B1
GetAddrInfoExCancel, xrefs: 0044831A
FreeAddrInfoExW, xrefs: 00448312
iphlpapi.dll, xrefs: 004481E3, 004481FF, 0044820D, 00448236, 004482A1
AddDllDirectory, xrefs: 00448223

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AddressProc$DirectoryHandleLibraryLoadModuleSystem$#115#116FrequencyPerformanceQuerystrpbrk
String ID: AddDllDirectory$FreeAddrInfoExW$GetAddrInfoExCancel$GetAddrInfoExW$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32$ws2_32
API String ID: 659629491-760012282
Opcode ID: db0a88707cf4a6719d71ec473a333680219797e7df15aa7821d532fe0853af64
Instruction ID: cf020ac86fe61691ddd149a04f9c77f9676499459c079230f4733cb4e42d983a
Opcode Fuzzy Hash: db0a88707cf4a6719d71ec473a333680219797e7df15aa7821d532fe0853af64
Instruction Fuzzy Hash: 56512530740701ABE7215B24AC1AB7F3B94AF86B44F18047EEE059A2D1EFAD8801875D

Function 00415420 Relevance: 38.9, APIs: 20, Strings: 2, Instructions: 357sleepwindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 00415468
#1045.MFC140U ref: 00415A67

Part of subcall function 004194C0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,00407881), ref: 004194C8
Part of subcall function 004194C0: srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,?,00407881), ref: 004194D2
Part of subcall function 004194C0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 004194DB

GetTickCount.KERNEL32 ref: 00415608
GetTickCount.KERNEL32 ref: 00415651
#4815.MFC140U(?,%d %d,?,?), ref: 00415699
#13656.MFC140U(?,00000004,?), ref: 004156AE
#4815.MFC140U(?,0049B244,?), ref: 004156C1
#13656.MFC140U(?,00000004,?), ref: 004156DB
#13656.MFC140U(?,00000004,?), ref: 004156F2
GetTickCount.KERNEL32 ref: 00415782
Sleep.KERNEL32(?), ref: 004157FF
GetTickCount.KERNEL32 ref: 004158CB
GetTickCount.KERNEL32 ref: 00415904
#13656.MFC140U(?,00000004,0049BCC4), ref: 0041593A
#13656.MFC140U(?,00000004,0049BCC4), ref: 0041594F

Part of subcall function 0040C4F0: #360.MFC140U ref: 0040C541
Part of subcall function 0040C4F0: #8.WS2_32(00000000,00000003,00000000), ref: 0040C55B
Part of subcall function 0040C4F0: GetTickCount.KERNEL32 ref: 0040C56E
Part of subcall function 0040C4F0: #8.WS2_32(00000000), ref: 0040C575
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C592
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C59C
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5A6
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5B0
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5BA
Part of subcall function 0040C4F0: #13253.MFC140U(?,?), ref: 0040C5C5
Part of subcall function 0040C4F0: #13253.MFC140U(?,?), ref: 0040C5D0
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5DA
Part of subcall function 0040C4F0: #13253.MFC140U(?,00000000), ref: 0040C5E4
Part of subcall function 0040C4F0: #1067.MFC140U(?,?,?,?), ref: 0040C5FD

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 004159AA
#296.MFC140U ref: 004159C0
#4815.MFC140U(?,%d/%d %d/%d/%d,00000000,?,00000000,?,?,?,?,?), ref: 00415A30
SendMessageW.USER32(?,0000040B,00000002,?), ref: 00415A4B
#1045.MFC140U ref: 00415A54

Strings

%d %d, xrefs: 00415693
%d/%d %d/%d/%d, xrefs: 00415A2A

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$CountTick$#13656$#4815$#1045#296_time64$#1067#360MessageSendSleeprandsrand
String ID: %d %d$%d/%d %d/%d/%d
API String ID: 297462253-1696482672
Opcode ID: 9b384f78c933b0bd86856046634e5c49647c157f32f95967f532dce969ddccc4
Instruction ID: 31938d77b1e37feec75c7090db186ee775a20e54d78bbf3f298d37f569960488
Opcode Fuzzy Hash: 9b384f78c933b0bd86856046634e5c49647c157f32f95967f532dce969ddccc4
Instruction Fuzzy Hash: DBF18170900605DFDB20DF64DC88BEBBBB4FB85308F0445AEE909A7291D7796988CF59

Function 004139D8 Relevance: 35.3, APIs: 8, Strings: 12, Instructions: 333COMMON

Download Yara Rule

APIs

GetPrivateProfileIntA.KERNEL32(?,time,00000000,?), ref: 004139EB
memset.VCRUNTIME140(?,00000000,00000400,?,0109_0038,0049B5BD,?,00000400,?,?,0109_0001,0049B5BD,?,00000400,?), ref: 00413B5F
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413BCA
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413C3C
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413CAA
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413D1F
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413D8F
memset.VCRUNTIME140(?,00000000,00000400), ref: 00413DFA

Strings

0109_0038, xrefs: 00413B49
0109_0001, xrefs: 00413B29
buf16bytesGTKey_ST, xrefs: 00413A53
bufST_PTLOGIN, xrefs: 00413A93
bufTGT, xrefs: 00413A33
bufSigSession, xrefs: 00413AD3
0107_0001, xrefs: 00413B09
time, xrefs: 004139E5
bufTGT_GTKey, xrefs: 00413A13
0107_0088, xrefs: 00413AE9
bufSessionKey, xrefs: 00413AB3
bufServiceTicket, xrefs: 00413A73

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$PrivateProfile
String ID: 0107_0001$0107_0088$0109_0001$0109_0038$buf16bytesGTKey_ST$bufST_PTLOGIN$bufServiceTicket$bufSessionKey$bufSigSession$bufTGT$bufTGT_GTKey$time
API String ID: 4189490405-4181835950
Opcode ID: aeb7add20d8663164d1c267772c678f11d11f1ea898325a03574af35e3f9b271
Instruction ID: bbcd5bd7971fe1b09946323b9550e056d807cd055a03fe25b9d83402d64b269e
Opcode Fuzzy Hash: aeb7add20d8663164d1c267772c678f11d11f1ea898325a03574af35e3f9b271
Instruction Fuzzy Hash: 41D1D371A402689ADF11DF24CD41FF977B8BB09308F4441EAEA49AA182D7746BC5CFD8

Function 00411750 Relevance: 29.8, APIs: 15, Strings: 2, Instructions: 92fileCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(Function_00011710,?,0000001C), ref: 00411773
memset.VCRUNTIME140(?,00000000,00000400), ref: 0041178D
#296.MFC140U ref: 0041179B
#296.MFC140U ref: 004117A7
memset.VCRUNTIME140(?,00000000,00000400), ref: 004117BB
GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004117CF
FindResourceW.KERNEL32(?,00000084,ItemName), ref: 00411800
SizeofResource.KERNEL32(?,00000000), ref: 0041180F
LoadResource.KERNEL32(?,00000000), ref: 00411819
LockResource.KERNEL32(00000000), ref: 00411820
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049B6D0), ref: 00411834
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 00411848
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00411856
#1045.MFC140U ref: 00411866
#1045.MFC140U ref: 00411872

Strings

ItemName, xrefs: 004117F5
%s\%s, xrefs: 004117E7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Resource$#1045#296memset$CurrentDirectoryFindLoadLockQuerySizeofVirtualfclosefopenfwrite
String ID: %s\%s$ItemName
API String ID: 2115850410-1537255643
Opcode ID: 00ec3619c254f695f56d00c807c508b805d0118a52623fbf818eab194fadc549
Instruction ID: a15e65e845f3338fa0c7551379b0ce17dce4cc7d409cbd10680bc069e99e9be6
Opcode Fuzzy Hash: 00ec3619c254f695f56d00c807c508b805d0118a52623fbf818eab194fadc549
Instruction Fuzzy Hash: 1C3186B1A01219AFDB10AB60EC49FDE777CEB04745F0044B9FB05A2291EF745A488BDD

Function 0045B420 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 417COMMON

Download Yara Rule

Strings

[DoH] AAAA: , xrefs: 0045B6A7
CNAME: %s, xrefs: 0045B76C
DoH: %s type %s for %s, xrefs: 0045B5C2
Could not DoH-resolve: %s, xrefs: 0045B48F
[DoH] A: %u.%u.%u.%u, xrefs: 0045B68B
unknown, xrefs: 0045B590
%s%02x%02x, xrefs: 0045B6EF
bad error code, xrefs: 0045B5B1, 0045B5C1
AAAA, xrefs: 0045B597
[DoH] TTL: %u seconds, xrefs: 0045B643
[DoH] hostname: %s, xrefs: 0045B631

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID: %s%02x%02x$AAAA$CNAME: %s$Could not DoH-resolve: %s$DoH: %s type %s for %s$[DoH] A: %u.%u.%u.%u$[DoH] AAAA: $[DoH] TTL: %u seconds$[DoH] hostname: %s$bad error code$unknown
API String ID: 0-228328110
Opcode ID: 43d5087908520c55f4fbc3dcabfa4095bf3484bf7ce42d8dc5b239b93a25899f
Instruction ID: 0b9f1e6af908b33988b53fedd40f530f1487ae787b84b7eaa8494d59a5ea7e87
Opcode Fuzzy Hash: 43d5087908520c55f4fbc3dcabfa4095bf3484bf7ce42d8dc5b239b93a25899f
Instruction Fuzzy Hash: 4DE1E271904344AFD720DF15C885B6BB7E4FF88309F45092EED8897242E779A909CBDA

Function 0040E160 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 164networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0040DEE0: #1511.MFC140U(00000034), ref: 0040DEF7
Part of subcall function 0040DEE0: memset.VCRUNTIME140(00000000,00000000,00000034), ref: 0040DF04
Part of subcall function 0040DEE0: #265.MFC140U(00000000,00000000,00000034), ref: 0040DF0F
Part of subcall function 0040DEE0: WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 0040DF47
Part of subcall function 0040DEE0: #266.MFC140U(?), ref: 0040DF5E
Part of subcall function 0040DEE0: #266.MFC140U(00000000), ref: 0040DF68
Part of subcall function 0040DEE0: #111.WS2_32 ref: 0040DF6D

Sleep.KERNEL32(00000001), ref: 0040E189

Part of subcall function 0040DEE0: #21.WS2_32(00000000,0000FFFF,00001002,004A4720,00000004), ref: 0040DF9C
Part of subcall function 0040DEE0: #21.WS2_32(?,0000FFFF,00001001,00000001,00000004), ref: 0040DFB8
Part of subcall function 0040DEE0: #21.WS2_32(?,0000FFFF,00000004,FFFFFFFF,00000004), ref: 0040DFD1
Part of subcall function 0040DEE0: CreateIoCompletionPort.KERNEL32(?,00000000,00000000), ref: 0040DFE0
Part of subcall function 0040DEE0: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 0040E004
Part of subcall function 0040DEE0: #266.MFC140U(?), ref: 0040E013
Part of subcall function 0040DEE0: #266.MFC140U(00000000), ref: 0040E01D
Part of subcall function 0040DEE0: GetLastError.KERNEL32 ref: 0040E022

#21.WS2_32(?,0000FFFF,0000700B,?,00000004), ref: 0040E1A6
WSAIoctl.WS2_32(00000001,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 0040E1E2
EnterCriticalSection.KERNEL32(00000000,?,00000004), ref: 0040E1EC
LeaveCriticalSection.KERNEL32(00000000,?,00000004), ref: 0040E1F6
#21.WS2_32(00000001,0000FFFF,00000080,?,00000004,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000), ref: 0040E25F
#22.WS2_32(00000001,00000002,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 0040E268
#3.WS2_32(00000001,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 0040E26F
#266.MFC140U(00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 0040E28A
#265.MFC140U(00000004), ref: 0040E29C
WSARecv.WS2_32(00000001,?,00000001,00000000,?,?,00000000), ref: 0040E2EF
#111.WS2_32(?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 0040E2F9
#266.MFC140U(00000000,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 0040E345

Strings

0u, xrefs: 0040E1D4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266$#111#265CompletionCriticalSection$#1511CreateEnterErrorIoctlLastLeavePortPostQueuedRecvSleepSocketStatusmemset
String ID: 0u
API String ID: 903272316-3203441087
Opcode ID: 34ce8feb0496d20cd4c11b09acfc7c7b228cf714d63fb8bc45ae6e07740bbaa5
Instruction ID: 39fe5cc2ce7f99786120c4965860b3dfba2d905dbefe166c0cd3e45dda4ca106
Opcode Fuzzy Hash: 34ce8feb0496d20cd4c11b09acfc7c7b228cf714d63fb8bc45ae6e07740bbaa5
Instruction Fuzzy Hash: AF51A2B1500705BFE7209F60DC45F6EBBB8FF08700F104929FA42A66D1D778A519CB99

Function 00410870 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 94stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 00410894
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 004108C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 004108C8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 004108D1
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 004108E1
strstr.VCRUNTIME140(0000010C,Intel), ref: 004108FC
strstr.VCRUNTIME140(0000010C,Realtek), ref: 0041090F
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00410927

Strings

Intel, xrefs: 004108F6
Null, xrefs: 004108A0, 00410932
Realtek, xrefs: 00410909

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AdaptersInfofreemallocstrstr
String ID: Intel$Null$Realtek
API String ID: 523960851-1241629947
Opcode ID: 87753b4ef3389cc22df8359344ffb91d7010cfd990e096fc94f153f507a85375
Instruction ID: 0e1f610962990e46a42021fec612c9f920f09c81029f154adec7fefccfcd4917
Opcode Fuzzy Hash: 87753b4ef3389cc22df8359344ffb91d7010cfd990e096fc94f153f507a85375
Instruction Fuzzy Hash: 7E21F8729001045BDB10AB68AD519FF77A8DF85714F04017FEC0997302EB78AD8587D9

Function 00472FB0 Relevance: 18.6, APIs: 2, Strings: 10, Instructions: 640COMMON

Download Yara Rule

Strings

uI, xrefs: 0047371F
https, xrefs: 0047347E, 00473487
xn--, xrefs: 00473335, 004735D6
%.*s%%25%s], xrefs: 00473536
%s://, xrefs: 00473642
file://%s%s%s, xrefs: 00473439
p!I, xrefs: 0047377D
uI, xrefs: 004736F3
%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s, xrefs: 0047373E
file, xrefs: 00473407

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID: %.*s%%25%s]$%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$%s://$file$file://%s%s%s$https$p!I$xn--$uI$uI
API String ID: 0-753750292
Opcode ID: 82b14e078c69f96123e2cd2ea5ab23615e57ca8bfce992b13f2ee541bbd11896
Instruction ID: 6ae14880b7cda7be71797a09c85385c401bdd3acd7cd264015e150d575a22b1f
Opcode Fuzzy Hash: 82b14e078c69f96123e2cd2ea5ab23615e57ca8bfce992b13f2ee541bbd11896
Instruction Fuzzy Hash: AE32C271A04341ABEB20DF25C8017ABBBD4AF84319F44852EF98D97381D739DE44DB9A

Function 00459AE0 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 541stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?), ref: 00459DAB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00459DB3
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?), ref: 00459DC7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00459DD4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00459DE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00459DEA

Strings

2', xrefs: 00459DAB, 00459DB3, 00459DD4, 00459DE0, 00459DEA
,$I, xrefs: 00459BB4
GMT, xrefs: 00459C7B, 00459C9E
#I, xrefs: 00459BBD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _errno$strtol
String ID: ,$I$2'$GMT$#I
API String ID: 3596500743-2801289378
Opcode ID: 2cee2271248f5a2c15cc463284beaa739dace5b3a8935b4dbc81597ca1516366
Instruction ID: e53a2ec6577b28db36ce818b48fbe4e784b75244d545fd24675ea5e80fcb05f5
Opcode Fuzzy Hash: 2cee2271248f5a2c15cc463284beaa739dace5b3a8935b4dbc81597ca1516366
Instruction Fuzzy Hash: 1502E771A047418FD714CF28D88126BB7E2ABC5325F54472FE9A5C7392D339DC4A8B4A

Function 0040F8A0 Relevance: 16.6, APIs: 11, Instructions: 106COMMON

Download Yara Rule

APIs

#115.WS2_32(00000202,?), ref: 0040F8D1
#111.WS2_32 ref: 0040F8DB
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040F91A
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 0040F92D
CloseHandle.KERNEL32(00000000), ref: 0040F939
GetLastError.KERNEL32 ref: 0040F93F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CompletionCreatePort$#111#115CloseErrorHandleLast
String ID:
API String ID: 402296374-0
Opcode ID: a5a1187b6acf01bc4309200025153fa73c518a80166d4972b3ffc9f8871b18af
Instruction ID: d663a825b26a1ca848514733eb1e70c9ddc72422f0d194d8e0c7a1fd813d988a
Opcode Fuzzy Hash: a5a1187b6acf01bc4309200025153fa73c518a80166d4972b3ffc9f8871b18af
Instruction Fuzzy Hash: E731E7717443006BE330AB74AC46F5A7798E785B21F50063AFA15EA6D1DB74A404CBDE

Function 00412DA0 Relevance: 15.1, APIs: 10, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00412DBC
memset.VCRUNTIME140(?,00000000,00000054), ref: 00412DD3
#890.MFC140U ref: 00412DE0
SendMessageW.USER32(?,00000027,?,00000000), ref: 00412DF1
GetSystemMetrics.USER32(0000000B), ref: 00412DFF
GetSystemMetrics.USER32(0000000C), ref: 00412E05
GetClientRect.USER32(?,?), ref: 00412E19
DrawIcon.USER32(?,?,?,?), ref: 00412E4B
#1391.MFC140U ref: 00412E55
#11038.MFC140U ref: 00412E6F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MetricsSystem$#11038#1391#890ClientDrawIconIconicMessageRectSendmemset
String ID:
API String ID: 1369620942-0
Opcode ID: a5c29cadc23cabaeb59634efb89a6bb79be2ff2fc21286e70a5ebe08d21cc303
Instruction ID: edcb1c9bb7ba3d1157bb2b83e16f1c68939986eeb023a2ad67033e0bad944cfb
Opcode Fuzzy Hash: a5c29cadc23cabaeb59634efb89a6bb79be2ff2fc21286e70a5ebe08d21cc303
Instruction Fuzzy Hash: 2221B7326043019FD710DF78DC49A6E7BE9FF88315F140A2DFA99D61A1DB60E9148BC5

Function 00410970 Relevance: 13.7, APIs: 9, Instructions: 182fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100), ref: 00410993
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 004109CA
DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 004109F9
CloseHandle.KERNEL32(00000000), ref: 00410A00
memset.VCRUNTIME140(?,00000000,00000400), ref: 00410A53
DeviceIoControl.KERNEL32(00000000,0007C088,00000200,00000020,?,00000220,?,00000000), ref: 00410A7F
memmove.VCRUNTIME140(?,?,00000100), ref: 00410A94
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004), ref: 00410A9C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00410B5A

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ControlDevicememset$CloseCreateFileHandlefreemallocmemmove
String ID:
API String ID: 2475429783-0
Opcode ID: c1975153bc2e4c1c6a77b62c5f26fdc5d125fe48fa5e062192c733fc5165345a
Instruction ID: 4162ad337c979ecbc46aac3e6f60edc59a0f289727cde61cd162270631e40271
Opcode Fuzzy Hash: c1975153bc2e4c1c6a77b62c5f26fdc5d125fe48fa5e062192c733fc5165345a
Instruction Fuzzy Hash: A1613B30A042685ED721CF648C117FDBBB49F56300F0801DAE95DEB2C2D6B96AC4CFA8

Function 0041D350 Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 398fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,BEE31567), ref: 0041D38C
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,BEE31567), ref: 0041D39F
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,BEE31567), ref: 0041D3B4
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049B6D0,?,?,?,?,?,BEE31567), ref: 0041D8EC
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,BEE31567), ref: 0041D907
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,BEE31567), ref: 0041D913

Part of subcall function 0040D850: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,Et@,?,0040D7FF,?,?,?,?,00407445,?), ref: 0040D881

Strings

%s\GZXIP.db, xrefs: 0041D3C7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderPathSpecialXlength_error@std@@fclosefopenfwrite
String ID: %s\GZXIP.db
API String ID: 1743414663-1600395696
Opcode ID: 90bea91809419578a68aaeb4bcdae8d0627eb1bf4ac47080d7aab1d3f3f0dc47
Instruction ID: 5c4d16b365397d646a0cb1e122a3848fca5ed1388f391b99a889ff207d2d960f
Opcode Fuzzy Hash: 90bea91809419578a68aaeb4bcdae8d0627eb1bf4ac47080d7aab1d3f3f0dc47
Instruction Fuzzy Hash: FD0230B5D411299BDB20DF58DD88BD9B3B0EF58304F1842EAD809A7351D735AEC08F98

Function 0047A230 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0047A46E

Strings

2', xrefs: 0047A46E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _errno
String ID: 2'
API String ID: 2918714741-3804148631
Opcode ID: d913c9580b69a572830bc57e318a031592389938820835a6832e2f56bcf304e8
Instruction ID: c83623d117394641b849399aeec70d830e6399869d272ba85727bad9751e9a74
Opcode Fuzzy Hash: d913c9580b69a572830bc57e318a031592389938820835a6832e2f56bcf304e8
Instruction Fuzzy Hash: E88108326087118BC725CE2CC4802AFB7D1ABC5324F18872FE8A9C73D1E77599598B87

Function 0042C526 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0042C53F

Strings

, xrefs: 0042C6A3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: bdbaf08d25c6d3996f3c10ad973e21c87dc46fa39fda174220173482e58d3b86
Instruction ID: a15120fd96c10d87368acb7e9d43b99c6a27ac46e07c7ccef222703398d1f5e9
Opcode Fuzzy Hash: bdbaf08d25c6d3996f3c10ad973e21c87dc46fa39fda174220173482e58d3b86
Instruction Fuzzy Hash: 93519EB1A05615DBEB24CF69E9867AEBBF4FB48314F54802BD405E7260D378E940CFA4

Function 00420DE0 Relevance: 2.5, APIs: 2, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000), ref: 00420DF7
HeapFree.KERNEL32(00000000), ref: 00420DFE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a249b530524752f5ce649bf8151610868e9ae2943e63cdcb5a576fb5c02879c5
Instruction ID: 9a5c6486348828b1d437edf65d416f0dda42326a280fbb90c6c893c8327dff86
Opcode Fuzzy Hash: a249b530524752f5ce649bf8151610868e9ae2943e63cdcb5a576fb5c02879c5
Instruction Fuzzy Hash: 64E04F73501A229BD7204B99E89C747F7A8FF48760F56451AE908AB250C7B5AC4187E8

Function 0045C730 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 0045C78A

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: f4931dafe0015d15191cb151899da88ce0aad18836c698d9baf9dd15748b4302
Instruction ID: 038688e3687404b172cd05d4f9543c1d96fe2bc10904f6c2436a6f84104a2e38
Opcode Fuzzy Hash: f4931dafe0015d15191cb151899da88ce0aad18836c698d9baf9dd15748b4302
Instruction Fuzzy Hash: BB11E0B66083079EE310CE15D881B2BBBE8DB89355F00042FE941CB342D738DD098F5A

Function 0042C47D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0042C489,0042B730), ref: 0042C482

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8e7635246348e3410c3eefb0eb3c77cbb1cb94d485afa7c06af968b7a3c69b3d
Instruction ID: 7521eb37369a6b88bf65d1f9586abdc08fcbf8f22cae868798da526e5337614f
Opcode Fuzzy Hash: 8e7635246348e3410c3eefb0eb3c77cbb1cb94d485afa7c06af968b7a3c69b3d
Instruction Fuzzy Hash:

Function 00401610 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aca56f3c37e329ccba96ec434b1f95ac29af55b47cb5f36657d4edd7591d2ed6
Instruction ID: 30253bde1cd2f49d9a0e613484bef6221bf6baea4ea65b314cde9bb1dd686f1d
Opcode Fuzzy Hash: aca56f3c37e329ccba96ec434b1f95ac29af55b47cb5f36657d4edd7591d2ed6
Instruction Fuzzy Hash: 111271B3F515144BDB0CCA5DCCA23EDB2E3AFD4218B0E813DA40AE3745EA7DD9158688

Function 0044F2E0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1024de59c63029eeb6bf9dfea8c9efb016a4acc820f582c26ea4e604eec017c8
Instruction ID: f30b7e886ff73b7a9fc33699cf09ff4cbb25a2aaabbf1592908fb10f61a8ef96
Opcode Fuzzy Hash: 1024de59c63029eeb6bf9dfea8c9efb016a4acc820f582c26ea4e604eec017c8
Instruction Fuzzy Hash: 1822D2B2A083418FE310CF1DD48076ABBE1FB84354F54493FE99A87351D779D94A8B86

Function 00413100 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c92c817de14773ec29c60740f1fc5eccb6164dd170d1273092883fa0b89770
Instruction ID: f34534a00e69df49ea63d800399edff26cd8edaee15de033cc049cca26491315
Opcode Fuzzy Hash: 10c92c817de14773ec29c60740f1fc5eccb6164dd170d1273092883fa0b89770
Instruction Fuzzy Hash: 47817E72E0021D9BCF04CFA9D8805EEBBB1FF89315F2485AED855F7301D6385A858B98

Function 00405FA0 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f82359d68e261eb215cb3ddd4ca4bf9042022fa32fbeebddfc86479373234711
Instruction ID: 45dfb56dec85701f45a8f6a1851ba7955baff1edbecb6fea4157457565e97a5a
Opcode Fuzzy Hash: f82359d68e261eb215cb3ddd4ca4bf9042022fa32fbeebddfc86479373234711
Instruction Fuzzy Hash: AF818F71D001198BCF04CFA9C8805EEBBB1EF89314F25857ED856FB342D6399A55CBA8

Function 004024B0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1022567ff60495345587e1afb4fffedac9aad0a57bb83fafe518e122a3683509
Instruction ID: 698b9527001fe319a246d436da4d1acb1a933641d0af35e3b7fdea7eec27df60
Opcode Fuzzy Hash: 1022567ff60495345587e1afb4fffedac9aad0a57bb83fafe518e122a3683509
Instruction Fuzzy Hash: 8D31C61590C1E55DD7268B3D44A86E6BFD08E6A118F1E82EAE8D89F3D3C09A850AC371

Function 004107A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfdd3717fe1d0bcd0f2f7db099a8a25b20a2ab4a42d8bd880b2599caf5012151
Instruction ID: 5b690feceb7721495b02b61f8d624d6cc9c0f3996ebc4108ec34950efc1044b6
Opcode Fuzzy Hash: cfdd3717fe1d0bcd0f2f7db099a8a25b20a2ab4a42d8bd880b2599caf5012151
Instruction Fuzzy Hash: D111513A578E0D46C61D642C1420AFB22805B01315F94062FAAEAE93C1EFDDE8D7C4CF

Function 0042FE80 Relevance: 166.5, APIs: 6, Strings: 89, Instructions: 272COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0042FEA5
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0042FEAF

Strings

SEC_E_UNKNOWN_CREDENTIALS, xrefs: 00430195
SEC_E_NOT_OWNER, xrefs: 00430087
SEC_E_INSUFFICIENT_MEMORY, xrefs: 0042FFDD
SEC_I_COMPLETE_NEEDED, xrefs: 0043024C
SEC_E_CERT_EXPIRED, xrefs: 0042FF6A
SEC_E_KDC_CERT_REVOKED, xrefs: 0043002D
SEC_E_QOP_NOT_SUPPORTED, xrefs: 00430109
SEC_E_NO_TGT_REPLY, xrefs: 004300D7
SEC_E_DOWNGRADE_DETECTED, xrefs: 0042FFB5
SEC_E_INVALID_TOKEN, xrefs: 00430005
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 0043018B
CRYPT_E_NO_REVOCATION_CHECK, xrefs: 00430201
SEC_E_ENCRYPT_FAILURE, xrefs: 0042FFBF
SEC_E_BUFFER_TOO_SMALL, xrefs: 0042FF55
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 00430163
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 00430091
SEC_E_NO_IMPERSONATION, xrefs: 004300A5
SEC_E_OUT_OF_SEQUENCE, xrefs: 004300E1
SEC_E_INVALID_PARAMETER, xrefs: 0042FFFB
CRYPT_E_NOT_IN_REVOCATION_DATABASE, xrefs: 00430215
SEC_E_MESSAGE_ALTERED, xrefs: 00430069
SEC_I_CONTEXT_EXPIRED, xrefs: 00430256
%s (0x%08X), xrefs: 004302C5
SEC_E_NO_KERB_KEY, xrefs: 004300B9
SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 0043004B
SEC_E_WRONG_PRINCIPAL, xrefs: 004301C7
SEC_E_CANNOT_INSTALL, xrefs: 0042FF5C
SEC_E_NO_PA_DATA, xrefs: 004300C3
SEC_E_TARGET_UNKNOWN, xrefs: 0043016D
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 0043013B
%s (0x%08X) - %s, xrefs: 0042FF33
SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 004300EB
SEC_E_DECRYPT_FAILURE, xrefs: 0042FF97
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 0043000F
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 00430242
SEC_E_BAD_BINDINGS, xrefs: 0042FF47
SEC_E_CANNOT_PACK, xrefs: 0042FF63
SEC_E_INCOMPLETE_MESSAGE, xrefs: 0042FFD3
SEC_I_SIGNATURE_NEEDED, xrefs: 00430292
SEC_E_DELEGATION_REQUIRED, xrefs: 0042FFAB
SEC_E_KDC_INVALID_REQUEST, xrefs: 00430037
SEC_E_CONTEXT_EXPIRED, xrefs: 0042FF7F
SEC_E_MUST_BE_KDC, xrefs: 0043007D
SEC_E_NO_IP_ADDRESSES, xrefs: 004300AF
SEC_E_POLICY_NLTM_ONLY, xrefs: 004300FF
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 0042FF8D
SEC_I_NO_LSA_CONTEXT, xrefs: 0043027E
SEC_E_UNSUPPORTED_FUNCTION, xrefs: 0043019F
SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 0043005F
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 0043026A
SEC_E_INTERNAL_ERROR, xrefs: 0042FFE7
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 0042FFC9
SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 004301BD
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 00430159
No error, xrefs: 0043021F
SEC_E_NO_CREDENTIALS, xrefs: 0043009B
SEC_E_ALGORITHM_MISMATCH, xrefs: 0042FF0C
SEC_E_DELEGATION_POLICY, xrefs: 0042FFA1
CRYPT_E_REVOKED, xrefs: 004301D1
SEC_E_SECURITY_QOS_FAILED, xrefs: 00430131
SEC_E_UNTRUSTED_ROOT, xrefs: 004301B3
SEC_E_INVALID_HANDLE, xrefs: 0042FFF1
SEC_E_TIME_SKEW, xrefs: 00430177
SEC_I_CONTINUE_NEEDED, xrefs: 0042FF32, 00430260
SEC_E_LOGON_DENIED, xrefs: 00430055
SEC_I_LOCAL_LOGON, xrefs: 00430274
SEC_E_CERT_WRONG_USAGE, xrefs: 0042FF78
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 0043011D
CRYPT_E_NO_REVOCATION_DLL, xrefs: 004301F7
SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 0042FF86
SEC_E_KDC_CERT_EXPIRED, xrefs: 00430023
2', xrefs: 0042FEAF, 004302D4
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 004301A9
Unknown error, xrefs: 0043029C, 004302C4
SEC_E_CERT_UNKNOWN, xrefs: 0042FF71
SEC_E_SECPKG_NOT_FOUND, xrefs: 00430127
SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 00430019
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 00430181
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 004302B2
SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 0043014F
SEC_E_MULTIPLE_ACCOUNTS, xrefs: 00430073
CRYPT_E_REVOCATION_OFFLINE, xrefs: 0043020B
SEC_E_BAD_PKGID, xrefs: 0042FF4E
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 004300CD
SEC_E_KDC_UNABLE_TO_REFER, xrefs: 00430041
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 00430145
SEC_I_RENEGOTIATE, xrefs: 00430288
SEC_E_REVOCATION_OFFLINE_C, xrefs: 00430113
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 004300F5

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s (0x%08X) - %s$2'$CRYPT_E_NOT_IN_REVOCATION_DATABASE$CRYPT_E_NO_REVOCATION_CHECK$CRYPT_E_NO_REVOCATION_DLL$CRYPT_E_REVOCATION_OFFLINE$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 3939687465-70889030
Opcode ID: b52b8cd7a32f2d5db427a78d18241c765de2c67c1606b1d28b620dae3e7b9881
Instruction ID: d45daf3c0a848e3c00b1bb9b3a30ea292974729412456fde04f4519a9b140fd5
Opcode Fuzzy Hash: b52b8cd7a32f2d5db427a78d18241c765de2c67c1606b1d28b620dae3e7b9881
Instruction Fuzzy Hash: 8E91F862E0A23097A31075047E4492F237C9646334BEBCDB7AC1A6B2C1E32D5C4A67DF

Function 00410D70 Relevance: 108.9, APIs: 61, Strings: 1, Instructions: 382windowCOMMON

Download Yara Rule

APIs

#462.MFC140U(00000066,00000000,BEE31567,?,00000000,?,?,0040FC15,?,00001DAC), ref: 00410DA1
#1002.MFC140U(?,00000000), ref: 00410DC5
#1002.MFC140U(?,00000000), ref: 00410DDC
#1002.MFC140U(?,00000000), ref: 00410DF3
#968.MFC140U(?,00000000), ref: 00410E05
#1002.MFC140U(?,00000000), ref: 00410E1A
#1002.MFC140U(?,00000000), ref: 00410E31
#1002.MFC140U(?,00000000), ref: 00410E48
#1002.MFC140U(?,00000000), ref: 00410E5F
#1002.MFC140U(?,00000000), ref: 00410E76
#1002.MFC140U(?,00000000), ref: 00410E8D
#1002.MFC140U(?,00000000), ref: 00410EA4
#1002.MFC140U(?,00000000), ref: 00410EBB
#1002.MFC140U(?,00000000), ref: 00410EE6
#1002.MFC140U(?,00000000), ref: 00410EFD
#1002.MFC140U(?,00000000), ref: 00410F14
#1002.MFC140U(?,00000000), ref: 00410F2B
#1002.MFC140U(?,00000000), ref: 00410F42
#1002.MFC140U(?,00000000), ref: 00410F59
#1002.MFC140U(?,00000000), ref: 00410F70
#1002.MFC140U(?,00000000), ref: 00410F87
#1002.MFC140U(?,00000000), ref: 00410F9E
#1002.MFC140U(?,00000000), ref: 00410FB5
#1002.MFC140U(?,00000000), ref: 00410FCC
#1002.MFC140U(?,00000000), ref: 00410FE3
#1002.MFC140U(?,00000000), ref: 00410FFA
#1002.MFC140U(?,00000000), ref: 00411011
#1002.MFC140U(?,00000000), ref: 00411028
#1002.MFC140U(?,00000000), ref: 0041103F
#1002.MFC140U(?,00000000), ref: 00411056
#1002.MFC140U(?,00000000), ref: 0041106D
#1002.MFC140U(?,00000000), ref: 00411084
#1002.MFC140U(?,00000000), ref: 0041109B
#1002.MFC140U(?,00000000), ref: 004110B2
#1002.MFC140U(?,00000000), ref: 004110C9
#1002.MFC140U(?,00000000), ref: 004110E0
#1002.MFC140U(?,00000000), ref: 004110F7
#1002.MFC140U(?,00000000), ref: 0041110E
#1002.MFC140U(?,00000000), ref: 00411125
#1002.MFC140U(?,00000000), ref: 0041113C
#1002.MFC140U(?,00000000), ref: 00411153
#1002.MFC140U(?,00000000), ref: 0041116A
#1002.MFC140U(?,00000000), ref: 00411181
#1002.MFC140U(?,00000000), ref: 00411198
#1002.MFC140U(?,00000000), ref: 004111AF
#1002.MFC140U(?,00000000), ref: 004111C6
#1002.MFC140U(?,00000000), ref: 004111DD
#1002.MFC140U(?,00000000), ref: 004111F4
#1002.MFC140U(?,00000000), ref: 0041120B
#1002.MFC140U(?,00000000), ref: 00411222
#1002.MFC140U(?,00000000), ref: 00411239
#1002.MFC140U(?,00000000), ref: 00411250
#1002.MFC140U(?,00000000), ref: 00411267
#1002.MFC140U(?,00000000), ref: 0041127E
#1002.MFC140U(?,00000000), ref: 00411295
#1002.MFC140U(?,00000000), ref: 004112AC
#1002.MFC140U(?,00000000), ref: 004112C3
#1002.MFC140U(?,00000000), ref: 004112DA
#2246.MFC140U(?,00000000), ref: 004112E6
#2215.MFC140U(00000080,0000000E,00000080,?,00000000), ref: 004112F8
LoadIconW.USER32(00000000), ref: 004112FF

Strings

9, xrefs: 004112E2

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1002$#2215#2246#462#968IconLoad
String ID: 9
API String ID: 2630162603-2366072709
Opcode ID: d64885589c0de647da799af41db59515dc56f28ccc7f710f86890673f06f505a
Instruction ID: 59f8d6c74aee2b44432e09a26dfe6c9a199aabb79892dee4f79a51f4962dc17e
Opcode Fuzzy Hash: d64885589c0de647da799af41db59515dc56f28ccc7f710f86890673f06f505a
Instruction Fuzzy Hash: 3402D374911269CACF11DF588A442DCFFF8AF55B04F6580AFD8806B245C7F92B058BEA

Function 0040FC70 Relevance: 88.7, APIs: 59, Instructions: 165COMMON

Download Yara Rule

APIs

#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FC88
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FC96
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FC9E
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCA6
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCAE
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCB6
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCBE
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCC6
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCCE
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCD6
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCDE
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCE6
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCEE
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCF6
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FCFE
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD06
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD0E
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD16
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD1E
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD26
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD2E
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD36
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD3E
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD46
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD4E
#1070.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD5C
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD67
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD72
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD7D
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD88
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD93
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FD9E
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDA9
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDB4
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDBF
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDCA
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDD5
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDE0
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDEB
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FDF6
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE01
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE0C
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE17
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE22
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE2D
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE38
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE43
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE4E
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE59
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE64
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE6F
#1133.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE7A
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE85
#1447.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE8D
#1070.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FE99
#1066.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FEA1
#1180.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FEA9
#1113.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FEB5

Part of subcall function 00410020: #3882.MFC140U(BEE31567,0040FC45,8000042E,8000042A), ref: 0041005E

#1111.MFC140U(?,00000000,?,?,?,0040FC45,?,00001DAC), ref: 0040FECE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1066$#1133$#1070$#1111#1113#1180#1447#3882
String ID:
API String ID: 2665430492-0
Opcode ID: 776411bbcf96a41f6d01dee26dd536729df4a5b93177ccd6de7cc5e0ffea413f
Instruction ID: 44d11fc4122e2d3fb82141050be6512e27123f3c741113478a00b065a0f15e01
Opcode Fuzzy Hash: 776411bbcf96a41f6d01dee26dd536729df4a5b93177ccd6de7cc5e0ffea413f
Instruction Fuzzy Hash: 1871A23660150ADFCB18EB78EDE49EDB3B0BFA4308B64446DC05B571A1AE317A0ACF45

Function 00418BF0 Relevance: 87.8, APIs: 49, Strings: 1, Instructions: 333windowfileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,BEE31567), ref: 00418C2C
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,BEE31567), ref: 00418C3F
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,00000000,00000100,BEE31567), ref: 00418C52
#296.MFC140U(?,?,?,?,?,BEE31567), ref: 00418C60
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,BEE31567), ref: 00418C7A
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049BD0C,?,0049BF90,?,?,?,?,?,?,BEE31567), ref: 00418CA4
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00418CC7
#5850.MFC140U(?,00000000,00000014,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418CF0
#5850.MFC140U(?,00000000,00000013,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D0C
#5850.MFC140U(?,00000000,00000012,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D28
#5850.MFC140U(?,00000000,0000000E,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D44
#5850.MFC140U(?,00000000,0000000D,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D60
#5850.MFC140U(?,00000000,0000000C,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D7C
#5850.MFC140U(?,00000000,0000000B,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418D98
#5850.MFC140U(?,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418DB4
#5850.MFC140U(?,00000000,00000009,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418DD0
#5850.MFC140U(?,00000000,00000008,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418DEC
#5850.MFC140U(?,00000000,00000007,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E08
#5850.MFC140U(?,00000000,00000006,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E24
#5850.MFC140U(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E40
#5850.MFC140U(?,00000000,00000004,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E5C
#5850.MFC140U(?,00000000,00000002,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E74
#5850.MFC140U(?,00000000,00000001,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 00418E8C
#4815.MFC140U(?,%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00418F10
#1045.MFC140U ref: 00418F1F
#1045.MFC140U ref: 00418F2B
#1045.MFC140U ref: 00418F37
#1045.MFC140U ref: 00418F43
#1045.MFC140U ref: 00418F4F
#1045.MFC140U ref: 00418F5B
#1045.MFC140U ref: 00418F67
#1045.MFC140U ref: 00418F73
#1045.MFC140U ref: 00418F7F
#1045.MFC140U ref: 00418F8B
#1045.MFC140U ref: 00418F97
#1045.MFC140U ref: 00418FA3
#1045.MFC140U ref: 00418FAF
#1045.MFC140U ref: 00418FBB
#1045.MFC140U ref: 00418FC7
#1045.MFC140U ref: 00418FD7
#280.MFC140U(?), ref: 00418FEA
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0041900B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041901C
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0041903B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 00419046
#1045.MFC140U ref: 0041905A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00419091
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 004190AA
#1045.MFC140U(?,?,?,?,?,?,?,?,?,?,BEE31567), ref: 004190B9

Strings

%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s, xrefs: 00418F0A

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045$#5850$memset$#5110ByteCharMessageMultiSendWide$#280#296#4815FolderPathSpecialfclosefopen
String ID: %s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s----%s
API String ID: 3542791364-1782761721
Opcode ID: c10be9279454396ec905051ba408a8c1b95f23b9982c86f7599c81ee6a3be21f
Instruction ID: 4191982bbafc23bb7fe1ceb4a16ec6b4eaff8b3c648f26c43a7142c9eefb299a
Opcode Fuzzy Hash: c10be9279454396ec905051ba408a8c1b95f23b9982c86f7599c81ee6a3be21f
Instruction Fuzzy Hash: 7CE11871901218AFDB26DB60DD44FE9BBBDFB09705F0004E9E609A72A0DB716B84CF65

Function 00411370 Relevance: 84.3, APIs: 56, Instructions: 302COMMON

Download Yara Rule

APIs

#3697.MFC140U(?,000003E8,?), ref: 00411392
#3697.MFC140U(?,000003E9,?), ref: 004113AA
#3697.MFC140U(?,000003ED,?), ref: 004113C2
#3697.MFC140U(?,000003F0,?), ref: 004113DA
#3697.MFC140U(?,000003F2,?), ref: 004113E9
#3697.MFC140U(?,000003F5,?), ref: 004113F8
#3697.MFC140U(?,000003FA,?), ref: 00411407
#3697.MFC140U(?,00000404,?), ref: 00411416
#3697.MFC140U(?,0000040D,?), ref: 00411425
#3697.MFC140U(?,0000040E,?), ref: 00411434
#3697.MFC140U(?,0000040F,?), ref: 00411443
#3697.MFC140U(?,00000410,?), ref: 00411452
#3697.MFC140U(?,00000411,?), ref: 00411461
#3697.MFC140U(?,0000041B,?), ref: 00411470
#3697.MFC140U(?,00000416,?), ref: 0041147F
#3697.MFC140U(?,0000041D,?), ref: 0041148E
#3697.MFC140U(?,0000041E,?), ref: 0041149D
#3697.MFC140U(?,00000424,?), ref: 004114AC
#3697.MFC140U(?,00000425,?), ref: 004114BB
#3697.MFC140U(?,00000426,?), ref: 004114CA
#3697.MFC140U(?,00000429,?), ref: 004114D9
#3697.MFC140U(?,000003F7,?), ref: 004114E8
#3697.MFC140U(?,0000042E,?), ref: 004114F7
#3697.MFC140U(?,00000434,?), ref: 00411506
#3697.MFC140U(?,00000436,?), ref: 00411515
#3697.MFC140U(?,00000437,?), ref: 00411524
#3697.MFC140U(?,000003EA,?), ref: 00411533
#3697.MFC140U(?,0000044C,?), ref: 00411542
#3697.MFC140U(?,00000452,?), ref: 00411551
#3697.MFC140U(?,00000454,?), ref: 00411560
#3697.MFC140U(?,000003F8,?), ref: 0041156F
#3697.MFC140U(?,00000456,?), ref: 0041157E
#3697.MFC140U(?,00000458,?), ref: 0041158D
#3697.MFC140U(?,00000412,?), ref: 0041159C
#3697.MFC140U(?,0000045A,?), ref: 004115AB
#3697.MFC140U(?,0000045D,?), ref: 004115BA
#3697.MFC140U(?,0000045E,?), ref: 004115C9
#3697.MFC140U(?,0000045F,?), ref: 004115D8
#3697.MFC140U(?,00000460,?), ref: 004115E7
#3697.MFC140U(?,00000461,?), ref: 004115F6
#3697.MFC140U(?,0000045C,?), ref: 00411605
#3697.MFC140U(?,00000462,?), ref: 00411614
#3697.MFC140U(?,00000464,?), ref: 00411623
#3697.MFC140U(?,00000465,?), ref: 00411632
#3697.MFC140U(?,00000469,?), ref: 00411641
#3697.MFC140U(?,0000046A,?), ref: 00411650
#3697.MFC140U(?,0000046B,?), ref: 0041165F
#3697.MFC140U(?,000003F6,?), ref: 0041166E
#3697.MFC140U(?,000003F9,?), ref: 0041167D
#3697.MFC140U(?,000003F1,?), ref: 0041168C
#3697.MFC140U(?,0000040C,?), ref: 0041169B
#3697.MFC140U(?,000003FC,?), ref: 004116AA
#3697.MFC140U(?,00000421,?), ref: 004116B9
#3697.MFC140U(?,00000447,?), ref: 004116C8
#3697.MFC140U(?,000003FD,?), ref: 004116D7
#3697.MFC140U(?,00000427,?), ref: 004116E6

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #3697
String ID:
API String ID: 872563729-0
Opcode ID: 3389550a40116d22807621f7016f31adf36582435ae53dec1b2887bd692c55e1
Instruction ID: 27d4560c0c4b7d945d70a326b13a7c543878c32721480ba0435b4eb920a23158
Opcode Fuzzy Hash: 3389550a40116d22807621f7016f31adf36582435ae53dec1b2887bd692c55e1
Instruction Fuzzy Hash: 9E91DDFA64070C7EE520A7749C81EEB73DCDF49710F019926FB57E6086DAB4FA048A25

Function 0040E640 Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 379networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 0040E687
CreateIoCompletionPort.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0040E6A3
#21.WS2_32(00000000,0000FFFF,00000080,?), ref: 0040E6CE
#22.WS2_32(00000000,00000002), ref: 0040E6D7
#3.WS2_32(00000000), ref: 0040E6DE
GetLastError.KERNEL32(?,00000000,?), ref: 0040E6EA
#2.WS2_32(00000000,?), ref: 0040E720
#111.WS2_32(?,00000000,?), ref: 0040E732
#52.WS2_32(00000000), ref: 0040E76C
memcpy.VCRUNTIME140(?,?,?), ref: 0040E781
#12.WS2_32(?,?,00000000,?), ref: 0040E78D
#11.WS2_32(00000000,?,00000000,?), ref: 0040E794
#9.WS2_32(00000000,?,00000000,?), ref: 0040E7A1
#10.WS2_32 ref: 0040E7C0
#4.WS2_32(00000000,?,00000010), ref: 0040E7CF
#18.WS2_32(?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0040E7FB
#21.WS2_32(00000000,0000FFFF,00000080,?,00000004,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 0040E82B
#22.WS2_32(00000000,00000002,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0040E834
#3.WS2_32(00000000,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0040E83B
#52.WS2_32(?), ref: 0040E864
memcpy.VCRUNTIME140(?,?,?), ref: 0040E879
#12.WS2_32(?,?,00000000,?), ref: 0040E885
#11.WS2_32(00000000,?,00000000,?), ref: 0040E88C
#9.WS2_32(?,?,00000000,?), ref: 0040E899
#10.WS2_32 ref: 0040E8B8
#4.WS2_32(00000000,?,00000010), ref: 0040E8C7
#18.WS2_32(?,?,?,?,00000000,?,00000000,?), ref: 0040E8F9
#21.WS2_32(00000000,0000FFFF,00000080,?,00000004,?,?,?,?,00000000,?,00000000,?), ref: 0040E925
#22.WS2_32(00000000,00000002,?,?,?,?,00000000,?,00000000,?), ref: 0040E92E
#3.WS2_32(00000000,?,?,?,?,00000000,?,00000000,?), ref: 0040E935
#21.WS2_32(00000000,0000FFFF,00001005,?,00000004,?,?,?,?,00000000,?,00000000,?), ref: 0040E97B
#21.WS2_32(00000000,0000FFFF,00001006,?,00000004,?,?,?,?,00000000,?,00000000,?), ref: 0040E990
WSAIoctl.WS2_32(00000000,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 0040E9CD
#21.WS2_32(-00000003,0000FFFF,00000080,?,00000004,?,?,?,?,00000000,?,00000000,?), ref: 0040EA07
#22.WS2_32(-00000003,00000002,?,?,?,?,00000000,?,00000000,?), ref: 0040EA0C
#3.WS2_32(-00000003,?,?,?,?,00000000,?,00000000,?), ref: 0040EA13
#21.WS2_32(-00000001,0000FFFF,00000080,?,00000004,?,00000000,?,?,?,?,?,?,00000000,?,00000000), ref: 0040EAA3
#22.WS2_32(-00000001,00000002,?,?,?,?,?,00000000,?,00000000,?), ref: 0040EAAC
#3.WS2_32(-00000001,?,?,?,?,?,00000000,?,00000000,?), ref: 0040EAB3
#1511.MFC140U(00000030,?,00000000,?,?,?,?,?,?,00000000,?,00000000,?), ref: 0040EADA
memset.VCRUNTIME140(00000000,00000000,00000030,?,?,?,?,?,00000000,?,00000000,?), ref: 0040EAE7
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,00000000,8004667E,?,?,00000000,?), ref: 0040EB19

Strings

0u, xrefs: 0040E973

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Completionmemcpy$#111#1511CreateErrorIoctlLastPortPostQueuedSocketStatusmemset
String ID: 0u
API String ID: 36828649-3203441087
Opcode ID: e3083d88d8fdf2c2fdd9b0cf6e953f22e9bc8a00de89bf2e7b1f9269b54b97e2
Instruction ID: 64ff55cc1c83962de7f8f460d477b11e62a897e30d5ea0bced0cb0975b4cb57b
Opcode Fuzzy Hash: e3083d88d8fdf2c2fdd9b0cf6e953f22e9bc8a00de89bf2e7b1f9269b54b97e2
Instruction Fuzzy Hash: DCE1A171204301AFE3109F65DC49F5EBBA8FF88724F004A2EFA55962E1C7759918CB9A

Function 004045A0 Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 223stringCOMMON

Download Yara Rule

APIs

#296.MFC140U ref: 004045A6
#8.WS2_32(?), ref: 004045BC
GetTickCount.KERNEL32 ref: 004045D7
strstr.VCRUNTIME140(?,0049AE04), ref: 004045F2
#290.MFC140U(?), ref: 00404622
#4815.MFC140U(?,%d/10 %u %s,00000000,?,00000000), ref: 00404646
#1045.MFC140U(?,?,?,?,?), ref: 00404659
#13656.MFC140U(?,00000012,?,?,?,?,?,?), ref: 0040466E
#13656.MFC140U(?,0000000B,0049AE24,?,00000012,?,?,?,?,?,?), ref: 004046A1
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Strings

%d/10 %u %s, xrefs: 00404640

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#13656$#290#296#4815CountTickstrstr
String ID: %d/10 %u %s
API String ID: 280517580-3016937181
Opcode ID: c90cb58a67781ca5b1f7b8331c103815111a5b10d267c4a941002ceb0b0aea57
Instruction ID: 9b19d72b498af564213c5db923542aab01ad7940c6f3c9eb0a3852e84b7c1fc1
Opcode Fuzzy Hash: c90cb58a67781ca5b1f7b8331c103815111a5b10d267c4a941002ceb0b0aea57
Instruction Fuzzy Hash: 7CA17F70601604CFDB28AF34DD587AEBBB1EB49301F40087EE91A972A5CB746944CF5D

Function 0040A920 Relevance: 52.8, APIs: 35, Instructions: 294COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040A967
#8.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040A98B
#13960.MFC140U(00000001,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040A99F
GetTickCount.KERNEL32 ref: 0040A9AB
#8.WS2_32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040A9B2
#13960.MFC140U(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040A9E8
memcpy.VCRUNTIME140(?,004A44D0,00000096), ref: 0040A9FA
#360.MFC140U ref: 0040AA13
#13960.MFC140U(?,000000FF), ref: 0040AA29
#13960.MFC140U(00000000,000000FF), ref: 0040AA4D
#13960.MFC140U(00000000,000000FF), ref: 0040AA6C
#9.WS2_32(?), ref: 0040AA86
#13960.MFC140U(00000000,000000FF), ref: 0040AA9E
memcpy.VCRUNTIME140(?,?,?), ref: 0040AACF
#360.MFC140U ref: 0040AAE8
#9.WS2_32(00004C68), ref: 0040AB00
#13960.MFC140U(00000000,000000FF), ref: 0040AB1E
#13960.MFC140U(00000101,000000FF), ref: 0040AB37
#8.WS2_32(00000000), ref: 0040AB50
#8.WS2_32(00000001), ref: 0040AB77
#13960.MFC140U(00000001,000000FF), ref: 0040AB8B
#13253.MFC140U(00000001,00000001), ref: 0040ABA5
#13253.MFC140U(00000000,00000000), ref: 0040ABAF
memset.VCRUNTIME140(?,00000000), ref: 0040ABC6

Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 004027D3
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402801
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402861

#13960.MFC140U(00000000,000000FF,?,?,00001000), ref: 0040ABFD
memcpy.VCRUNTIME140(?,?,?,?,?,00001000), ref: 0040AC11
#360.MFC140U ref: 0040AC2A
#8.WS2_32(00000FFC), ref: 0040AC3B
#13960.MFC140U(00000001,000000FF), ref: 0040AC4F
#13960.MFC140U(?,000000FF), ref: 0040AC6F
memcpy.VCRUNTIME140(?,?,00001000), ref: 0040AC7E
#1067.MFC140U(?,?,?,?,?,?,?,?,00001000), ref: 0040ACAA
#1067.MFC140U(?,?,?,?,?,?,?,?,00001000), ref: 0040ACAF
#1067.MFC140U(?,?,?,?,?,?,?,?,00001000), ref: 0040ACB4
#1067.MFC140U(?,?,?,?,?,?,?,?,00001000), ref: 0040ACB9

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13960$#1067#360memcpy$rand$#13253$CountTickmemset
String ID:
API String ID: 3929952459-0
Opcode ID: b24596fe43edfdc7a5bd421781f5daf074eb7162d1c72ec68f59cc9a10b96084
Instruction ID: 20f684e9f462c91bc4eefe32d7100321a1bcb902a51a6776548e2a581471922b
Opcode Fuzzy Hash: b24596fe43edfdc7a5bd421781f5daf074eb7162d1c72ec68f59cc9a10b96084
Instruction Fuzzy Hash: B6D12875C002189FCF10DF94DC84AEDBBB4FF58324F244669E925A72A1EB34AA45CF54

Function 0040BA60 Relevance: 51.3, APIs: 34, Instructions: 260COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567,00000000), ref: 0040BAAE
#13960.MFC140U(?,000000FF), ref: 0040BAC7
#13253.MFC140U(?,000000FF), ref: 0040BAF3
#13253.MFC140U(?,000000FF), ref: 0040BB00
#13960.MFC140U(00000000,000000FF), ref: 0040BB0E
#9.WS2_32(0040BE75), ref: 0040BB26
#13960.MFC140U(00000000,000000FF), ref: 0040BB3E
#13960.MFC140U(?,000000FF), ref: 0040BB5B
memcpy.VCRUNTIME140(?,?,0040BE73), ref: 0040BB6B
memset.VCRUNTIME140(?,00000000), ref: 0040BB85

Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 004027D3
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402801
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402861

#360.MFC140U ref: 0040BBC6
#9.WS2_32(00004C68), ref: 0040BBD5
#13960.MFC140U(00000000,000000FF), ref: 0040BBF3
#13960.MFC140U(00000101,000000FF), ref: 0040BC0C
#8.WS2_32(00000000), ref: 0040BC25
#13960.MFC140U(00000001,000000FF), ref: 0040BC39
#8.WS2_32(00000001), ref: 0040BC4B
#13960.MFC140U(00000001,000000FF), ref: 0040BC5F
#13253.MFC140U(00000001,00000001), ref: 0040BC79
#13253.MFC140U(00000000,00000000), ref: 0040BC83
#13960.MFC140U(00000000,000000FF), ref: 0040BC94
memcpy.VCRUNTIME140(?,?,?), ref: 0040BCA8
#360.MFC140U ref: 0040BCC1
#8.WS2_32(?), ref: 0040BCD2
#13960.MFC140U(00000001,000000FF), ref: 0040BCE6
#13960.MFC140U(?,000000FF), ref: 0040BD06
memcpy.VCRUNTIME140(?,?,?), ref: 0040BD15
#265.MFC140U(?), ref: 0040BD2C
memset.VCRUNTIME140(00000000,00000000,?), ref: 0040BD3D
memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,?), ref: 0040BD49
#266.MFC140U(00000000), ref: 0040BD6B
#1067.MFC140U ref: 0040BD7D
#1067.MFC140U ref: 0040BD82
#1067.MFC140U ref: 0040BD87

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13960$#13253memcpy$#1067#360rand$memset$#265#266
String ID:
API String ID: 2932419479-0
Opcode ID: 2c2a23c5bf5fef2e546ab41551b2b3bc50360f686f1423b61b3a8b8555eb68c5
Instruction ID: afc0e31a7aade4c084aa2c7e9608ed8f4a141d19d124ae18d8589db6a5211eef
Opcode Fuzzy Hash: 2c2a23c5bf5fef2e546ab41551b2b3bc50360f686f1423b61b3a8b8555eb68c5
Instruction Fuzzy Hash: 62B12975C00219AFCF11DF94DC44AEEBBB4FF08324F204669E925A7291E734AA45CB94

Function 00404411 Relevance: 49.7, APIs: 33, Instructions: 241COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 0040442C
#8.WS2_32(?), ref: 00404442
#4815.MFC140U(?,0049ADBC,00000000), ref: 00404455
#13656.MFC140U(?,0000000B,?), ref: 0040446D
#1045.MFC140U(?,0000000B,?), ref: 00404480
#9.WS2_32(?), ref: 00404497
#8.WS2_32(?), ref: 004044AF
#13656.MFC140U(?,00000012,0049ADD0), ref: 004044E2
#296.MFC140U ref: 0040450B
#4815.MFC140U(?,0049ADF0,?), ref: 0040452A
#13656.MFC140U(?,00000012,?), ref: 00404542
GetTickCount.KERNEL32 ref: 0040457C
#1045.MFC140U ref: 00404595
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#13656#296$#1045#4815$_time64
String ID:
API String ID: 2121568691-0
Opcode ID: bb65ff6f59d6b7ae0945b38efdc88c34b9548d92999ab53e244bd90b28209f2a
Instruction ID: 7768e7674ef469938c54868635527f1a829b27cbdb4b79dfaa614b231b753241
Opcode Fuzzy Hash: bb65ff6f59d6b7ae0945b38efdc88c34b9548d92999ab53e244bd90b28209f2a
Instruction Fuzzy Hash: 3DA18F71601A04CFDB28AF24DD587AF7BB1EB49301F40097EE91AA62A1DB346984CF5D

Function 00403DF5 Relevance: 49.7, APIs: 33, Instructions: 226COMMON

Download Yara Rule

APIs

#1045.MFC140U(?,0049AE6C,00000000,?,0000000D,?), ref: 00403B5D
#8.WS2_32(?), ref: 00403DFE
#8.WS2_32(?), ref: 00403E0D
#8.WS2_32(?), ref: 00403E22

Part of subcall function 00413EA0: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?), ref: 00413EF6

#8.WS2_32(?), ref: 00403E3E
#296.MFC140U ref: 00403E50
#4815.MFC140U(?,0049B244,?), ref: 00403E70
#4815.MFC140U(?,0049B244,?), ref: 00403E88
#13656.MFC140U(?,00000006,?), ref: 00403EA0
#4815.MFC140U(?,0049B244,?,?,00000006,?), ref: 00403EB8
#13656.MFC140U(?,00000007,?), ref: 00403ED0
#8.WS2_32(?,?,00000007,?), ref: 00403EF2
#4815.MFC140U(?,0049B244,00000000,?,00000007,?), ref: 00403F23
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#4815$#13656#296$#1045_time64atoi
String ID:
API String ID: 1972929877-0
Opcode ID: 37eec46d43d3c38e41b91bd4ff80457d20f6f311f9c76287ce6358d6e999dc68
Instruction ID: 7eba7d13c335a749bae31e04244afdb74278ddd0595e1352ef39f7b22a4bd358
Opcode Fuzzy Hash: 37eec46d43d3c38e41b91bd4ff80457d20f6f311f9c76287ce6358d6e999dc68
Instruction Fuzzy Hash: A4A15071601604CFDB28AF24DD59B6E7BB5FB48301F4009BEE91AA72A1DB346A44CF49

Function 00403C7D Relevance: 45.2, APIs: 30, Instructions: 217COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403C99
GetTickCount.KERNEL32 ref: 00403CAF
#8.WS2_32(00000000), ref: 00403CB6
#296.MFC140U ref: 00403CC8
#4815.MFC140U(?,0049AB48,0000000A), ref: 00403CE7
#13656.MFC140U(?,00000012,?), ref: 00403D33
#8.WS2_32(?,?,00000012,?), ref: 00403D42
#8.WS2_32(?,?,00000012,?), ref: 00403D51
#8.WS2_32(?,?,00000012,?), ref: 00403D62
#1045.MFC140U(?,?,00000000,00000000,?,00000012,?), ref: 00403D93
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1045#296$#13656#4815_time64
String ID:
API String ID: 2347787467-0
Opcode ID: fc45775ff9d900d7e29e42fa0ef3858d9b0b63df557ca9ac26d788da6360873b
Instruction ID: af7fb64e95a404d8d11f7f4c1549924bc3636b730e2417ab3f653026a11d7523
Opcode Fuzzy Hash: fc45775ff9d900d7e29e42fa0ef3858d9b0b63df557ca9ac26d788da6360873b
Instruction Fuzzy Hash: 29915971601A04CFDB28AF34DD187AEBBB1EB49301F40497EE91A972A1CB786944CF5D

Function 0041E020 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 394filewindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 0041E05A
memset.VCRUNTIME140(?,00000000,00000200), ref: 0041E075
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041E08A
#4815.MFC140U(?,%s\,?), ref: 0041E0A3
SendMessageW.USER32(?,0000040B,00000005,0049C1F4), ref: 0041E0C0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0041E0DB
GetFileSize.KERNEL32(00000000,?), ref: 0041E0F4
#265.MFC140U(00000001), ref: 0041E100
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041E11D
#266.MFC140U(00000000), ref: 0041E134
CloseHandle.KERNEL32(00000000), ref: 0041E143
#296.MFC140U ref: 0041E14F
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041E1D9
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041E1EB
#296.MFC140U ref: 0041E2E5
#1045.MFC140U ref: 0041E5EE

Strings

%s\, xrefs: 0041E09D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #296File$atoll$#1045#265#266#4815CloseCreateFolderHandleMessagePathReadSendSizeSpecialmemset
String ID: %s\
API String ID: 3287862490-2802346739
Opcode ID: a1e4ba6508e65d08a69775ba611ad70ffc54e38a5a1fcf060aac5be225bf8005
Instruction ID: e40d7449b2a07ac570baffd05f9d49ced0b4cccbfdf8b305a70a3ed04793cb45
Opcode Fuzzy Hash: a1e4ba6508e65d08a69775ba611ad70ffc54e38a5a1fcf060aac5be225bf8005
Instruction Fuzzy Hash: F4F1D275A012149FCB24CF65EC88BAA77B5FB85704F1841ADE80A973A0D738BD81CF49

Function 0041EC00 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 394filewindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 0041EC3A
memset.VCRUNTIME140(?,00000000,00000200), ref: 0041EC55
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041EC6A
#4815.MFC140U(?,%s\,?), ref: 0041EC83
SendMessageW.USER32(?,0000040B,00000005,0049C248), ref: 0041ECA0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0041ECBB
GetFileSize.KERNEL32(00000000,?), ref: 0041ECD4
#265.MFC140U(00000001), ref: 0041ECE0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041ECFD
#266.MFC140U(00000000), ref: 0041ED14
CloseHandle.KERNEL32(00000000), ref: 0041ED23
#296.MFC140U ref: 0041ED2F
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041EDB9
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041EDCB
#296.MFC140U ref: 0041EEC5
#1045.MFC140U ref: 0041F1CE

Strings

%s\, xrefs: 0041EC7D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #296File$atoll$#1045#265#266#4815CloseCreateFolderHandleMessagePathReadSendSizeSpecialmemset
String ID: %s\
API String ID: 3287862490-2802346739
Opcode ID: 95e8a323d600b0591ad477491dc02fd153c6fc2af88c3fb07a93fcef52980b71
Instruction ID: bcb9c745a5fedee579ead055cfe661b4c4a5bbed6502d359dc13e71cee619209
Opcode Fuzzy Hash: 95e8a323d600b0591ad477491dc02fd153c6fc2af88c3fb07a93fcef52980b71
Instruction Fuzzy Hash: 52F18075A012149FCB24CF64EC88BAA77B5FB85704F1841BDE909972A0D738BD85CF49

Function 0041E610 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 394filewindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 0041E64A
memset.VCRUNTIME140(?,00000000,00000200), ref: 0041E665
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041E67A
#4815.MFC140U(?,%s\,?), ref: 0041E693
SendMessageW.USER32(?,0000040B,00000005,0049C21C), ref: 0041E6B0
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0041E6CB
GetFileSize.KERNEL32(00000000,?), ref: 0041E6E4
#265.MFC140U(00000001), ref: 0041E6F0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041E70D
#266.MFC140U(00000000), ref: 0041E724
CloseHandle.KERNEL32(00000000), ref: 0041E733
#296.MFC140U ref: 0041E73F
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041E7C9
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041E7DB
#296.MFC140U ref: 0041E8D5
#1045.MFC140U ref: 0041EBDE

Strings

%s\, xrefs: 0041E68D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #296File$atoll$#1045#265#266#4815CloseCreateFolderHandleMessagePathReadSendSizeSpecialmemset
String ID: %s\
API String ID: 3287862490-2802346739
Opcode ID: 19c72167568a10e4104c76582d3b2f516758fa8c3d8181dab3766e59826efb11
Instruction ID: 0595636f7baeecacc6b4acdd0072eefd738560f157c615e6d5c24653207f4e33
Opcode Fuzzy Hash: 19c72167568a10e4104c76582d3b2f516758fa8c3d8181dab3766e59826efb11
Instruction Fuzzy Hash: 29F1D375A012149FCB24DF25EC88BAA77B5FB85704F1841ADE90A973A0D738BD81CF49

Function 00414150 Relevance: 43.9, APIs: 29, Instructions: 372COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140(007A6A08,BEE31567), ref: 0041419C
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?), ref: 004141AA

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?), ref: 004142AB
#296.MFC140U ref: 004142DF
#4815.MFC140U(?,0049BC58,00000000,00000000,00000000,FFFFFFFF,FFFFFFFF,FFFFFFFF,?,?,?,?,?,?), ref: 004143D9
#13656.MFC140U(00000000,00000012,?), ref: 004143F4
#13656.MFC140U(00000000,00000013,0049BC84), ref: 00414404
#1045.MFC140U ref: 0041440D
_Mtx_unlock.MSVCP140(007A6A08), ref: 00414469
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00414477
#5850.MFC140U(?,?,00000001), ref: 004144D6
memset.VCRUNTIME140(?,00000000,00000032), ref: 004144E8
#280.MFC140U(?), ref: 004144FA
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0041451B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041452C
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 00414548
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 00414553
#1045.MFC140U ref: 00414564

Part of subcall function 00413F50: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,BEE31567,?,00000000), ref: 00413FB5
Part of subcall function 00413F50: #296.MFC140U ref: 00413FE1
Part of subcall function 00413F50: #4815.MFC140U(00488739,0049BC08,00000000,00000000,00000000,FFFFFFFF,FFFFFFFF,?,?,?,?,?), ref: 004140B7

#296.MFC140U(00000000), ref: 004145E0
#4815.MFC140U(?,0049BC2C,?,00000001,?), ref: 004145FE
#13656.MFC140U(00000000,0000000D,?), ref: 00414621
#13656.MFC140U(00000000,00000012,?), ref: 0041462F
#13656.MFC140U(00000000,00000013,?), ref: 0041463D
#290.MFC140U(?), ref: 00414656
#13656.MFC140U(?,00000001,00000000), ref: 0041466B
#1045.MFC140U ref: 00414677
#13656.MFC140U(00000000,00000001,?), ref: 0041469C
#1045.MFC140U(?,0049BC4C), ref: 004146DB
#1045.MFC140U ref: 004146E4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13656$#1045$#296#4815$#5110ByteC_error@std@@CharMultiThrow_Wide_time64$#280#290#5850Mtx_lockMtx_unlock_localtime64_smemset
String ID:
API String ID: 1940400716-0
Opcode ID: 8de449bc5df600c946b4218a6607160fecd2f686acab4f5e04b95f1be92dbc15
Instruction ID: 7615e88e121609a17cb1113e0f444ffe480f376f4aac4e349062466410691e8a
Opcode Fuzzy Hash: 8de449bc5df600c946b4218a6607160fecd2f686acab4f5e04b95f1be92dbc15
Instruction Fuzzy Hash: 6BF1AF71A01208DFDB14DF54DD54BEEBBB4FB49304F0440AEE905A72A1DB79AA84CF98

Function 004037D5 Relevance: 42.3, APIs: 28, Instructions: 253stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,0049AEB4), ref: 00403802
#13656.MFC140U ref: 00403831
#13656.MFC140U(?,0000000D,0049AEBC), ref: 00403846

Part of subcall function 004161F0: memset.VCRUNTIME140(?,00000000,00000400,?,?,?), ref: 00416224
Part of subcall function 004161F0: memset.VCRUNTIME140(?,00000000,00000400,?,?,?), ref: 0041623B
Part of subcall function 004161F0: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 00416251
Part of subcall function 004161F0: memset.VCRUNTIME140(?,00000000,00000400,?,?,?,?,?,?,?,?,?), ref: 00416283
Part of subcall function 004161F0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041628D

memset.VCRUNTIME140(?,00000000,00000400), ref: 0040387A
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 0040388D
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 004038BD
WritePrivateProfileStringA.KERNEL32(0049AC88,00000000,0049AC84,?), ref: 00403904

Part of subcall function 00414150: _Mtx_lock.MSVCP140(007A6A08,BEE31567), ref: 0041419C
Part of subcall function 00414150: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?), ref: 004141AA
Part of subcall function 00414150: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?), ref: 004142AB
Part of subcall function 00414150: #296.MFC140U ref: 004142DF

#13656.MFC140U ref: 00403936
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$memset$#13656_time64$#296FolderPathSpecial$C_error@std@@Mtx_lockPrivateProfileStringThrow_Writestrstr
String ID:
API String ID: 525013424-0
Opcode ID: 901c938e084d394143782aad2512d56f93c91b4f314149203002f25537d86794
Instruction ID: 90c50cbb896a0f6f3258be3dd6932a676d04aa85fbd3347a78c3c9a758280582
Opcode Fuzzy Hash: 901c938e084d394143782aad2512d56f93c91b4f314149203002f25537d86794
Instruction Fuzzy Hash: 61A19071600A04CFDB24EB64DD19BAFBBB4EB48305F40093EE91AA62D1DB786944CF5D

Function 0040A460 Relevance: 42.2, APIs: 28, Instructions: 216COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040A4AB
#13960.MFC140U(00000000,000000FF), ref: 0040A4C7
memcpy.VCRUNTIME140(?,?,0040C80D), ref: 0040A4D7
memset.VCRUNTIME140(?,00000000,?,?,?,00001000,?,?,0040C80D), ref: 0040A4F1

Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 004027D3
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402801
Part of subcall function 004027A0: rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00402861

#360.MFC140U ref: 0040A532
#9.WS2_32(00004C68), ref: 0040A541
#13960.MFC140U(?,000000FF), ref: 0040A55F
#13960.MFC140U(?,000000FF), ref: 0040A578
#8.WS2_32(00000000), ref: 0040A591
#13960.MFC140U(00000004,000000FF), ref: 0040A5A5
#8.WS2_32(00000004), ref: 0040A5B7
#13960.MFC140U(00000004,000000FF), ref: 0040A5CB
#13253.MFC140U(?,00000001), ref: 0040A5E5
#13253.MFC140U(?,00000000), ref: 0040A5EF
#13960.MFC140U(00000000,000000FF), ref: 0040A600
memcpy.VCRUNTIME140(?,?,?), ref: 0040A614
#360.MFC140U ref: 0040A62D
#8.WS2_32(?), ref: 0040A63E
#13960.MFC140U(00000004,000000FF), ref: 0040A652
#13960.MFC140U(?,000000FF), ref: 0040A672
memcpy.VCRUNTIME140(?,?,?), ref: 0040A681
#265.MFC140U(?), ref: 0040A698
memset.VCRUNTIME140(00000000,00000000,?), ref: 0040A6A9
memcpy.VCRUNTIME140(00000000,?,?,00000000,00000000,?), ref: 0040A6B5
#266.MFC140U(00000000), ref: 0040A6D7
#1067.MFC140U ref: 0040A6E9
#1067.MFC140U ref: 0040A6EE
#1067.MFC140U ref: 0040A6F3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13960$memcpy$#1067#360rand$#13253memset$#265#266
String ID:
API String ID: 627285181-0
Opcode ID: 8f7a5f03d51c2fbe3c9556adcd3af669a74cd16541468d6d08d87d973691058b
Instruction ID: c603b34c9a907734cfda34ccd647aaf3bc5f0c83775ba352f4df54b7f0c23d3c
Opcode Fuzzy Hash: 8f7a5f03d51c2fbe3c9556adcd3af669a74cd16541468d6d08d87d973691058b
Instruction Fuzzy Hash: 95914872D00219AFCF00DF94DC45AEEBBB8FF08324F244269E916B7291E7746A45CB94

Function 00403AA6 Relevance: 42.2, APIs: 28, Instructions: 198COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 00403AAC
#8.WS2_32(?), ref: 00403AC8
#8.WS2_32(?), ref: 00403AD9
#4815.MFC140U(?,0049B244,?), ref: 00403AFC
#13656.MFC140U(?,00000007,?), ref: 00403B19
#4815.MFC140U(?,0049B244,00000000), ref: 00403B2C
#13656.MFC140U(?,00000008,?), ref: 00403B4A
#1045.MFC140U(?,0049AE6C,00000000,?,0000000D,?), ref: 00403B5D
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890
GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#13656$#1045#296#4815$_time64
String ID:
API String ID: 3774616486-0
Opcode ID: 98ae5875159e66f2f937be577c06eaa4b301ee809d98e3ba5494ed4068f43edf
Instruction ID: 0fda11433c45b3bbef8c0e69024f8dd06986038572417a757fdce4dd390427c7
Opcode Fuzzy Hash: 98ae5875159e66f2f937be577c06eaa4b301ee809d98e3ba5494ed4068f43edf
Instruction Fuzzy Hash: 92816F71601604CFDB28AF34DD5876EBBB1FB48301F40097EE91AA72A4DB746944CF59

Function 00402B70 Relevance: 39.3, APIs: 26, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000001), ref: 00402BBF
#296.MFC140U ref: 00402C1B
IsBadReadPtr.KERNEL32(?,00000001), ref: 00402C47
#8.WS2_32(?), ref: 00402C5D
memset.VCRUNTIME140(?,00000000,000186A0), ref: 00402C99
#360.MFC140U ref: 00402CBD

Part of subcall function 00405EA0: #13960.MFC140U(?,000000FF,?,00000000,?,?,00402CE8,?,?,?,?), ref: 00405EC1
Part of subcall function 00405EA0: memcpy.VCRUNTIME140(00000001,?,,@,?,00000000,?,?,00402CE8,?,?,?,?), ref: 00405ED1

memcpy.VCRUNTIME140(?,?,?,?,?,?,?), ref: 00402D15
#9.WS2_32(?,?,?,?), ref: 00402DA3
#9.WS2_32(?), ref: 00402DC5
memset.VCRUNTIME140(?,00000000,00000064), ref: 00402DE0
memset.VCRUNTIME140(?,00000000,00000064,?,00000000,00000064), ref: 00402DED
memset.VCRUNTIME140(?,00000000,00000064,?,00000000,00000064,?,00000000,00000064), ref: 00402DFD
HeapAlloc.KERNEL32(00000000,00400000), ref: 00402E12
#9.WS2_32(?), ref: 00402E82
#9.WS2_32(?), ref: 00402E9C
#9.WS2_32(00000001), ref: 00402EB7
#9.WS2_32(?), ref: 00402ED2
#9.WS2_32(?), ref: 00402EED
#9.WS2_32(?), ref: 00402F08
#9.WS2_32(?), ref: 00402F23
memcpy.VCRUNTIME140(?,?,0000C350), ref: 00402F57
HeapFree.KERNEL32(00000000,?), ref: 00402F6D
#12637.MFC140U(00000000,?,?,?,?,?), ref: 00403086
#1067.MFC140U(?,?,?,?), ref: 00403095
#1045.MFC140U(?,?,?,?), ref: 004030A1
#1045.MFC140U(?), ref: 004030BE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$memcpy$#1045HeapRead$#1067#12637#13960#296#360AllocFree
String ID:
API String ID: 279948265-0
Opcode ID: 83127db0df67b95062505d89bea30f7eeb85db906bf78ae640d287abb80dab78
Instruction ID: e9ad64bc2fcc4f16b6a43c8e97256ac6c7b3262a45905b22cc4f871ce4af673b
Opcode Fuzzy Hash: 83127db0df67b95062505d89bea30f7eeb85db906bf78ae640d287abb80dab78
Instruction Fuzzy Hash: 40E17034A01A15DFCB24DF64CC48BEBB7A8EF05701F40426AE419A7391D739AE94CF99

Function 00403BA5 Relevance: 37.7, APIs: 25, Instructions: 203COMMON

Download Yara Rule

APIs

#1045.MFC140U(?,0049AE6C,00000000,?,0000000D,?), ref: 00403B5D
GetTickCount.KERNEL32 ref: 00403BF4
#296.MFC140U ref: 00403C06
#4815.MFC140U(?,0049AB2C,00000009), ref: 00403C25
#13656.MFC140U(?,00000012,?), ref: 00403C3D
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1045#296$#13656#4815_time64
String ID:
API String ID: 2347787467-0
Opcode ID: 4008c105b91e0f9af993b6829ba19daf20e8af6def4c4cac099f11a63c047051
Instruction ID: ddcbb07f56837ff72be464d8dabb495a23e4a19908561fb1cfc55f6676400e95
Opcode Fuzzy Hash: 4008c105b91e0f9af993b6829ba19daf20e8af6def4c4cac099f11a63c047051
Instruction Fuzzy Hash: C6816D71601A04CFDB28AF34D96876FBBB1EB45301F40497EE81A972A5CB782948CF5D

Function 004047C4 Relevance: 37.7, APIs: 25, Instructions: 202COMMON

Download Yara Rule

APIs

#1045.MFC140U(?,0049AE6C,00000000,?,0000000D,?), ref: 00403B5D
#296.MFC140U ref: 004047E9
#8.WS2_32(?), ref: 004047FF
GetTickCount.KERNEL32 ref: 0040483F
#4815.MFC140U(?,0049AF10,?), ref: 0040487B
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890
GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1045#296$#13656#4815_time64
String ID:
API String ID: 2347787467-0
Opcode ID: 5cf70dd962827f18cded088e85717b95a9be91c68eb0ac88293eec73badfd212
Instruction ID: 297d0c335d4a3208cf10935745d4a0acf27ace679eaddc9b237f7f7f56016e42
Opcode Fuzzy Hash: 5cf70dd962827f18cded088e85717b95a9be91c68eb0ac88293eec73badfd212
Instruction Fuzzy Hash: D7817E71600A04CFDB28AF34D9187AFBBB1EB49301F40497EE91AA7294C7746944CF5D

Function 004046D2 Relevance: 37.7, APIs: 25, Instructions: 183COMMON

Download Yara Rule

APIs

#8.WS2_32(?), ref: 004046DB
#296.MFC140U ref: 004046F6
#4815.MFC140U(?,0049AED4,?), ref: 00404715
#13656.MFC140U(?,00000012,?), ref: 0040472D
#1045.MFC140U(?,00000012,?), ref: 00404740
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#296$#1045#13656#4815_time64
String ID:
API String ID: 1766200338-0
Opcode ID: 2d38f2ed6799fcead65cd4323fd9a0837141076ec33869a2c92eeac9360c726f
Instruction ID: 11b8abee6c1a1ecdd1bae16096ddb75bd33529b61d3da14d79af07005845034f
Opcode Fuzzy Hash: 2d38f2ed6799fcead65cd4323fd9a0837141076ec33869a2c92eeac9360c726f
Instruction Fuzzy Hash: 27715E71601A04CFDB28AF34ED587AEBBB1EB49301F40497EE81A972A4DB746944CF49

Function 004102F0 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 112filetimethreadCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000208,BEE31567), ref: 0041032E
#296.MFC140U(BEE31567), ref: 0041033C
#296.MFC140U ref: 0041034F
GetSystemTime.KERNEL32(?), ref: 00410360
GetModuleFileNameW.KERNEL32(00000000,?,00000207), ref: 00410374
#1525.MFC140U(?), ref: 00410387
#8712.MFC140U ref: 00410393
#4815.MFC140U(?,%04d%02d%02d%02d%02d%02d.dmp,?,?,?,?,?,?), ref: 004103D5
#12763.MFC140U(.exe,?), ref: 004103EF
#12763.MFC140U(.dll,?), ref: 00410406

Part of subcall function 00410220: #296.MFC140U(BEE31567), ref: 00410250
Part of subcall function 00410220: #2477.MFC140U(?,0049B5CC,00000000,00000000), ref: 004102A6
Part of subcall function 00410220: MessageBoxW.USER32(00000000,?,0049B5F0,00000000), ref: 004102C2
Part of subcall function 00410220: #1045.MFC140U ref: 004102CB

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041042C
GetCurrentThreadId.KERNEL32 ref: 0041043A
GetCurrentProcessId.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0041045E
GetCurrentProcess.KERNEL32(00000000), ref: 00410465
MiniDumpWriteDump.DBGHELP(00000000), ref: 0041046C
CloseHandle.KERNEL32(00000000), ref: 00410473
#1045.MFC140U ref: 0041047F
#1045.MFC140U ref: 0041048B

Strings

.exe, xrefs: 004103EA
.dll, xrefs: 00410401
%04d%02d%02d%02d%02d%02d.dmp, xrefs: 004103CF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296Current$#12763DumpFileProcess$#1525#2477#4815#8712CloseCreateHandleMessageMiniModuleNameSystemThreadTimeWritememset
String ID: %04d%02d%02d%02d%02d%02d.dmp$.dll$.exe
API String ID: 2733844461-1259758831
Opcode ID: 3fee1db25970e1addc8766ebbc10c791cfbe7bcee2b203d92ce8920f5bd41b56
Instruction ID: 2be776548ea8188b3e86f61fe6003746ccc9536299b7d04264402acb6bc5b790
Opcode Fuzzy Hash: 3fee1db25970e1addc8766ebbc10c791cfbe7bcee2b203d92ce8920f5bd41b56
Instruction Fuzzy Hash: 46414F7194122CAFDB209F90EC5DFEDB778FB08701F1044A9F605A21A0DB786A85CF94

Function 00403582 Relevance: 34.7, APIs: 23, Instructions: 193windowCOMMON

Download Yara Rule

APIs

#296.MFC140U ref: 00403599
SendMessageW.USER32(?,0000040B,00000003,?), ref: 004035E7
#1045.MFC140U(?,0049AE6C,00000000,?,0000000D,?), ref: 00403B5D
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#296$#1045MessageSend_time64
String ID:
API String ID: 1295674719-0
Opcode ID: d7489bf9b6d6905a82f382d3edc86dad99d036f77f9e83e7550fd4c05f0bb7dc
Instruction ID: 55775a7b6cf88e6cb43a514406b296183ac718405332b29414e5fae751f3dced
Opcode Fuzzy Hash: d7489bf9b6d6905a82f382d3edc86dad99d036f77f9e83e7550fd4c05f0bb7dc
Instruction Fuzzy Hash: E5716C71601A04CFDB28EB38ED5876E7BB1EB49301F40097EE81AA72A4CB746944CF5D

Function 0040DEE0 Relevance: 33.2, APIs: 22, Instructions: 203networkCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000034), ref: 0040DEF7
memset.VCRUNTIME140(00000000,00000000,00000034), ref: 0040DF04
#265.MFC140U(00000000,00000000,00000034), ref: 0040DF0F
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 0040DF47
#266.MFC140U(?), ref: 0040DF5E
#266.MFC140U(00000000), ref: 0040DF68
#111.WS2_32 ref: 0040DF6D
#21.WS2_32(00000000,0000FFFF,00001002,004A4720,00000004), ref: 0040DF9C
#21.WS2_32(?,0000FFFF,00001001,00000001,00000004), ref: 0040DFB8
#21.WS2_32(?,0000FFFF,00000004,FFFFFFFF,00000004), ref: 0040DFD1
CreateIoCompletionPort.KERNEL32(?,00000000,00000000), ref: 0040DFE0
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 0040E004
#266.MFC140U(?), ref: 0040E013
#266.MFC140U(00000000), ref: 0040E01D
GetLastError.KERNEL32 ref: 0040E022

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266$Completion$#111#1511#265CreateErrorLastPortPostQueuedSocketStatusmemset
String ID:
API String ID: 3193823385-0
Opcode ID: 9293ef47097a5b55c7170de6ceb1123fb5b05f3a1affbe5ed91b3a6e16a9fbbc
Instruction ID: 8e070eee40c72758fa2c9e6531e3ff89f67dfcda937f061f2bc2d38669db627f
Opcode Fuzzy Hash: 9293ef47097a5b55c7170de6ceb1123fb5b05f3a1affbe5ed91b3a6e16a9fbbc
Instruction Fuzzy Hash: 8671B070B40209BFDB109F65EC46B6DBB74FF49710F10022AE614AA6E0D7B16914CFD9

Function 0040B2A0 Relevance: 33.1, APIs: 22, Instructions: 134COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040B2F4
#8.WS2_32(00000001), ref: 0040B304
#13960.MFC140U(00000001,000000FF), ref: 0040B318
GetTickCount.KERNEL32 ref: 0040B324
#8.WS2_32(00000000), ref: 0040B32B
#13960.MFC140U(00000001,000000FF), ref: 0040B33F
#13253.MFC140U(?,00000000), ref: 0040B359
#13253.MFC140U(?,00000001), ref: 0040B363
#13253.MFC140U(?,00000000), ref: 0040B36D
#13253.MFC140U(?,00000007), ref: 0040B377
#8.WS2_32(00002724), ref: 0040B37E
#13960.MFC140U(00000001,000000FF), ref: 0040B392
#13253.MFC140U(?,00000001), ref: 0040B3AC
#13253.MFC140U(?,00000000), ref: 0040B3B6
#13253.MFC140U(?,00000000), ref: 0040B3C0
#13253.MFC140U(?,00000000), ref: 0040B3CA
#13253.MFC140U(?,00000000), ref: 0040B3D4
#13253.MFC140U(?,00000000), ref: 0040B3DE
#13253.MFC140U(?,00000000), ref: 0040B3E8
#13253.MFC140U(?,00000000), ref: 0040B3F2
#13253.MFC140U(?,00000000), ref: 0040B3FC
#1067.MFC140U(00008200,00000000,?,?), ref: 0040B415

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#13960$#1067#360CountTick
String ID:
API String ID: 338892868-0
Opcode ID: 8ee6da92c87d21829482ed3272f7e71a2b03afe9708594b2184bc96f3e64419c
Instruction ID: 754f106d9134705f49305bb900225933680779dbaff3cf2bc7f2d5b62d1f2d02
Opcode Fuzzy Hash: 8ee6da92c87d21829482ed3272f7e71a2b03afe9708594b2184bc96f3e64419c
Instruction Fuzzy Hash: 3A511672D0011AAFDF15DF90CD55BEEBBB4EB18714F204159E526722A0EB362A05CF54

Function 0040343C Relevance: 31.7, APIs: 21, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 0040CB00: #296.MFC140U ref: 0040CB1E
Part of subcall function 0040CB00: #9.WS2_32(?), ref: 0040CB61
Part of subcall function 0040CB00: #9.WS2_32(?), ref: 0040CB7B
Part of subcall function 0040CB00: #9.WS2_32(00000000), ref: 0040CB87
Part of subcall function 0040CB00: #8.WS2_32(?), ref: 0040CBA3
Part of subcall function 0040CB00: #1045.MFC140U ref: 0040CBF7

#13656.MFC140U(?,00000012,0049AB08), ref: 004034A7
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890
GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
GetTickCount.KERNEL32 ref: 00405972
#13656.MFC140U(?,0000000B,0049AF34), ref: 004059A4

Part of subcall function 00414150: _Mtx_lock.MSVCP140(007A6A08,BEE31567), ref: 0041419C
Part of subcall function 00414150: ?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?), ref: 004141AA
Part of subcall function 00414150: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?), ref: 004142AB
Part of subcall function 00414150: #296.MFC140U ref: 004142DF

#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#13656#296$#1045_time64$C_error@std@@Mtx_lockThrow_
String ID:
API String ID: 932276010-0
Opcode ID: 3261f5fd5a865ec9e724cd2b17a4ada01f0d05317a2d797b49b631ed4d5a3d7f
Instruction ID: d58dbc3e2236f57663908e2d5242c6e30f2e5f1df15807f245a4b24db3216f47
Opcode Fuzzy Hash: 3261f5fd5a865ec9e724cd2b17a4ada01f0d05317a2d797b49b631ed4d5a3d7f
Instruction Fuzzy Hash: FC715E71600A04CFDB28AB34ED6976F7BB1EB49301F44493EE81AA62D4CB786944CF5D

Function 00403DA7 Relevance: 31.7, APIs: 21, Instructions: 174COMMON

Download Yara Rule

APIs

#13656.MFC140U ref: 00403DD2

Part of subcall function 0040CA00: #360.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000012,0049AB64), ref: 0040CA50
Part of subcall function 0040CA00: #8.WS2_32(00000000,00000003,00000000), ref: 0040CA7C
Part of subcall function 0040CA00: GetTickCount.KERNEL32 ref: 0040CA93
Part of subcall function 0040CA00: #8.WS2_32(00000000), ref: 0040CA9A
Part of subcall function 0040CA00: #1067.MFC140U(?,?,?,?), ref: 0040CAD8

Part of subcall function 0040D080: #360.MFC140U ref: 0040D0D1
Part of subcall function 0040D080: #8.WS2_32(00000000,00000003,00000000), ref: 0040D0EB
Part of subcall function 0040D080: GetTickCount.KERNEL32 ref: 0040D0FE
Part of subcall function 0040D080: #8.WS2_32(00000000), ref: 0040D105
Part of subcall function 0040D080: #13253.MFC140U(?,00000000), ref: 0040D122
Part of subcall function 0040D080: #13253.MFC140U(?,00000000), ref: 0040D12C
Part of subcall function 0040D080: #13253.MFC140U(?,00000000), ref: 0040D136
Part of subcall function 0040D080: #1067.MFC140U(?,?,?,?), ref: 0040D154

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890
GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#13253$#1067#13656#360$#1045#296_time64
String ID:
API String ID: 2782995450-0
Opcode ID: 9aad9dfa67699824516fc89334725c183679ac87fdde6e8e032156ce28e46bd5
Instruction ID: 2e653ad8e6cdcf117aa86810bd22cd0fad7a1ac83511d6fae49f2626f1bb19f7
Opcode Fuzzy Hash: 9aad9dfa67699824516fc89334725c183679ac87fdde6e8e032156ce28e46bd5
Instruction Fuzzy Hash: 36616071600A04CFDB28AB34D96C76F7BB1EB49301F44493EE81A97294DB786944CF5D

Function 00404762 Relevance: 30.2, APIs: 20, Instructions: 182COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#296_time64
String ID:
API String ID: 1415019371-0
Opcode ID: 0ebde4c681f80a7b93037627b192f611b32e9f7482765037ab7b1a35be5ed5a7
Instruction ID: 78fb481cc8a516fb09de13110969e93b13febe4bf970f25b12f13e0101f01fc0
Opcode Fuzzy Hash: 0ebde4c681f80a7b93037627b192f611b32e9f7482765037ab7b1a35be5ed5a7
Instruction Fuzzy Hash: CF715C71600A01CFDB28AB38A96876F7BB1EB49301F44493FE81AD7294DB786944CF5D

Function 00403968 Relevance: 30.2, APIs: 20, Instructions: 167COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#296_time64
String ID:
API String ID: 1415019371-0
Opcode ID: e80ebe3e77b14085e5ca26a0a339cb9c489a074d7f3972f2a2e7ba173eb1cfb6
Instruction ID: cd07ab465c127712a70d19a283f1e0b93eeec7588f772bb841bb789e336b21fe
Opcode Fuzzy Hash: e80ebe3e77b14085e5ca26a0a339cb9c489a074d7f3972f2a2e7ba173eb1cfb6
Instruction Fuzzy Hash: E2616C71600A04CFDB28AF38E96876F7BB1EB49301F44493EE81A972A4CB746944CF5D

Function 00404308 Relevance: 30.2, APIs: 20, Instructions: 163COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0040565F
GetTickCount.KERNEL32 ref: 00405674
#296.MFC140U(?,?,?,?,?), ref: 004056E1
GetTickCount.KERNEL32 ref: 004056F6
GetTickCount.KERNEL32 ref: 00405716
GetTickCount.KERNEL32 ref: 00405736
GetTickCount.KERNEL32 ref: 00405767
GetTickCount.KERNEL32 ref: 00405812
GetTickCount.KERNEL32 ref: 00405832
GetTickCount.KERNEL32 ref: 00405852
GetTickCount.KERNEL32 ref: 00405858
GetTickCount.KERNEL32 ref: 0040585E
GetTickCount.KERNEL32 ref: 00405870
GetTickCount.KERNEL32 ref: 00405890
GetTickCount.KERNEL32 ref: 004058B0
GetTickCount.KERNEL32 ref: 004058B6
GetTickCount.KERNEL32 ref: 004058BC
GetTickCount.KERNEL32 ref: 004058E9
#13656.MFC140U(?,0000000B,0049AF20), ref: 00405938
#1045.MFC140U(00000004,?,00000000,00000000,?,00000000), ref: 00405BC3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1045#13656#296_time64
String ID:
API String ID: 668879676-0
Opcode ID: 6a98bf9f7bcb5d5e318e3943db7102735c8efd3f711f5e1f4d516874389d4dd7
Instruction ID: 8d1d7cbc11d39db654d72455c30e257fcf2816efec5d7dd75faa29d0cf2f2995
Opcode Fuzzy Hash: 6a98bf9f7bcb5d5e318e3943db7102735c8efd3f711f5e1f4d516874389d4dd7
Instruction Fuzzy Hash: CA615D71600A04CFDB28AB38E96C76E7BB1EB49301F44493EE81A972A4DB746944CF5D

Function 0041DD90 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041DDCC
#296.MFC140U(?,BEE31567), ref: 0041DDDA
#296.MFC140U(?,BEE31567), ref: 0041DDED
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041DE04
#4815.MFC140U(BEE31567,%s\IPsET.ini,?,?,BEE31567), ref: 0041DE1D
#7820.MFC140U(?), ref: 0041DE33
#280.MFC140U(?), ref: 0041DE46
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0041DE67
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041DE72
#5110.MFC140U(?,004A6484,00000000,00000000,00000000), ref: 0041DE93
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041DE9E
#1045.MFC140U ref: 0041DEB1
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B97C,?,?), ref: 0041DECD
#1045.MFC140U ref: 0041DED9
#1045.MFC140U ref: 0041DEE5

Strings

%s\IPsET.ini, xrefs: 0041DE17

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045$#296#5110ByteCharMultiWide$#280#4815#7820FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 1759814412-2680549692
Opcode ID: ded4808f2847bdec2b2bfa7c9bcc79b4ed6fa1c121e966f73361ed390843b244
Instruction ID: b02fbe2205259991a3ab3f959defda40ff1732cb266481b377d39dfb8d53ac67
Opcode Fuzzy Hash: ded4808f2847bdec2b2bfa7c9bcc79b4ed6fa1c121e966f73361ed390843b244
Instruction Fuzzy Hash: 78414C7198121DAFDB20DB60DC4DBDDBB78EB14704F1045A9F60AA61E0DBB02A44CF99

Function 0044A870 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 347stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A), ref: 0044A8CE
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A), ref: 0044A8E9
strchr.VCRUNTIME140(?,0000003A), ref: 0044A9DB
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 0044A9FE
strchr.VCRUNTIME140(?,0000002C), ref: 0044AA38
memcpy.VCRUNTIME140(?,?,00000000), ref: 0044AA8E

Strings

Couldn't parse CURLOPT_RESOLVE entry '%s', xrefs: 0044AC80
Bad syntax CURLOPT_RESOLVE removal entry '%s', xrefs: 0044A908, 0044A923
(non-permanent), xrefs: 0044ABE8
RESOLVE *:%d using wildcard, xrefs: 0044AC1A
Added %.*s:%d:%s to DNS cache%s, xrefs: 0044AC01
+, xrefs: 0044ABE3
Resolve address '%s' found illegal, xrefs: 0044AC6C
:%u, xrefs: 0044A964, 0044AB24
RESOLVE %.*s:%d - old addresses discarded, xrefs: 0044AB77

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: strchr$strtoul$memcpy
String ID: (non-permanent)$+$:%u$Added %.*s:%d:%s to DNS cache%s$Bad syntax CURLOPT_RESOLVE removal entry '%s'$Couldn't parse CURLOPT_RESOLVE entry '%s'$RESOLVE %.*s:%d - old addresses discarded$RESOLVE *:%d using wildcard$Resolve address '%s' found illegal
API String ID: 1902193620-3374123344
Opcode ID: 6443d754d87e93f1713ffe02af7ed7485eaa78ebf765e51c8effba2db28f9c03
Instruction ID: abf3bd6e74a821f35034d7157844c7f79d3a8643eebe634eb1b2befabc96e054
Opcode Fuzzy Hash: 6443d754d87e93f1713ffe02af7ed7485eaa78ebf765e51c8effba2db28f9c03
Instruction Fuzzy Hash: D7C10472944241AFE7309F25C845F6B7BE8EF85704F04092EFD89A7242D639AD14C7AB

Function 0040CC20 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 243COMMON

Download Yara Rule

APIs

#9.WS2_32(?), ref: 0040CCAA
#8.WS2_32(?), ref: 0040CCC2
#8.WS2_32(?), ref: 0040CCD1
#8.WS2_32(?), ref: 0040CCE2
memset.VCRUNTIME140(?,00000000,00000100), ref: 0040CD70
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0040CD83
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0040CE37
#296.MFC140U ref: 0040CF17
#8.WS2_32(00000000), ref: 0040CF3A
#8.WS2_32(?), ref: 0040CF44
#2477.MFC140U(?,%u|,00000000), ref: 0040CF55
#1045.MFC140U ref: 0040CF87

Strings

%X1, xrefs: 0040CDB5
$', xrefs: 0040CF63
%u|, xrefs: 0040CF4F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$#1045#2477#296atoll
String ID: $'$%X1$%u|
API String ID: 1912357654-3315878219
Opcode ID: 3efb0b33469404d27cd7a598f16f53287db5ffe1117adfeb2720268fec93e44a
Instruction ID: bcda97c5f9ecba768196e06a33f6e883b195f589f551d85b8c47c9068ad55dbf
Opcode Fuzzy Hash: 3efb0b33469404d27cd7a598f16f53287db5ffe1117adfeb2720268fec93e44a
Instruction Fuzzy Hash: DEA1B571900219DBCF218F60DC897EABBB5EF15304F1405FAD849A7382D7399A88CF99

Function 0041A980 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,0000020A), ref: 0041A9DB
SHFileOperationW.SHELL32(00000000), ref: 0041AAAA

Part of subcall function 0042BC5C: ___report_securityfailure.LIBCMT ref: 0042BC61

memset.VCRUNTIME140(?,00000000,00000400), ref: 0041AAFB
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 0041AB0E

Part of subcall function 0041A870: RegOpenKeyExA.ADVAPI32(?,0049C0F0,00000000,00020019,?), ref: 0041A8A9
Part of subcall function 0041A870: memset.VCRUNTIME140(?), ref: 0041A8CE
Part of subcall function 0041A870: RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 0041A901
Part of subcall function 0041A870: #265.MFC140U(00000400), ref: 0041A914
Part of subcall function 0041A870: memset.VCRUNTIME140(00000000,00000000,00000400), ref: 0041A925
Part of subcall function 0041A870: memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 0041A938
Part of subcall function 0041A870: memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0041A945
Part of subcall function 0041A870: #266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0041A94B
Part of subcall function 0041A870: RegCloseKey.ADVAPI32(?), ref: 0041A95F

#290.MFC140U(?), ref: 0041AB57

Part of subcall function 0041A980: #1045.MFC140U ref: 0041AB6A
Part of subcall function 0041A980: #290.MFC140U(?), ref: 0041AB9D
Part of subcall function 0041A980: #1045.MFC140U ref: 0041ABB0
Part of subcall function 0041A980: #290.MFC140U(?), ref: 0041ABE3
Part of subcall function 0041A980: #1045.MFC140U ref: 0041ABF6

Strings

%s%s, xrefs: 0041AB3C, 0041AB82, 0041ABC8
\Releasephysx27\CefProcess, xrefs: 0041ABB6
\Releasephysx27\AwesomiumProcess.exe, xrefs: 0041AB2A
\Releasephysx27\QQSpeedMonitor.exe, xrefs: 0041AB70

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$#1045#290$memcpy$#265#266CloseFileOpenOperationQueryValue___report_securityfailure
String ID: %s%s$\Releasephysx27\AwesomiumProcess.exe$\Releasephysx27\CefProcess$\Releasephysx27\QQSpeedMonitor.exe
API String ID: 2711171373-1064650307
Opcode ID: 008733709401969640bc0d187d6e2b868c6903d669df74858db773c5a1327317
Instruction ID: 8f3d607e707df87c1a9dfb04db9dc6e30998fa65c2c7f3af6ebae7566a4efa68
Opcode Fuzzy Hash: 008733709401969640bc0d187d6e2b868c6903d669df74858db773c5a1327317
Instruction Fuzzy Hash: FB5191B5D4011C9ADB20EB60DC85BEDB3B8EF54304F4045EAE649A3181EF785BC98F99

Function 0041A1C0 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 86windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0041A1FF
memset.VCRUNTIME140(?,00000000,00000200), ref: 0041A21D
#296.MFC140U ref: 0041A22B
#296.MFC140U ref: 0041A23E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041A255
#5850.MFC140U(?,00000000,00000001), ref: 0041A26B
#4815.MFC140U(?,%s\GzxItem\%s.ini,?,00000000), ref: 0041A28A
#1045.MFC140U ref: 0041A299
GetFileAttributesW.KERNEL32(?), ref: 0041A2A5
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0041A2C3
#1045.MFC140U ref: 0041A2CF
#1045.MFC140U ref: 0041A2DB

Strings

%s\GzxItem\%s.ini, xrefs: 0041A284
open, xrefs: 0041A2BC

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045$#296$#4815#5850AttributesExecuteFileFolderMessagePathSendShellSpecialmemset
String ID: %s\GzxItem\%s.ini$open
API String ID: 1297625082-1296819631
Opcode ID: 69e2b09f1977aac19d1fc4a88df02c9483ce167c686d428312a9f6d4206d12ba
Instruction ID: 336035fa49033220d32677aaaddf8ae4e11f1d2aead55abe3fda85a95ea5e9f4
Opcode Fuzzy Hash: 69e2b09f1977aac19d1fc4a88df02c9483ce167c686d428312a9f6d4206d12ba
Instruction Fuzzy Hash: 8A315C7198021DAFDB20AB50DC4DFDDBB78EB14711F1005A9F615A62E0DBB41A84CB95

Function 00407230 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 175fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,?,?,?,004032DC), ref: 00407261
memset.VCRUNTIME140(?,00000000,00000100,?,004032DC), ref: 00407275
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,004032DC), ref: 00407288
memset.VCRUNTIME140(?,00000000,00005000,?,?,?,?,?,?,?,004032DC), ref: 004072B7
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049AFC8,?,?,?,?,?,?,?,?,?,?,004032DC), ref: 004072CC
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004032DC), ref: 004072EC
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 004072F5
fseek.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000000,00000000), ref: 0040730A
fread.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,?), ref: 00407322
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00407329

Part of subcall function 0040D850: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,Et@,?,0040D7FF,?,?,?,?,00407445,?), ref: 0040D881

Strings

0hJ, xrefs: 004073C6
%s\GZXIP.db, xrefs: 0040729A
0hJ, xrefs: 00407390

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$fseek$FolderPathSpecialXlength_error@std@@fclosefopenfreadftell
String ID: %s\GZXIP.db$0hJ$0hJ
API String ID: 941492005-2065257852
Opcode ID: d56eb0e2ff55fef967f7f30225ec8279dc5478d80206a93fb74f092413f25a9b
Instruction ID: 83a302b39a77785e654ded9804cc057f393d13129e4f4015a7e8f8bdd53e3b71
Opcode Fuzzy Hash: d56eb0e2ff55fef967f7f30225ec8279dc5478d80206a93fb74f092413f25a9b
Instruction Fuzzy Hash: 6661E370A092419BD724EB24DC51B9B7BE8EF40304F45443EF989A72D1E738B944CBCA

Function 0041CFF0 Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 85windowthreadCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041D02C
#296.MFC140U(?,BEE31567), ref: 0041D03A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041D054
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041D06D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041D08B
WritePrivateProfileStringW.KERNEL32(0049B89C,,g0W,0049BF80), ref: 0041D0AC
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041D0C1
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00015A90,00000000,00000000,00000000), ref: 0041D0DF
CloseHandle.KERNEL32(00000000), ref: 0041D0EE
TerminateThread.KERNEL32(00000000), ref: 0041D0FC
#1045.MFC140U ref: 0041D108

Strings

,g0W, xrefs: 0041D0A2
%s\IPsET.ini, xrefs: 0041D067

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815CloseFolderHandlePathPrivateProfileSpecialStringTerminateThreadWrite_beginthreadexmemset
String ID: %s\IPsET.ini$,g0W
API String ID: 2869469165-1155573605
Opcode ID: 29a9be1ee3626c00686c93cbfcd121a86546ae63e4fab5112cfc06bb32718cdb
Instruction ID: 99980a129d7e5a182fffc4035dc72f10164ace32fc80e659466056a9cf6415eb
Opcode Fuzzy Hash: 29a9be1ee3626c00686c93cbfcd121a86546ae63e4fab5112cfc06bb32718cdb
Instruction Fuzzy Hash: 48318471A80209BFEB209B60EC4AFAD7B78FB04B01F504579F615A61D0DBB469008F9C

Function 0041D130 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041D16C
#296.MFC140U(?,BEE31567), ref: 0041D17A
#296.MFC140U(?,BEE31567), ref: 0041D18D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041D1A4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041D1BD
#7820.MFC140U(?), ref: 0041D1D3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041D1DF
WritePrivateProfileStringW.KERNEL32(0049B89C,,g0W,?,?), ref: 0041D203
#1045.MFC140U ref: 0041D20F
#1045.MFC140U ref: 0041D21B

Strings

,g0W, xrefs: 0041D1F9
%s\IPsET.ini, xrefs: 0041D1B7
N', xrefs: 0041D1DF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$,g0W$N'
API String ID: 1890701572-2969577077
Opcode ID: 7e9e14213f426b16d5862c7edc541af054204638e4db232ba8aedc06cb88a115
Instruction ID: 188cc49ce3d239b8f68dee750890b65beab7185bb525631c6cee1ea2e086df1d
Opcode Fuzzy Hash: 7e9e14213f426b16d5862c7edc541af054204638e4db232ba8aedc06cb88a115
Instruction Fuzzy Hash: 2D214FB194025DAFDB20EB60EC4DBDDBB78FB14704F4005AAE519A21A0EB741A48CFD9

Function 0047B1D0 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 0047B1FE
GetProcAddress.KERNEL32(00000000), ref: 0047B205
memset.VCRUNTIME140(?,00000000,0000010C,00000000), ref: 0047B26C
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 0047B2D1
VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 0047B2DB
VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 0047B2F8
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 0047B304
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 0047B32C
VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 0047B3B9

Strings

RtlVerifyVersionInfo, xrefs: 0047B1F4
ntdll, xrefs: 0047B1F9
&,, xrefs: 0047B311

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProcmemset
String ID: &,$RtlVerifyVersionInfo$ntdll
API String ID: 2720349688-1577282042
Opcode ID: 9ab99024b4fde7f7bb1f7fe07f8ebbe14482fc21193bd9f2e93d9101f23a5d0e
Instruction ID: c54ea35385228ee7729eada364de058bae6425ce7b341353238d68799ba28596
Opcode Fuzzy Hash: 9ab99024b4fde7f7bb1f7fe07f8ebbe14482fc21193bd9f2e93d9101f23a5d0e
Instruction Fuzzy Hash: AE51D271609340AFE7209B64DC46BEF7BD8DFC9310F04885EF98C97291C77998448B9A

Function 0040F130 Relevance: 21.2, APIs: 14, Instructions: 169sleepstringCOMMON

Download Yara Rule

APIs

#19.WS2_32(00000000,?,00000004,00000000,00000000), ref: 0040F178
Sleep.KERNEL32(00000064,-00000002,80000015), ref: 0040F1A0
#16.WS2_32(00000000,02000205,00000400,00000000), ref: 0040F1B8
lstrlenA.KERNEL32(?), ref: 0040F1F4
wsprintfA.USER32 ref: 0040F21C
wsprintfA.USER32 ref: 0040F240
#19.WS2_32(00000000,?,-00000003,00000000), ref: 0040F253
Sleep.KERNEL32(00000064), ref: 0040F265
#16.WS2_32(00000000,?,00000400,00000000), ref: 0040F27D
OutputDebugStringA.KERNEL32(?), ref: 0040F290

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Sleepwsprintf$DebugOutputStringlstrlen
String ID:
API String ID: 2704851267-0
Opcode ID: 5ef97aadff4cd9d3b510b371c3d0ad4dd753b1105438e528263b350caf6754d2
Instruction ID: 86f0542434d3517769313e4aabb610ecedefff10e4b68f2a4908287a30f76b3d
Opcode Fuzzy Hash: 5ef97aadff4cd9d3b510b371c3d0ad4dd753b1105438e528263b350caf6754d2
Instruction Fuzzy Hash: 745194B5A001199FDB209F65DD45BAE7BB8EF04300F0045FAEB08B7292D7755E858F98

Function 00447F50 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148librarystringloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,0047B5FD,security.dll,00000004,00000000,00000000,00000002,00000002,004481A6), ref: 00447F5A
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00447F72
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00490074,?,?,?,security.dll,0047B5FD,security.dll,00000004,00000000,00000000,00000002,00000002,004481A6), ref: 00447F84

Strings

LoadLibraryExA, xrefs: 00447F6C
kernel32, xrefs: 00447F53
security.dll, xrefs: 00447F50
AddDllDirectory, xrefs: 00447FB7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32$security.dll
API String ID: 27745253-2138446276
Opcode ID: ad765d769bae2a8d3bc24abc084eda407d98ceeb7e4eedcddc07b9e510525066
Instruction ID: 8a21db167b18b50d4b8ed8a26f7017ee3a39dd784298ac3a4074fc324a2b5418
Opcode Fuzzy Hash: ad765d769bae2a8d3bc24abc084eda407d98ceeb7e4eedcddc07b9e510525066
Instruction Fuzzy Hash: 894116363083055FEB105F68BC48B6F7B45EF85366F28457EEA4286642DF6AC40A47A8

Function 0040C4F0 Relevance: 21.1, APIs: 14, Instructions: 100COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C541
#8.WS2_32(00000000,00000003,00000000), ref: 0040C55B
GetTickCount.KERNEL32 ref: 0040C56E
#8.WS2_32(00000000), ref: 0040C575

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13253.MFC140U(?,00000000), ref: 0040C592
#13253.MFC140U(?,00000000), ref: 0040C59C
#13253.MFC140U(?,00000000), ref: 0040C5A6
#13253.MFC140U(?,00000000), ref: 0040C5B0
#13253.MFC140U(?,00000000), ref: 0040C5BA
#13253.MFC140U(?,?), ref: 0040C5C5
#13253.MFC140U(?,?), ref: 0040C5D0
#13253.MFC140U(?,00000000), ref: 0040C5DA
#13253.MFC140U(?,00000000), ref: 0040C5E4
#1067.MFC140U(?,?,?,?), ref: 0040C5FD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 861d645e57f2f8941d2f4d74998f624b3b3ca28bf17073f81b4226feacf9ee2f
Instruction ID: 95b196d8c40f7d7faceff75bf9a77f50fd1544b9492458ad24d1d40f0377b9e0
Opcode Fuzzy Hash: 861d645e57f2f8941d2f4d74998f624b3b3ca28bf17073f81b4226feacf9ee2f
Instruction Fuzzy Hash: E7417731D0021EABDF11DFA1CD56BEEBFB5EF08314F20402AE515362A0EB762A15CB94

Function 00430520 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00430523
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0043052B
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00430556
__sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00430560
strrchr.VCRUNTIME140(?,0000000A), ref: 004305AD
strrchr.VCRUNTIME140(?,0000000D), ref: 004305C8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004305E6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 004305F0
GetLastError.KERNEL32 ref: 004305F4
SetLastError.KERNEL32(00000000), ref: 004305FF

Strings

2', xrefs: 0043052B, 004305E0
Unknown error %d (%#x), xrefs: 0043059B

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerr
String ID: 2'$Unknown error %d (%#x)
API String ID: 3904614065-3474087152
Opcode ID: 2a1844617d69a72901d04832cdc8f12eb1a388cc2496d63ec63659518e9afc06
Instruction ID: 2b85e4f07b61d8840c559b278c857dd2f3f785baff9c1b4be7cb5fd274d2f4a9
Opcode Fuzzy Hash: 2a1844617d69a72901d04832cdc8f12eb1a388cc2496d63ec63659518e9afc06
Instruction Fuzzy Hash: C921F3716052016FE711AB259C59B2F7798EF5A359F15192EF80182262EB289801CBFA

Function 0041BCF0 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0041BD34
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0041BD44
memset.VCRUNTIME140(?,00000000,00000200), ref: 0041BD59
#296.MFC140U ref: 0041BD67
#296.MFC140U ref: 0041BD7A
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0041BD91
#4815.MFC140U(?,%s\IPsET.ini,?), ref: 0041BDB0
#4815.MFC140U(?,0049B244,00000000), ref: 0041BDC6
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9A8,?,?), ref: 0041BDE1
#1045.MFC140U ref: 0041BDED
#1045.MFC140U ref: 0041BDF9

Strings

%s\IPsET.ini, xrefs: 0041BDAA

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296#4815MessageSend$FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 215349424-2680549692
Opcode ID: 1aa207f4f0f58a8c1f36804ba4f033be6df968764cf97eea2421ee7f15e22ed5
Instruction ID: 4c3a7b29faf475bffda98908503532f4af1d9a8d9cd9754c530fdd8869476242
Opcode Fuzzy Hash: 1aa207f4f0f58a8c1f36804ba4f033be6df968764cf97eea2421ee7f15e22ed5
Instruction Fuzzy Hash: EA316F7198021DAFDB109B50DD89BDDBB78EB14711F1005AAF619A31E0DBB42A44CFE9

Function 004195D0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041960C
#296.MFC140U(?,BEE31567), ref: 0041961A
#296.MFC140U(?,BEE31567), ref: 0041962D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 00419644
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041965D
#7820.MFC140U(?), ref: 00419673
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041967F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA74,?,?), ref: 004196A8
#1045.MFC140U ref: 004196B4
#1045.MFC140U ref: 004196C0

Strings

%s\IPsET.ini, xrefs: 00419657
N', xrefs: 0041967F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 8f3dd52112b14621fc7dc7130d5e21e606f9aea1b02f777a4a8bd5fd35e4ad62
Instruction ID: 3dc508f1e599eb7f03ced0e2a6c19f3e33225524dcc9f9750767f9617f5106f7
Opcode Fuzzy Hash: 8f3dd52112b14621fc7dc7130d5e21e606f9aea1b02f777a4a8bd5fd35e4ad62
Instruction Fuzzy Hash: EE2130B194021DAFDB10EF60ED8DBDDBBB8FB14705F0005B9E519921A0EB745A48CF99

Function 0041C040 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041C07C
#296.MFC140U(?,BEE31567), ref: 0041C08A
#296.MFC140U(?,BEE31567), ref: 0041C09D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041C0B4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041C0CD
#7820.MFC140U(?), ref: 0041C0E3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041C0EF
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B908,?,?), ref: 0041C113
#1045.MFC140U ref: 0041C11F
#1045.MFC140U ref: 0041C12B

Strings

%s\IPsET.ini, xrefs: 0041C0C7
N', xrefs: 0041C0EF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 056385f7323b8dddeb2f734efaa40d4f98900c346b9a1352094f526240fa02ff
Instruction ID: 81fd08f95c202e1b9679363fe77d3038651f3e13d6976ca76423fb4961401009
Opcode Fuzzy Hash: 056385f7323b8dddeb2f734efaa40d4f98900c346b9a1352094f526240fa02ff
Instruction Fuzzy Hash: 2C214FB194021DAFDB20EB60ED8DBDDBB78FB14705F0005A9E519A21A0EB745A48CFD9

Function 0041A0B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041A0EC
#296.MFC140U(?,BEE31567), ref: 0041A0FA
#296.MFC140U(?,BEE31567), ref: 0041A10D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041A124
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041A13D
#7820.MFC140U(?), ref: 0041A153
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA5C,?,?), ref: 0041A16F
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041A17B
#1045.MFC140U ref: 0041A18F
#1045.MFC140U ref: 0041A19B

Strings

%s\IPsET.ini, xrefs: 0041A137
N', xrefs: 0041A17B

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 5582829a399c0650d8979cca5ce48261060cacb4dfb781a10bf905e8f287c61c
Instruction ID: 99d82ed407c0134d7d4c505d15210ac07584f87d46ced81faec53789696776a1
Opcode Fuzzy Hash: 5582829a399c0650d8979cca5ce48261060cacb4dfb781a10bf905e8f287c61c
Instruction Fuzzy Hash: 122141B194021DAFDB20EB60DC4DBDDBB78FB14704F0005A9E519921A0EB745A44CFD5

Function 0041C150 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041C18C
#296.MFC140U(?,BEE31567), ref: 0041C19A
#296.MFC140U(?,BEE31567), ref: 0041C1AD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041C1C4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041C1DD
#7820.MFC140U(?), ref: 0041C1F3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041C1FF
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B918,?,?), ref: 0041C223
#1045.MFC140U ref: 0041C22F
#1045.MFC140U ref: 0041C23B

Strings

%s\IPsET.ini, xrefs: 0041C1D7
N', xrefs: 0041C1FF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 6825b2b0842d3db4ba476073d900d1d232a3ab26800b004d4c8d017d9514a352
Instruction ID: 1c98a1be443b6a496fafda71b9356334692ccf1d40b2c88382a64f5436f84622
Opcode Fuzzy Hash: 6825b2b0842d3db4ba476073d900d1d232a3ab26800b004d4c8d017d9514a352
Instruction Fuzzy Hash: AF2141B194021DAFDF10EB60DC4DBDDBB78FB14705F4005A9E519921A0DB741A44CFD9

Function 0041C260 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041C29C
#296.MFC140U(?,BEE31567), ref: 0041C2AA
#296.MFC140U(?,BEE31567), ref: 0041C2BD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041C2D4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041C2ED
#7820.MFC140U(?), ref: 0041C303
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041C30F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B92C,?,?), ref: 0041C333
#1045.MFC140U ref: 0041C33F
#1045.MFC140U ref: 0041C34B

Strings

%s\IPsET.ini, xrefs: 0041C2E7
N', xrefs: 0041C30F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 7a5ea3a5e11cbb90c7d5fa7617be280215f3e7ecc67773acc230a1e66b5d4f62
Instruction ID: 1e55a8d9fc01bb69f2a227270430dffe2bf3046f68c7c2b507267c4285cc7eaf
Opcode Fuzzy Hash: 7a5ea3a5e11cbb90c7d5fa7617be280215f3e7ecc67773acc230a1e66b5d4f62
Instruction Fuzzy Hash: 082141B194021DAFDB10EB60DC8DBDDBBB8FB14704F4005B9E519921A0DB745A44CFD5

Function 0041DA60 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041DA9C
#296.MFC140U(?,BEE31567), ref: 0041DAAA
#296.MFC140U(?,BEE31567), ref: 0041DABD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041DAD4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041DAED
#7820.MFC140U(?), ref: 0041DB03
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041DB0F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B964,?,?), ref: 0041DB33
#1045.MFC140U ref: 0041DB3F
#1045.MFC140U ref: 0041DB4B

Strings

%s\IPsET.ini, xrefs: 0041DAE7
N', xrefs: 0041DB0F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 7810269e36a44f9604e25efddcc750652a191075407d2476c956ccc2c8425dbd
Instruction ID: 705c1b805935fba88082ee75b28091257575763a8737957f605c55649a5927ed
Opcode Fuzzy Hash: 7810269e36a44f9604e25efddcc750652a191075407d2476c956ccc2c8425dbd
Instruction Fuzzy Hash: 902141B194025DAFDB10EB60EC4DBDDBB78FB14704F0005B9E519A21A0DB745A44CFD5

Function 0041F210 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041F24C
#296.MFC140U(?,BEE31567), ref: 0041F25A
#296.MFC140U(?,BEE31567), ref: 0041F26D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041F284
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041F29D
#7820.MFC140U(?), ref: 0041F2B3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041F2BF
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA94,?,?), ref: 0041F2E3
#1045.MFC140U ref: 0041F2EF
#1045.MFC140U ref: 0041F2FB

Strings

%s\IPsET.ini, xrefs: 0041F297
N', xrefs: 0041F2BF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 9d3961dea4198f6a37b292c1c19db41b087774eaebcedbd9e9fbcfd9c3d87b91
Instruction ID: caf54839cae472008044a87992cea0f92737de7af060013e27b65dbb7ae4ec87
Opcode Fuzzy Hash: 9d3961dea4198f6a37b292c1c19db41b087774eaebcedbd9e9fbcfd9c3d87b91
Instruction Fuzzy Hash: 4521217194021DAFDB20EB60DD8DBDDBB78FB14705F0005AAE519921A0DB745A48CFD5

Function 0041A420 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041A45C
#296.MFC140U(?,BEE31567), ref: 0041A46A
#296.MFC140U(?,BEE31567), ref: 0041A47D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041A494
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041A4AD
#7820.MFC140U(?), ref: 0041A4C3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041A4CF
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA88,?,?), ref: 0041A4F3
#1045.MFC140U ref: 0041A4FF
#1045.MFC140U ref: 0041A50B

Strings

%s\IPsET.ini, xrefs: 0041A4A7
N', xrefs: 0041A4CF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: ff3ab53fb665e8fd12f397d2f71d80a1ef2a88dd3420c43e19be34717b87832e
Instruction ID: d51dff8d8a5e5e5f1198c658c518c7fe59345cc6c911ea6f363f133f4ef24f69
Opcode Fuzzy Hash: ff3ab53fb665e8fd12f397d2f71d80a1ef2a88dd3420c43e19be34717b87832e
Instruction Fuzzy Hash: BA212FB194021DAFDB20EB60ED4DBDDBB78FB14705F0005B9E519A21A0EB745A48CFD9

Function 0041C480 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041C4BC
#296.MFC140U(?,BEE31567), ref: 0041C4CA
#296.MFC140U(?,BEE31567), ref: 0041C4DD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041C4F4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041C50D
#7820.MFC140U(?), ref: 0041C523
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041C52F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B998,?,?), ref: 0041C553
#1045.MFC140U ref: 0041C55F
#1045.MFC140U ref: 0041C56B

Strings

%s\IPsET.ini, xrefs: 0041C507
N', xrefs: 0041C52F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: e442d49a937f26be8aad13b2a2d4b125662c5e2b93a2637d7a2176c0ed28de0f
Instruction ID: 1097ab6594bc5e8179cf54520b8c4885fb3becf6e7a05a4e684fdec7d582467e
Opcode Fuzzy Hash: e442d49a937f26be8aad13b2a2d4b125662c5e2b93a2637d7a2176c0ed28de0f
Instruction Fuzzy Hash: 23214FB194021DAFDB20EB60ED8DBDDBB78FB14705F0005A9E519A21A0EB745A48CFD9

Function 0041CC80 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041CCBC
#296.MFC140U(?,BEE31567), ref: 0041CCCA
#296.MFC140U(?,BEE31567), ref: 0041CCDD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041CCF4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041CD0D
#7820.MFC140U(?), ref: 0041CD23
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041CD2F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B948,?,?), ref: 0041CD53
#1045.MFC140U ref: 0041CD5F
#1045.MFC140U ref: 0041CD6B

Strings

%s\IPsET.ini, xrefs: 0041CD07
N', xrefs: 0041CD2F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 332f850822cec1636786216aa61104696d8a8953f794195cbe1b46fbe82647c5
Instruction ID: 11b94cec05345100971117ad11de7dfc129a052e5f912fd7e0858ffbc1776dc4
Opcode Fuzzy Hash: 332f850822cec1636786216aa61104696d8a8953f794195cbe1b46fbe82647c5
Instruction Fuzzy Hash: 14214FB194025DAFDB20EB60EC8DBDDBB78FB14705F0005A9E519A21A0EB741A48CFD9

Function 0041BE20 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041BE5C
#296.MFC140U(?,BEE31567), ref: 0041BE6A
#296.MFC140U(?,BEE31567), ref: 0041BE7D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041BE94
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041BEAD
#7820.MFC140U(?), ref: 0041BEC3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041BECF
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8F4,?,?), ref: 0041BEF3
#1045.MFC140U ref: 0041BEFF
#1045.MFC140U ref: 0041BF0B

Strings

%s\IPsET.ini, xrefs: 0041BEA7
N', xrefs: 0041BECF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: db07be371aa92ea280e7c5e39aa9af9e5c49ef242ba6f6967cb73248559f8e6d
Instruction ID: 437b25ad0ab63491ea4813ea78d3c82c0d355f040e8a0066ae143e6f315ddb68
Opcode Fuzzy Hash: db07be371aa92ea280e7c5e39aa9af9e5c49ef242ba6f6967cb73248559f8e6d
Instruction Fuzzy Hash: 01214FB194021DAFDB20EB60EC4DBDDBB78FB14705F0005BAE519A21A0EB745A48CFD9

Function 0041CEE0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041CF1C
#296.MFC140U(?,BEE31567), ref: 0041CF2A
#296.MFC140U(?,BEE31567), ref: 0041CF3D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041CF54
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041CF6D
#7820.MFC140U(?), ref: 0041CF83
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041CF8F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B954,?,?), ref: 0041CFB3
#1045.MFC140U ref: 0041CFBF
#1045.MFC140U ref: 0041CFCB

Strings

%s\IPsET.ini, xrefs: 0041CF67
N', xrefs: 0041CF8F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: e1b0e5cd082da36c801772f8cacff39d6277cf5283b918cf75ecfc88c0dd85f0
Instruction ID: ff64407085745f2c616f1310b5765fe7471fa2dbd2fcd00781ecb9c87a09d5ea
Opcode Fuzzy Hash: e1b0e5cd082da36c801772f8cacff39d6277cf5283b918cf75ecfc88c0dd85f0
Instruction Fuzzy Hash: 392141B194025DAFDB10EB60DD4DBDDBB78FB14704F0005A9E519921A0DB741A48CFD5

Function 0041C6A0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041C6DC
#296.MFC140U(?,BEE31567), ref: 0041C6EA
#296.MFC140U(?,BEE31567), ref: 0041C6FD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041C714
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041C72D
#7820.MFC140U(?), ref: 0041C743
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041C74F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B938,?,?), ref: 0041C773
#1045.MFC140U ref: 0041C77F
#1045.MFC140U ref: 0041C78B

Strings

%s\IPsET.ini, xrefs: 0041C727
N', xrefs: 0041C74F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 186cc2706746ba64b450801dc95eae97c9ab4f354a8d78f7858c4138b4dea594
Instruction ID: aa837a25fbe9fa46edbf8ab0faf0986cdaaa03f09c0d9310155dc49bd5e418b8
Opcode Fuzzy Hash: 186cc2706746ba64b450801dc95eae97c9ab4f354a8d78f7858c4138b4dea594
Instruction Fuzzy Hash: EC2141B194021DAFDB10EB60DC8DBDDBB78FB14705F0005A9E519921A0DB745A44CFD9

Function 0041DF10 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041DF4C
#296.MFC140U(?,BEE31567), ref: 0041DF5A
#296.MFC140U(?,BEE31567), ref: 0041DF6D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041DF84
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041DF9D
#7820.MFC140U(?), ref: 0041DFB3
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA50,?,?), ref: 0041DFCF
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041DFDB
#1045.MFC140U ref: 0041DFEF
#1045.MFC140U ref: 0041DFFB

Strings

%s\IPsET.ini, xrefs: 0041DF97
N', xrefs: 0041DFDB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 84c8423dd63ccc40aad89c9defc68ddae59f255e4065636952c4f7b13a5742ee
Instruction ID: d1be1888da1413864690782f0d79d65375d527de3e7ac08b5ce599f677ca6045
Opcode Fuzzy Hash: 84c8423dd63ccc40aad89c9defc68ddae59f255e4065636952c4f7b13a5742ee
Instruction Fuzzy Hash: 7821417194021DAFDB20EB60DC4DBDDBB78FB14704F0005B9E51AA21A0DB745A44CFD9

Function 0041DB70 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000200,BEE31567), ref: 0041DBAC
#296.MFC140U(?,BEE31567), ref: 0041DBBA
#296.MFC140U(?,BEE31567), ref: 0041DBCD
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,BEE31567), ref: 0041DBE4
#4815.MFC140U(?,%s\IPsET.ini,?,?,BEE31567), ref: 0041DBFD
#7820.MFC140U(?), ref: 0041DC13
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041DC1F
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B970,?,?), ref: 0041DC3E
#1045.MFC140U ref: 0041DC4A
#1045.MFC140U ref: 0041DC56

Strings

%s\IPsET.ini, xrefs: 0041DBF7
N', xrefs: 0041DC1F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815#7820FolderPathPrivateProfileSpecialStringWrite_wtollmemset
String ID: %s\IPsET.ini$N'
API String ID: 1890701572-2529619940
Opcode ID: 572c29817771f9a30c1981239e905bccdd47d1f5780ec79bc09f550d9d3ae041
Instruction ID: 9fa369e77ccc7df2d908d101c5ff16b748e99fa8fd5f1e846fe7a7ed9fac8eb5
Opcode Fuzzy Hash: 572c29817771f9a30c1981239e905bccdd47d1f5780ec79bc09f550d9d3ae041
Instruction Fuzzy Hash: AE21517194021DAFDF20EB60DC8DBDDB778FB14704F0005A9E519A21A0DB741A48CFD9

Function 0041B8F0 Relevance: 19.6, APIs: 13, Instructions: 123windowthreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0041B91D
memset.VCRUNTIME140(?,00000000,00000400), ref: 0041B93D
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 0041B950
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 0041B980
WritePrivateProfileStringA.KERNEL32(0049AC88,00000000,0049C1A0,?), ref: 0041B9D3
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0041BA08
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BA19
TerminateThread.KERNEL32(00000000), ref: 0041BA2E
TerminateThread.KERNEL32(00000000), ref: 0041BA38
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00016740,00000000,00000000,00000000,?,0049C1A4), ref: 0041BA68
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,004165F0,00000000,00000000,00000000), ref: 0041BA7E
CloseHandle.KERNEL32(00000000), ref: 0041BA8F
CloseHandle.KERNEL32 ref: 0041BA97

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$CloseHandleTerminateThread_beginthreadexmemset$FolderPathPrivateProfileSpecialStringWrite
String ID:
API String ID: 952308022-0
Opcode ID: 445549058f7f0eb7b64a837a8afc710bc257735971cf1fb3472d7f3cce9f23cd
Instruction ID: 074ac0f2eea7468031305d0e8d1503bb68818cb587f1404fe20ddc7373a4b189
Opcode Fuzzy Hash: 445549058f7f0eb7b64a837a8afc710bc257735971cf1fb3472d7f3cce9f23cd
Instruction Fuzzy Hash: 4441A471A80308BBEB209B64DC46F997BE8EB09704F54416AF604BA1D1DBB579448FDC

Function 00416490 Relevance: 18.1, APIs: 12, Instructions: 98timewindowCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,BEE31567), ref: 004164CB

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

KillTimer.USER32(?,?,?), ref: 004164FE
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00416515
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,004182D0,00000000,00000000,00000000), ref: 0041653A
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00416740,00000000,00000000,00000000), ref: 00416550
CloseHandle.KERNEL32 ref: 00416566
CloseHandle.KERNEL32 ref: 0041656E
#296.MFC140U(?), ref: 00416575
#4815.MFC140U(?,0049BD10), ref: 00416591
SendMessageW.USER32(?,0000040B,00000002,?), ref: 004165AC
#1045.MFC140U ref: 004165B5
KillTimer.USER32(?,?,BEE31567), ref: 004165C1

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CloseHandleKillMessageSendTimer_beginthreadex$#1045#296#4815_localtime64_s_time64
String ID:
API String ID: 1018744923-0
Opcode ID: 4bc9fcaa99c1f24fbbd6b5bcc2e43d48e361d60cd1e94b4b58652aec5cc25b62
Instruction ID: d823225fa67d7b3d05d11e17607d2c4cd21cea47095608dd0daa0ca12f82d9cb
Opcode Fuzzy Hash: 4bc9fcaa99c1f24fbbd6b5bcc2e43d48e361d60cd1e94b4b58652aec5cc25b62
Instruction Fuzzy Hash: 15314D71940208AFDB109F50ED4AFAE7FB4FB05700F11452AFA11A62E0DBB56944DF9D

Function 0041A870 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,0049C0F0,00000000,00020019,?), ref: 0041A8A9
memset.VCRUNTIME140(?), ref: 0041A8CE
RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 0041A901
#265.MFC140U(00000400), ref: 0041A914
memset.VCRUNTIME140(00000000,00000000,00000400), ref: 0041A925
memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 0041A938
memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0041A945
#266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0041A94B
RegCloseKey.ADVAPI32(?), ref: 0041A95F

Strings

path, xrefs: 0041A8F6

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memcpymemset$#265#266CloseOpenQueryValue
String ID: path
API String ID: 2010162712-190089999
Opcode ID: e45ec30603183fe472931c456aed159e3000f97f6f0c934682e739b6de153483
Instruction ID: 290b45ee578c93c29fd534a13cc7de6fec5fc236ccbc43cab681d7f907e99d2d
Opcode Fuzzy Hash: e45ec30603183fe472931c456aed159e3000f97f6f0c934682e739b6de153483
Instruction Fuzzy Hash: 0B217175A00168ABDB21AB51DC45BDEBBBCEF09345F0044EAF648E2100D7B45EC49BA9

Function 0042B688 Relevance: 16.6, APIs: 11, Instructions: 51COMMON

Download Yara Rule

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 0042B68B
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 0042B696
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 0042B69B
___scrt_initialize_onexit_tables.LIBCMT ref: 0042B6AB

Part of subcall function 0042B980: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(004A5518,00000000), ref: 0042B9A5

__RTC_Initialize.LIBCMT ref: 0042B6BA

Part of subcall function 0042BB24: __onexit.LIBCMT ref: 0042BB2A

_configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,0042C4F5), ref: 0042B6CF

Part of subcall function 0042C283: InitializeSListHead.KERNEL32(004A5880,0042B6DF), ref: 0042C288

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_0000FF20), ref: 0042B6ED
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 0042B708
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0042B70E
___scrt_fastfail.LIBCMT ref: 0042B71D
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 0042B723

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit__p__commode__setusermatherr_configthreadlocale_configure_wide_argv_initialize_onexit_table_initialize_wide_environment_set_app_type_set_fmode
String ID:
API String ID: 2645771224-0
Opcode ID: 2be18f6bc422b402f082ebb10eb680fbe4665cab59fdd027363790e551cb0b2e
Instruction ID: 089f6b4231b4f5acc3db48bab8d18190d32ed379483d87cf67b6b4a0a56164ac
Opcode Fuzzy Hash: 2be18f6bc422b402f082ebb10eb680fbe4665cab59fdd027363790e551cb0b2e
Instruction Fuzzy Hash: 02F03762F4023290D96433F37887A5F02888F4135DFD489BFB504A6AC7EE6D904481BE

Function 00419BE0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?), ref: 00419C6B
#296.MFC140U ref: 00419C97

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

#4815.MFC140U(?,0049BC08,00000000,00000000,00000000,FFFFFFFF,FFFFFFFF,?,?,?,?,?), ref: 00419D6D
#13656.MFC140U(?,00000012,?), ref: 00419D87
#296.MFC140U ref: 00419DF0
#4815.MFC140U(?,%d/%d,?), ref: 00419E25
SendMessageW.USER32(?,0000040B,00000003,?), ref: 00419E40
#1045.MFC140U ref: 00419E50

Strings

%d/%d, xrefs: 00419E1F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #296#4815$#1045#13656MessageSend_localtime64_s_time64
String ID: %d/%d
API String ID: 1509501840-3933881158
Opcode ID: a3a4ab5ba99bdf4b61c7abf81d6a589993e8c90f0a4769120f8d8911418b0c7e
Instruction ID: 4ffe216d2cb3712b9bb08c45442a67266f7e7ae4082627757e88a9956c450a49
Opcode Fuzzy Hash: a3a4ab5ba99bdf4b61c7abf81d6a589993e8c90f0a4769120f8d8911418b0c7e
Instruction Fuzzy Hash: 76819271900119DFDB15DF94DD44BEEB7B4FB44304F0481AAE909B72A1EB38AA84CF98

Function 00419810 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 124sleepCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000010), ref: 0041984B
Sleep.KERNEL32(000003E8), ref: 004198B0
GetTickCount.KERNEL32 ref: 004198BF
GetTickCount.KERNEL32 ref: 004198C6
GetTickCount.KERNEL32 ref: 004198ED
memset.VCRUNTIME140(?,00000000,00000100), ref: 0041990F

Strings

10083|%d|%d|%d|%s%s|2, xrefs: 00419944
103.7.141.205, xrefs: 0041987E
10083|%d|%d|%d|%s%s|1, xrefs: 0041993D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CountTick$#1511Sleepmemset
String ID: 10083|%d|%d|%d|%s%s|1$10083|%d|%d|%d|%s%s|2$103.7.141.205
API String ID: 3682973178-402540188
Opcode ID: 699da888ac3e0ae8bc5aa5425e882c7028ef3f9610aea8b7cd9309a8ec010e44
Instruction ID: e34e9e2839ed74973b3d7a120dc1ec79c18e6491a7df882909e9194d4ce032aa
Opcode Fuzzy Hash: 699da888ac3e0ae8bc5aa5425e882c7028ef3f9610aea8b7cd9309a8ec010e44
Instruction Fuzzy Hash: 294128B0A102149BCB24AF26ED55BAABB69AB56701F04417EE804572D1D7B85CC4CFEC

Function 00413852 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000800), ref: 0041386C
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?), ref: 004138D9
WritePrivateProfileStringA.KERNEL32(?,Soso,?,?), ref: 0041391B
#296.MFC140U ref: 00413943
#2477.MFC140U(?,%02X,?), ref: 00413975
#280.MFC140U(?), ref: 00413990
#1045.MFC140U ref: 004139A7

Strings

%02X, xrefs: 0041396F
Soso, xrefs: 00413915

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#2477#280#296PrivateProfileStringWrite_time64memset
String ID: %02X$Soso
API String ID: 2489403887-65949111
Opcode ID: 47d338de4f8a40f26c17387a3403614a82fbc304e7b261946d3d0a3226946cbe
Instruction ID: 5fe860f3e25e2d4e6b5af813ffbc04e45223761ca268136e71a2155254c11b31
Opcode Fuzzy Hash: 47d338de4f8a40f26c17387a3403614a82fbc304e7b261946d3d0a3226946cbe
Instruction Fuzzy Hash: CE41F171D001288FCB24DB24DC58BDEB7B5EB49302F0441EEE94AA7191DB386B84CF84

Function 0041A640 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041A67C
#296.MFC140U(?,BEE31567), ref: 0041A68A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041A6A4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041A6BD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A6D5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A6FB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9C4,0049BF80), ref: 0041A71C
#1045.MFC140U ref: 0041A728

Strings

%s\IPsET.ini, xrefs: 0041A6B7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 7c51b118ab6d8a581861d703450387b5b53046f8ea39c349f30b0b926a392098
Instruction ID: f1f8e54bf714617daab05644f516b0fb0c57dc43a70ddf7109a372f80e183724
Opcode Fuzzy Hash: 7c51b118ab6d8a581861d703450387b5b53046f8ea39c349f30b0b926a392098
Instruction Fuzzy Hash: CF21A77168020DAFDB109B50DD4AFADBB78FB44B04F50057DF615961D1DBB46A048B98

Function 004190E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041911C
#296.MFC140U(?,BEE31567), ref: 0041912A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 00419144
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041915D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041917B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B890,0049BF80), ref: 0041919C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004191B1
#1045.MFC140U ref: 004191C2

Strings

%s\IPsET.ini, xrefs: 00419157

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 3118aeea76132e1f841d5e64098436478b647782944148b808b6443af7850322
Instruction ID: 3728dff9029ddb0259a7529e43163752159048560694a767f86ed1078e422793
Opcode Fuzzy Hash: 3118aeea76132e1f841d5e64098436478b647782944148b808b6443af7850322
Instruction Fuzzy Hash: EB215671A8020DAFDB20DB60DD4AFADBB78FB44700F50057EF615961D0DBB469048F99

Function 0041D950 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041D98C
#296.MFC140U(?,BEE31567), ref: 0041D99A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041D9B4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041D9CD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041D9EB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA38,0049BF80), ref: 0041DA0C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041DA21
#1045.MFC140U ref: 0041DA32

Strings

%s\IPsET.ini, xrefs: 0041D9C7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 8167c30e619bbe7dc641092a94bbc96c5fc72f11385d9a0d748b333f82e1a313
Instruction ID: d69f8ef26db988c5593fd6d6728b97bee46f6847398a0e6d791768382fa79d90
Opcode Fuzzy Hash: 8167c30e619bbe7dc641092a94bbc96c5fc72f11385d9a0d748b333f82e1a313
Instruction Fuzzy Hash: C0219871A8020DAFDB20DB60ED4AFADBBB8FB44700F50057EF615961D0DBB469048F98

Function 0041D240 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041D27C
#296.MFC140U(?,BEE31567), ref: 0041D28A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041D2A4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041D2BD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041D2DB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA1C,0049BF80), ref: 0041D2FC
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041D311
#1045.MFC140U ref: 0041D322

Strings

%s\IPsET.ini, xrefs: 0041D2B7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 66a36bad4b7d86482176a61634c427b8613d5cad95ed10b3a46b1c1d34ae203c
Instruction ID: 7ba975cd8c8a54367c7de1778d7625c47a9f1b29f493aea8229c109776bddcb0
Opcode Fuzzy Hash: 66a36bad4b7d86482176a61634c427b8613d5cad95ed10b3a46b1c1d34ae203c
Instruction Fuzzy Hash: 4B215371A8020DAFDB20DB60ED4AFADBB78FB44700F50457EF615A62D0DBB469048F99

Function 0041BAD0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041BB0C
#296.MFC140U(?,BEE31567), ref: 0041BB1A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041BB34
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041BB4D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BB6B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9D0,0049BF80), ref: 0041BB8C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BBA1
#1045.MFC140U ref: 0041BBB2

Strings

%s\IPsET.ini, xrefs: 0041BB47

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 14292b69a22f342e2386322bc8daca84ba690d7da8f8a523feb3414a0a40887f
Instruction ID: 8842601df5acf89b38683d16841df19b9b8534e91e7706f7aed0727e64d2b44b
Opcode Fuzzy Hash: 14292b69a22f342e2386322bc8daca84ba690d7da8f8a523feb3414a0a40887f
Instruction Fuzzy Hash: CA218671A8020DAFDB20DB60ED4AFADBB78FB44700F50057EF615961D0DBB469048F98

Function 0041C370 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041C3AC
#296.MFC140U(?,BEE31567), ref: 0041C3BA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041C3D4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041C3ED
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C40B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9F8,0049BF80), ref: 0041C42C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C441
#1045.MFC140U ref: 0041C452

Strings

%s\IPsET.ini, xrefs: 0041C3E7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 460a876fab7384912aa382535f20819d8344a050fafe413ea0252fc16bd5b060
Instruction ID: 7db84a3cc10365b3e0adebeff1b7a5237e1e3fba056f56ad1928f5ccf73e6f4a
Opcode Fuzzy Hash: 460a876fab7384912aa382535f20819d8344a050fafe413ea0252fc16bd5b060
Instruction Fuzzy Hash: 1A218671A8020DAFDB20DB60ED4AFADBBB8FB44701F50057EF615A61D0DBB469048F98

Function 0041A310 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041A34C
#296.MFC140U(?,BEE31567), ref: 0041A35A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041A374
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041A38D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A3A5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A3C5
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8E0,0049BF80), ref: 0041A3E6
#1045.MFC140U ref: 0041A3F2

Strings

%s\IPsET.ini, xrefs: 0041A387

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: d755cd05ea34de736414cba18526a70d1d31fa6a1acdbff27951eb3c60c8acb9
Instruction ID: 65b002af2f9e54a9eb1a45c0be6e040569584365104c3c7b6d8a87a59e31814b
Opcode Fuzzy Hash: d755cd05ea34de736414cba18526a70d1d31fa6a1acdbff27951eb3c60c8acb9
Instruction Fuzzy Hash: CE215671A8020DAFEB20DB50ED4AFADBB78FB44701F50057EF615A62D0DBB469048F99

Function 0041BBE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041BC1C
#296.MFC140U(?,BEE31567), ref: 0041BC2A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041BC44
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041BC5D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BC7B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9DC,0049BF80), ref: 0041BC9C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BCB1
#1045.MFC140U ref: 0041BCC2

Strings

%s\IPsET.ini, xrefs: 0041BC57

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: ca45a603d0e22f0d263138c283f7e39ef3e0ed663725371314ccec5ffe90e4ef
Instruction ID: 16ff7ca91f8d7026f853971955fb7055d8f39f144e5f7d0dcd097638c49212f5
Opcode Fuzzy Hash: ca45a603d0e22f0d263138c283f7e39ef3e0ed663725371314ccec5ffe90e4ef
Instruction Fuzzy Hash: C5216871A8020DAFDB20DB60ED4AFADBB78FB44700F50057EF615961D0DBB469048F99

Function 004193B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 004193EC
#296.MFC140U(?,BEE31567), ref: 004193FA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 00419414
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041942D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041944B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8A4,0049BF80), ref: 0041946C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00419481
#1045.MFC140U ref: 00419492

Strings

%s\IPsET.ini, xrefs: 00419427

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 0e5d8fde46a2d886a05dd4f6823d7f40d4214510d78d744d1390a76d271f7400
Instruction ID: 1125887928e9913f881a2063c42c73ed6e28d9041d3ecb7406ce65943dde1a97
Opcode Fuzzy Hash: 0e5d8fde46a2d886a05dd4f6823d7f40d4214510d78d744d1390a76d271f7400
Instruction Fuzzy Hash: 2D216571A8020DAFDB20DB60DD4AFADBB78FB44700F50057EF615A62D0DBB469048F99

Function 0041AC10 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041AC4C
#296.MFC140U(?,BEE31567), ref: 0041AC5A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041AC74
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041AC8D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041ACAB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8AC,0049BF80), ref: 0041ACCC
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041ACE1
#1045.MFC140U ref: 0041ACF2

Strings

%s\IPsET.ini, xrefs: 0041AC87

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 6a01efec344e244ed6d52e95277e662a0122578958f08d2a13a9d18065ccc7a4
Instruction ID: 38b8e37ae105320c687966b5edec7b373622df9ca678af1b9d47a2b40e34fe6e
Opcode Fuzzy Hash: 6a01efec344e244ed6d52e95277e662a0122578958f08d2a13a9d18065ccc7a4
Instruction Fuzzy Hash: A3215671A8020DAFDB20EB60ED4AFADBB78FB44700F50057EF615A61D0DBB469048F99

Function 0041DC80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041DCBC
#296.MFC140U(?,BEE31567), ref: 0041DCCA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041DCE4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041DCFD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041DD1B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA2C,0049BF80), ref: 0041DD3C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041DD51
#1045.MFC140U ref: 0041DD62

Strings

%s\IPsET.ini, xrefs: 0041DCF7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: ec1f719c929df3c05115b810d29a41ec9ae6129eac7d2a46fc33b138e0178a24
Instruction ID: 3b5274da0197c293bcc8712f8fea9d5cd4c27580de17c8ac9dd13153b4c77f1f
Opcode Fuzzy Hash: ec1f719c929df3c05115b810d29a41ec9ae6129eac7d2a46fc33b138e0178a24
Instruction Fuzzy Hash: E2215671A8020DAFDB20DB60ED4AFADBB78FB44B00F50457EF615961D0DBB469048F99

Function 00418560 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041859C
#296.MFC140U(?,BEE31567), ref: 004185AA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 004185C4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 004185DD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004185FB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8D4,0049BF80), ref: 0041861C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00418631
#1045.MFC140U ref: 00418642

Strings

%s\IPsET.ini, xrefs: 004185D7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 73c444949e200d01c17af6bc3094600712367e67aa11f211592d1fc548b6878a
Instruction ID: d89a60f08fd2d84efe3704de0aed4b610cd045dfd2572fde7219e5e6806b14a1
Opcode Fuzzy Hash: 73c444949e200d01c17af6bc3094600712367e67aa11f211592d1fc548b6878a
Instruction Fuzzy Hash: FD215371A8020DAFDB20DB60ED4AFADBB78FB44700F50057EF615A62D0DBB469048F99

Function 0041A530 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041A56C
#296.MFC140U(?,BEE31567), ref: 0041A57A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041A594
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041A5AD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A5CB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9B8,0049BF80), ref: 0041A5EC
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A601
#1045.MFC140U ref: 0041A612

Strings

%s\IPsET.ini, xrefs: 0041A5A7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: bf45112915b6edf4ff531482b9bd06831a090311bff9e207bae8e3ffaa13292a
Instruction ID: 34a9f80cc76481c392d722ea87a7d3c2e3006557ce2ff58771c9ea0a740bc51e
Opcode Fuzzy Hash: bf45112915b6edf4ff531482b9bd06831a090311bff9e207bae8e3ffaa13292a
Instruction Fuzzy Hash: 07215371A8020DAFDB20DB60ED4AFADBB78FB44701F50057EF615A62D0DBB469048F99

Function 0041C590 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041C5CC
#296.MFC140U(?,BEE31567), ref: 0041C5DA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041C5F4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041C60D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C62B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA10,0049BF80), ref: 0041C64C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C661
#1045.MFC140U ref: 0041C672

Strings

%s\IPsET.ini, xrefs: 0041C607

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 1d8c0864256fbaf682e1efeda0543c7e11d540117e92cbaec5671dd7275eeaa2
Instruction ID: 40bde623fa8a2c031dc482694bae42f3904d90c7f47a2edd23ad5864ef457b1f
Opcode Fuzzy Hash: 1d8c0864256fbaf682e1efeda0543c7e11d540117e92cbaec5671dd7275eeaa2
Instruction Fuzzy Hash: 8D216B7168020DAFDB20DB50ED4AFADB778FB44700F50057DF615961D0DBB469048F99

Function 004196E0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041971C
#296.MFC140U(?,BEE31567), ref: 0041972A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 00419744
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041975D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041977B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8BC,0049BF80), ref: 0041979C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004197B1
#1045.MFC140U ref: 004197C2

Strings

%s\IPsET.ini, xrefs: 00419757

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: fd7468deb9d26f8f99dd07d623c701a9f2e53101c72c63c0c452f588fb1ce40d
Instruction ID: af632db8941f5d52ac13e1ce39863693f497b65705cf8df671fb8f107aa5e708
Opcode Fuzzy Hash: fd7468deb9d26f8f99dd07d623c701a9f2e53101c72c63c0c452f588fb1ce40d
Instruction Fuzzy Hash: 0D216871A8020DAFDB20DB60DD4AFADBB78FB44701F50057EF615961D0DBB469048F99

Function 0041A760 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041A79C
#296.MFC140U(?,BEE31567), ref: 0041A7AA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041A7C4
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041A7DD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A7FB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8B4,0049BF80), ref: 0041A81C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A831
#1045.MFC140U ref: 0041A842

Strings

%s\IPsET.ini, xrefs: 0041A7D7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: edfd4a733fdc1067d4416b3e0420db8bc47f7a300917f66f7da2f943485ed4cb
Instruction ID: c6310b8a6e7bcb9c72011e7220d3b2106f3b12ccce00291745b446defecd1635
Opcode Fuzzy Hash: edfd4a733fdc1067d4416b3e0420db8bc47f7a300917f66f7da2f943485ed4cb
Instruction Fuzzy Hash: BE219871A8020DAFDB24DB60ED4AFADBB78FB44700F50057EF615A61D0DBB469048F98

Function 0041BF30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041BF6C
#296.MFC140U(?,BEE31567), ref: 0041BF7A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041BF94
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041BFAD
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041BFCB
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B9EC,0049BF80), ref: 0041BFEC
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C001
#1045.MFC140U ref: 0041C012

Strings

%s\IPsET.ini, xrefs: 0041BFA7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 8c72512a3e74b3ac7b8168d650a522dc20d8d23915a54c490a23550c5c5fe2b7
Instruction ID: dacd2c050dc522001c365e8ace3a011e8ea95ec5e6856a5fddd1758cb3f645ca
Opcode Fuzzy Hash: 8c72512a3e74b3ac7b8168d650a522dc20d8d23915a54c490a23550c5c5fe2b7
Instruction Fuzzy Hash: 2B218671A8020DAFDB24DB60ED4AFADBBB8FB44700F50057EF615961D0DBB469048F98

Function 0041B7C0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041B7FC
#296.MFC140U(?,BEE31567), ref: 0041B80A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041B824
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041B83D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041B85B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BAA0,0049BF80), ref: 0041B87C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041B891
#1045.MFC140U ref: 0041B8A2

Strings

%s\IPsET.ini, xrefs: 0041B837

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: db3fdd3b83b55388a1df7a3ec4d8cd9014ed3208e7dd9bbc1a7ab0c49957818e
Instruction ID: 0e8a44fd1440b55eb5148cb14b69b9eed8be7745b097dd4568b670129ecde547
Opcode Fuzzy Hash: db3fdd3b83b55388a1df7a3ec4d8cd9014ed3208e7dd9bbc1a7ab0c49957818e
Instruction Fuzzy Hash: 2E214471A8020DAFDB20DB60ED4AFADBB78FB44700F50457AF615961D0DBB469048F99

Function 00419FA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 00419FDC
#296.MFC140U(?,BEE31567), ref: 00419FEA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041A004
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041A01D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A03B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049B8C8,0049BF80), ref: 0041A05C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041A071
#1045.MFC140U ref: 0041A082

Strings

%s\IPsET.ini, xrefs: 0041A017

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 7e7d952e75f8fa80dd042eeeaf0bacc399deba5b14a64d55c4b6eb81a2e960c8
Instruction ID: 2740afed199ca6325927e39eea73efa12e1273da78f26565aebb1c702f6321ed
Opcode Fuzzy Hash: 7e7d952e75f8fa80dd042eeeaf0bacc399deba5b14a64d55c4b6eb81a2e960c8
Instruction Fuzzy Hash: F5219871A8020DAFDB20DB60ED4AFADBBB8FB44701F50457EF615A61D0DBB469048F98

Function 0041C7B0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041C7EC
#296.MFC140U(?,BEE31567), ref: 0041C7FA
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,BEE31567), ref: 0041C814
#4815.MFC140U(?,%s\IPsET.ini,BEE31567,?,BEE31567), ref: 0041C82D
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C84B
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA04,0049BF80), ref: 0041C86C
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041C881
#1045.MFC140U ref: 0041C892

Strings

%s\IPsET.ini, xrefs: 0041C827

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 942942460-2680549692
Opcode ID: 5dd746981cb6f1fa9927ccc1d67d515d9b98afafcf1010ffd83e0426fad37edc
Instruction ID: 36fbf74fab00225711f88a4b67bec67bc2a0a3f2025e6e7cae4428dd4dc06a15
Opcode Fuzzy Hash: 5dd746981cb6f1fa9927ccc1d67d515d9b98afafcf1010ffd83e0426fad37edc
Instruction Fuzzy Hash: 98217471A8020DAFDB20DB60ED4AFADBBB8FB44701F50057EF615961D0DBB469048F98

Function 004194F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 57COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,BEE31567), ref: 0041951A
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 00419523
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 0041952C
#296.MFC140U ref: 00419554
#4815.MFC140U(00000000,%x,00000000), ref: 00419572
OutputDebugStringW.KERNEL32(?), ref: 0041957E

Part of subcall function 0040AEB0: #360.MFC140U(BEE31567), ref: 0040AF01
Part of subcall function 0040AEB0: #9.WS2_32(000006A6), ref: 0040AF13
Part of subcall function 0040AEB0: #8.WS2_32(00000000,00000003,00000000), ref: 0040AF2A
Part of subcall function 0040AEB0: GetTickCount.KERNEL32 ref: 0040AF3D
Part of subcall function 0040AEB0: #8.WS2_32(00000000), ref: 0040AF44
Part of subcall function 0040AEB0: #1067.MFC140U(?,00000000,?,?), ref: 0040AF78

#1045.MFC140U ref: 004195B0

Strings

/, xrefs: 00419543
%x, xrefs: 0041956C

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#1067#296#360#4815CountDebugOutputStringTick_time64randsrand
String ID: %x$/
API String ID: 2140772873-908494387
Opcode ID: 0fc9ce1431863dffe4d8731f1a4fea2c153bf4704253bbf9309dedef047b41f8
Instruction ID: 18699b7c3a0c952cc3bfb8563dfae0fcb7eabec89fb5f0fefa6c8cd5e1ec1369
Opcode Fuzzy Hash: 0fc9ce1431863dffe4d8731f1a4fea2c153bf4704253bbf9309dedef047b41f8
Instruction Fuzzy Hash: A4214F71800649DFCB01DFA4EC59BAEBBB8FB09705F40053EE902A6261EB385504CBA9

Function 00410080 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 00410086
#4815.MFC140U(?,%Ts (%Ts:%d)%Ts,Exception thrown in destructor,D:\VS2015\VC\atlmfc\include\afxwin1.inl,0000004D,?), ref: 004100CE
#4815.MFC140U(?,%Ts (%Ts:%d),Exception thrown in destructor,D:\VS2015\VC\atlmfc\include\afxwin1.inl,0000004D), ref: 004100F1
#2304.MFC140U(?,00000000,00000000), ref: 00410104
#1045.MFC140U ref: 00410114

Strings

%Ts (%Ts:%d)%Ts, xrefs: 004100C8
Exception thrown in destructor, xrefs: 004100BD, 004100E0
D:\VS2015\VC\atlmfc\include\afxwin1.inl, xrefs: 004100B8, 004100DB
%Ts (%Ts:%d), xrefs: 004100EB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #4815$#1045#2304#296
String ID: %Ts (%Ts:%d)$%Ts (%Ts:%d)%Ts$D:\VS2015\VC\atlmfc\include\afxwin1.inl$Exception thrown in destructor
API String ID: 3171837016-3670023387
Opcode ID: 57039da82469992e4118bf276f08a09ae734f2a054284b6a07b2d4f141563ea8
Instruction ID: d805118ef37fc93a787f960f35ab674ee15b4f5848d44bea096e7c23cace7f23
Opcode Fuzzy Hash: 57039da82469992e4118bf276f08a09ae734f2a054284b6a07b2d4f141563ea8
Instruction Fuzzy Hash: 391100B0A40218AFDB20DB54DD49FC87B64EB14701F5044E9F645A32D1DBB45AC58BED

Function 00406C60 Relevance: 15.5, APIs: 10, Instructions: 457COMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567,?,?,?), ref: 00406C97
#9.WS2_32(00000000,?,?), ref: 00406CB1
#9.WS2_32(00000000,?,?), ref: 00406CBA
#9.WS2_32(?,?,?), ref: 00406CC5
#9.WS2_32(?,?,?), ref: 00406D6F

Part of subcall function 0040D850: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,Et@,?,0040D7FF,?,?,?,?,00407445,?), ref: 0040D881

#9.WS2_32(?,?,?), ref: 00406E5E
#9.WS2_32(?,?,?), ref: 00406F50
#9.WS2_32(?,?,?), ref: 0040705B
#9.WS2_32(?,?,?), ref: 00407148
#1045.MFC140U(?,?), ref: 00407202

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296Xlength_error@std@@
String ID:
API String ID: 3847242781-0
Opcode ID: a5ad596bb53d784ec46d61cc82aff53919c2acb42416408981a0f2ed5b27ff30
Instruction ID: ecf7389c7b6c68b3af8ccc3d8161bc24536348837d5efe980d4b05a5028a5712
Opcode Fuzzy Hash: a5ad596bb53d784ec46d61cc82aff53919c2acb42416408981a0f2ed5b27ff30
Instruction Fuzzy Hash: C8127E74D04659CFCF21CFA8C4806AEBBB1BF04308F14816ED859BB786D739A946CB59

Function 0044FC90 Relevance: 15.4, APIs: 1, Strings: 9, Instructions: 376COMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00000000), ref: 0044FF32

Strings

Clear auth, redirects to port from %u to %u, xrefs: 0044FF53
Switch to %s, xrefs: 004500BC
The redirect target URL could not be parsed: %s, xrefs: 0044FE59
Issue another request to this URL: '%s', xrefs: 00450048
Maximum (%ld) redirects followed, xrefs: 00450105
Clear auth, redirects scheme from %s to %s, xrefs: 0044FFAD
HEAD, xrefs: 004500AC, 004500BB
GET, xrefs: 004500A7
Switch from POST to GET, xrefs: 00450156

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: atoi
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s
API String ID: 657269090-2860807360
Opcode ID: 01450b15ba3c7fa4f935fcf5193c6451c4290c80bcec6719981bdce87a580322
Instruction ID: 53bcf69beb3f57b0999cf691fc370b0e8b397df17982b6395688331726a02167
Opcode Fuzzy Hash: 01450b15ba3c7fa4f935fcf5193c6451c4290c80bcec6719981bdce87a580322
Instruction Fuzzy Hash: CEC148746047406BF721AB389C41BEB7BD5DF81305F44043FF98A82293DA7EA949875B

Function 00418A20 Relevance: 15.1, APIs: 10, Instructions: 98COMMON

Download Yara Rule

APIs

#5850.MFC140U(?,?,BEE31567), ref: 00418A63
#5850.MFC140U(?,?), ref: 00418A7B
#5419.MFC140U ref: 00418A83
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00418AC7
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00418ACC
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00418ADD
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00418AE2
#2996.MFC140U(?), ref: 00418B04
#1045.MFC140U ref: 00418B0F
#1045.MFC140U ref: 00418B18

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _wtoll$#1045#5850$#2996#5419
String ID:
API String ID: 1193204051-0
Opcode ID: cc963191d3fed86605b7c4205a1784a2d266e8f0fbf13e20bdbc1aecea747812
Instruction ID: f49b5952ba3e2279301330a1422390afad294ce8f67ed77237d1404f3ef0c8db
Opcode Fuzzy Hash: cc963191d3fed86605b7c4205a1784a2d266e8f0fbf13e20bdbc1aecea747812
Instruction Fuzzy Hash: BB3170719001199FCF21DBA4DD45AAF7BB9FB84350F14052BE905A32A0EB785D84CBD9

Function 0040B190 Relevance: 15.1, APIs: 10, Instructions: 82COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040B1E4
#8.WS2_32(00000001), ref: 0040B1F4
#13960.MFC140U(00000001,000000FF), ref: 0040B208
GetTickCount.KERNEL32 ref: 0040B214
#8.WS2_32(00000000), ref: 0040B21B
#13960.MFC140U(00000001,000000FF), ref: 0040B22F
#13253.MFC140U(?,00000000), ref: 0040B249
#13253.MFC140U(?,00000001), ref: 0040B253
#13253.MFC140U(?,00000002), ref: 0040B25D
#1067.MFC140U(0000C55F,00000000,?,?), ref: 0040B276

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#13960$#1067#360CountTick
String ID:
API String ID: 338892868-0
Opcode ID: 7fc740e98f7ab2ff5e48680b7ffb116345af7c3067e78d573d0cf97c170fe2c7
Instruction ID: 12624151d5a393a6ccb9158e9de09574c043e4cab06ff0756b85fa020a0844c5
Opcode Fuzzy Hash: 7fc740e98f7ab2ff5e48680b7ffb116345af7c3067e78d573d0cf97c170fe2c7
Instruction Fuzzy Hash: 28313976C002199FDB15DF90DD55BEEBBB4FB48710F20466EE92273290DB356904CBA4

Function 00418740 Relevance: 15.1, APIs: 10, Instructions: 82windowCOMMON

Download Yara Rule

APIs

#4886.MFC140U(?,BEE31567), ref: 00418776
#2215.MFC140U(00000082,00000004,00000082), ref: 004187C1
LoadMenuW.USER32(00000000), ref: 004187C8
#2526.MFC140U(00000000), ref: 004187D2
GetSubMenu.USER32(00000000,00000000), ref: 004187DD
#4885.MFC140U(00000000), ref: 004187E4
GetCursorPos.USER32(00000000), ref: 004187FE
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 00418810
#14377.MFC140U(00000000,00000000,00000000,?,00000000), ref: 00418825
#3932.MFC140U ref: 0041883C

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Menu$#14377#2215#2526#3932#4885#4886CursorLoadMessageSend
String ID:
API String ID: 1337069456-0
Opcode ID: f257bdd5e816463db465277af3e310ed8f44941e947df7502beb05456baaad77
Instruction ID: fee8456ab51f84b34cf2774767a504cb40eacc53c0d64f98c82c9e627dac8253
Opcode Fuzzy Hash: f257bdd5e816463db465277af3e310ed8f44941e947df7502beb05456baaad77
Instruction Fuzzy Hash: 98315E71900209EFDB10DFD0DD49BAEBBB8FB08711F10462EFA11A7290DB745944CB98

Function 0040FB40 Relevance: 15.1, APIs: 10, Instructions: 81COMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32(?,BEE31567,?,?,?,00488156,000000FF), ref: 0040FB85
#7997.MFC140U(?,?,?,00488156,000000FF), ref: 0040FB8D
#2205.MFC140U(00000000,?,?,?,00488156,000000FF), ref: 0040FB95
#1511.MFC140U(0000000C,?,?,?,00488156,000000FF), ref: 0040FB9D
#952.MFC140U ref: 0040FBC7
#7313.MFC140U ref: 0040FBDA
#13442.MFC140U(00000000), ref: 0040FBE1
#13911.MFC140U(0049B314), ref: 0040FBEE
memset.VCRUNTIME140(?,00000000,00001DAC), ref: 0040FC02
#4092.MFC140U(?,00001DAC), ref: 0040FC27

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13442#13911#1511#2205#4092#7313#7997#952CommonControlsInitmemset
String ID:
API String ID: 82765627-0
Opcode ID: da8561496318c7c604f83f082d0944b5ca5827796b17aabecb5305089d93f5a2
Instruction ID: 3c4fa02dd58b3d3f7de296a645d71c1a7e6edf6da569cef3f5f764642d23f5b4
Opcode Fuzzy Hash: da8561496318c7c604f83f082d0944b5ca5827796b17aabecb5305089d93f5a2
Instruction Fuzzy Hash: B531AD31A002099FDB20EFA5DC09B9DBBF8EB48314F10097EE419A32D0EB745944CB98

Function 00418460 Relevance: 15.1, APIs: 10, Instructions: 75windowthreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00418479
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0041848F
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_000182D0,00000000,00000000,00000000), ref: 004184B4
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00016740,00000000,00000000,00000000), ref: 004184CA
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,004165F0,00000000,00000000,00000000), ref: 004184E0
CloseHandle.KERNEL32 ref: 004184F6
CloseHandle.KERNEL32 ref: 004184FE
TerminateThread.KERNEL32(?,00000000), ref: 0041850F
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_000183E0,00000000,00000000,00000000), ref: 00418542
CloseHandle.KERNEL32(00000000), ref: 00418551

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _beginthreadex$CloseHandle$MessageSend$TerminateThread
String ID:
API String ID: 1530266106-0
Opcode ID: 54e2b712016bd8ae4d04d10bb7709faa271bd16a1fc9fa09b1f18cddb7368292
Instruction ID: 60f51f68b16f7267066cacd22769005eeadec4b027eab2201fe036a4ebb34e61
Opcode Fuzzy Hash: 54e2b712016bd8ae4d04d10bb7709faa271bd16a1fc9fa09b1f18cddb7368292
Instruction Fuzzy Hash: 0E21B471B80311BAE7205B65BC1AF4A3EA4E702B55F29043AF604BE2E5DBF574448B9C

Function 0044E7E0 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 353COMMON

Download Yara Rule

Strings

FALSE, xrefs: 0044E882
-, xrefs: 0044E893
unknown, xrefs: 0044E806
(, xrefs: 0044EFAF
(nil), xrefs: 0044EB21, 0044EFA7
0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 0044E830, 0044EC61
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0044EC66

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID: ($(nil)$-$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz$FALSE$unknown
API String ID: 0-3741205749
Opcode ID: 8b2592b64f5f33afe15e6697f71e8d8d0db9c643216686d8aef3d07f814ccbaa
Instruction ID: bcd6778a78338fad8ee7adf52e86b527ce31d8183d46b61135aef0bcfb5fc428
Opcode Fuzzy Hash: 8b2592b64f5f33afe15e6697f71e8d8d0db9c643216686d8aef3d07f814ccbaa
Instruction Fuzzy Hash: 02D17D746087458FE724DF2AC88065BBBE0FFC8314F144A2EF9A987391E778D9058B46

Function 004161F0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 144fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,?,?,?), ref: 00416224
memset.VCRUNTIME140(?,00000000,00000400,?,?,?), ref: 0041623B
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 00416251
memset.VCRUNTIME140(?,00000000,00000400,?,?,?,?,?,?,?,?,?), ref: 00416283
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041628D

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049BD0C,?,%u----%d/%d/%d/%d/%d/%d----%s,?,00000000,00000000,00000000,?,?,FFFFFFFF,?,?,?,?,?), ref: 0041638E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 004163B4

Strings

%u----%d/%d/%d/%d/%d/%d----%s, xrefs: 00416376

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderPathSpecial_localtime64_s_time64fclosefopen
String ID: %u----%d/%d/%d/%d/%d/%d----%s
API String ID: 2784709916-2168455461
Opcode ID: 519ddaa22aa248f6e6e42449e0411bf9842036a9c4a129b637589564e13452a4
Instruction ID: 317fd27a91b38be028d68427945d0103df561d610fbd08a1f169a27c0398e06d
Opcode Fuzzy Hash: 519ddaa22aa248f6e6e42449e0411bf9842036a9c4a129b637589564e13452a4
Instruction Fuzzy Hash: 5F51A3B25083049FD320DF91DC45FABB7E8EF84304F05092EFA5992191E774D909CB9A

Function 0041C8E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 116filewindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0041C902
memset.VCRUNTIME140(?,00000000,00000100), ref: 0041C9AF
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0041C9C2
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 0041C9D7
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049B6D0), ref: 0041CA16
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 0041CA3B
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0041CA42

Strings

%s\GZXIP.db, xrefs: 0041C9EA

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderMessagePathSendSpecialfclosefopenfwrite
String ID: %s\GZXIP.db
API String ID: 1017832532-1600395696
Opcode ID: 2a0148723a58fdbb605558948cfd0ec7dde2c17ff193258227e0ffdb7f876baf
Instruction ID: fa007bb7cd12e4198b9aef84df0d2cf16ded16b106fb68b66d5f81e24e912976
Opcode Fuzzy Hash: 2a0148723a58fdbb605558948cfd0ec7dde2c17ff193258227e0ffdb7f876baf
Instruction Fuzzy Hash: 97415A71A41204AFD710EB2CDD85BEDB768EF05700F5842AEE9189B2D2D7786980CBDC

Function 0040BEA0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 97sleepCOMMON

Download Yara Rule

APIs

#8.WS2_32(00000000,80000009,?,?,00405050), ref: 0040BECD

Part of subcall function 0040B8F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000011,?,?,?,0040BEDD,?,?,00405050), ref: 0040B91E
Part of subcall function 0040B8F0: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,0040BEDD,?,?,00405050), ref: 0040B95E

#21.WS2_32(?,0000FFFF,00000080,PP@,00000004,?,?), ref: 0040BF16
#22.WS2_32(?,00000002,?,0000FFFF,00000080,PP@,00000004,?,?), ref: 0040BF1F
#3.WS2_32(?,?,00000002,?,0000FFFF,00000080,PP@,00000004,?,?), ref: 0040BF26
#1511.MFC140U(00000010,?,?,00405050), ref: 0040BF34
Sleep.KERNEL32(00000032,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000005,?,00405050), ref: 0040BF94

Strings

PP@, xrefs: 0040BF00, 0040BF0A
PP@, xrefs: 0040BFA3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1511Sleepfreemalloc
String ID: PP@$PP@
API String ID: 531556207-1699703914
Opcode ID: 03e42a54f7a8261cf53c32e5ad66669f3acbc57d7c4efa90e845ec2c415e88e2
Instruction ID: 0de5c9706c21dbf364257dd552c6a8287ceefa35106dc37529263797f5773326
Opcode Fuzzy Hash: 03e42a54f7a8261cf53c32e5ad66669f3acbc57d7c4efa90e845ec2c415e88e2
Instruction Fuzzy Hash: 1F31B070A0021AABDB109F618C4ABAFBB65EF44710F00432AFE64772D1D7B81955CBDD

Function 0040CB00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 0040CB1E
#9.WS2_32(?), ref: 0040CB61
#9.WS2_32(?), ref: 0040CB7B
#9.WS2_32(00000000), ref: 0040CB87
#8.WS2_32(?), ref: 0040CBA3
#1045.MFC140U ref: 0040CBF7

Strings

A, xrefs: 0040CB4C
AQ4@, xrefs: 0040CBCB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296
String ID: A$AQ4@
API String ID: 504170297-3265738774
Opcode ID: da514ba539de78f15a024ccc2b2f7cae1aa9ce517ab47d99923e86c9298f2fc4
Instruction ID: 93b649d65b4c50690d38ee383487b466ec647ddb551284e1289c9c10a57d3585
Opcode Fuzzy Hash: da514ba539de78f15a024ccc2b2f7cae1aa9ce517ab47d99923e86c9298f2fc4
Instruction Fuzzy Hash: 4F312571D00229DFCB10CF99E8856AEB7B4EF08301B11466BE951F3351D778AA45DB98

Function 00430610 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00430613
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0043061B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00430668
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00430672
GetLastError.KERNEL32 ref: 00430676
SetLastError.KERNEL32(00000000), ref: 00430681

Strings

2', xrefs: 0043061B
Unknown error %lu (0x%08lX), xrefs: 00430653

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ErrorLast_errno
String ID: 2'$Unknown error %lu (0x%08lX)
API String ID: 3939687465-3508922609
Opcode ID: 6bee75c83018b4c33ecaee20a453c292ec5cff9ec6e2f88a0aa11b9bd3a05b84
Instruction ID: babf483269c5db0e764e57abb7030947a48d2749324e41f45fa638e3dad065c2
Opcode Fuzzy Hash: 6bee75c83018b4c33ecaee20a453c292ec5cff9ec6e2f88a0aa11b9bd3a05b84
Instruction Fuzzy Hash: C101D4726003059FC310AF65EC8592FBBACEB8A365F51096EF80183212DB359C0187BA

Function 0041CE10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000200,BEE31567), ref: 0041CE49
#296.MFC140U(?,?,BEE31567), ref: 0041CE57
#296.MFC140U(?,?,BEE31567), ref: 0041CE6A
SHGetSpecialFolderPathW.SHELL32(00000000,BEE31567,00000000,00000000,?,?,BEE31567), ref: 0041CE81
#4815.MFC140U(?,%s\,BEE31567,?,?,BEE31567), ref: 0041CE9A
#1045.MFC140U ref: 0041CEB4
#1045.MFC140U ref: 0041CEC0

Strings

%s\, xrefs: 0041CE94

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$#4815FolderPathSpecialmemset
String ID: %s\
API String ID: 3610967067-2802346739
Opcode ID: d4ae965185c5abc1a8c62ac99265eeef627c38b85018f014e10968ab59c16193
Instruction ID: 5c482960d7c1c09dc0654a3ca4f506b80ff51f24900d05dc5c920bef0e42484b
Opcode Fuzzy Hash: d4ae965185c5abc1a8c62ac99265eeef627c38b85018f014e10968ab59c16193
Instruction Fuzzy Hash: 62112EB198021D9FDB10EB50DC89BEDB778FB14705F4005AAEA1AA32D0DB741A44CFA9

Function 00419A40 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000200,00000000,00000200,BEE31567), ref: 00419A79
#296.MFC140U(?,?,BEE31567), ref: 00419A87
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,BEE31567), ref: 00419AA1
#4815.MFC140U(?,%s\IPsET.ini,?,?,?,BEE31567), ref: 00419ABA
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA40,100,?), ref: 00419AD8
#1045.MFC140U ref: 00419AEE

Strings

100, xrefs: 00419AC9
%s\IPsET.ini, xrefs: 00419AB4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini$100
API String ID: 4053994538-182754733
Opcode ID: 63ed422566c6eaaee0a53c90687c1b5904c7dbc1c08fb4e328b04892580b6723
Instruction ID: 42e4adfe4da9e5f9187540925f5360389631c855fab6d0dfa49e9989c3540f2b
Opcode Fuzzy Hash: 63ed422566c6eaaee0a53c90687c1b5904c7dbc1c08fb4e328b04892580b6723
Instruction Fuzzy Hash: 3F11827198021CAFDB10EF90ED49BDDBB78FB04704F5005BAF519A22D0DBB466048F99

Function 00419B10 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000200,00000000,00000200,BEE31567), ref: 00419B49
#296.MFC140U(?,?,BEE31567), ref: 00419B57
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,BEE31567), ref: 00419B71
#4815.MFC140U(?,%s\IPsET.ini,?,?,?,BEE31567), ref: 00419B8A
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA40,300,?), ref: 00419BA8
#1045.MFC140U ref: 00419BBE

Strings

%s\IPsET.ini, xrefs: 00419B84
300, xrefs: 00419B99

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini$300
API String ID: 4053994538-157305283
Opcode ID: 7e45b8ce97fe8152e689b4c81206bfe02493c2126a83cfc3dca8f7070947ae3d
Instruction ID: baa58add694b9251ef6eb4f2ffd65602ed11a9d8cb45f66f987bf51b325ece5f
Opcode Fuzzy Hash: 7e45b8ce97fe8152e689b4c81206bfe02493c2126a83cfc3dca8f7070947ae3d
Instruction Fuzzy Hash: E811427198021CAFDB10EF90ED4ABDDBB78FB14704F5005BAF515A22D0DBB456448F99

Function 0040E380 Relevance: 13.7, APIs: 9, Instructions: 170networkCOMMON

Download Yara Rule

APIs

#266.MFC140U(00000000), ref: 0040E41D
#265.MFC140U(?), ref: 0040E427
#266.MFC140U(00000000), ref: 0040E4B0
#265.MFC140U(00000004), ref: 0040E4B8
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 0040E52B
#111.WS2_32(?,?,00000002,00000000,?,?), ref: 0040E535
EnterCriticalSection.KERNEL32(00000000), ref: 0040E54D
LeaveCriticalSection.KERNEL32(00000000), ref: 0040E557
#266.MFC140U(?,?,?,00000003,00000000,00000000,00000000), ref: 0040E573

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266$#265CriticalSection$#111EnterLeaveRecv
String ID:
API String ID: 4047909676-0
Opcode ID: 2e483b84106766a54501f9112c2644cea031c44732e7bbf0cf8f3afc5840087c
Instruction ID: 60b8aba12ca2a29255c463423b924ebaa6dc72da6991bf7dd2445e3ff7b4cd5a
Opcode Fuzzy Hash: 2e483b84106766a54501f9112c2644cea031c44732e7bbf0cf8f3afc5840087c
Instruction Fuzzy Hash: 7F6182B1A00605FFDB14CFA5CD88B9EBBB8FF08304F14452AE505A6A91E374E564CF99

Function 0040ACE1 Relevance: 13.6, APIs: 9, Instructions: 121COMMON

Download Yara Rule

APIs

#22.WS2_32(?,00000002,?,0000FFFF,00000080,00000000,00000004,00006500,?,?,00000004), ref: 0040AD6D
#3.WS2_32(?,?,00000002,?,0000FFFF,00000080,00000000,00000004,00006500,?,?,00000004), ref: 0040AD74
#22.WS2_32(?,00000002,?,?,00000004), ref: 0040ADB3
#3.WS2_32(?,?,?,00000004), ref: 0040ADBA
CloseHandle.KERNEL32(?,?,?,00000004), ref: 0040ADDC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0040AE52
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0040AE6C
#4859.MFC140U ref: 0040AE81
#13960.MFC140U(00000000,000000FF), ref: 0040AE91

Part of subcall function 0040C620: #360.MFC140U ref: 0040C671
Part of subcall function 0040C620: #8.WS2_32(?,00000003,00000000), ref: 0040C68B
Part of subcall function 0040C620: GetTickCount.KERNEL32 ref: 0040C69E
Part of subcall function 0040C620: #8.WS2_32(00000000), ref: 0040C6A5
Part of subcall function 0040C620: #13253.MFC140U(?,00000000), ref: 0040C6C2
Part of subcall function 0040C620: #13253.MFC140U(?,00000004), ref: 0040C6CC
Part of subcall function 0040C620: #13253.MFC140U(?,00000000), ref: 0040C6D6
Part of subcall function 0040C620: #1067.MFC140U(?,?,?,?), ref: 0040C6F4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$free$#1067#13960#360#4859CloseCountHandleTick
String ID:
API String ID: 2069879033-0
Opcode ID: d2ee0742ea9dd247cef0ccd1395f3f3c8cf517737e515ffe9ee0fa3c2aac9c61
Instruction ID: 86e0704285a1ea32a3e263279756d610253564bc50bfd6a014f7a83b465c5790
Opcode Fuzzy Hash: d2ee0742ea9dd247cef0ccd1395f3f3c8cf517737e515ffe9ee0fa3c2aac9c61
Instruction Fuzzy Hash: 18414DB0600B059BE720DF64CC89BAB77E4EF04715F100A2DE56AA73D1D7796908CB99

Function 0040C2A0 Relevance: 13.6, APIs: 9, Instructions: 108COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040C301
#8.WS2_32(00000015,00000003,00000000), ref: 0040C31B
GetTickCount.KERNEL32 ref: 0040C32E
#8.WS2_32(00000000), ref: 0040C335

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#9.WS2_32(?,00000002,00000000), ref: 0040C34F

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#13253.MFC140U(?,?), ref: 0040C394
#8.WS2_32(?,00000003,00000000), ref: 0040C3A1
#9.WS2_32(?,?,?), ref: 0040C3C8
#1067.MFC140U(00006800,?), ref: 0040C3DD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: ad7406ab81264f91fb81c991708893f13aeca70dc06096260f842d8be99a0de9
Instruction ID: ab92ee8bf1817edfecbd584e2e80a52bfe74646c28a89ae702c75c462254ddd6
Opcode Fuzzy Hash: ad7406ab81264f91fb81c991708893f13aeca70dc06096260f842d8be99a0de9
Instruction Fuzzy Hash: 83416C71D0021CEBDB01EFA5DD42BEEBBB5EF58704F10412AF911762A1EBB42A14CB94

Function 0040A720 Relevance: 13.6, APIs: 9, Instructions: 89COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567,000A17DC), ref: 0040A75D
#13253.MFC140U(?,00000000), ref: 0040A78C
#13253.MFC140U(?,00000000), ref: 0040A796
#13253.MFC140U(?,00000000), ref: 0040A7A0
#13253.MFC140U(?,00000000), ref: 0040A7AA
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 0040A7AC
#13253.MFC140U(?,?), ref: 0040A7C9
#13960.MFC140U(?), ref: 0040A7F0
#1067.MFC140U(00007000,?,?,?), ref: 0040A826

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#13960#360rand
String ID:
API String ID: 1347462944-0
Opcode ID: 5e0b39a9574d0947dcff620a0637a6c4385efb07422a55bb7d5043be2b745dea
Instruction ID: bd1fcabc629f4c6a82196455e7e080621457957abdfde0425b6b7b216c98763c
Opcode Fuzzy Hash: 5e0b39a9574d0947dcff620a0637a6c4385efb07422a55bb7d5043be2b745dea
Instruction Fuzzy Hash: EB314231C04209EFDF15DF94C845BEEBBB5EF08314F20425AE825722A0DB792A05CBA4

Function 00418670 Relevance: 13.6, APIs: 9, Instructions: 63windowthreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0041868A
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 004186A5
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004186B6
TerminateThread.KERNEL32(00000000), ref: 004186CB
TerminateThread.KERNEL32(00000000), ref: 004186D5
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00016740,00000000,00000000,00000000,00000000,0049BF84), ref: 00418703
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,004165F0,00000000,00000000,00000000), ref: 00418719
CloseHandle.KERNEL32 ref: 0041872F
CloseHandle.KERNEL32 ref: 00418737

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$CloseHandleTerminateThread_beginthreadex
String ID:
API String ID: 1914339545-0
Opcode ID: 421e8d4a16c3006beeabd54236c519d1c754c95002371df9ee6e569212c3ad90
Instruction ID: e63f403e1ec21c13b1bc233aa4cb6bcd3ffac5f22c3be3360d83c36713ec8626
Opcode Fuzzy Hash: 421e8d4a16c3006beeabd54236c519d1c754c95002371df9ee6e569212c3ad90
Instruction Fuzzy Hash: 78112A30B80315BAEB312B61AC47F567EA4EB01B50F25013ABB147A1F4DAE638109E8C

Function 00404327 Relevance: 13.6, APIs: 9, Instructions: 51COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 0040432D
#8.WS2_32(?), ref: 00404349
#8.WS2_32(?), ref: 0040435A
#8.WS2_32(?), ref: 0040436B

Part of subcall function 00413EA0: atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?), ref: 00413EF6

#4815.MFC140U(?,0049B244,00000000), ref: 0040439F
#13656.MFC140U(?,00000006,?), ref: 004043BC
#4815.MFC140U(?,0049B244,?), ref: 004043CF
#13656.MFC140U(?,00000007,?), ref: 004043ED
#4815.MFC140U(?,0049B244,?), ref: 00404405

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #4815$#13656$#296atoi
String ID:
API String ID: 4193521977-0
Opcode ID: 7981a2eb06a7fb63554ff9f0c9ac5571b5839c0d098f63da42ed7e9fdda88e36
Instruction ID: c8df7a5840e46cc7020f652d9af95cd62c2e88592cdc00435e103797b8d396f5
Opcode Fuzzy Hash: 7981a2eb06a7fb63554ff9f0c9ac5571b5839c0d098f63da42ed7e9fdda88e36
Instruction Fuzzy Hash: 3D211AB1902618EFDB21AF64DD45E9DBBB9FF88300F0104E9E209A3262D7316B41DF48

Function 00420E20 Relevance: 12.5, APIs: 10, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000018,?,?,00401145), ref: 00420E4E
HeapAlloc.KERNEL32(00000000,?,?,00401145), ref: 00420E5B
InitializeCriticalSection.KERNEL32(00000000,?,?,00401145), ref: 00420E60
GetProcessHeap.KERNEL32(00000008,0000000C,?,?,00401145), ref: 00420E76
HeapAlloc.KERNEL32(00000000,?,?,00401145), ref: 00420E79
GetProcessHeap.KERNEL32(00000008,00000018,?,?,00401145), ref: 00420E8E
HeapAlloc.KERNEL32(00000000,?,?,00401145), ref: 00420E91
InitializeCriticalSection.KERNEL32(00000000,?,?,00401145), ref: 00420E96
GetProcessHeap.KERNEL32(00000008,0000000C,?,?,00401145), ref: 00420EA6
HeapAlloc.KERNEL32(00000000,?,?,00401145), ref: 00420EAD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Heap$AllocProcess$CriticalInitializeSection
String ID:
API String ID: 301627333-0
Opcode ID: ec6b509aa7cb181004ffb490a247b97bd0338f8a96334acccbb5a45e89d2253c
Instruction ID: e5ea08ceaaf1551da8ed42b5bbd3334d3f5d7004e634a55eadef8e311c65a44b
Opcode Fuzzy Hash: ec6b509aa7cb181004ffb490a247b97bd0338f8a96334acccbb5a45e89d2253c
Instruction Fuzzy Hash: AE012CB1542314AFE3505F64AC5CB1F3EA8FB8AB51F48851DE6049B2E0CBBD58048B9D

Function 00436150 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 172fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,0042E2F7), ref: 00436220
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0042E2F7), ref: 004362E6
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0048E040,?,?,?,?,?,?,?,?,?,0042E2F7), ref: 0043632F

Strings

ignoring failed cookie_init for %s, xrefs: 004361B4
WARNING: failed to open cookie file "%s", xrefs: 0043633E
Set-Cookie:, xrefs: 00436273
<H, xrefs: 004361EB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: <H$Set-Cookie:$WARNING: failed to open cookie file "%s"$ignoring failed cookie_init for %s
API String ID: 4110152555-4089046933
Opcode ID: 8b3b5b1189a5648a3a89316203091838d71e4fa52204b678e2cac1783a4f2cc2
Instruction ID: bc716e1ecbde2c8de2e90a91e8779312e01fef2ff0be75b0c7d0b1a661e34e1e
Opcode Fuzzy Hash: 8b3b5b1189a5648a3a89316203091838d71e4fa52204b678e2cac1783a4f2cc2
Instruction Fuzzy Hash: 22518C715043467ADB20AB255C01BDB7B985F5D30CF06445EFD8857343D7ADE90883AE

Function 0041CA60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,BEE31567), ref: 0041CA9C
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,BEE31567), ref: 0041CAAF
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,BEE31567), ref: 0041CAC4
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0049B6D0,?,?,?,?,?,BEE31567), ref: 0041CC22
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,BEE31567), ref: 0041CC39
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,BEE31567), ref: 0041CC40

Part of subcall function 0040D850: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,Et@,?,0040D7FF,?,?,?,?,00407445,?), ref: 0040D881

Strings

%s\GZXIP.db, xrefs: 0041CAD7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderPathSpecialXlength_error@std@@fclosefopenfwrite
String ID: %s\GZXIP.db
API String ID: 1743414663-1600395696
Opcode ID: 263fc70bc1bcd9470de833f8150b0167740eba032dab044f91e78d03e9c5d4dc
Instruction ID: f19e30922cd898f1899c6fdca0abea80191b500f1cef74c052483a5aab8d29da
Opcode Fuzzy Hash: 263fc70bc1bcd9470de833f8150b0167740eba032dab044f91e78d03e9c5d4dc
Instruction Fuzzy Hash: 5851C771E802289BDB20DF58DDC5BDEB7B8EB58700F1501AEE91DA3241D7746E808F98

Function 004104C0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,?,?), ref: 0041056E
inet_ntop.WS2_32(00000002,?,?,00000041), ref: 004105EB
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(004205D0,?,?,BEE31567), ref: 00410656
freeaddrinfo.WS2_32(?,?,?,BEE31567), ref: 00410693

Strings

"!, xrefs: 00410621
IPv6, xrefs: 004105D7
IPv4, xrefs: 004105CD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@freeaddrinfogetaddrinfoinet_ntop
String ID: "!$IPv4$IPv6
API String ID: 522950934-3298937247
Opcode ID: f56b2e5b0738bfaca1b43b14ce5e0fbce617cab55a42f1b50fbb89bf62de9723
Instruction ID: 35e6abf3ce107621189b11c6a38b3b2b590cb1b0984561b3214c7e9aea1cc206
Opcode Fuzzy Hash: f56b2e5b0738bfaca1b43b14ce5e0fbce617cab55a42f1b50fbb89bf62de9723
Instruction Fuzzy Hash: 2151C131E002589FDF24DB60C915BEEBBB5EF45704F1081AEE446A7242DBB95DC48F94

Function 0040F020 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 81stringsleepCOMMON

Download Yara Rule

APIs

#52.WS2_32(8004667E,00000000,-00000001), ref: 0040F03E
lstrcpyA.KERNEL32(?,?), ref: 0040F0AE
lstrlenA.KERNEL32(?), ref: 0040F0B5
#19.WS2_32(00000000,00000104,-00000009,00000000), ref: 0040F0CA
Sleep.KERNEL32(00000050), ref: 0040F0DA
#16.WS2_32(00000000,00000104,00000400,00000000), ref: 0040F0F0

Strings

Z, xrefs: 0040F110

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Sleeplstrcpylstrlen
String ID: Z
API String ID: 3101173748-1505515367
Opcode ID: edc9eae5f8fdbc54f7df3f9a4d89b2893bf081d19cc57df6b6549213e35c9f82
Instruction ID: 858a4e28f38b8658fa3ef749aa2f1c59197c817ac6fed5a0b7191ba8bcc2bc1e
Opcode Fuzzy Hash: edc9eae5f8fdbc54f7df3f9a4d89b2893bf081d19cc57df6b6549213e35c9f82
Instruction Fuzzy Hash: 4721B1B1A002589FDB20DF689C04B9E7BB8EF55300F0085FAE605EB292D7749A49CB94

Function 0040B970 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040B9C7
#8.WS2_32(00000001,00000003,00000000), ref: 0040B9E1
GetTickCount.KERNEL32 ref: 0040B9F4
#8.WS2_32(00000000), ref: 0040B9FB

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#8.WS2_32(00000000,00000003,00000000), ref: 0040BA0F

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#1067.MFC140U(?,00000000,?,?), ref: 0040BA35

Strings

Nr, xrefs: 0040B9A8

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID: Nr
API String ID: 968516752-2435342436
Opcode ID: c8fb828f44971607f0350b145d55be6c0f2a84e5116a7f7f6893d950d1ab34d9
Instruction ID: 8ec309e6f01a503b4e892a2d61983517f19221b801598074037f9938b81cb166
Opcode Fuzzy Hash: c8fb828f44971607f0350b145d55be6c0f2a84e5116a7f7f6893d950d1ab34d9
Instruction Fuzzy Hash: 00217F72D00218ABDB01DFA4DD56BDEB7B8EF58704F20412AF90577290EB752A048BA8

Function 0040BDB0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040BE07
#8.WS2_32(00000001,00000003,00000000), ref: 0040BE21
GetTickCount.KERNEL32 ref: 0040BE34
#8.WS2_32(00000000), ref: 0040BE3B

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#8.WS2_32(00000000,00000003,00000000), ref: 0040BE4F

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

Part of subcall function 0040BA60: #360.MFC140U(BEE31567,00000000), ref: 0040BAAE
Part of subcall function 0040BA60: #13960.MFC140U(?,000000FF), ref: 0040BAC7
Part of subcall function 0040BA60: #13253.MFC140U(?,000000FF), ref: 0040BAF3
Part of subcall function 0040BA60: #13253.MFC140U(?,000000FF), ref: 0040BB00
Part of subcall function 0040BA60: #13960.MFC140U(00000000,000000FF), ref: 0040BB0E
Part of subcall function 0040BA60: #9.WS2_32(0040BE75), ref: 0040BB26
Part of subcall function 0040BA60: #13960.MFC140U(00000000,000000FF), ref: 0040BB3E
Part of subcall function 0040BA60: #13960.MFC140U(?,000000FF), ref: 0040BB5B
Part of subcall function 0040BA60: memcpy.VCRUNTIME140(?,?,0040BE73), ref: 0040BB6B
Part of subcall function 0040BA60: memset.VCRUNTIME140(?,00000000), ref: 0040BB85

#1067.MFC140U(?,00000000,?,?), ref: 0040BE76

Strings

PP@, xrefs: 0040BDB0

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253#13960$#360$#1067CountTickmemcpymemset
String ID: PP@
API String ID: 1337588413-1603988326
Opcode ID: d592203cb5a116f82257798a6b9abcf1c513b2ab5cee43a9a1f1bdbe6c89b97a
Instruction ID: f1accca3225bd5d9e4361ef89b006b7aff21d24f93d4c5a0f92acdb66e4bbc57
Opcode Fuzzy Hash: d592203cb5a116f82257798a6b9abcf1c513b2ab5cee43a9a1f1bdbe6c89b97a
Instruction Fuzzy Hash: AF216D72D0021CABDB01DFA4DD56BDEB7B9FF58704F10412AF90577290EB756A048BA8

Function 004191F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(BEE31567,00000000,00000100,BEE31567), ref: 0041922C
GetWindowTextA.USER32(?,BEE31567,00000100), ref: 0041924E
P_UserReg.PLFL32(004A6468,004A6468,BEE31567,llk,llk,llk,?,BEE31567), ref: 00419274
#290.MFC140U(00000000,?,BEE31567), ref: 00419281
#13806.MFC140U(00000000,?,00000001,?,BEE31567), ref: 0041929E
#1045.MFC140U(?,BEE31567), ref: 004192AA

Strings

llk, xrefs: 00419254, 00419259, 0041925E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#13806#290TextUserWindowmemset
String ID: llk
API String ID: 2154680559-2913236781
Opcode ID: 7a1030f733d61f67438cd43369f2166828f2703583b6d8990824659c22f33f67
Instruction ID: 88bf3b98155fbcef51d5aef397abbad5b5a2ac696c2391c08c98e5f30e29800f
Opcode Fuzzy Hash: 7a1030f733d61f67438cd43369f2166828f2703583b6d8990824659c22f33f67
Instruction Fuzzy Hash: CC119371A40218AFD714DB90DD46FE977B8FB08B00F40056EFA15962D0DBB46944CB69

Function 004177E0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 55networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(UrlTest,00000000,00000000,00000000,00000000), ref: 00417800
InternetOpenUrlA.WININET(00000000,http://27.25.156.102:9999/style.html,00000000,00000000,04000000,00000000), ref: 0041781B
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 00417844
InternetCloseHandle.WININET(00000000), ref: 00417850
InternetCloseHandle.WININET(00000000), ref: 0041785C

Strings

UrlTest, xrefs: 004177FB
http://27.25.156.102:9999/style.html, xrefs: 00417815

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: UrlTest$http://27.25.156.102:9999/style.html
API String ID: 3121278467-1624257775
Opcode ID: dc396adc7c40723c1e89c5254ec080ff89f9ea35c3a4cd3e80657b090f96f083
Instruction ID: dacabea4e082084eb5ea37119036031ddfebf488a364f33117ce2a605e42dad7
Opcode Fuzzy Hash: dc396adc7c40723c1e89c5254ec080ff89f9ea35c3a4cd3e80657b090f96f083
Instruction Fuzzy Hash: BB012D71A00219AFD7205A66AD48FAB7B7CEBC6B10F10047DFE05A2250DB749D45CBA8

Function 00419ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000200,00000000,00000200,BEE31567), ref: 00419F09
#296.MFC140U(?,?,BEE31567), ref: 00419F17
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000,?,?,BEE31567), ref: 00419F31
#4815.MFC140U(?,%s\IPsET.ini,?,?,?,BEE31567), ref: 00419F4A
WritePrivateProfileStringW.KERNEL32(0049B89C,0049BA40,0049C0B0,?), ref: 00419F68
#1045.MFC140U ref: 00419F7E

Strings

%s\IPsET.ini, xrefs: 00419F44

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296#4815FolderPathPrivateProfileSpecialStringWritememset
String ID: %s\IPsET.ini
API String ID: 4053994538-2680549692
Opcode ID: a8665c0ace77e9db201b11a140beb222e240eaa8d5e3b8522824ae010e5693b5
Instruction ID: 61ea65277ffcaa7ac63a19f9d693b7c303d9effc35b1696a315aa2254083f30c
Opcode Fuzzy Hash: a8665c0ace77e9db201b11a140beb222e240eaa8d5e3b8522824ae010e5693b5
Instruction Fuzzy Hash: DC11427198021CAFDB10EF90ED49BDDBB78FB14704F5005BAF919A22D0DBB466448F99

Function 00412EA0 Relevance: 12.2, APIs: 8, Instructions: 153stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,BEE31567), ref: 00412F30
memset.VCRUNTIME140(00000000,00000000,BEE31567,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F4B
memcpy.VCRUNTIME140(00000000,?,BEE31566,00000000,00000000,BEE31567,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F5A
#265.MFC140U(004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F78
memset.VCRUNTIME140(00000000,00000000,004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8,000000FF), ref: 00412F85
memcpy.VCRUNTIME140(BEE31567,004886A8,?,00000000,00000000,004886AA,?,?,?,?,?,?,00000000,?,BEE31567,004886A8), ref: 00412F94
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,BEE31567,BEE31567,004886A8,?,00000000,00000000,004886AA,?,?,?,?,?,?,00000000), ref: 00412F9D
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00413009

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memcpymemsetstrtok$#265malloc
String ID:
API String ID: 625984484-0
Opcode ID: 76f59d0ca67e3f384cb80cc8fb038b353ebb3f73c53b186db78c1be116d4f034
Instruction ID: 0056f798f9c5918aa1b9a933eddf05062e7cb2a14d614bf940511b506d21ec0c
Opcode Fuzzy Hash: 76f59d0ca67e3f384cb80cc8fb038b353ebb3f73c53b186db78c1be116d4f034
Instruction Fuzzy Hash: FF515972D002199BCF11CFA9D980AEEFBB4FF48310F24416EE805B7310D77969469BA8

Function 0040B620 Relevance: 12.1, APIs: 8, Instructions: 81COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040B671
#8.WS2_32(00000001,00000003,00000000), ref: 0040B68B
GetTickCount.KERNEL32 ref: 0040B69E
#8.WS2_32(00000000), ref: 0040B6A5

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#13253.MFC140U(00000000,00000001,?,?,?,?,?,?,?,?,00000000,00487F09), ref: 0040B6D0
#13253.MFC140U(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00487F09), ref: 0040B6DA
#13253.MFC140U(00000000,00000002,?,?,?,?,?,?,?,?,00000000,00487F09), ref: 0040B6E4
#1067.MFC140U(?,00000000,?,00000000,?,?,?,?,?,?,?,?,00000000,00487F09), ref: 0040B6FC

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 98a24c6b7892dba0d762c6ef1c5de26fc49252729f63082c14d22fe606bdb2e9
Instruction ID: 2111efccd8f8337e44c975f3a9b1a1bbe6717611579a07efc47c4ad0670370b7
Opcode Fuzzy Hash: 98a24c6b7892dba0d762c6ef1c5de26fc49252729f63082c14d22fe606bdb2e9
Instruction Fuzzy Hash: DE319C31E0021DABDF11DFA1DD56BEEBBB5EB48704F20416AE501762D0EB752A04CB98

Function 0040D080 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040D0D1
#8.WS2_32(00000000,00000003,00000000), ref: 0040D0EB
GetTickCount.KERNEL32 ref: 0040D0FE
#8.WS2_32(00000000), ref: 0040D105

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13253.MFC140U(?,00000000), ref: 0040D122
#13253.MFC140U(?,00000000), ref: 0040D12C
#13253.MFC140U(?,00000000), ref: 0040D136
#1067.MFC140U(?,?,?,?), ref: 0040D154

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: dd39f7aaa9a8f28af6c756f1c1a36b3e77bbd440508a9e62e34df4a11d44e2df
Instruction ID: 56d81be1ad41b2600791e1cc00f36e85c5443b99f17de02336ec947df468ad06
Opcode Fuzzy Hash: dd39f7aaa9a8f28af6c756f1c1a36b3e77bbd440508a9e62e34df4a11d44e2df
Instruction Fuzzy Hash: C6319E72D0021DABDB01DFA1DD55BEEBBB8FF48704F20412AE91577290EB752A14CBA4

Function 0040C620 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C671
#8.WS2_32(?,00000003,00000000), ref: 0040C68B
GetTickCount.KERNEL32 ref: 0040C69E
#8.WS2_32(00000000), ref: 0040C6A5

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13253.MFC140U(?,00000000), ref: 0040C6C2
#13253.MFC140U(?,00000004), ref: 0040C6CC
#13253.MFC140U(?,00000000), ref: 0040C6D6
#1067.MFC140U(?,?,?,?), ref: 0040C6F4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: d58fe33ba138681c1cc8e985f48f085ebc0bee42b7ddb24d263be1948b4fa11e
Instruction ID: 3af266108e253e287a89911e4ac9bd88bd856a2c94d2be180498154f354608c5
Opcode Fuzzy Hash: d58fe33ba138681c1cc8e985f48f085ebc0bee42b7ddb24d263be1948b4fa11e
Instruction Fuzzy Hash: 2531CE72D0021DABDB01DFA1DD45BEEBBB8FF48710F10412AE90173290EB752A04CBA8

Function 0040B440 Relevance: 12.1, APIs: 8, Instructions: 73COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040B494
#8.WS2_32(00000000), ref: 0040B4A4
#13960.MFC140U(00000000,000000FF), ref: 0040B4B8
GetTickCount.KERNEL32 ref: 0040B4C4
#8.WS2_32(00000000), ref: 0040B4CB
#13960.MFC140U(00000000,000000FF), ref: 0040B4DF
#13253.MFC140U(?,00000001), ref: 0040B4F3
#1067.MFC140U(00009700,00000000,?,?), ref: 0040B510

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13960$#1067#13253#360CountTick
String ID:
API String ID: 186925754-0
Opcode ID: 021ef694387947eb0a964129ebb8517a7bc3a1b77328d49908e50fbc869bb662
Instruction ID: 8ff5b150676e8532470ea9bf45f644fc2dca5c68495d56934e9b01f1a464ec5a
Opcode Fuzzy Hash: 021ef694387947eb0a964129ebb8517a7bc3a1b77328d49908e50fbc869bb662
Instruction Fuzzy Hash: C9313A76800219DFDB05DFA0DD44BEDBBB4FB48714F20466EE922B3290DB356904CB64

Function 004412F0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 238stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A), ref: 004413CB
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?,00000000), ref: 004413E5

Strings

Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 00441582
Connecting to hostname: %s, xrefs: 0044143C
Connecting to port: %d, xrefs: 00441471
%s%s%s, xrefs: 0044135F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: strchrstrtol
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$Connecting to hostname: %s$Connecting to port: %d
API String ID: 1008397618-2774090736
Opcode ID: dd6d4d808e430f29948e3f2d7965659838a6cbe2c0a53b3bf545a4630dbb2c73
Instruction ID: 776daa33b80536f1b8375fa695c268cb56dd35bcb945eaf3d42aa28034d5a4de
Opcode Fuzzy Hash: dd6d4d808e430f29948e3f2d7965659838a6cbe2c0a53b3bf545a4630dbb2c73
Instruction Fuzzy Hash: E1810370604741AFF710AF28C841BABBBD4FF85318F04062EE95987352E779E9548B96

Function 00420180 Relevance: 10.7, APIs: 7, Instructions: 188COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(BEE31567,BEE31567,?,?,?,00410631,004205D0,?,?,BEE31567), ref: 0042023B
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,BEE31567,BEE31567,?,?,?,00410631,004205D0,?,?,BEE31567), ref: 0042029D
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,004205D0,00000000,BEE31567,BEE31567,?,?,?,00410631,004205D0,?,?,BEE31567), ref: 004202CB
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,00410631,004205D0,?,?,BEE31567), ref: 00420300
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,00410631,004205D0,?,?,BEE31567), ref: 00420378
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00410631,004205D0,?,?,BEE31567), ref: 00420385
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?,00410631,004205D0,?,?,BEE31567), ref: 00420394

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 065aa37963a8d3883ac57b8217eb857055697fedf7bec91c131bae640028bb45
Instruction ID: 4ee8db516767a09eaf5f7f5b995cf0fd5ad34dad2cdec68557661945325209fb
Opcode Fuzzy Hash: 065aa37963a8d3883ac57b8217eb857055697fedf7bec91c131bae640028bb45
Instruction Fuzzy Hash: 2A719035B01215CFDB14CF58D588BAEBBF1BF49314F6882AAD815AB3A2C7359C01CB58

Function 004203D0 Relevance: 10.7, APIs: 7, Instructions: 161COMMON

Download Yara Rule

APIs

?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ.MSVCP140(BEE31567,BEE31567,?,?,?,0041063E,004205D0,?,?,BEE31567), ref: 00420464
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,BEE31567,BEE31567,?,?,?,0041063E,004205D0,?,?,BEE31567), ref: 004204B8
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,BEE31567,BEE31567,?,?,?,0041063E,004205D0,?,?,BEE31567), ref: 004204EC
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,0041063E,004205D0,?,?,BEE31567), ref: 00420517
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,0041063E,004205D0,?,?,BEE31567), ref: 00420582
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,0041063E,004205D0,?,?,BEE31567), ref: 0042058F
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,?,0041063E,004205D0,?,?,BEE31567), ref: 0042059E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
String ID:
API String ID: 1492985063-0
Opcode ID: 48e716f2e67e21c8c189d406d40b919a8f346a62e494afdbdf139e44c4b74dc8
Instruction ID: 5940f1f903015ff34e418d3bbb19381ab95f595740b39aad3ae9a0c43959f585
Opcode Fuzzy Hash: 48e716f2e67e21c8c189d406d40b919a8f346a62e494afdbdf139e44c4b74dc8
Instruction Fuzzy Hash: 5E616975A002109FCB14CF58D594BA9BBF1EF48314FA5819AD905AB3A6C739DC42CF58

Function 00435EB0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000003,00000000,?,00000000,00429E86,00000000,00000001,00000003,00000003,00000000), ref: 00435F4E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000003,00000000,?,00000000,00429E86,00000000,00000001,00000003,00000003,00000000), ref: 00436016

Strings

<H, xrefs: 00435F18
WARNING: failed to open cookie file "%s", xrefs: 0043604C
Set-Cookie:, xrefs: 00435FA3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: __acrt_iob_funcfclose
String ID: <H$Set-Cookie:$WARNING: failed to open cookie file "%s"
API String ID: 4244885452-964704302
Opcode ID: 00d197e43d2235577e8d58bf19b2dcfb981c936bc97171dd278a2b65fc01bbe8
Instruction ID: a91a4e8a2879c098c0b76dd0f4f2db555e6086a3fa2d83dfd5d7a538aec8d7f7
Opcode Fuzzy Hash: 00d197e43d2235577e8d58bf19b2dcfb981c936bc97171dd278a2b65fc01bbe8
Instruction Fuzzy Hash: C9418B70604B467AD7209B385C427DBBBD85F5D308F48186EF99497383E7ADD80983AE

Function 0044CC80 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(if!,?,00000003,?,?,?,0042E7BF,?,?,?,?,?), ref: 0044CC95
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(host!,?,00000005), ref: 0044CCDA

Strings

if!, xrefs: 0044CC90
ifhost!, xrefs: 0044CD1A
host!, xrefs: 0044CCD5

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: strncmp
String ID: host!$if!$ifhost!
API String ID: 1114863663-1045667623
Opcode ID: ae66567f28c230862684402427f6e2d48a928bf00934517741344bfda0911319
Instruction ID: 57cba18577ff12e5789f00a21d00569cca71ebebd0d455c79261c7f738f2686d
Opcode Fuzzy Hash: ae66567f28c230862684402427f6e2d48a928bf00934517741344bfda0911319
Instruction Fuzzy Hash: 6E311672B092106FF7109B2DEC41B5B3FD9DFC5769F08403AF84C9B281E626D91587AA

Function 0040EED0 Relevance: 10.6, APIs: 7, Instructions: 116networkCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000030,?,?,00000000,?,?,0040BD6A,00000000,?), ref: 0040EF1D
memset.VCRUNTIME140(00000000,00000000,00000030,?,?,0040BD6A,00000000,?), ref: 0040EF2A
#265.MFC140U(0040BD66,?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0040EF46
memcpy.VCRUNTIME140(-00000004,?,?,?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0040EF6B
WSASend.WS2_32(00000000,0040BD6A,00000001,00000024,00000000,00000000,00000000), ref: 0040EF98
#111.WS2_32(?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0040EFA2

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #111#1511#265Sendmemcpymemset
String ID:
API String ID: 427405811-0
Opcode ID: 05abd8a05e47607547a0b237ba5e9421fbc1212fa3ab13e374f24d361be2be42
Instruction ID: 050b380f5066d000b2825aef8fd7ec2c1868d245564647fe467a49339307afcc
Opcode Fuzzy Hash: 05abd8a05e47607547a0b237ba5e9421fbc1212fa3ab13e374f24d361be2be42
Instruction Fuzzy Hash: 344182B1A00214AFE700DF59D885BAEB7A8FF08314F10457BE909AB382D7799950CBD5

Function 0040C720 Relevance: 10.6, APIs: 7, Instructions: 88COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567,00000000,?,?,00000000,00487FE9,000000FF), ref: 0040C76D
#13253.MFC140U(00487FE9,00000000,?,?,00000000,00487FE9,000000FF), ref: 0040C79E
#13253.MFC140U(00487FE9,0000001E,?,?,00000000,00487FE9,000000FF), ref: 0040C7A8
#8.WS2_32(00000012,00000003,00000000,?,?,00000000,00487FE9,000000FF), ref: 0040C7B5

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#8.WS2_32(?,00000003,00000000,?,?,?,?,?,00000000,00487FE9,000000FF), ref: 0040C7DA

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#8.WS2_32(?,00000003,00000000,?,?,?,?,?,?,?,00000000,00487FE9,000000FF), ref: 0040C7F0

Part of subcall function 0040A460: #360.MFC140U ref: 0040A4AB
Part of subcall function 0040A460: #13960.MFC140U(00000000,000000FF), ref: 0040A4C7
Part of subcall function 0040A460: memcpy.VCRUNTIME140(?,?,0040C80D), ref: 0040A4D7
Part of subcall function 0040A460: memset.VCRUNTIME140(?,00000000,?,?,?,00001000,?,?,0040C80D), ref: 0040A4F1
Part of subcall function 0040A460: #360.MFC140U ref: 0040A532
Part of subcall function 0040A460: #9.WS2_32(00004C68), ref: 0040A541
Part of subcall function 0040A460: #13960.MFC140U(?,000000FF), ref: 0040A55F
Part of subcall function 0040A460: #13960.MFC140U(?,000000FF), ref: 0040A578
Part of subcall function 0040A460: #8.WS2_32(00000000), ref: 0040A591
Part of subcall function 0040A460: #13960.MFC140U(00000004,000000FF), ref: 0040A5A5

#1067.MFC140U(00000000,00487FE9,?,?,?,?,?,?,?,?,?,00000000,00487FE9,000000FF), ref: 0040C810

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253#13960$#360$#1067memcpymemset
String ID:
API String ID: 3371183394-0
Opcode ID: 71a98a8e21b9694bc9dcfe4899383a03b633e16959baf9acff6157b2c21e9f73
Instruction ID: 9b80563345f757a87a9f95fb70b066f320fbc416a6386d99ec76c316e2b4ec20
Opcode Fuzzy Hash: 71a98a8e21b9694bc9dcfe4899383a03b633e16959baf9acff6157b2c21e9f73
Instruction Fuzzy Hash: 69313531E2021DABDB01DFA4EC51FEEBBB5EF58714F10412AF911762A1EBB42604CB94

Function 00405DB0 Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140(?,BEE31567,?,?,?,?,00487A5F,000000FF,?,004062DF,?,?,?), ref: 00405DEA
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?,?,?,?,?,?,?,?,?,00402D8D,?,?,?,?,?), ref: 00405DF8
IsBadReadPtr.KERNEL32(?,00000001), ref: 00405E1E
#13960.MFC140U(00010000,000000FF), ref: 00405E41
memcpy.VCRUNTIME140(00000001,?,00010000), ref: 00405E59
_Mtx_unlock.MSVCP140 ref: 00405E72
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00405E80

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: C_error@std@@Throw_$#13960Mtx_lockMtx_unlockReadmemcpy
String ID:
API String ID: 3090807381-0
Opcode ID: 808f91c6fe87b69100032aa09447d0180856836a165dc131a9ac75a83afea729
Instruction ID: 9029385c600dc6f4144f136c491260e42bf11bb60041f39ccd1be3f476ec020f
Opcode Fuzzy Hash: 808f91c6fe87b69100032aa09447d0180856836a165dc131a9ac75a83afea729
Instruction Fuzzy Hash: 73218D72A04604AFDB108F59DC48B5F77A8EB44394F08453AFC09DB292D77AEA50CF99

Function 0040C1A0 Relevance: 10.6, APIs: 7, Instructions: 77COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040C1F7
#8.WS2_32(00000001,00000003,00000000), ref: 0040C211
GetTickCount.KERNEL32 ref: 0040C224
#8.WS2_32(00000000), ref: 0040C22B

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#8.WS2_32(?,00000003,00000000), ref: 0040C23F

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#13253.MFC140U(?,00000008), ref: 0040C256
#1067.MFC140U(?,00000000,?,?), ref: 0040C273

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 727f09506c2c7b9d22191759defa9971d4bc8cbfc4b761966937463d8fc1da99
Instruction ID: 18ecc3bb18ceb2d3fe352474357d8a081f2fd9fddaba3c4dc6f6dd723c3257cb
Opcode Fuzzy Hash: 727f09506c2c7b9d22191759defa9971d4bc8cbfc4b761966937463d8fc1da99
Instruction Fuzzy Hash: 54316172D00218EBDB01DFA0DD55BEEB7B4EB58704F10412AF901B7290EB752A04CB94

Function 0040C400 Relevance: 10.6, APIs: 7, Instructions: 66sleepCOMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C450
#8.WS2_32(00000001,00000003,00000000), ref: 0040C464
GetTickCount.KERNEL32 ref: 0040C47B
#8.WS2_32(00000000), ref: 0040C482

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13253.MFC140U(?,00000000,?,?,?,?,?,?,?,00487E29), ref: 0040C49D
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,00487E29), ref: 0040C4A8
#1067.MFC140U(?,?,?,?,?,?,?,?,?,?,?,00487E29), ref: 0040C4C5

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountSleepTick
String ID:
API String ID: 2122152419-0
Opcode ID: 17d018f57e341f4e57cebe3f67fa180ffb43dbca3e1e1e5a9736893d7a8f088f
Instruction ID: 91ba8f31ba63169bdee977bfb622044a798384abe507a99a57afd483e1dafdc8
Opcode Fuzzy Hash: 17d018f57e341f4e57cebe3f67fa180ffb43dbca3e1e1e5a9736893d7a8f088f
Instruction Fuzzy Hash: E5218171D00209EFDB01DFA0DD49BEDB7B5FB58700F10452AF50276290EB755A04CB98

Function 004192D0 Relevance: 10.6, APIs: 7, Instructions: 62COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,BEE31567), ref: 0041930C
memset.VCRUNTIME140(BEE31567,00000000,00000100,?,00000000,00000100,BEE31567), ref: 0041931F
GetWindowTextA.USER32(?,?,00000100), ref: 00419341
P_CardReCharge.PLFL32(004A6468,?,BEE31567,?,?,?,?,BEE31567), ref: 0041935A
#290.MFC140U(00000000,?,?,?,?,BEE31567), ref: 00419367
#13806.MFC140U(00000000,?,00000001,?,?,?,?,BEE31567), ref: 00419384
#1045.MFC140U(?,?,?,?,BEE31567), ref: 00419390

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$#1045#13806#290CardChargeTextWindow
String ID:
API String ID: 593434437-0
Opcode ID: 8ed0763e18610266b980b1f3602ed6c5b17fb731e9ed56f2f0bacb2316d4129c
Instruction ID: 0a0526654255b2416e1eeac4891359ec65049e8438e7a35ae875d29a13c501a0
Opcode Fuzzy Hash: 8ed0763e18610266b980b1f3602ed6c5b17fb731e9ed56f2f0bacb2316d4129c
Instruction Fuzzy Hash: CC216F7194021CAFDB10EB94DC4AFEE77BCFB08700F4005AEE61596290DBB46A44CFA8

Function 00411920 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 46COMMON

Download Yara Rule

APIs

GetDriveTypeA.KERNEL32(?), ref: 0041195D
GetFileAttributesA.KERNEL32(004A66D0), ref: 00411995
CreateDirectoryA.KERNEL32(004A66D0,00000000), ref: 004119A7

Strings

C:\LogInfo, xrefs: 0041196B
%sLogInfo, xrefs: 0041197E
:\, xrefs: 0041194D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AttributesCreateDirectoryDriveFileType
String ID: %sLogInfo$:\$C:\LogInfo
API String ID: 2909124512-3053162047
Opcode ID: 7ebb0effb263893ec3680a63180a142731c509904f34942ff7c3e4b713aa9e5f
Instruction ID: b83a676dce036d825943f061077a9905d0ccc9a6b475467ad77f29c0e8bffc60
Opcode Fuzzy Hash: 7ebb0effb263893ec3680a63180a142731c509904f34942ff7c3e4b713aa9e5f
Instruction Fuzzy Hash: 35014C70A4421C9FD7109F54AD46BEEBBA8DB12300F2400E7E454A23A2C7B859C5CF9E

Function 0040EBF0 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

#266.MFC140U(?), ref: 0040EC4D
#265.MFC140U(00000000), ref: 0040EC5A

Part of subcall function 0040EDD0: #266.MFC140U(?,?,?), ref: 0040EDEA
Part of subcall function 0040EDD0: #21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE30
Part of subcall function 0040EDD0: #22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE39
Part of subcall function 0040EDD0: #3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE40

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266$#265
String ID:
API String ID: 4253771692-0
Opcode ID: f886a7b471827ee4836f509f14f7f844698135c8190e7a710fc5fbb44683d065
Instruction ID: a5d84c493bdb525a39e984c30a47f7398a80d10c584c5655942ddb8f407c8ff5
Opcode Fuzzy Hash: f886a7b471827ee4836f509f14f7f844698135c8190e7a710fc5fbb44683d065
Instruction Fuzzy Hash: B641B5B1100601AFEB209F16D885B1BFBB5FF04314F148A3EE54A96691C336F865CF99

Function 00426180 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,BEE31567), ref: 004261B5
??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 004261D1
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140 ref: 004261F5
??1_Lockit@std@@QAE@XZ.MSVCP140 ref: 00426262

Part of subcall function 00426650: #1511.MFC140U(00000010,BEE31567,?,00000000,?), ref: 00426696
Part of subcall function 00426650: ??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000), ref: 004266CD
Part of subcall function 00426650: ??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 004266E8
Part of subcall function 00426650: ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 004266FD
Part of subcall function 00426650: ??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 00426722

_CxxThrowException.VCRUNTIME140(0049B58C,004A0B90), ref: 00426241
std::_Facet_Register.LIBCPMT ref: 00426257

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Locinfo@std@@$??0_??1_Lockit@std@@$#1511??0facet@locale@std@@Bid@locale@std@@Collvec@@ExceptionFacet_Getcoll@_Getgloballocale@locale@std@@Locimp@12@RegisterThrowstd::_
String ID:
API String ID: 3263588663-0
Opcode ID: 7e2abe1366e75677c320db6fe7976c6f44ddd4ab9ce7c9a4e7eade267635a345
Instruction ID: 6bd2b7af95da0fde611d7f066ddd8310f4c0f6922d7b01c9427b0fdba838900b
Opcode Fuzzy Hash: 7e2abe1366e75677c320db6fe7976c6f44ddd4ab9ce7c9a4e7eade267635a345
Instruction Fuzzy Hash: BA31C631E00125CFCB10EF94E944AAEBBB5EF58720F5645AEE815A7391D734AD00CBE8

Function 0040D5A0 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040D5F3
#8.WS2_32(00000000,00000003,00000000), ref: 0040D60D
GetTickCount.KERNEL32 ref: 0040D620
#8.WS2_32(00000000), ref: 0040D627

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

GetTickCount.KERNEL32 ref: 0040D6B8
#1067.MFC140U ref: 0040D6F9

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253CountTick$#1067#360
String ID:
API String ID: 2502622452-0
Opcode ID: 829bf2d2adde86618a9c96e0201533f149e381afe0760f3c042a18a23d2581d6
Instruction ID: cea5fbc630a1f6563afa85d548f726513b583770615cf108786b5fee276cd2ab
Opcode Fuzzy Hash: 829bf2d2adde86618a9c96e0201533f149e381afe0760f3c042a18a23d2581d6
Instruction Fuzzy Hash: 9F411CB19047089BEB10DFA4D8557DFBBF4EB04704F00851EE92667291DBB526488FD8

Function 004182D0 Relevance: 9.1, APIs: 6, Instructions: 76sleepwindowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 004182FE

Part of subcall function 004151D0: IsBadReadPtr.KERNEL32(?,00000001), ref: 0041521F

SendMessageW.USER32(?), ref: 00418361
#296.MFC140U(00000000,0049BF74), ref: 0041837E
#1045.MFC140U ref: 00418387
Sleep.KERNEL32(00000064), ref: 0041838F
#1045.MFC140U ref: 004183AD

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296$MessageReadSendSleep
String ID:
API String ID: 3293461695-0
Opcode ID: 6ac22cc56a18e587d7967f951d5bcb5ce4771e47af8bd845afd10acae56860ed
Instruction ID: e50d6de2f0124382896c21cefbe6789f2f9919c58ec2b07ccf9f052700394421
Opcode Fuzzy Hash: 6ac22cc56a18e587d7967f951d5bcb5ce4771e47af8bd845afd10acae56860ed
Instruction Fuzzy Hash: 6021D171604209EFC714DFA4DD89BAEBBB4FB45B00F54063EE921972A0DB396844CF99

Function 0040B7F0 Relevance: 9.1, APIs: 6, Instructions: 76COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040B847
#8.WS2_32(00000001,00000003,00000000), ref: 0040B861
GetTickCount.KERNEL32 ref: 0040B874
#8.WS2_32(00000000), ref: 0040B87B

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13960.MFC140U(00000006,000000FF), ref: 0040B896
#1067.MFC140U(?,00000000,?,00000000), ref: 0040B8C4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#13960#360CountTick
String ID:
API String ID: 3313798002-0
Opcode ID: 2d505da1a59e96fc8509630951fe175527ba349197d3620cc93f6670d97c343b
Instruction ID: 8e20217356bbd0446603831de4be1848e012a16fb2f9a1dc19614b4276ea8fe5
Opcode Fuzzy Hash: 2d505da1a59e96fc8509630951fe175527ba349197d3620cc93f6670d97c343b
Instruction Fuzzy Hash: 39316B71D00219EBDB00DFA4DD45BDEB7B8FF48714F20462AE915B7290EB756A04CBA4

Function 0040AEB0 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040AF01
#9.WS2_32(000006A6), ref: 0040AF13
#8.WS2_32(00000000,00000003,00000000), ref: 0040AF2A
GetTickCount.KERNEL32 ref: 0040AF3D
#8.WS2_32(00000000), ref: 0040AF44

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#1067.MFC140U(?,00000000,?,?), ref: 0040AF78

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 14e5569fdd34311817b0e77a3fe4d8d3f0ce664172f3e3b70a26ccbfbbb741c5
Instruction ID: af78f35212905b58d4779ca79a211f35ff3991149153a2cf1bc65f01aaba7b63
Opcode Fuzzy Hash: 14e5569fdd34311817b0e77a3fe4d8d3f0ce664172f3e3b70a26ccbfbbb741c5
Instruction Fuzzy Hash: DB218B72E00218ABDB00DFA4DD06BDEB7B9EB48700F10452AF901B72D1EB752A04CB98

Function 0040C840 Relevance: 9.1, APIs: 6, Instructions: 64COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C890
#8.WS2_32(00000004,00000003,00000000), ref: 0040C8A4
GetTickCount.KERNEL32 ref: 0040C8BB
#8.WS2_32(00000000), ref: 0040C8C2

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#13253.MFC140U(?,00000000,?,?,?,?,?,00403D86,?,?), ref: 0040C8DD
#1067.MFC140U(?,00000012,00403D86,?,?,?,?,?,?,00403D86,?,?), ref: 0040C8FA

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: e089dac6a87c8938255725bb948ff68d0f2485602c62b51e787709e78194e19f
Instruction ID: c1033af2a760dce671122f76a28f2f5ac726f7c457301c40e71e38b1005636b1
Opcode Fuzzy Hash: e089dac6a87c8938255725bb948ff68d0f2485602c62b51e787709e78194e19f
Instruction Fuzzy Hash: 6C216071D00209EFDB05DFA0DD55BEDB7B5FB58700F20452AE90272290EB755A04CB98

Function 00412CD0 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,000000D0,BEE31567), ref: 00412D16
#462.MFC140U(00000064,00000000,?,?,BEE31567), ref: 00412D28
#4092.MFC140U ref: 00412D45
#1113.MFC140U ref: 00412D4E

Part of subcall function 00410020: #3882.MFC140U(BEE31567,0040FC45,8000042E,8000042A), ref: 0041005E

#1111.MFC140U ref: 00412D69
#3833.MFC140U(BEE31567), ref: 00412D71

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1111#1113#3833#3882#4092#462memset
String ID:
API String ID: 1166868588-0
Opcode ID: 2b7ec35187e8d3db87b02e486deb89e5c435b9233f91ff591982f17598328ce4
Instruction ID: 4ea680675a46fd2230b691eb6e63a8eb0ea576660b7ca58c0613f9f27f94022a
Opcode Fuzzy Hash: 2b7ec35187e8d3db87b02e486deb89e5c435b9233f91ff591982f17598328ce4
Instruction Fuzzy Hash: 00119431D00248DFDB14EFA4DC45BACB7B4FB04704F40896EE816A2290DBB85644CF99

Function 00420EC0 Relevance: 9.0, APIs: 6, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 00420EE1
GetProcessHeap.KERNEL32(00000000,?), ref: 00420EEA
HeapFree.KERNEL32(00000000), ref: 00420EF1
DeleteCriticalSection.KERNEL32(?), ref: 00420F21
GetProcessHeap.KERNEL32(00000000,?), ref: 00420F2A
HeapFree.KERNEL32(00000000), ref: 00420F31

Part of subcall function 00420DE0: GetProcessHeap.KERNEL32(00000000), ref: 00420DF7
Part of subcall function 00420DE0: HeapFree.KERNEL32(00000000), ref: 00420DFE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Heap$FreeProcess$CriticalDeleteSection
String ID:
API String ID: 4183614560-0
Opcode ID: 559e632ae26f34d34b2c7bb1c725450116adf4d8d99605f69b4279c03fc1180f
Instruction ID: fb88725d057759e1f839bb9d6f059676377d9461af6b5c1c476eae776808a19b
Opcode Fuzzy Hash: 559e632ae26f34d34b2c7bb1c725450116adf4d8d99605f69b4279c03fc1180f
Instruction Fuzzy Hash: 681115712022209FE714AFA1FD1C76B3AA4EB8A755F49851DE9018B2A5C7BD6840CB9C

Function 00420F90 Relevance: 9.0, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00420F6B,?), ref: 00420FA0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00420F6B,?), ref: 00420FB8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00420F6B,?), ref: 00420FC5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00420F6B,?), ref: 00420FD2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00420F6B,?), ref: 00420FDD
#1513.MFC140U(?,?,00420F6B,?), ref: 00420FE6

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: cbbc445d418a9a1fd920fb09428f20b4fab01b12e77c91566321a62038825394
Instruction ID: d200e7751e1f95916d8398f0a5325839c7420e60ce9eb59c2d1b0ca356586b90
Opcode Fuzzy Hash: cbbc445d418a9a1fd920fb09428f20b4fab01b12e77c91566321a62038825394
Instruction Fuzzy Hash: 2DF0B4302003146FD7286B6CF6AC52E7795EF09305B91482AE803C2312D7759898CF5D

Function 0040D940 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00402481,?,?), ref: 0040D951
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00402481,?,?), ref: 0040D966
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00402481,?,?), ref: 0040D973
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00402481,?,?), ref: 0040D980
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00402481,?,?), ref: 0040D98B
#1513.MFC140U(?,?,00402481,?,?), ref: 0040D994

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: 4949a385fdce5751d75d73055355b56f33fe30fe2b100f2c8d5f62b00bdf8784
Instruction ID: a75e082c867d9bbd300bbde6b9297d650ef75904f0e87f0188a30037f68c338f
Opcode Fuzzy Hash: 4949a385fdce5751d75d73055355b56f33fe30fe2b100f2c8d5f62b00bdf8784
Instruction Fuzzy Hash: 65F054709003005FD7085BECA85C52EB715EB06315B50443AE957D1391C7349888CF5D

Function 0041FBF0 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC00
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC15
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC22
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC2F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC3A
#1513.MFC140U(?,?,0041FC9C,?,?,00000000,00000000,00412FF2), ref: 0041FC43

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: dd38b506b76a30606e866da599ddace4a4336826b37b5cabd1f27949efaf4009
Instruction ID: 3eba2bd769b8af03677063960d6cb1b0cbe11a9a74daddfd90ce9cfe02cb09bd
Opcode Fuzzy Hash: dd38b506b76a30606e866da599ddace4a4336826b37b5cabd1f27949efaf4009
Instruction Fuzzy Hash: 85F09A300002085FD7186B68E4684AE7715EB0A315B50483AED17C1350E72898CA9ADD

Function 0041FB90 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FBA0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FBB4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FBC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FBCE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FBD9
#1513.MFC140U(?), ref: 0041FBE2

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: eaedcd2db1afbedfb52d3d3965e1143e117b2f234a58270ea367681082688990
Instruction ID: 3e475e195c3f69aa148b8ade3e03d9ce09d0908b8b8296b46734a103d7daa9e5
Opcode Fuzzy Hash: eaedcd2db1afbedfb52d3d3965e1143e117b2f234a58270ea367681082688990
Instruction Fuzzy Hash: 6FF082301043049FC7086B78F87C5AE7755EB0A319B60483BE817C1351DB39A8D98B5D

Function 0041FCC0 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FCD0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FCE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FCF2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FCFF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FD0A
#1513.MFC140U(?), ref: 0041FD13

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: 0b0ff9af222b20d1ee840e66fbb704a3616d8408f328bd14a4cd7afd9f6c3046
Instruction ID: 4ea208d784b7e0193c70871825a4eb045366b84bc954ad6be47031e40fa9017a
Opcode Fuzzy Hash: 0b0ff9af222b20d1ee840e66fbb704a3616d8408f328bd14a4cd7afd9f6c3046
Instruction Fuzzy Hash: 37F0BE302002085FC7086B68B8AC1BEBB55FB4A305B90483BED07C5310EB29D8D99A9D

Function 00425570 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 00425580
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 00425595
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 004255A2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 004255AF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 004255BA
#1513.MFC140U(?,?,004256DD,?,00000000,?,?,?,?,?,?,?,?), ref: 004255C3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: 1344864982c78acdce0d4948b0402930ee131c8f0017419f241af34afd062d1b
Instruction ID: 562b7ea03698045c75421d1d10881dc58065b59e467efaabc0cc8aec8c962d22
Opcode Fuzzy Hash: 1344864982c78acdce0d4948b0402930ee131c8f0017419f241af34afd062d1b
Instruction Fuzzy Hash: BEF05E702007146FD7186B68B46C12E77A6EF4A326BD0492AE917C1364DB3899C48B9D

Function 0041FE40 Relevance: 9.0, APIs: 6, Instructions: 29COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567,00000000), ref: 0041FE4E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567,00000000), ref: 0041FE60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567,00000000), ref: 0041FE6D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567,00000000), ref: 0041FE7A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567,00000000), ref: 0041FE85
#1513.MFC140U(00000000,?,0041F7B3,BEE31567,?,BEE31567,?,?,?,0041FEED,00000001,?,00000000,?,0041F983,BEE31567), ref: 0041FE8E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: a29094ba9f150e8ef1aacdbfab15528cc3b5ba4a696f6329a1c0f7cec739a8b0
Instruction ID: 969fbb3fe51e3989e1ce2d01edc7179b0b46fc11bb5fa891feb75af6601ad868
Opcode Fuzzy Hash: a29094ba9f150e8ef1aacdbfab15528cc3b5ba4a696f6329a1c0f7cec739a8b0
Instruction Fuzzy Hash: CAF082305003045F9B086BA8F86C0AE7B15EF0A319790493AF917C1372C734A8C9CF9D

Function 0041FFD1 Relevance: 9.0, APIs: 6, Instructions: 29COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FFE0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0041FFF8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00420005
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00420012
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0042001D
#1513.MFC140U(?), ref: 00420026

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: d801edb55cde2cddfb58222fa5ff1da8fccca175c69848dfb7360cecf8da448c
Instruction ID: 4168dad11b0260cb09c617aaa2d28c905a6896292ee26c3e17786fc5e8023ade
Opcode Fuzzy Hash: d801edb55cde2cddfb58222fa5ff1da8fccca175c69848dfb7360cecf8da448c
Instruction Fuzzy Hash: 21F054306003045FE7086B68B5AC66E7B51EB0A305B90483BE806C1352DB38D8958F9D

Function 00449BC0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 170fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,004900C0), ref: 00449C24

Strings

unlimited, xrefs: 00449CD3
%256s "%64[^"]", xrefs: 00449CBC
., xrefs: 00449D24

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: fopen
String ID: %256s "%64[^"]"$.$unlimited
API String ID: 1432627528-3006405630
Opcode ID: cce83c820440a4f9490b6c44b5709a309fdc225237df74f6d048afb98ac058d0
Instruction ID: e26a4f51543b31dfa4d1b1d77b0f25f455ae995e12e8835398acbf0a2d246325
Opcode Fuzzy Hash: cce83c820440a4f9490b6c44b5709a309fdc225237df74f6d048afb98ac058d0
Instruction Fuzzy Hash: 6A513CB18043419FE720DF20DC81AAB7BD9AF86308F54096BE89587352E73ADD09D796

Function 00410BD0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(c:\,007A8AB8,00000080,00000000,00000000,00000000,?,00000080), ref: 00410C12

Part of subcall function 00410870: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 00410894

Part of subcall function 00410970: memset.VCRUNTIME140(?,00000000,00000100), ref: 00410993
Part of subcall function 00410970: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 004109CA
Part of subcall function 00410970: DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 004109F9
Part of subcall function 00410970: CloseHandle.KERNEL32(00000000), ref: 00410A00

memset.VCRUNTIME140(007A8AB8,00000000,00000080), ref: 00410D1B

Strings

%d%d%s, xrefs: 00410C2C
c:\, xrefs: 00410C0D
XDJ, xrefs: 00410CB8

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$CloseControlCreateDeviceFileHandleInformationVolumemalloc
String ID: %d%d%s$XDJ$c:\
API String ID: 3801620809-2680876084
Opcode ID: 883f7223383b324232415a176ffd992e611a37fef0f839e034311e65209c1073
Instruction ID: df3f701a1b56551c6db1e30e491979457ce9f0bc1e558c83535afe045ac72815
Opcode Fuzzy Hash: 883f7223383b324232415a176ffd992e611a37fef0f839e034311e65209c1073
Instruction Fuzzy Hash: F24109715083005BD714EF14D842BEB7794BFC4344F00862EF89546291EBB4A54CCBDB

Function 004220E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000001,?,?,?,0042204F,?,00000001,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 004220FA
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000001,?,?,?,0042204F,?,00000001,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 0042211E
memcpy.VCRUNTIME140(?,?,BEE31567,?,00000000,00000001,?,?,?,0042204F,?,00000001,?,?,?), ref: 0042215E

Strings

invalid string position, xrefs: 004220F5
string too long, xrefs: 00422119

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@Xout_of_range@std@@memcpy
String ID: invalid string position$string too long
API String ID: 4248180022-4289949731
Opcode ID: 0cd770a78e39d36fb5768ba6e0a2505ff85bc174f2d532fa014bda4777f836b9
Instruction ID: 06e85a6e4a1492a5b9369e9163dd2bfeba61a3701ce3605055c1da7f4da622a0
Opcode Fuzzy Hash: 0cd770a78e39d36fb5768ba6e0a2505ff85bc174f2d532fa014bda4777f836b9
Instruction Fuzzy Hash: 6E21D131300321AFDB248F5CEE84E6ABBA9EB41750B50093EFA05C7391C7B4E954C799

Function 00422250 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,?,00000000,?,00424B30,?,?,?,BEE31567,?,00000000,?), ref: 00422267
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,?,00000000,?,00424B30,?,?,?,BEE31567,?,00000000,?), ref: 0042227C
memmove.VCRUNTIME140(?,?,?,?,00000000,00000000,?,00000000,?,00424B30,?,?,?,BEE31567,?,00000000), ref: 004222BE

Strings

invalid string position, xrefs: 00422262
string too long, xrefs: 00422277

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@Xout_of_range@std@@memmove
String ID: invalid string position$string too long
API String ID: 1352685159-4289949731
Opcode ID: 5a677766bf5b1efa71fbdd46d68b7952f982e14e4bb140cd4a923d20b4dec96f
Instruction ID: b943e46259ef4742ac7836a79ee4d9f22ec2901fcba61e9b2243a56644a60a05
Opcode Fuzzy Hash: 5a677766bf5b1efa71fbdd46d68b7952f982e14e4bb140cd4a923d20b4dec96f
Instruction Fuzzy Hash: 7411DA31300221EFD7248F5CED84A5AF7AAEF51710B600A6FF441C7691C7E6E841C7A9

Function 00417880 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140(007A6A38,BEE31567,?,?,?,?,00488A4F,000000FF,?,00402E5B,?,?), ref: 004178B5
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000,?), ref: 004178C3
_Mtx_unlock.MSVCP140(007A6A38), ref: 004178FD
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 0041790B

Strings

8jz, xrefs: 004178AE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: C_error@std@@Throw_$Mtx_lockMtx_unlock
String ID: 8jz
API String ID: 973703179-4210783797
Opcode ID: 57ce1c559bb5892b5d62fc2f598cbb50bb0071fb4d94280aff9221a377322553
Instruction ID: 6d44323d025ba2f2914a3db2ae520bfb31e67bf469db02533ad70ffe428b654b
Opcode Fuzzy Hash: 57ce1c559bb5892b5d62fc2f598cbb50bb0071fb4d94280aff9221a377322553
Instruction Fuzzy Hash: D511C2B5500208BFDB008F58DC09B9FBBB8FB49714F048539FD0592261DB7699248BA5

Function 004118A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D:\360MoveData\Users\87170\Desktop\TerSafe1.dll), ref: 004118B6
GetProcAddress.KERNEL32(00000000,CreateObj), ref: 004118C4
VirtualProtect.KERNEL32(-000E21E1,0000000A,00000040,00000000), ref: 004118F5

Strings

D:\360MoveData\Users\87170\Desktop\TerSafe1.dll, xrefs: 004118B1
CreateObj, xrefs: 004118BE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: CreateObj$D:\360MoveData\Users\87170\Desktop\TerSafe1.dll
API String ID: 3509694964-2828147702
Opcode ID: 8b4bcd4f80a8d5d90a2fa6e504549b717a8d614c2177bfcc36557112f8d86d1f
Instruction ID: b3ef9a6faa3169c62a1e11a10af804663737387357ea32d0dab2fa0b6380a92a
Opcode Fuzzy Hash: 8b4bcd4f80a8d5d90a2fa6e504549b717a8d614c2177bfcc36557112f8d86d1f
Instruction Fuzzy Hash: E8018670901318AFD710DF64AC55BAEBFB8EF15704F0004ADE919A7351E7745A04CBDA

Function 0041CD90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 0041CDBE
#7820.MFC140U(?), ref: 0041CDD5
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0041CDDE
#1045.MFC140U ref: 0041CDEF

Strings

N', xrefs: 0041CDDE

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#296#7820_wtoll
String ID: N'
API String ID: 2978073790-3210027683
Opcode ID: 933b569e5f12e7b079c855bd6f1e133ef878807e84a78780bf0502157d83fcd8
Instruction ID: dc80378263883ae28bf179ff0aedc57b686fc73d1d89be1c751cd8da76ffffb3
Opcode Fuzzy Hash: 933b569e5f12e7b079c855bd6f1e133ef878807e84a78780bf0502157d83fcd8
Instruction Fuzzy Hash: 6C016771904149DFCB15DF64ED45BEEBBB8FB04711F10063EE516A36A0DB342A08CB95

Function 00413F50 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,BEE31567,?,00000000), ref: 00413FB5
#296.MFC140U ref: 00413FE1

Part of subcall function 0040DC90: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,0040DC29,?), ref: 0040DCAD

#4815.MFC140U(00488739,0049BC08,00000000,00000000,00000000,FFFFFFFF,FFFFFFFF,?,?,?,?,?), ref: 004140B7
#13656.MFC140U(?,00000012,00488739), ref: 004140D1
#1045.MFC140U ref: 004140E7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#13656#296#4815_localtime64_s_time64
String ID:
API String ID: 1507352268-0
Opcode ID: fdbfc36c8bf3a31b35b349986ee10f2565f9ee759c8773e82a7029c9b7110e7b
Instruction ID: cbed1a4de2f00dd5e56486d2dc3b8ba19055f82245c7571e01b566c147fd7491
Opcode Fuzzy Hash: fdbfc36c8bf3a31b35b349986ee10f2565f9ee759c8773e82a7029c9b7110e7b
Instruction Fuzzy Hash: AE51C371C04119DFDB11CF95DD44BEEBBB4FB44304F1481AAE909A7291EB39AA84CF94

Function 00475200 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(00000000,004974FC,?,?,?,?,004732BC,?,?,?,00000001,?), ref: 0047521F
strchr.VCRUNTIME140(-00000002,0000003F), ref: 00475237
strchr.VCRUNTIME140(-00000002,0000002F,-00000002,0000003F), ref: 00475241

Strings

%20, xrefs: 0047528C
%, xrefs: 004752F2

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: strchr$strstr
String ID: %$%20
API String ID: 1654209344-360484822
Opcode ID: 1e6a9350b287256125bb0eda92866d02eef101464e9313bc64ceae663fbfbe2b
Instruction ID: 73cd16fc3ca49fb1a8426f6ef58c0cd8060c01a23114769ad2264fe42511e94b
Opcode Fuzzy Hash: 1e6a9350b287256125bb0eda92866d02eef101464e9313bc64ceae663fbfbe2b
Instruction Fuzzy Hash: 25318A206487441ADB25592898007FB3BD58BD2314F2884EFE4C95F343E2AD890B9B9D

Function 0040BFD0 Relevance: 7.6, APIs: 5, Instructions: 105COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C02F
#8.WS2_32(00000001,00000003,00000000), ref: 0040C043
GetTickCount.KERNEL32 ref: 0040C05A
#8.WS2_32(00000000), ref: 0040C061

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#1067.MFC140U(?,00000000,?,?), ref: 0040C172

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#360CountTick
String ID:
API String ID: 2618717255-0
Opcode ID: a20ef3c28c5375edb4039ab5149230e4005e3a8f1d8a174050b9c6d030991cd2
Instruction ID: 254bd0926f0fbfde457e8f7c6c1d4e8e49b59281b4ae151b81250dae02727f02
Opcode Fuzzy Hash: a20ef3c28c5375edb4039ab5149230e4005e3a8f1d8a174050b9c6d030991cd2
Instruction Fuzzy Hash: 9E51E2B0E04348DAEB11DFE0D859BDEBBB5EF54308F10412DE5157B292D7BA1608CBA9

Function 0040F660 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(00000000,?,?,000000FF), ref: 0040F6AB
#266.MFC140U(?), ref: 0040F6ED
#21.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 0040F726
#22.WS2_32(?,00000002), ref: 0040F72F
#3.WS2_32(?), ref: 0040F736

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266CompletionQueuedStatus
String ID:
API String ID: 2861454604-0
Opcode ID: fc81ec6c87abfb4dbd322bab3ef8b46646d41e9cbc1dc8aa2c658f15ee492973
Instruction ID: fc76a454b74128018bec2c6cb20df6869a9c5e669cff467231900bd8b727a995
Opcode Fuzzy Hash: fc81ec6c87abfb4dbd322bab3ef8b46646d41e9cbc1dc8aa2c658f15ee492973
Instruction Fuzzy Hash: B231A2B0900204AFDB218F64CC85B7FBBB8FB04300F140A39E901776D1D7796909DBA9

Function 00426650 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

#1511.MFC140U(00000010,BEE31567,?,00000000,?), ref: 00426696
??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000), ref: 004266CD
??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 004266E8
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 004266FD
??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 00426722

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Locinfo@std@@$#1511??0_??0facet@locale@std@@??1_Collvec@@Getcoll@_
String ID:
API String ID: 4266503187-0
Opcode ID: c234c619c95eedae74985185eb27bddad221e4228d167b39b60cd1b0341ed866
Instruction ID: 9ad20535072836f609b551967f1edac32f48bce2a8429510722debcd2005482d
Opcode Fuzzy Hash: c234c619c95eedae74985185eb27bddad221e4228d167b39b60cd1b0341ed866
Instruction Fuzzy Hash: 4B315AB1A00219DFDB10CF99E888B9EBBB8FB84314F11457AE415A73A0D7799A44CB94

Function 0040D180 Relevance: 7.6, APIs: 5, Instructions: 82COMMON

Download Yara Rule

APIs

#360.MFC140U(BEE31567), ref: 0040D1D7
#8.WS2_32(00000001,00000003,00000000), ref: 0040D1F1
GetTickCount.KERNEL32 ref: 0040D204
#8.WS2_32(00000000), ref: 0040D20B

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#1067.MFC140U(?,00000000,?,?), ref: 0040D26F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 5f98fbd6ac1924d027eb4361fbd3f85ff91d78b69ef8b14a2643b5e021f44814
Instruction ID: a31dd3d5f7008c9cdfa9824def705cc878c9b8c89cf162fe94223b29856a8879
Opcode Fuzzy Hash: 5f98fbd6ac1924d027eb4361fbd3f85ff91d78b69ef8b14a2643b5e021f44814
Instruction Fuzzy Hash: EB316D71D4025CDBDB10DFA4DD56B9EB7B5EF54704F10422AE901772D1EBB42A05CB88

Function 0040CA00 Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

#360.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000012,0049AB64), ref: 0040CA50
#8.WS2_32(00000000,00000003,00000000), ref: 0040CA7C
GetTickCount.KERNEL32 ref: 0040CA93
#8.WS2_32(00000000), ref: 0040CA9A

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#1067.MFC140U(?,?,?,?), ref: 0040CAD8

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 998887aa6e9e597019a832d653908c979d450688b1bba3c11fb8a96e6ace3735
Instruction ID: 6d711fac20f8e65de4b340562b3ed932e964eb487e8fcd61307f8ef30a4b0b5a
Opcode Fuzzy Hash: 998887aa6e9e597019a832d653908c979d450688b1bba3c11fb8a96e6ace3735
Instruction Fuzzy Hash: 90218D71D10219EBDB00DFA0DC55BAEBBB4FF44704F10452EF911662E1EB781604CB98

Function 0040B09D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 0040B0B7
memcpy.VCRUNTIME140(?), ref: 0040B107
#13960.MFC140U(?,000000FF), ref: 0040B11B
IsBadReadPtr.KERNEL32(?,00000001), ref: 0040B141
#1067.MFC140U(?,00000000,?,?), ref: 0040B161

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memcpy$#1067#13960Read
String ID:
API String ID: 993286478-0
Opcode ID: 5d1d8247e27fed9aab1f1f93eb4ce41b9035a3fe34ac29589f50f656928e686a
Instruction ID: 1237d527f900e8423d8070e4b18a8b41f5d92a3a8ba0e161a11ccb6d4edd5ec3
Opcode Fuzzy Hash: 5d1d8247e27fed9aab1f1f93eb4ce41b9035a3fe34ac29589f50f656928e686a
Instruction Fuzzy Hash: A221B376D00218EFCF04DFA4E8549EDB779EF48314F10426EE80277641E7366A46CB94

Function 00413050 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

#14.WS2_32(89A63DC1,000A274E,00417D26,00000090,?,?,00413152,EBDDB8A1,?,000A1DDC), ref: 00413066
#14.WS2_32(?,?,?,00413152,EBDDB8A1,?,000A1DDC), ref: 0041306D
#14.WS2_32(?,?,?,00413152,EBDDB8A1,?,000A1DDC), ref: 00413087
#8.WS2_32(00000000,?,?,00413152,EBDDB8A1,?,000A1DDC), ref: 004130E8
#8.WS2_32(?,?,?,00413152,EBDDB8A1,?,000A1DDC), ref: 004130F0

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406aca864f8dda35827bd250baee291dcef2e1fee33ec607aa2e8c99d74a88b3
Instruction ID: d64d992f0cf2945cdfe693986d6dc509b0f9f66609f158fabcd5227c40004d49
Opcode Fuzzy Hash: 406aca864f8dda35827bd250baee291dcef2e1fee33ec607aa2e8c99d74a88b3
Instruction Fuzzy Hash: 4C217F72E001199FCB04DFA8D9859AEFBF8FB4C310B42417AD906E7241EA30AE45CBD0

Function 0041AD20 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0041AD43
memset.VCRUNTIME140(?,00000000,00000400), ref: 0041AD61
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 0041AD74
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 0041ADA4
WritePrivateProfileStringA.KERNEL32(0049AC88,00000000,0049AD6C,?), ref: 0041ADF7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderMessagePathPrivateProfileSendSpecialStringWrite
String ID:
API String ID: 4016975835-0
Opcode ID: 15cfbae35540ae1b4d5273c0bf6a78be53f317284727921e2494015161e6c82d
Instruction ID: e8c843662f9f8a2fd5d74de85ae756925fc98a914fa9d11048bf7b8e996a9a4d
Opcode Fuzzy Hash: 15cfbae35540ae1b4d5273c0bf6a78be53f317284727921e2494015161e6c82d
Instruction Fuzzy Hash: 09218A71E40218ABDB10DB94DD46FDD77FCDB08704F5041AAF604BA1C1DB79AA448BD9

Function 00405EF0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

#14.WS2_32(?,?,00402D8D,?,00405FF1,?,?,?), ref: 00405F03
#14.WS2_32(00000001,?,00402D8D,?,00405FF1,?,?,?), ref: 00405F0A
#14.WS2_32(00405FF1,?,00402D8D,?,00405FF1,?,?,?), ref: 00405F27
#8.WS2_32(00000000,?,00402D8D,?,00405FF1,?,?,?), ref: 00405F88
#8.WS2_32(?,?,00402D8D,?,00405FF1,?,?,?), ref: 00405F90

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6dafe501f48d2b3fd5b9ae9c7e26e487d851648f67e49f6187af59b95e34cb
Instruction ID: 9b10f6367e6a42ab7b79714b6eada7c0ffaa8b81bd485dee5ce41d9bb99dc65a
Opcode Fuzzy Hash: ba6dafe501f48d2b3fd5b9ae9c7e26e487d851648f67e49f6187af59b95e34cb
Instruction Fuzzy Hash: D7114F72E001199BDB04DFA8D9859AEB7F8FB48214B42457AD906E7241EA30AE05CBD0

Function 0040B540 Relevance: 7.6, APIs: 5, Instructions: 65COMMON

Download Yara Rule

APIs

#360.MFC140U(?,?,?,?,?,?,?,?,?,?,00487E29,000000FF), ref: 0040B590
#8.WS2_32(00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,?,00487E29,000000FF), ref: 0040B5A4
GetTickCount.KERNEL32 ref: 0040B5BB
#8.WS2_32(00000000), ref: 0040B5C2

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

Part of subcall function 00401E60: #13253.MFC140U(?,00000000), ref: 00401EEA

#1067.MFC140U(?,00000000,?,?), ref: 0040B5F9

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13253$#1067#360CountTick
String ID:
API String ID: 968516752-0
Opcode ID: 55b612eb9c046b9b247849f12dc7052233806799a4045dfc4c6169629a46914f
Instruction ID: 8ce4fc196e8c0b0dfeb97e5397c74f40cda5904cc24c05c1dd888bfec450abcf
Opcode Fuzzy Hash: 55b612eb9c046b9b247849f12dc7052233806799a4045dfc4c6169629a46914f
Instruction Fuzzy Hash: BA217172D002089BDB00DFA1DD56BEDB7B5EB48704F20416EF912762D1EB752A04CB98

Function 0040C920 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040C970
#8.WS2_32(00000001,00000003,00000000), ref: 0040C984
GetTickCount.KERNEL32 ref: 0040C99B
#8.WS2_32(00000000), ref: 0040C9A2

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#1067.MFC140U(?,?,?,?), ref: 0040C9D1

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#360CountTick
String ID:
API String ID: 2618717255-0
Opcode ID: 649dd8bfd86a2dfb5f5000d7a2e9133495a110b66aba6c52815e2a8a3c6c5db2
Instruction ID: 6ff019d1d7e9edeb58b9ac2e2528493aa4ac321e5fa7685248735a08463aeafe
Opcode Fuzzy Hash: 649dd8bfd86a2dfb5f5000d7a2e9133495a110b66aba6c52815e2a8a3c6c5db2
Instruction Fuzzy Hash: 9C215071D04208DBDB01DFA1DD45BEEB7B8FB48704F10422EE91576291EB755A04CB98

Function 0040A850 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

#360.MFC140U(?,?,?,?,?,?,?,?,?,?,00487E29,000000FF), ref: 0040A8A0
#8.WS2_32(00000000,00000003,00000000,?,?,?,?,?,?,?,?,?,?,00487E29,000000FF), ref: 0040A8B4
GetTickCount.KERNEL32 ref: 0040A8CB
#8.WS2_32(00000000), ref: 0040A8D2

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#1067.MFC140U(?,00000000,?,?), ref: 0040A8FB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#360CountTick
String ID:
API String ID: 2618717255-0
Opcode ID: a2d8ccbf4ad60865a7a94b1cf7b8b3a498b761f9791b2fe99d9705bfffe7bbfa
Instruction ID: 10d9b022ef7d5a82cce7da14036379992123d63eb8579d032ac4bb0979f79524
Opcode Fuzzy Hash: a2d8ccbf4ad60865a7a94b1cf7b8b3a498b761f9791b2fe99d9705bfffe7bbfa
Instruction Fuzzy Hash: FE218171D04208DFDB01DFA1DD46BADB7F4FB48704F10452EE902B2291EB756A04CB98

Function 00418B40 Relevance: 7.6, APIs: 5, Instructions: 60windowCOMMON

Download Yara Rule

APIs

#4886.MFC140U(?), ref: 00418B4A
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00418B70
SendMessageW.USER32(?,0000108C,?,00000000), ref: 00418B8F
#13646.MFC140U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,00000000), ref: 00418BB1
SendMessageW.USER32(?,00001030,00000000,Function_00018A20), ref: 00418BC7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$#13646#4886
String ID:
API String ID: 2699335531-0
Opcode ID: 4f71266acb5347e424adf62211782dbec87c49fae71ad54253b440d36bdba7f2
Instruction ID: 6eb57066235de513305fe04337cf36d91911929bb40fbe6edc22c39a8d8eb18e
Opcode Fuzzy Hash: 4f71266acb5347e424adf62211782dbec87c49fae71ad54253b440d36bdba7f2
Instruction Fuzzy Hash: 6A115E71240310BFE7205F24DD46F9A7BA9FB89B51F20442EFA45AB6E0D7B078408B9C

Function 0040B720 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040B770
#8.WS2_32(00000000,00000003,00000000), ref: 0040B784
GetTickCount.KERNEL32 ref: 0040B79B
#8.WS2_32(00000000), ref: 0040B7A2

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#1067.MFC140U(?,00000000,?,?), ref: 0040B7CB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#360CountTick
String ID:
API String ID: 2618717255-0
Opcode ID: 3279644ef8363b4b1821f76eae83321c9a5c31c72e9128fe693048b7380c33a1
Instruction ID: 1f1fd4b19444f8b28c29f1ee80ce58047c9d14d86593186f9ab83f68839da440
Opcode Fuzzy Hash: 3279644ef8363b4b1821f76eae83321c9a5c31c72e9128fe693048b7380c33a1
Instruction Fuzzy Hash: 8D218E71D04208EFDB04DFA1DD56BAEB7F5FB48704F20452EE902B2291EB756A04CB98

Function 0040CFB0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

#360.MFC140U ref: 0040D000
#8.WS2_32(00000001,00000003,00000000), ref: 0040D014
GetTickCount.KERNEL32 ref: 0040D02B
#8.WS2_32(00000000), ref: 0040D032

Part of subcall function 00401E60: #13253.MFC140U(?), ref: 00401E97

#1067.MFC140U(?,00000000,?,00000000,?,?,?,?,?,?,00000000,00487E29), ref: 0040D05B

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13253#360CountTick
String ID:
API String ID: 2618717255-0
Opcode ID: 4e5b3aa21bfb6b778bf7c7326444a96e03a4c98ca3a62e7490f1114e03e48f41
Instruction ID: ce9ab996c84006365998bb7db75764691cb30005c3e98ce4cd6d738f1aa71c92
Opcode Fuzzy Hash: 4e5b3aa21bfb6b778bf7c7326444a96e03a4c98ca3a62e7490f1114e03e48f41
Instruction Fuzzy Hash: 22216F71D04208DBDB00DFA1DD46BEDB7B4FB48704F10452EE902B2291EB755A04CB98

Function 004163E0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

#5110.MFC140U(?,00000000,00000000,00000000,00000000,BEE31567,?,00000000,00000000,00488929,000000FF), ref: 0041641E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 00416429
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 00416440
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0041644B
#1045.MFC140U ref: 00416458

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #5110ByteCharMultiWide$#1045
String ID:
API String ID: 193322377-0
Opcode ID: a303a0f8923b10d7fb65308ef7d9b2ec0e1b29139aa5fd458991e09d2a7056c1
Instruction ID: 487597a7797ca661f59ba85e413668b6d7cdf2d4ed3471e02a03718b3c85068d
Opcode Fuzzy Hash: a303a0f8923b10d7fb65308ef7d9b2ec0e1b29139aa5fd458991e09d2a7056c1
Instruction Fuzzy Hash: 0F118071644208FFEB108F54DC49FA97BA8EB08B90F204169FE059B2D0DBB16940CB98

Function 004030F0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140(-004A6928,BEE31567,00000000,?,00000000,0048788F,000000FF,?,004030B6,?), ref: 00403129
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 00403137
#13960.MFC140U(00000000,000000FF), ref: 00403151
_Mtx_unlock.MSVCP140(-004A6928), ref: 0040315F
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 0040316D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: C_error@std@@Throw_$#13960Mtx_lockMtx_unlock
String ID:
API String ID: 3760923024-0
Opcode ID: 7bbd6aac2a38f9e7a498c798d62c31e20b88905bd777e14f2b3e4a10e6fb46e2
Instruction ID: 367ad245c89b56615f5e55c4f67ed47d274a05014821720b49a2c321eda6f96e
Opcode Fuzzy Hash: 7bbd6aac2a38f9e7a498c798d62c31e20b88905bd777e14f2b3e4a10e6fb46e2
Instruction Fuzzy Hash: 0601C4B1904214AFD7008F58DC48B5F7BACEB08354F10457AF909D72A1D775AA14CBD9

Function 00459690 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,|^G,000000FF,00000000,00000000,00000000,00000000,?,00475E7C,?,?,?), ref: 004596A9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 004596B9
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,|^G,000000FF,00000000,00000000), ref: 004596D4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 004596DF

Strings

|^G, xrefs: 00459693, 004596A1, 004596CC

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID: |^G
API String ID: 2605342592-1848306895
Opcode ID: 030114c2c44cf196ae6f707563ef49118758260f978dfcb4ec64a82df1a02b14
Instruction ID: ccdcd09e05bd24bbe062648ef28a1f773634d9f956b8b44ac12c67d2cf0a2bd7
Opcode Fuzzy Hash: 030114c2c44cf196ae6f707563ef49118758260f978dfcb4ec64a82df1a02b14
Instruction Fuzzy Hash: 31F09C3170512267D23156A65C4DE5BAA5CDF85BB2F140636FE14D62D1DB64CC0C82E9

Function 00415160 Relevance: 7.5, APIs: 5, Instructions: 31fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(004A5F68,00000000,00000400), ref: 00415172
DragQueryFileA.SHELL32(?,00000000,004A5F68,00000400), ref: 00415189
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00014860,00000000,00000000,00000000), ref: 004151A2
CloseHandle.KERNEL32(00000000), ref: 004151AC
#3833.MFC140U ref: 004151B4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #3833CloseDragFileHandleQuery_beginthreadexmemset
String ID:
API String ID: 4229182384-0
Opcode ID: f7e2275be75e2559c72f1bc5405be90cec4f5209159e2fbcd4bf6d8d5d989770
Instruction ID: de9083da3f50eb8ae16102208a1d0c0af1bf6bf89617ceacdda8ca138f2382a2
Opcode Fuzzy Hash: f7e2275be75e2559c72f1bc5405be90cec4f5209159e2fbcd4bf6d8d5d989770
Instruction Fuzzy Hash: B7F06D717C07007BE22027616C0FF4E3A18DB51F56F24442ABB05B82D2C7E5641187DC

Function 0044A380 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000008,?,00000007,:%u,?,?,?,?,?,?), ref: 0044A59F
memcpy.VCRUNTIME140(00000018,?,?), ref: 0044A5CF

Strings

:%u, xrefs: 0044A57D
Shuffling %i addresses, xrefs: 0044A3F7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _time64memcpy
String ID: :%u$Shuffling %i addresses
API String ID: 1622878224-338667637
Opcode ID: 6e71cf8153e6009efaa98f0b16b01f7b977dc70c5fe1d08baeeef0f71ccb47c3
Instruction ID: 319810789f384b5cf5fede68437ca1031316a1010341291b7d2a26a825c6e02c
Opcode Fuzzy Hash: 6e71cf8153e6009efaa98f0b16b01f7b977dc70c5fe1d08baeeef0f71ccb47c3
Instruction Fuzzy Hash: 60819F719043019FEB20DF29D984B9BBBE8FF89304F04056EE98587311E779E915CB96

Function 0044B3A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0044B482

Strings

Hostname in DNS cache does not have needed family, zapped, xrefs: 0044B50C
:%u, xrefs: 0044B3FB, 0044B445
Hostname in DNS cache was stale, zapped, xrefs: 0044B4B5

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _time64
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 1670930206-1335658360
Opcode ID: 688c102de31d4c1085f16e7527b950e364f6c4d2dfc2d37780d9f90ac756e2a0
Instruction ID: 3f927d319455e93483222fe18ee6d1e50fa4f6a4440596dc35f62df5e4d7e085
Opcode Fuzzy Hash: 688c102de31d4c1085f16e7527b950e364f6c4d2dfc2d37780d9f90ac756e2a0
Instruction Fuzzy Hash: 3B41A371904305BBE730DF61C841BA7BBE8EF49748F04062AF88897252E779E90487E5

Function 0041F9D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,?,0041F96F,00000000,?,BEE31567,?,?,?,00410526,?,?,BEE31567), ref: 0041F9EA

Part of subcall function 0041F7E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,0041FA42,00000000,BEE31567,?,00000000,?,?,0041F96F,00000000,?,BEE31567), ref: 0041F7F6

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,?,0041F96F,00000000,?,BEE31567,?,?,?,00410526,?,?,BEE31567), ref: 0041FA0A

Strings

invalid string position, xrefs: 0041F9E5, 0041FA05

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xout_of_range@std@@
String ID: invalid string position
API String ID: 1960685668-1799206989
Opcode ID: 101bb2fa07dc49f8e9061bf87eb4616a76097274655e5d585571ef3765483aaa
Instruction ID: cd114730c60b7fa1a3bb02cde1fc4c374479c36872939e4f269d115434d02df0
Opcode Fuzzy Hash: 101bb2fa07dc49f8e9061bf87eb4616a76097274655e5d585571ef3765483aaa
Instruction Fuzzy Hash: 5E21E7323002119FD7249F5CE840B9AF7A9EF95B91F10053FE5498B292C7B99C86C7E9

Function 00442820 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?,?,?), ref: 00442870
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?), ref: 0044289A

Strings

Invalid zoneid: %s; %s, xrefs: 004428B6
2', xrefs: 0044289A

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _errnostrtoul
String ID: 2'$Invalid zoneid: %s; %s
API String ID: 660391088-2520061955
Opcode ID: 88d6089bc449ee9292f31c8528ab8707fce550a1f2b80873c34186811f0ce55f
Instruction ID: 9221ddb6a43499188605cdc023d27a84de7b56b65a97af3ccb521205cf742883
Opcode Fuzzy Hash: 88d6089bc449ee9292f31c8528ab8707fce550a1f2b80873c34186811f0ce55f
Instruction Fuzzy Hash: 6D11B771A04201AFE724EB25DD46BAF77E4EF95304F40092EF545C7191E7B49448CB9B

Function 00430BC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000100,00000100,00000000,?,Unknown error), ref: 00430C0C
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 00430C20
strchr.VCRUNTIME140(?,0000000A), ref: 00430C3A

Strings

Unknown error, xrefs: 00430BD4

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: FormatMessagestrchrwcstombs
String ID: Unknown error
API String ID: 4171340688-83687255
Opcode ID: 410008559ede78961807d4ae502f70e9bb928d2a68c66863e9f1105c8a796d93
Instruction ID: 2530b719fb6764391bef767f256622c55e47e68e94330adee52b8d2f12887bce
Opcode Fuzzy Hash: 410008559ede78961807d4ae502f70e9bb928d2a68c66863e9f1105c8a796d93
Instruction Fuzzy Hash: D0110D702083809EE7319B288C59BAFB7D8AF59700F181B5FE594C7291D778D444C7AB

Function 0047B5D0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0047B1D0: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 0047B1FE
Part of subcall function 0047B1D0: GetProcAddress.KERNEL32(00000000), ref: 0047B205

Part of subcall function 00447F50: GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,0047B5FD,security.dll,00000004,00000000,00000000,00000002,00000002,004481A6), ref: 00447F5A

GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 0047B60F

Strings

InitSecurityInterfaceA, xrefs: 0047B609
secur32.dll, xrefs: 0047B5EA
security.dll, xrefs: 0047B5EF, 0047B5F7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: 05ca372c18fc97ebc5f02525d545b0a9a877a9ac93a60350787b08a903b0518b
Instruction ID: 06001e06ca687c9f0b5853ef035e8bd455b0a2a85dfecaf4e2509d64b517cd7a
Opcode Fuzzy Hash: 05ca372c18fc97ebc5f02525d545b0a9a877a9ac93a60350787b08a903b0518b
Instruction Fuzzy Hash: 4CF0A7B074070166FF149B794C1BB6B2688C781704F64847E7E09DA2C2EF7CC800C64D

Function 00423CC0 Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000005,?,?,?,00423364,?,?,00000000,?,?,00422F5A,00000000,BEE31567,?,?), ref: 00423ED1
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000006,?,?,?,00423364,?,?,00000000,?,?,00422F5A,00000000,BEE31567,?,?), ref: 00423ED9
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000004,?,?,?,00423364,?,?,00000000,?,?,00422F5A,00000000,BEE31567,?,?), ref: 00423EE1
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000A,?,?,?,00423364,?,?,00000000,?,?,00422F5A,00000000,BEE31567,?,?), ref: 00423EE9

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: W4error_type@regex_constants@1@@Xregex_error@std@@
String ID:
API String ID: 61775176-0
Opcode ID: 83019312973742c490ecf8cf61274517e2587041710a8a22ad4dc49dad73351e
Instruction ID: 8e6da02a8bda6e7b25f8ddcdf0edc5e4a78b2c437b113fb7bd87e4aa1e62e7bd
Opcode Fuzzy Hash: 83019312973742c490ecf8cf61274517e2587041710a8a22ad4dc49dad73351e
Instruction Fuzzy Hash: 5851B1207106304BDB34AE15F49672F33B2AF15B17FD0090FE2828A2D1CB5D9E89874E

Function 00407490 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

_Mtx_lock.MSVCP140(?,BEE31567,?,?,?,?,00487B37,000000FF), ref: 004074C7
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 004074D5
_Mtx_unlock.MSVCP140(?,?,?), ref: 00407610
?_Throw_C_error@std@@YAXH@Z.MSVCP140(00000000), ref: 0040761E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: C_error@std@@Throw_$Mtx_lockMtx_unlock
String ID:
API String ID: 973703179-0
Opcode ID: e02691ca629f53c8a870bbd268e790b0da1261aa0efe321e20abc646dbffef9e
Instruction ID: ccf22ba3c8438859f079e2f94c4669dae65eecdf5ff85032bc57409654abc7a0
Opcode Fuzzy Hash: e02691ca629f53c8a870bbd268e790b0da1261aa0efe321e20abc646dbffef9e
Instruction Fuzzy Hash: 93417371E08902ABDB1CCB2CCD95AA9F364FB51314F140636D42BD3650D739F964CB8A

Function 00428540 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000001), ref: 004285DE
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000001,?,?,?), ref: 0042860D
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000000), ref: 00428630
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000000), ref: 00428650

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: W4error_type@regex_constants@1@@Xregex_error@std@@
String ID:
API String ID: 61775176-0
Opcode ID: 47844714975e77d8be72914e9e6138b2eb46383db1727bc5156e028ee8fa72d8
Instruction ID: 509a96aeccf43f93ab0432513e9aa259408c84742391d22e99bc96b1508d8ed0
Opcode Fuzzy Hash: 47844714975e77d8be72914e9e6138b2eb46383db1727bc5156e028ee8fa72d8
Instruction Fuzzy Hash: BA31B130701624AFDB308B14E895B7F77A2AF64305FD4881FE58286291CF7D9C81CB99

Function 00414700 Relevance: 6.1, APIs: 4, Instructions: 76COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,?), ref: 0041473E
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,?), ref: 00414751
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,?,?,?,?), ref: 00414781
GetPrivateProfileIntA.KERNEL32(0049AC88,00000000,00000000,?), ref: 004147C3

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memset$FolderPathPrivateProfileSpecial
String ID:
API String ID: 3955296239-0
Opcode ID: d7bf2edbe9e029c12514a215288e47d6f6969dd29aba2f01393dbcdfae60b5cd
Instruction ID: 679d23db633836a804db2755987c0855d30e127926218a96617cd41fe1476ce2
Opcode Fuzzy Hash: d7bf2edbe9e029c12514a215288e47d6f6969dd29aba2f01393dbcdfae60b5cd
Instruction Fuzzy Hash: B321D871E0020866DB20EBA49D46FDE73ACDB49304F5001ABF604F61C1DB78AA8487E9

Function 00410220 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

#296.MFC140U(BEE31567), ref: 00410250
#2477.MFC140U(?,0049B5CC,00000000,00000000), ref: 004102A6
MessageBoxW.USER32(00000000,?,0049B5F0,00000000), ref: 004102C2
#1045.MFC140U ref: 004102CB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#2477#296Message
String ID:
API String ID: 376175170-0
Opcode ID: 9020e7ecb1fb23cfb571baa9547d4cb7efcb9ba354f2b19fc7406fb6faecaa4d
Instruction ID: 06ac7fbfc967939edac0973e853096268adfe1aa3a53faf15d8dda5652fe091f
Opcode Fuzzy Hash: 9020e7ecb1fb23cfb571baa9547d4cb7efcb9ba354f2b19fc7406fb6faecaa4d
Instruction Fuzzy Hash: E32174719006099FDB20DF54D949FAFB7F4FB04710F1406AAE916A7390DB746D448B98

Function 0040B07D Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?), ref: 0040B107
#13960.MFC140U(?,000000FF), ref: 0040B11B
IsBadReadPtr.KERNEL32(?,00000001), ref: 0040B141
#1067.MFC140U(?,00000000,?,?), ref: 0040B161

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13960Readmemcpy
String ID:
API String ID: 68214652-0
Opcode ID: 298f9c040b2af44e55d38632d863fe12b4979bd139e01d7a1ceac0cf6f610333
Instruction ID: 17fad1c8bd525f3c9696469272aee4520d196b03679fc79cad14e8949b56b4e0
Opcode Fuzzy Hash: 298f9c040b2af44e55d38632d863fe12b4979bd139e01d7a1ceac0cf6f610333
Instruction Fuzzy Hash: 5F11E635D00248EFCF14DFE4E855AEEBB74EF04324F10416EE81267652EB356A46CB95

Function 0040EB40 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

#21.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 0040EB56
#266.MFC140U(?,?,?,?,00000001,00000000,00000000,?,0000FFFF,00007010,00000000,00000000), ref: 0040EB88
#265.MFC140U(00000004), ref: 0040EB99

Part of subcall function 0040EDD0: #266.MFC140U(?,?,?), ref: 0040EDEA
Part of subcall function 0040EDD0: #21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE30
Part of subcall function 0040EDD0: #22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE39
Part of subcall function 0040EDD0: #3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE40

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #266$#265
String ID:
API String ID: 4253771692-0
Opcode ID: 4879d9c12519915bc8f6a9e129fa3b663b7ad14f401b63b8c6078f47b6e390cb
Instruction ID: bfbdbadcbca1b14ac3437fdceecd64396f6689f139306e7fad7524f9b5d67e0e
Opcode Fuzzy Hash: 4879d9c12519915bc8f6a9e129fa3b663b7ad14f401b63b8c6078f47b6e390cb
Instruction Fuzzy Hash: D71102B1240201BFEB205F06EC49F2E7BA5EF44310F10493EF606696D0C7B964A9DB9E

Function 0040B0D8 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?), ref: 0040B107
#13960.MFC140U(?,000000FF), ref: 0040B11B
IsBadReadPtr.KERNEL32(?,00000001), ref: 0040B141
#1067.MFC140U(?,00000000,?,?), ref: 0040B161

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13960Readmemcpy
String ID:
API String ID: 68214652-0
Opcode ID: 8ca867cdb87a950801bc3622ac7eb2d3ccdd3718ac042720d0912ebbcf44b014
Instruction ID: caf0b6f6cf7f58d7839d905a8bf7a567d58cc8f6079ab6232a0992b2fbf2af2b
Opcode Fuzzy Hash: 8ca867cdb87a950801bc3622ac7eb2d3ccdd3718ac042720d0912ebbcf44b014
Instruction Fuzzy Hash: 13118E76D00209EFCF05DFA0E8449EEBB74EF04314F10422EE91677651EB366A46CB58

Function 0040B0EF Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?), ref: 0040B107
#13960.MFC140U(?,000000FF), ref: 0040B11B
IsBadReadPtr.KERNEL32(?,00000001), ref: 0040B141
#1067.MFC140U(?,00000000,?,?), ref: 0040B161

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1067#13960Readmemcpy
String ID:
API String ID: 68214652-0
Opcode ID: 31d5bc68f31eb5e8ab8c23a625163b1ee25cab435bfd46f2d1fb2e507cddc6df
Instruction ID: fef52ab3c8ffca62830d9e756440b92e96a162218579d0e8a9e2349ec9c145a8
Opcode Fuzzy Hash: 31d5bc68f31eb5e8ab8c23a625163b1ee25cab435bfd46f2d1fb2e507cddc6df
Instruction Fuzzy Hash: 5C118E35E00208EFCF04DFA0E8549EDB775EF48314F10422EE91263651EB326946CB54

Function 0040E5A0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

#266.MFC140U(?), ref: 0040E5BE

Part of subcall function 0042BD38: #1513.MFC140U(00000000,?,0040EFB7,00000000,00000030,?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0042BD3E

#21.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 0040E5F9
#22.WS2_32(?,00000002), ref: 0040E602
#3.WS2_32(?), ref: 0040E609

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1513#266
String ID:
API String ID: 337662018-0
Opcode ID: 7f6a352299b38e3b03a1e9a6852b54d0c5af56cba23c4301913fd6216dcd651b
Instruction ID: 13655be33d9467c633ebb2a9538695dad653864057840451f2a1a46d2eb5cc81
Opcode Fuzzy Hash: 7f6a352299b38e3b03a1e9a6852b54d0c5af56cba23c4301913fd6216dcd651b
Instruction Fuzzy Hash: 9201F971600308BFE7205F64EC4AF6E7B78EB49710F10452DFA41662D1D7B56808CBA9

Function 00459700 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000002,?,00475EC4,?), ref: 0045971A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00459727
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00459746
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00459751

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID:
API String ID: 2605342592-0
Opcode ID: 11ef0b5f2fd547b8297f865c2b2d3def71b30bead140d628269b9e911dd4f16a
Instruction ID: af0866757033d6fb767d9bc5dea675596ecc5d4963677d89ca26a311079909d8
Opcode Fuzzy Hash: 11ef0b5f2fd547b8297f865c2b2d3def71b30bead140d628269b9e911dd4f16a
Instruction Fuzzy Hash: 53F04435302221B6E23036675C8DF576E5CDF85AB2F140636BD15D62D2D7549804C2E9

Function 0040EDD0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

#266.MFC140U(?,?,?), ref: 0040EDEA

Part of subcall function 0042BD38: #1513.MFC140U(00000000,?,0040EFB7,00000000,00000030,?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0042BD3E

#21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE30
#22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE39
#3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 0040EE40

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1513#266
String ID:
API String ID: 337662018-0
Opcode ID: 0d4e229edee4b5026dd7c9137ac44110bb258412b50f953007281bc3a47547a5
Instruction ID: 4fbf652efba8741f4a5838c17cf86d7efa9122e28c210198fba8c665da3f6e5b
Opcode Fuzzy Hash: 0d4e229edee4b5026dd7c9137ac44110bb258412b50f953007281bc3a47547a5
Instruction Fuzzy Hash: 53012831601214BFE7206F64DC06F5EBB78EF05720F504229FA51672D0DBB02A198BDD

Function 00403F9E Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 00403FB7
#4815.MFC140U(?,0049AB78,00000000), ref: 00403FD6
#13656.MFC140U(?,0000000B,?), ref: 00404001
#1045.MFC140U(?,0000000B,?), ref: 0040400D

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #1045#13656#296#4815
String ID:
API String ID: 3894341202-0
Opcode ID: b6bf04e07a570dfa9b24cbb116226975506cf420b9c22b4b20f2895d75df1a3f
Instruction ID: 9a5cce075ffaedfbd803993b8c3a3f69fabbe75a56ee38833185e1c2519adae7
Opcode Fuzzy Hash: b6bf04e07a570dfa9b24cbb116226975506cf420b9c22b4b20f2895d75df1a3f
Instruction Fuzzy Hash: 51115EB0505B09CFE720DF60D809BABBBB1FB44305F0008AEE55656291C7792658DF59

Function 004199C0 Relevance: 6.0, APIs: 4, Instructions: 33windowthreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004199D2
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 004199EC
CreateThread.KERNEL32(00000000,00000000,Function_00019810,00000000,00000000,00000000), ref: 00419A10
CloseHandle.KERNEL32(00000000), ref: 00419A17

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: MessageSend$CloseCreateHandleThread
String ID:
API String ID: 2432244359-0
Opcode ID: 4902b7eee3efa6a04807fef440f6cd7d84e6a6cbcbad7acf4c9c68d3ccef1095
Instruction ID: fb6a9064e9a6cfa12296ef886716f8bb0192a9b2411345937256170265f52106
Opcode Fuzzy Hash: 4902b7eee3efa6a04807fef440f6cd7d84e6a6cbcbad7acf4c9c68d3ccef1095
Instruction Fuzzy Hash: 05F030303803027AFA245B219D2AF5A3A61AB44B01F500439F601691E1CBB574108B5C

Function 00449290 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,7FFFFFFF,00000000,00000000,0000002E), ref: 004492C4
memcpy.VCRUNTIME140(?,?,?), ref: 00449304

Strings

., xrefs: 00449392

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _time64memcpy
String ID: .
API String ID: 1622878224-248832578
Opcode ID: 43a4304900a72b2776d3ddf7a54c109e37398c79805e6a72804e6e40fd3edf41
Instruction ID: d18bcf14c72e1e90cdb5ad96f6bc13b2785b43ea75a0fe09e4a3ecb2fa24b6b7
Opcode Fuzzy Hash: 43a4304900a72b2776d3ddf7a54c109e37398c79805e6a72804e6e40fd3edf41
Instruction Fuzzy Hash: 234117715047419BFB31DF25D844BABBBE4AF8A304F04482EED8583682D379DD05D79A

Function 00421FF0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 0042206D
memcpy.VCRUNTIME140(?,00000001,?,?,00000000,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 004220A0

Part of subcall function 004220E0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000001,?,?,?,0042204F,?,00000001,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 004220FA
Part of subcall function 004220E0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000001,?,?,?,0042204F,?,00000001,?,?,?,?,00422AC1,http://,00000007,BEE31567), ref: 0042211E
Part of subcall function 004220E0: memcpy.VCRUNTIME140(?,?,BEE31567,?,00000000,00000001,?,?,?,0042204F,?,00000001,?,?,?), ref: 0042215E

Strings

string too long, xrefs: 00422068

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@memcpy$Xout_of_range@std@@
String ID: string too long
API String ID: 433638341-2556327735
Opcode ID: e34230d7280d2ffc4a62f29b71617b110c688bce779b3b8e5b0b0fca5e2dc684
Instruction ID: f0f3352ca6eb086112ef729548fb8e2a2dfc096a595325020cbe667ee801933c
Opcode Fuzzy Hash: e34230d7280d2ffc4a62f29b71617b110c688bce779b3b8e5b0b0fca5e2dc684
Instruction Fuzzy Hash: 7A313832300220ABDB349E1CFA8096FFBA9EF86750790442FE685C7380C7B59845C79C

Function 0041F7E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,0041FA42,00000000,BEE31567,?,00000000,?,?,0041F96F,00000000,?,BEE31567), ref: 0041F7F6

Strings

invalid string position, xrefs: 0041F7F1

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xout_of_range@std@@
String ID: invalid string position
API String ID: 1960685668-1799206989
Opcode ID: da6abdc686c30d607d1572aef74cbe11b7b88390d20296d9f6fda1965caa2d0a
Instruction ID: c3d4e1070346aefdf7bb81a86825ba3bb109009727cc518b758b2a42666b5511
Opcode Fuzzy Hash: da6abdc686c30d607d1572aef74cbe11b7b88390d20296d9f6fda1965caa2d0a
Instruction Fuzzy Hash: 8011C4323002118FD720AE5CE944A96FBA9EF92711F14493FE581CB361D7B5D88AC7E9

Function 0047A180 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0047A210

Strings

2', xrefs: 0047A210
%d.%d.%d.%d, xrefs: 0047A1AF

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: _errno
String ID: %d.%d.%d.%d$2'
API String ID: 2918714741-2336916028
Opcode ID: 1021d8740bdae8040ab781f69fa708d0bce2be084c069b30373cde68b5935a1a
Instruction ID: 160f3d4b49577d4a1bf8233078f2ce135c6fa9ec9df2a3ba66b13a317c89b397
Opcode Fuzzy Hash: 1021d8740bdae8040ab781f69fa708d0bce2be084c069b30373cde68b5935a1a
Instruction Fuzzy Hash: A711E4741083805FC704DF28C451A7BBBE8AF9A304F8848DEE489C7253D72BD509C766

Function 0042B8BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0042BB6C
___raise_securityfailure.LIBCMT ref: 0042BC53

Strings

8UJ, xrefs: 0042BC4E

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 8UJ
API String ID: 3761405300-2231135397
Opcode ID: f130837453212573f6a32c6c40adc2a45d37b76a9b6b4e727c1f015f40594076
Instruction ID: 72c9417ce76a9449ab54a3f2e2e08efbb6d777ad2a8a675690f5ea7e44d05636
Opcode Fuzzy Hash: f130837453212573f6a32c6c40adc2a45d37b76a9b6b4e727c1f015f40594076
Instruction Fuzzy Hash: 352125B4941A10AAD724DF15FB816587FB4FB4A320F90403AE90C8B3B1E3B459818F4D

Function 0041F6E0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 58COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,BPA,?,?,?,0041F49C,?,BEE31567,?,?,?,004890FA,000000FF,?,00415042), ref: 0041F737

Strings

vector<T> too long, xrefs: 0041F732
BPA, xrefs: 0041F6F0

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@
String ID: BPA$vector<T> too long
API String ID: 1004598685-3935150443
Opcode ID: d98930b7cc9fa5345aec00407d1f47d5bb8f0bb12442f54fd8d0a37314604c79
Instruction ID: f3d9f769a254d4245098849fda0c1737e93d1037e0ed0d2a5b003febcbd91369
Opcode Fuzzy Hash: d98930b7cc9fa5345aec00407d1f47d5bb8f0bb12442f54fd8d0a37314604c79
Instruction Fuzzy Hash: 9801F972B11215578B0CCB2E9E5487DB75AE7C6214349823EEC05EBBD4DC30BD0582C4

Function 00428490 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,?,?,00427836,?), ref: 004284DC
memmove.VCRUNTIME140(?,?,00000000,?,?,?,?,?,00427836,?), ref: 0042850C

Strings

vector<T> too long, xrefs: 004284D7

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@memmove
String ID: vector<T> too long
API String ID: 1146228739-3788999226
Opcode ID: ceb2c653081f193e52e7cbe604f7ae387320b706041a15fbf15b253240b99b58
Instruction ID: 0c228f88afab18f5d5ffd4255aa112e49e63f6b8b8b9113ca4f5c4bf1f475632
Opcode Fuzzy Hash: ceb2c653081f193e52e7cbe604f7ae387320b706041a15fbf15b253240b99b58
Instruction Fuzzy Hash: 1A1184B1A01222EFD700CF5DE944B4AFBA4FF04314F14862AE918C7341D775A820CBD4

Function 0040D850 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 40COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,Et@,?,0040D7FF,?,?,?,?,00407445,?), ref: 0040D881

Strings

vector<T> too long, xrefs: 0040D87C
Et@, xrefs: 0040D853

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@
String ID: Et@$vector<T> too long
API String ID: 1004598685-1862436110
Opcode ID: 1a8032846452db4677893eb3bebd2b48b44f66fee0c2285e49f829072b371324
Instruction ID: f10dbfa9b4949dfa52947423c16be139508e9726fe1e5bd40f2234e34908fa99
Opcode Fuzzy Hash: 1a8032846452db4677893eb3bebd2b48b44f66fee0c2285e49f829072b371324
Instruction Fuzzy Hash: A5F0BE327105110FEB18A97DAE8843D679AEBD52207298B3EE463D72C8C9A0FC048658

Function 00429C80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,?,?,00429A42,BEE31567,?,?,BEE31567,?,?), ref: 00429CB0
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,00429A42,BEE31567,?,?,BEE31567,?,?), ref: 00429CCE

Strings

vector<T> too long, xrefs: 00429CAB

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: Xlength_error@std@@memmove
String ID: vector<T> too long
API String ID: 1146228739-3788999226
Opcode ID: 4caa7528c98e9c527cb3c3d8f7a0467c251120b2a90d19d715ac7aba033cd7c5
Instruction ID: 520dced25ee16fdafa300ce13fd42d9a0780474279a1d4c3dbb7611566033965
Opcode Fuzzy Hash: 4caa7528c98e9c527cb3c3d8f7a0467c251120b2a90d19d715ac7aba033cd7c5
Instruction Fuzzy Hash: BDF062B26002009FD7209F5AED44B1FFBE9EF84764F14892FE9A9C3751D77568408B94

Function 00405EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

#13960.MFC140U(?,000000FF,?,00000000,?,?,00402CE8,?,?,?,?), ref: 00405EC1
memcpy.VCRUNTIME140(00000001,?,,@,?,00000000,?,?,00402CE8,?,?,?,?), ref: 00405ED1

Strings

,@, xrefs: 00405EA4, 00405ECA

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: #13960memcpy
String ID: ,@
API String ID: 2005591505-2883370658
Opcode ID: a8c6f2b2f9ef2a3fa1d73f1edec7292a14cfee0fcaa5628af313feeaa17e7fb7
Instruction ID: 5b84dd7a66ff7d8a73b5e207351a110c126bba3098ba0885529eb2143f85b375
Opcode Fuzzy Hash: a8c6f2b2f9ef2a3fa1d73f1edec7292a14cfee0fcaa5628af313feeaa17e7fb7
Instruction Fuzzy Hash: C3F0A07220015A6BDB10DE59ECC4D9BB75CEB84338B104A37F519C7281D232E824DBA4

Function 0042C6DA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0042C72D: memset.VCRUNTIME140(004A58B0,00000000,00000018,?,004A589C,0042C6E2,?,0040154F), ref: 0042C73A

Part of subcall function 00420DB0: InitializeCriticalSectionEx.KERNEL32(004A58B0,00000000,00000000,0042C709,?,?,?,0040154F), ref: 00420DB5
Part of subcall function 00420DB0: GetLastError.KERNEL32(?,?,?,0040154F), ref: 00420DBF

IsDebuggerPresent.KERNEL32(?,?,?,0040154F), ref: 0042C70D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040154F), ref: 0042C71C

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0042C717

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 4206453544-631824599
Opcode ID: f0c780aaba008d8a11b12b8ea3fa40ab07975ea96297c707b737657eaf61d562
Instruction ID: 93fc7cbc91301ec72602ec3fcaccc9b8497bbba4d437893d7284413899d9d26f
Opcode Fuzzy Hash: f0c780aaba008d8a11b12b8ea3fa40ab07975ea96297c707b737657eaf61d562
Instruction Fuzzy Hash: 90E039702007228EC320AF25E85834A7AE4EB04394F84CC2FE486C6651EBB8E444CF9A

Function 00428370 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?), ref: 004283C1

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 25806d049a8d119e9b4f9425de28206107c9f1ff37464ac46f33845b0af6f96f
Instruction ID: 18c6c54d414b9b4f94d037243a38ff223c5768ac633675478410aa31eb015310
Opcode Fuzzy Hash: 25806d049a8d119e9b4f9425de28206107c9f1ff37464ac46f33845b0af6f96f
Instruction Fuzzy Hash: 4F3190727011149FCB24DF6DED8195AFBA8EB89310758826EED44C7315DA31E914CBA4

Function 004263A0 Relevance: 5.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 004263BA

Part of subcall function 0042BD38: #1513.MFC140U(00000000,?,0040EFB7,00000000,00000030,?,?,?,?,?,?,0040BD6A,00000000,?), ref: 0042BD3E

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 004263EC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00426403
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0042641F

Memory Dump Source

Source File: 00000000.00000002.2559982332.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2559969718.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560024495.000000000048B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560039260.000000000048C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560058534.00000000004A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.00000000007AA000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2560148015.0000000000A0C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_4V6Beh3FOX.jbxd

Similarity

API ID: free$#1513
String ID:
API String ID: 2839934560-0
Opcode ID: dc7fd578617ac30675b654f4558fb9c8ac9a4ae4657a38a1b359c27814b0a3f5
Instruction ID: 2c564a66962c75bcefbe8f8cc94375697f303114be15e5d6ab7fa83ce33b9fee
Opcode Fuzzy Hash: dc7fd578617ac30675b654f4558fb9c8ac9a4ae4657a38a1b359c27814b0a3f5
Instruction Fuzzy Hash: 0511AB726006206BCB126F05AC41B57BB25EFC4B20B5A456AED1817317D779FC218FD8

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 4V6Beh3FOX.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 4V6Beh3FOX.exePID: 8104, Parent PID: 3968

General

Chronological Activities

Disassembly

Analysis Process: 4V6Beh3FOX.exePID: 8104, Parent PID: 3968COMMON

Non-executed Functions

Function 004119C0 Relevance: 433.6, APIs: 230, Strings: 17, Instructions: 1325windowtimeCOMMON

Windows Analysis Report
4V6Beh3FOX.exe