Edit tour

Windows Analysis Report
mTGDPqzxwu.exe

Overview

General Information

Sample name:	mTGDPqzxwu.exe renamed because original name is a hash value
Original sample name:	fe4452262e67ec54bb64bc76b303b5b4.exe
Analysis ID:	1520460
MD5:	fe4452262e67ec54bb64bc76b303b5b4
SHA1:	2c0bdc07a45c65a736cd848b74c702f70a1c9bde
SHA256:	5d1ec27eb711dbafffe07dc8debb180abd22c3ebb0104a5c393252be6f65c5c0
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Searches for specific processes (likely to inject)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to create an SMB header

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query network adapater information

Contains functionality to read the clipboard data

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

PE file contains executable resources (Code or Archives)

Sample file is different than original file name gathered from version info

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mTGDPqzxwu.exe (PID: 6028 cmdline: "C:\Users\user\Desktop\mTGDPqzxwu.exe" MD5: FE4452262E67EC54BB64BC76B303B5B4)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
mTGDPqzxwu.exe	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xb2632:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xc032:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xc032:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x6c5a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.0.mTGDPqzxwu.exe.680000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xb2432:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x6c5a:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0
0.2.mTGDPqzxwu.exe.680000.0.unpack	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0xb2432:$generic_loader_x64: 89 44 24 20 48 8B 44 24 40 0F BE 00 8B 4C 24 20 03 C8 8B C1 89 44 24 20 48 8B 44 24 40 48 FF C0

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mTGDPqzxwu.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: mTGDPqzxwu.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 80.8% probability

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F71E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_006F71E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F7180 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	0_2_006F7180
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F7240 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_006F7240
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CF49C _strdup,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strncmp,strchr,fopen,free,CertOpenStore,_strdup,GetLastError,free,free,free,CryptStringToBinaryA,free,CertCloseStore,CertFindCertificateInStore,free,CertCloseStore,free,fseek,ftell,fread,fclose,MultiByteToWideChar,fseek,fclose,PFXImportCertStore,GetLastError,CertFindCertificateInStore,GetLastError,CertCloseStore,CertFreeCertificateContext,CertCloseStore,memset,memset,strchr,strncmp,strncmp,strncmp,strncmp,strncmp,memset,strtol,strchr,strncmp,strncmp,strncmp,strncmp,strchr,CertFreeCertificateContext,free,	0_2_006CF49C
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CD730 BCryptGenRandom,	0_2_006CD730
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CD7F0 BCryptGenRandom,	0_2_006CD7F0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F5860 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,	0_2_006F5860
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F58E0 CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_006F58E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F58C0 CryptHashData,	0_2_006F58C0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CD8A0 memset,BCryptGenRandom,	0_2_006CD8A0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F0940 CryptQueryObject,CertAddCertificateContextToStore,CertFreeCertificateContext,GetLastError,GetLastError,	0_2_006F0940
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F5D10 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,	0_2_006F5D10
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F0E10 CertGetNameStringA,CertFindExtension,CryptDecodeObjectEx,	0_2_006F0E10
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CEF40 memset,CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_006CEF40
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F7FA0 CryptAcquireContextA,CryptCreateHash,CryptReleaseContext,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,	0_2_006F7FA0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_006AD8A0
Source: mTGDPqzxwu.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: mov dword ptr [ebx+04h], 424D53FFh

0_2_006E2B00

Source: mTGDPqzxwu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mTGDPqzxwu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb7 source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\DriverInjectDll-master\bin\driver_inject_x64.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\ReplayClientTest.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb&& source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb'' source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb7 source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\JQMain.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb source: mTGDPqzxwu.exe

Source: unknown

DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_006910C0 #266,#265,#266,#265,WSARecv,#111,EnterCriticalSection,LeaveCriticalSection,#266,

0_2_006910C0

Source: global traffic

DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa

Source: mTGDPqzxwu.exe	String found in binary or memory: http://27.25.156.102:9999/style.html
Source: mTGDPqzxwu.exe	String found in binary or memory: http://27.25.156.102:9999/style.htmlSoftware
Source: mTGDPqzxwu.exe	String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: mTGDPqzxwu.exe	String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: mTGDPqzxwu.exe	String found in binary or memory: http://sf.symcd.com0&
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: mTGDPqzxwu.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: mTGDPqzxwu.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: mTGDPqzxwu.exe	String found in binary or memory: https://d.symcb.com/rpa0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0068DB70 memset,memset,SHGetSpecialFolderPathA,_time64,OpenClipboard,GetClipboardData,GlobalSize,malloc,GlobalLock,memset,GlobalUnlock,CloseClipboard,SendMessageW,#296,#296,SendMessageW,#4815,SendMessageW,#8067,#290,#13656,#13656,#1045,#290,#13656,#1045,#290,#290,#4815,#1045,#1045,#290,GetPrivateProfileIntW,#1045,#13656,#290,#290,WritePrivateProfileStringW,WritePrivateProfileStringW,#1045,#1045,WritePrivateProfileStringW,#290,#290,WritePrivateProfileStringW,#1045,#1045,#13656,#1045,#1045,fopen,fclose,

0_2_0068DB70

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

0_2_0068DB70

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_006F5D10 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,

0_2_006F5D10

System Summary

Malicious sample detected (through community Yara rule)

Source: mTGDPqzxwu.exe, type: SAMPLE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_006868F0: memset,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,memset,DeviceIoControl,memmove,malloc,free,

0_2_006868F0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00685CE0 OpenSCManagerA,OpenServiceA,GetLastError,MessageBoxA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,ControlService,DeleteService,GetLastError,

0_2_00685CE0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F1010	0_2_006F1010
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006C91E0	0_2_006C91E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006EB240	0_2_006EB240
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006C02B0	0_2_006C02B0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006D1320	0_2_006D1320
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006A5300	0_2_006A5300
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006D43E0	0_2_006D43E0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CC420	0_2_006CC420
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006E6410	0_2_006E6410
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CF49C	0_2_006CF49C
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006DE500	0_2_006DE500
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F3510	0_2_006F3510
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006866C0	0_2_006866C0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00686720	0_2_00686720
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00698710	0_2_00698710
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006B1A30	0_2_006B1A30
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006CAAE0	0_2_006CAAE0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006EFB00	0_2_006EFB00
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00683E70	0_2_00683E70
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006C9E20	0_2_006C9E20
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006DEEF0	0_2_006DEEF0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006F7F50	0_2_006F7F50
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006E3F90	0_2_006E3F90
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_006E9F90	0_2_006E9F90

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006B59A0 appears 38 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006BC8B0 appears 38 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006B5830 appears 299 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006BC910 appears 77 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006F4570 appears 32 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006B5870 appears 81 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006BF570 appears 43 times
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: String function: 006B5760 appears 427 times

Source: mTGDPqzxwu.exe	Static PE information: Resource name: DLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: mTGDPqzxwu.exe	Static PE information: Resource name: DRV type: PE32+ executable (native) x86-64, for MS Windows
Source: mTGDPqzxwu.exe	Static PE information: Resource name: G_GAMEE type: PE32 executable (console) Intel 80386, for MS Windows
Source: mTGDPqzxwu.exe	Static PE information: Resource name: OLDDLL type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe, 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe	Binary or memory string: OriginalFilenameJQMain.exe8 vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe	Binary or memory string: OriginalFilenameInPut.dll: vs mTGDPqzxwu.exe
Source: mTGDPqzxwu.exe	Binary or memory string: OriginalFilenamewjs3.dll: vs mTGDPqzxwu.exe

Source: mTGDPqzxwu.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mTGDPqzxwu.exe, type: SAMPLE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mTGDPqzxwu.exe.7323d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.mTGDPqzxwu.exe.7323d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.mTGDPqzxwu.exe.680000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13

Source: mTGDPqzxwu.exe

Binary string: \Device\CrashDumpUpload\DosDevices\CrashDumpUpload

Source: classification engine

Classification label: mal72.evad.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: OpenSCManagerA,OpenServiceA,GetLastError,MessageBoxA,CloseServiceHandle,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,ControlService,DeleteService,GetLastError,

0_2_00685CE0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00685030 CreateToolhelp32Snapshot,memset,#290,#290,Process32FirstW,CloseHandle,#5110,StrCmpW,#296,#4815,OpenFileMappingW,#1045,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,OpenProcess,GetProcessTimes,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,_time64,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,#1045,Process32NextW,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,TerminateProcess,#1045,CloseHandle,#1045,#1045,

0_2_00685030

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00687050 memset,memset,memset,memset,P_LoadSystem,P_UserLogin,P_GetLoginValue,P_GetLoginValue,#296,#296,#1526,P_GetLoginValue,#290,#4815,#1045,#13806,P_GetDataValue,VirtualQuery,FindResourceW,#1045,#1045,SizeofResource,LoadResource,LockResource,memset,memset,fopen,fwrite,fclose,fclose,fclose,#1045,#1045,#13806,

0_2_00687050

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

0_2_00685CE0

Source: mTGDPqzxwu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mTGDPqzxwu.exe

ReversingLabs: Detection: 42%

Source: mTGDPqzxwu.exe	String found in binary or memory: :8085/add
Source: mTGDPqzxwu.exe	String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
Source: mTGDPqzxwu.exe	String found in binary or memory: :8085/add
Source: mTGDPqzxwu.exe	String found in binary or memory: A%dUnknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
Source: mTGDPqzxwu.exe	String found in binary or memory: Unknown exceptionbad cast1721829950816Timestampapplication/jsonContent-TypelsjCustom-Header:8085/addhttp://UIN{"id":"UIN","txt":"data"}data:8085/query{"id":"UIN"}vector<bool> too longmap/set<T> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigitabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_: httpslist<T> too long4

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: mfc140u.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: plfl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: mTGDPqzxwu.exe

Static file information: File size 5087232 > 1048576

Source: mTGDPqzxwu.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x43f800

Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mTGDPqzxwu.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mTGDPqzxwu.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: mTGDPqzxwu.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb7 source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\DriverInjectDll-master\bin\driver_inject_x64.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\ReplayClientTest.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb&& source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb'' source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\InLineHookLib\Release\G_Game.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\netbios.pdb7 source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\JQMain.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\HookGameACE\HookGameACE\Release\HookGameACE.pdb source: mTGDPqzxwu.exe
Source:	Binary string: F:\VCtest\Projects\NEWGZXTEST\GZX\Release\netbios1.pdb source: mTGDPqzxwu.exe

Source: mTGDPqzxwu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mTGDPqzxwu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mTGDPqzxwu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mTGDPqzxwu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mTGDPqzxwu.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_006B9100 #115,#116,GetModuleHandleA,GetProcAddress,GetProcAddress,strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,QueryPerformanceFrequency,

0_2_006B9100

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0069D1D6 push ecx; ret

0_2_0069D1E9

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0068AA10 memset,memset,memset,memset,SHGetFolderPathA,SHGetSpecialFolderPathA,memset,GetPrivateProfileIntA,_time64,fopen,fwrite,fclose,GetFileAttributesA,CreateDirectoryA,CreateDirectoryA,GetFileAttributesA,CreateDirectoryA,WritePrivateProfileStringA,memset,memset,memset,memset,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,#13656,atoll,atoll,atoll,GetTickCount,GetTickCount,GetPrivateProfileIntA,GetTickCount,GetPrivateProfileIntA,#13656,memset,memset,memset,memset,memset,memset,memset,_access,_access,_access,#13656,memset,GetPrivateProfileStringA,memset,_time64,#13656,atoll,#13656,_access,GetPrivateProfileStringA,#13656,memset,GetPrivateProfileStringA,GetPrivateProfileStringA,memset,GetPrivateProfileStringA,_access,memset,GetPrivateProfileStringA,_access,#13656,memset,memcpy,_time64,#13656,

0_2_0068AA10

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

0_2_00685CE0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00687B80 IsIconic,memset,#890,SendMessageW,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,#1391,#11038,

0_2_00687B80

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00681620 memset,memset,LoadLibraryW,#296,#296,#4815,#4815,#4815,GetCurrentDirectoryW,#5110,SetCurrentDirectoryW,SetCurrentDirectoryW,#5110,LoadLibraryW,SetCurrentDirectoryW,#1045,#1045,GetProcAddress,GetProcAddress,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00681620

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: malloc,malloc,GetAdaptersInfo,GetAdaptersInfo,free,malloc,GetAdaptersInfo,strstr,strstr,free,

0_2_006867F0

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_00691D70 P_GetLoginValue,#115,#111,CreateIoCompletionPort,CreateIoCompletionPort,CreateIoCompletionPort,CloseHandle,GetLastError,GetSystemInfo,CloseHandle,_beginthreadex,_beginthreadex,CloseHandle,_beginthreadex,CloseHandle,

0_2_00691D70

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0069D37B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0069D37B

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

0_2_006B9100

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_0069D37B IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0069D37B
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_0069D50D SetUnhandledExceptionFilter,	0_2_0069D50D
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_0069CC6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0069CC6C

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00685030 CreateToolhelp32Snapshot,memset,#290,#290,Process32FirstW,CloseHandle,#5110,StrCmpW,#296,#4815,OpenFileMappingW,#1045,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,OpenProcess,GetProcessTimes,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,_time64,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,#1045,Process32NextW,CloseHandle,UnmapViewOfFile,CloseHandle,CloseHandle,TerminateProcess,#1045,CloseHandle,#1045,#1045,	0_2_00685030
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00689AC0 CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,#286,#5110,StrCmpW,#1045,Process32NextW,CloseHandle,	0_2_00689AC0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00689BC0 CreateToolhelp32Snapshot,memset,Process32FirstW,CloseHandle,StrCmpW,StrCmpW,StrCmpW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,Process32NextW,CloseHandle,	0_2_00689BC0
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00689D90 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateToolhelp32Snapshot,memset,Process32FirstW,StrCmpW,Process32NextW,CloseHandle,#296,memset,GetWindowTextW,StrCmpW,OpenProcess,TerminateProcess,CloseHandle,GetWindowThreadProcessId,CreateThread,GetTickCount,GetTickCount,OpenProcess,TerminateProcess,CloseHandle,#1045,	0_2_00689D90
Source: C:\Users\user\Desktop\mTGDPqzxwu.exe	Code function: 0_2_00684E60 CreateToolhelp32Snapshot,memset,#290,Process32FirstW,#5110,StrCmpW,#296,#4815,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,#1045,Process32NextW,CloseHandle,#1045,	0_2_00684E60

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0069D5B6 cpuid

0_2_0069D5B6

Source: C:\Users\user\Desktop\mTGDPqzxwu.exe

Code function: 0_2_0069D26D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0069D26D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	12 Windows Service	12 Windows Service	1 Process Injection	OS Credential Dumping	1 System Time Discovery	1 Exploitation of Remote Services	12 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	12 Service Execution	1 DLL Side-Loading	1 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	2 Clipboard Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	11 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mTGDPqzxwu.exe	42%	ReversingLabs	Win32.Infostealer.Tinba
mTGDPqzxwu.exe	100%	Avira	TR/Hitbrovi.twnbc

Name	IP	Active	Malicious	Antivirus Detection	Reputation
206.23.85.13.in-addr.arpa	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://curl.se/docs/hsts.html	mTGDPqzxwu.exe	false	unknown
https://curl.se/docs/alt-svc.html#	mTGDPqzxwu.exe	false	unknown
https://curl.se/docs/http-cookies.html#	mTGDPqzxwu.exe	false	unknown
http://27.25.156.102:9999/style.html	mTGDPqzxwu.exe	false	unknown
https://curl.se/docs/alt-svc.html	mTGDPqzxwu.exe	false	unknown
https://curl.se/docs/http-cookies.html	mTGDPqzxwu.exe	false	unknown
https://curl.se/docs/hsts.html#	mTGDPqzxwu.exe	false	unknown
http://27.25.156.102:9999/style.htmlSoftware	mTGDPqzxwu.exe	false	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520460
Start date and time:	2024-09-27 11:22:53 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mTGDPqzxwu.exe renamed because original name is a hash value
Original Sample Name:	fe4452262e67ec54bb64bc76b303b5b4.exe
Detection:	MAL
Classification:	mal72.evad.winEXE@1/0@1/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 290
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mTGDPqzxwu.exe, PID 6028 because there are no executed function
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: mTGDPqzxwu.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.652462911061133
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mTGDPqzxwu.exe
File size:	5'087'232 bytes
MD5:	fe4452262e67ec54bb64bc76b303b5b4
SHA1:	2c0bdc07a45c65a736cd848b74c702f70a1c9bde
SHA256:	5d1ec27eb711dbafffe07dc8debb180abd22c3ebb0104a5c393252be6f65c5c0
SHA512:	e3f752d3cb18fd81ad085995fb3630e87b5da0f1e343f96e53d0e68f20eaacd13256a57fc56a8803a187a185b3a987ae8156b93e9285a84362e596c83c63e4ad
SSDEEP:	98304:HLsJDV9bD55mTEbek9rEdMQWlLYzjomp2vj6CwCV1hxT5MbkOO/glN4HuQlKn:a1BQyjYzjopaiHuQl+
TLSH:	1736BE227490807AC66B0334991DB37E77BDA9740B3441D7ABD46E7D3CB04D2AA397A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............w...w...w...s...w..;....w..u....w.......w.......w.x.t...w.x.s...w.x.r...w...v.H.w.x.v...w.o.~...w.o.....w.......w.o.u...w

File Icon


Icon Hash:	0e0f6acacc4c7113

Static PE Info

General

Entrypoint:	0x41c9b5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F523B0 [Thu Sep 26 09:04:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	dab2b776c2b3a97f800f38a1b96c16fb

Entrypoint Preview

Instruction
call 00007F75C45EE0C8h
jmp 00007F75C45ED695h
cmp ecx, dword ptr [00494014h]
jne 00007F75C45ED815h
ret
jmp 00007F75C45EDADAh
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 0047BAB4h
je 00007F75C45ED81Ch
push 0000000Ch
push esi
call 00007F75C45EDA89h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F75C45ED82Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F75C45ED81Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F75C45ED81Eh
add edx, 28h
cmp edx, esi
jne 00007F75C45ED7FCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F75C45ED80Bh
call 00007F75C45EE530h
test eax, eax
jne 00007F75C45ED815h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 00495374h
mov edx, dword ptr [eax+04h]
jmp 00007F75C45ED816h
cmp edx, eax
je 00007F75C45ED822h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F75C45ED802h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F75C45ED819h
mov byte ptr [00495390h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2012 UPD4 build 61030
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90878	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0x43f6a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4da000	0x7034	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x8daf0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8dbbc	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x8db60	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7b000	0xa4c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x799ab	0x79a00	461b8c87aef1cc4a9159e24d3aeddabb	False	0.5302403166752312	data	6.488433839865328	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7b000	0x1809a	0x18200	4bf36ed2b8fad5674e754d8745d0511a	False	0.37885565090673573	data	5.520388433299527	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x94000	0x4658	0x1400	09eba47acafa01f4fc363aeba0eb2bc3	False	0.410546875	DOS executable (block device driver @\273\)	5.835170282475183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x99000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9a000	0x43f6a8	0x43f800	74eb8211427341e29ea6f9a29d5fbf08	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4da000	0x7034	0x7200	c0b314887efbe7d2425329a55b0324ba	False	0.6990816885964912	data	6.706794313819381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0xb1de0	0x2	data	Chinese	China	5.0
DLL	0xbb5d8	0x256e00	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	China	0.564366340637207
DRV	0xb23d8	0x9200	PE32+ executable (native) x86-64, for MS Windows	Chinese	China	0.504254066780822
G_GAMEE	0x312548	0x3a00	PE32 executable (console) Intel 80386, for MS Windows	Chinese	China	0.5115167025862069
LONGPZ	0xb1de8	0x5ea	ASCII text, with CRLF line terminators	Chinese	China	0.4623513870541612
OLDDLL	0x315f48	0x1c3400	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	Chinese	China	0.5643634796142578
RT_ICON	0x9a630	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 128	Chinese	China	0.5986842105263158
RT_ICON	0x9a760	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Chinese	China	0.4298780487804878
RT_ICON	0x9adc8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Chinese	China	0.5228494623655914
RT_ICON	0x9b0b0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Chinese	China	0.6047297297297297
RT_ICON	0x9b1d8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Chinese	China	0.5770255863539445
RT_ICON	0x9c080	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Chinese	China	0.6620036101083032
RT_ICON	0x9c928	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Chinese	China	0.4436416184971098
RT_ICON	0x9ce90	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	Chinese	China	0.15395421743759613
RT_ICON	0xad6b8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Chinese	China	0.3053941908713693
RT_ICON	0xafc60	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Chinese	China	0.3700750469043152
RT_ICON	0xb0d08	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Chinese	China	0.5141843971631206
RT_MENU	0x3123d8	0x16c	data	Chinese	China	0.45879120879120877
RT_DIALOG	0xb1210	0x118	data	Chinese	China	0.625
RT_DIALOG	0xb1328	0x7f8	data	Chinese	China	0.45245098039215687
RT_STRING	0x4d9348	0x40	data	Chinese	China	0.671875
RT_GROUP_ICON	0xb1170	0xa0	data	Chinese	China	0.625
RT_VERSION	0xb1b20	0x2bc	data	Chinese	China	0.4957142857142857
RT_MANIFEST	0x4d9388	0x31c	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators	English	United States	0.5238693467336684

Imports

DLL	Import
mfc140u.dll
KERNEL32.dll	GetModuleHandleA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, ResetEvent, WaitForSingleObjectEx, CreateEventW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetFileSize, GlobalUnlock, GlobalLock, GlobalSize, LoadLibraryW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetProcAddress, GetModuleHandleW, GetCurrentProcessId, VirtualProtect, GetFileAttributesW, CreateDirectoryW, WritePrivateProfileStringW, CreateDirectoryA, CreateEventA, CreateFileMappingA, MapViewOfFile, CreateProcessA, CloseHandle, SetEvent, CreateWaitableTimerA, TerminateThread, CancelWaitableTimer, WideCharToMultiByte, GetTickCount, CreateToolhelp32Snapshot, SizeofResource, CreateThread, GetQueuedCompletionStatus, LeaveCriticalSection, PostQueuedCompletionStatus, GetFileSizeEx, VerifyVersionInfoW, VerSetConditionMask, PeekNamedPipe, GetFileType, GetStdHandle, GetEnvironmentVariableA, SleepEx, LoadLibraryA, FreeLibrary, GetSystemDirectoryA, GetCurrentThread, QueryPerformanceFrequency, MultiByteToWideChar, InitializeCriticalSectionEx, FormatMessageW, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, MoveFileExA, WaitForSingleObject, GetPrivateProfileIntW, WritePrivateProfileStringA, GetPrivateProfileIntA, GetPrivateProfileStringW, GetFileAttributesA, CreateMutexW, OutputDebugStringW, GetVolumeInformationA, CreateFileA, Sleep, DeviceIoControl, CreateFileW, GetTempPathA, GetLastError, GetSystemInfo, SetLastError, LockResource, LoadResource, FindResourceW, Process32FirstW, OpenFileMappingW, UnmapViewOfFile, Process32NextW, OpenProcess, VirtualQuery, TerminateProcess, InitializeCriticalSection, GetProcessTimes, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, WaitForMultipleObjects, CreateIoCompletionPort, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, SetWaitableTimer, GetPrivateProfileStringA, ReadFile
USER32.dll	SetWindowLongA, PeekMessageW, TranslateMessage, DispatchMessageW, MsgWaitForMultipleObjects, EnableWindow, LoadIconW, MessageBoxA, CallWindowProcW, LoadMenuW, GetSubMenu, GetCursorPos, PostMessageA, GetSystemMenu, AppendMenuW, GetClientRect, MessageBoxW, GetSystemMetrics, DrawIcon, GetWindowRect, GetParent, MoveWindow, UpdateWindow, GetWindow, GetDesktopWindow, GetWindowThreadProcessId, IsWindowVisible, GetWindowTextA, SendMessageA, GetWindowTextW, OpenClipboard, GetClipboardData, CloseClipboard, SendMessageW, IsIconic
ADVAPI32.dll	RegCloseKey, RegQueryValueExW, OpenSCManagerA, OpenServiceA, CloseServiceHandle, CreateServiceA, StartServiceA, ControlService, DeleteService, RegQueryValueExA, RegOpenKeyExA, OpenThreadToken, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, RegOpenKeyExW
SHELL32.dll	SHGetSpecialFolderPathA, SHGetFolderPathA, ShellExecuteW, SHFileOperationW, DragQueryFileA, SHGetSpecialFolderPathW
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	StrCmpW
MSVCP140.dll	?_Xbad_alloc@std@@YAXXZ, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xlength_error@std@@YAXPBD@Z, ??0_Lockit@std@@QAE@H@Z, ??1_Lockit@std@@QAE@XZ, _Strcoll, _Strxfrm, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?id@?$collate@D@std@@2V0locale@2@A, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z, ?tolower@?$ctype@D@std@@QBEDD@Z, ??1facet@locale@std@@MAE@XZ, ??0facet@locale@std@@IAE@I@Z, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ?_Incref@facet@locale@std@@UAEXXZ, ??Bid@locale@std@@QAEIXZ, ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ??1_Locinfo@std@@QAE@XZ, ??0_Locinfo@std@@QAE@PBD@Z, ?_Xbad_function_call@std@@YAXXZ
WS2_32.dll	freeaddrinfo, getaddrinfo, htonl, accept, __WSAFDIsSet, socket, WSACleanup, WSASetLastError, recvfrom, WSAResetEvent, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, getsockopt, WSASend, send, gethostbyname, ioctlsocket, connect, inet_ntoa, select, recv, getpeername, getsockname, ntohs, shutdown, closesocket, WSAStartup, sendto, WSARecv, WSAIoctl, setsockopt, listen, bind, htons, inet_addr, WSAGetLastError, WSASocketW, WSAWaitForMultipleEvents, gethostname
plfl32.dll	P_UserReg, P_GetDataValue, P_GetLoginValue, P_UserLogin, P_LoadSystem, P_CardReCharge
PSAPI.DLL	GetProcessImageFileNameA
WININET.dll	InternetReadFile, InternetOpenUrlA, InternetOpenW, InternetCloseHandle
IPHLPAPI.DLL	GetAdaptersInfo
VCRUNTIME140.dll	__std_terminate, memmove, memchr, strstr, memset, __CxxFrameHandler3, __telemetry_main_invoke_trigger, __telemetry_main_return_trigger, __vcrt_InitializeCriticalSectionEx, _except_handler4_common, __std_exception_copy, __std_exception_destroy, strchr, _purecall, memcpy, strrchr, _CxxThrowException
api-ms-win-crt-stdio-l1-1-0.dll	fseek, __p__commode, _close, fread, _set_fmode, fputs, __stdio_common_vswprintf, ftell, __stdio_common_vsscanf, fputc, __stdio_common_vsprintf, fflush, _open, _lseeki64, _fseeki64, _read, fgets, feof, _write, _fileno, fclose, fwrite, fopen, __stdio_common_vfprintf, __acrt_iob_func, __stdio_common_vsprintf_s
api-ms-win-crt-time-l1-1-0.dll	_time64, _localtime64_s, strftime, _gmtime64
api-ms-win-crt-filesystem-l1-1-0.dll	_unlink, _fstat64, remove, _stat64, _access
api-ms-win-crt-string-l1-1-0.dll	_strdup, strtok, strncpy, strcspn, strspn, strpbrk, toupper, strncmp
api-ms-win-crt-runtime-l1-1-0.dll	_seh_filter_exe, _set_app_type, system, _configure_wide_argv, exit, _get_wide_winmain_command_line, _initterm, _initterm_e, _exit, __sys_nerr, __sys_errlist, _cexit, _c_exit, _beginthreadex, _initialize_wide_environment, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _errno, _controlfp_s, terminate, _crt_atexit, _register_onexit_function, _invalid_parameter_noinfo_noreturn
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-heap-l1-1-0.dll	realloc, malloc, free, calloc, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll	strtol, strtoul, atoi, _wtoll, strtoll, atoll, _wtol, wcstombs
api-ms-win-crt-math-l1-1-0.dll	_fdopen, __setusermatherr, _except1
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
bcrypt.dll	BCryptGenRandom
CRYPT32.dll	CertFreeCertificateChainEngine, CertFreeCertificateChain, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertCreateCertificateChainEngine, CertGetCertificateChain, CryptStringToBinaryA, CertAddCertificateContextToStore, CryptDecodeObjectEx, PFXImportCertStore, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertOpenStore
Normaliz.dll	IdnToAscii, IdnToUnicode
WLDAP32.dll

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:24:18.691026926 CEST	53	57473	162.159.36.2	192.168.2.6
Sep 27, 2024 11:24:19.179656029 CEST	63606	53	192.168.2.6	1.1.1.1
Sep 27, 2024 11:24:19.187035084 CEST	53	63606	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 11:24:19.179656029 CEST	192.168.2.6	1.1.1.1	0x9386	Standard query (0)	206.23.85.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 11:24:19.187035084 CEST	1.1.1.1	192.168.2.6	0x9386	Name error (3)	206.23.85.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	05:23:47
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\mTGDPqzxwu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mTGDPqzxwu.exe"
Imagebase:	0x680000
File size:	5'087'232 bytes
MD5 hash:	FE4452262E67EC54BB64BC76B303B5B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000000.2165468102.000000000072D000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Function 006CF49C Relevance: 183.0, APIs: 56, Strings: 48, Instructions: 1037COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CF772

Strings

schannel: certificate format compatibility error for %s, xrefs: 006CF758
schannel: Failed to get certificate location or file for %s, xrefs: 006D0264
SHA256, xrefs: 006CFEF6
LocalMachineEnterprise, xrefs: 006CF686
CurrentService, xrefs: 006CF601
(memory blob), xrefs: 006CF746
#, xrefs: 006CF961, 006CFA63
CurrentUserGroupPolicy, xrefs: 006CF652
TLS_CHACHA20_POLY1305_SHA256, xrefs: 006CFD37
p5p, xrefs: 006CFF89
TLS_AES_128_GCM_SHA256, xrefs: 006CFD0A
schannel: All available TLS 1.3 ciphers were disabled, xrefs: 006CFE1C
schannel: AcquireCredentialsHandle failed: %s, xrefs: 006D0217
(unknown), xrefs: 006CF7D9, 006CF7E1
schannel: unable to allocate memory, xrefs: 006CFB8D
d#, xrefs: 006CF772, 006CF86B, 006CF8AA, 006CF8F3, 006D0270
schannel: Failed setting algorithm cipher list, xrefs: 006D018A
, xrefs: 006CFE3C
<-, xrefs: 006CFCE0, 006CFD0F, 006CFD3C, 006CFD6C, 006CFDA0, 006D00F0
Services, xrefs: 006CF61E
TLS_AES_128_CCM_8_SHA256, xrefs: 006CFD67
schannel: Failed to read cert file %s, xrefs: 006CFA76
schannel: Failed to import cert file %s, last error is 0x%lx, xrefs: 006CFB0C
SCH_USE_STRONG_CRYPTO, xrefs: 006D012F
schannel: TLS 1.3 not supported on Windows prior to 11, xrefs: 006CF587
schannel: Failed to get certificate from file %s, last error is 0x%lx, xrefs: 006CFB4E
z-, xrefs: 006D0097
LocalMachineGroupPolicy, xrefs: 006CF66C
@, xrefs: 006CFE9D
Users, xrefs: 006CF638
schannel: Unknown TLS 1.3 cipher: %.*s, xrefs: 006CFDDD
AES, xrefs: 006CFF00
schannel: This version of Schannel does not support setting an algorithm cipher list and TLS 1.3 cipher list at the same time, xrefs: 006D0063
LocalMachine, xrefs: 006CF5E4
USE_STRONG_CRYPTO, xrefs: 006D011E
x2p, xrefs: 006CF8DA
05p, xrefs: 006CFEDC
schannel: Failed to import cert file %s, password is bad, xrefs: 006CFAEE
schannel: WARNING: This version of Schannel may negotiate a less-secure TLS version than TLS 1.3 because the user set an algorithm cipher list., xrefs: 006D004F
SHA384, xrefs: 006CFEF1
TLS_AES_256_GCM_SHA384, xrefs: 006CFCDB
$, xrefs: 006CFF7E
schannel: Failed to open cert store %lx %s, last error is 0x%lx, xrefs: 006CF7E3
P12, xrefs: 006CF730
CurrentUser, xrefs: 006CF5C7
, xrefs: 006CFED2
TLS_AES_128_CCM_SHA256, xrefs: 006CFD9B
Microsoft Unified Security Protocol Provider, xrefs: 006D01E2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free
String ID: $ $ #$$$(memory blob)$(unknown)$05p$<-$@$AES$CurrentService$CurrentUser$CurrentUserGroupPolicy$LocalMachine$LocalMachineEnterprise$LocalMachineGroupPolicy$Microsoft Unified Security Protocol Provider$P12$SCH_USE_STRONG_CRYPTO$SHA256$SHA384$Services$TLS_AES_128_CCM_8_SHA256$TLS_AES_128_CCM_SHA256$TLS_AES_128_GCM_SHA256$TLS_AES_256_GCM_SHA384$TLS_CHACHA20_POLY1305_SHA256$USE_STRONG_CRYPTO$Users$d#$p5p$schannel: AcquireCredentialsHandle failed: %s$schannel: All available TLS 1.3 ciphers were disabled$schannel: Failed setting algorithm cipher list$schannel: Failed to get certificate from file %s, last error is 0x%lx$schannel: Failed to get certificate location or file for %s$schannel: Failed to import cert file %s, last error is 0x%lx$schannel: Failed to import cert file %s, password is bad$schannel: Failed to open cert store %lx %s, last error is 0x%lx$schannel: Failed to read cert file %s$schannel: TLS 1.3 not supported on Windows prior to 11$schannel: This version of Schannel does not support setting an algorithm cipher list and TLS 1.3 cipher list at the same time$schannel: Unknown TLS 1.3 cipher: %.*s$schannel: WARNING: This version of Schannel may negotiate a less-secure TLS version than TLS 1.3 because the user set an algorithm cipher list.$schannel: certificate format compatibility error for %s$schannel: unable to allocate memory$x2p$z-
API String ID: 1294909896-3407971067
Opcode ID: dc1a207a99e1b47f7f891da34c27abcb8163e92b73cfe196019844594e755c89
Instruction ID: d1dc4b29ca1daffa1cdafe26820b138977714036aad57501bc78ea5008ad51c2
Opcode Fuzzy Hash: dc1a207a99e1b47f7f891da34c27abcb8163e92b73cfe196019844594e755c89
Instruction Fuzzy Hash: 1C82D070908340ABE7218F24DC45FABBBEBEF85704F04052DF98597392D7759A09CB96

Function 0068AA10 Relevance: 174.1, APIs: 75, Strings: 24, Instructions: 817fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AA48
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AA5F
memset.VCRUNTIME140(?,00000000,00000104), ref: 0068AA76
memset.VCRUNTIME140(?,00000000,00000104), ref: 0068AA8A
SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?), ref: 0068AAA2
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000), ref: 0068AAB6
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AACB
GetPrivateProfileIntA.KERNEL32(?,time,00000000,?), ref: 0068AB04
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0068AB0E
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070B98C), ref: 0068AB7B
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 0068AB98
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 0068ABA2
GetFileAttributesA.KERNEL32(?), ref: 0068ABD0
CreateDirectoryA.KERNEL32(?,00000000), ref: 0068ABE8
GetFileAttributesA.KERNEL32(?), ref: 0068AC0F
CreateDirectoryA.KERNEL32(?,00000000), ref: 0068AC21
WritePrivateProfileStringA.KERNEL32(Settings,Worldid,0070C294,?), ref: 0068AC9B
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068ACB0
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068ACC7
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068ACDE
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068ACF5
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AD0C
GetPrivateProfileStringA.KERNEL32(?,bufTGT,0070BC68,?,00000400,?), ref: 0068AD36
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AD79
GetPrivateProfileStringA.KERNEL32(?,bufTGT_GTKey,0070BC68,?,00000400,?), ref: 0068ADA1
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068ADD2
GetPrivateProfileStringA.KERNEL32(?,bufSessionKey,0070BC68,?,00000400,?), ref: 0068ADFA
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AE2B
GetPrivateProfileStringA.KERNEL32(?,0107_0088,0070BC68,?,00000400,?), ref: 0068AE77
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AEBA
GetPrivateProfileStringA.KERNEL32(?,0107_0001,0070BC68,?,00000400,?), ref: 0068AEE2
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AF13
GetPrivateProfileStringA.KERNEL32(?,0109_0001,0070BC68,?,00000400,?), ref: 0068AF3B
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068AF6C
GetPrivateProfileStringA.KERNEL32(?,0109_0038,0070BC68,?,00000400,?), ref: 0068AF94
#13656.MFC140U(?,0000000B,0070C420), ref: 0068AFC4
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,0000000B,0070C420), ref: 0068AFE2
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0070C420), ref: 0068B00F
GetTickCount.KERNEL32 ref: 0068B024
GetPrivateProfileIntA.KERNEL32(?,time,00000000,?), ref: 0068B038
GetTickCount.KERNEL32 ref: 0068B046
GetPrivateProfileIntA.KERNEL32(?,time,00000000,?), ref: 0068B07B
#13656.MFC140U(?,0000000B,0070C42C,?,?,?,?,?,0000000B,0070C44C), ref: 0068B0AA
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B0D6
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B0ED
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B104
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B11B
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B132
memset.VCRUNTIME140(?,00000000,00000400), ref: 0068B149
memset.VCRUNTIME140(?,00000000,00000800), ref: 0068B160
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 0068B1B2
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 0068B1E2
memset.VCRUNTIME140(?,00000000,00000800), ref: 0068B210
GetPrivateProfileStringA.KERNEL32(?,Soso,0070BC68,?,00000800,?), ref: 0068B238
memset.VCRUNTIME140(?,00000000,00000C00), ref: 0068B259
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0068B2A5
#13656.MFC140U(?,0000000B,0070C44C), ref: 0068B2D1
atoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,0000000B,0070C44C), ref: 0068B2ED
#13656.MFC140U(?,0000000B,0070C458), ref: 0068B329
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 0068B335
GetPrivateProfileStringA.KERNEL32(?,buf16bytesGTKey_ST,0070BC68,?,00000400,?), ref: 0068B366
#13656.MFC140U(?,0000000B,0070C44C), ref: 0068B3A6
memset.VCRUNTIME140(?,00000000,00000400,?,0000000B,0070C44C), ref: 0068B3B7
GetPrivateProfileStringA.KERNEL32(?,bufServiceTicket,0070BC68,?,00000400,?), ref: 0068B3E5
memset.VCRUNTIME140(?,00000000,00000400,?,?,0000000B,0070C44C), ref: 0068B412
GetPrivateProfileStringA.KERNEL32(?,bufST_PTLOGIN,0070BC68,?,00000400,?), ref: 0068B43A
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 0068B47B
memset.VCRUNTIME140(?,00000000,00000120), ref: 0068B49A
GetPrivateProfileStringA.KERNEL32(?,LoginData,0070BC68,?,00000C00,?), ref: 0068B4C2
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 0068B4EA
#13656.MFC140U(?,0000000B,0070C44C), ref: 0068B50F
memset.VCRUNTIME140(?,00000000,00000400,?,0000000B,0070C44C), ref: 0068B520
memcpy.VCRUNTIME140(?,?,00000000,?,0000000B,0070C44C), ref: 0068B577
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,?,?,0000000B,0070C44C), ref: 0068B581
#13656.MFC140U(?,0000000B,0070C42C), ref: 0068B5C7

Strings

%s, xrefs: 0068AB50
bufTGT, xrefs: 0068AD30
bufSigSession, xrefs: 0068AE4D
bufServiceTicket, xrefs: 0068B3DF
%s%s%s, xrefs: 0068ABBD
%s\SosoAppdata.ini, xrefs: 0068B194
0107_0001, xrefs: 0068AEDC
LONGPZ, xrefs: 0068AC47
0109_0001, xrefs: 0068AF35
#, xrefs: 0068ABA2
0109_0038, xrefs: 0068AF8E
%s%s, xrefs: 0068AB3D
0107_0088, xrefs: 0068AE71
time, xrefs: 0068AAFE, 0068B032, 0068B075
%s\LoginData.ini, xrefs: 0068B177, 0068B1CA
%s\%s.ini, xrefs: 0068AAE6
bufTGT_GTKey, xrefs: 0068AD9B
bufSessionKey, xrefs: 0068ADF4
Settings, xrefs: 0068AC96
Soso, xrefs: 0068B232
Worldid, xrefs: 0068AC91
LoginData, xrefs: 0068B4BC
buf16bytesGTKey_ST, xrefs: 0068B360
bufST_PTLOGIN, xrefs: 0068B434

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset$PrivateProfile$String$#13656$_access$_time64atoll$AttributesCountCreateDirectoryFileFolderPathTick$SpecialWritefclosefopenfwritememcpy
String ID: #$%s$%s%s$%s%s%s$%s\%s.ini$%s\LoginData.ini$%s\SosoAppdata.ini$0107_0001$0107_0088$0109_0001$0109_0038$LONGPZ$LoginData$Settings$Soso$Worldid$buf16bytesGTKey_ST$bufST_PTLOGIN$bufServiceTicket$bufSessionKey$bufSigSession$bufTGT$bufTGT_GTKey$time
API String ID: 651241447-910221409
Opcode ID: 5f93c2a5309a7e96ca5b6f9f9528dd5b5bd99e893da14b6f5007571ca02ee876
Instruction ID: 61739e7bd049a741360f9e8c7e368c1ab18e5f1db198f2865b2435db3301dca8
Opcode Fuzzy Hash: 5f93c2a5309a7e96ca5b6f9f9528dd5b5bd99e893da14b6f5007571ca02ee876
Instruction Fuzzy Hash: B65272F2644344ABD630EB50DC46FEB77DDAB84B04F040A2AB645E61C1EB74A709C7A7

Function 00681620 Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 334libraryloaderCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000208,F74E5D36), ref: 00681678
memset.VCRUNTIME140(?,00000000,00000800,?,00000000,00000208,F74E5D36), ref: 0068168B

Part of subcall function 006812D0: RegOpenKeyExW.ADVAPI32(?,SOFTWARE\Tencent\QQGame\SYS,00000000,00020019,?), ref: 00681309
Part of subcall function 006812D0: memset.VCRUNTIME140(?), ref: 0068132E
Part of subcall function 006812D0: RegQueryValueExW.ADVAPI32(?,GameDirectory,00000000,?,?,00000400), ref: 00681361
Part of subcall function 006812D0: #265.MFC140U(00000400), ref: 00681374
Part of subcall function 006812D0: memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00681385
Part of subcall function 006812D0: memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00681398
Part of subcall function 006812D0: memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 006813A5
Part of subcall function 006812D0: #266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 006813AB
Part of subcall function 006812D0: RegCloseKey.ADVAPI32(?), ref: 006813BF

LoadLibraryW.KERNEL32(SSOPlatform.dll,?,?,?,?,?,F74E5D36), ref: 006816C2
#296.MFC140U(?,?,?,?,?,F74E5D36), ref: 006816D5
#296.MFC140U(?,?,?,?,?,F74E5D36), ref: 006816E8
#4815.MFC140U(?,%wsTXSSO\Bin\,?,?,?,?,?,?,F74E5D36), ref: 0068170B
#4815.MFC140U(?,%wsTXSSO\Bin\SSOPlatform.dll,?,?,?,?,?,?,F74E5D36), ref: 00681720
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 00681731
#5110.MFC140U ref: 0068173D
SetCurrentDirectoryW.KERNEL32(00000000), ref: 0068174A
#5110.MFC140U ref: 00681752
LoadLibraryW.KERNEL32(00000000), ref: 00681759
SetCurrentDirectoryW.KERNEL32(?), ref: 00681768
#1045.MFC140U ref: 00681770
#1045.MFC140U ref: 00681783
GetProcAddress.KERNEL32(00000000,DllGetClassObject), ref: 0068179D
GetModuleHandleW.KERNEL32(SSOLUIControl.dll), ref: 0068187A
GetModuleHandleW.KERNEL32(SSOPlatform.dll), ref: 00681881
GetModuleHandleW.KERNEL32(SSOCommon.dll), ref: 0068188A
GetProcAddress.KERNEL32(00000000,?ConvertTXDataToTXSSOData@SSOConvert@Util@@YAJPAUITXData@@PAPAUITXSSOData@@@Z), ref: 0068189A
GetProcAddress.KERNEL32(00000000,?CreateTXData@Data@Util@@YAHPAPAUITXData@@@Z), ref: 006818A2
GetProcAddress.KERNEL32(00000000,?CreateTXData@SSOData@Util@@YAHPAPAUITXSSOData@@@Z), ref: 006818AA
GetProcAddress.KERNEL32(00000000,?CreateTXBuffer@Data@Util@@YAHPAPAUITXBuffer@@@Z), ref: 006818B7
GetProcAddress.KERNEL32(00000000,?CreateTXBuffer@SSOData@Util@@YAHPAPAUITXSSOBuffer@@@Z), ref: 006818BF
GetProcAddress.KERNEL32(00000000,?CreateTXArray@Data@Util@@YAHPAPAUITXArray@@@Z), ref: 006818CC
GetProcAddress.KERNEL32(00000000,??0CTXStringA@@QAE@PBDH@Z), ref: 006818D4
GetProcAddress.KERNEL32(00000000,??0CTXBSTR@@QAE@PB_W@Z), ref: 006818DC
GetProcAddress.KERNEL32(00000000,??1CTXBSTR@@QAE@XZ), ref: 006818E4
GetProcAddress.KERNEL32(00000000,??BCTXBSTR@@QBEPA_WXZ), ref: 006818EC
GetProcAddress.KERNEL32(00000000,?GetBSTR@CTXStringW@@QBEPA_WXZ), ref: 006818F4
GetProcAddress.KERNEL32(00000000,DllCanUnloadNow), ref: 006818FC
GetProcAddress.KERNEL32(?,?GetMemPoolStatus@@YAXPAUMEM_POOL_STATUS@@@Z), ref: 00681A40

Strings

??0CTXBSTR@@QAE@PB_W@Z, xrefs: 006818D6
??1CTXBSTR@@QAE@XZ, xrefs: 006818DE
SSOCommon.dll, xrefs: 00681883
?CreateTXData@SSOData@Util@@YAHPAPAUITXSSOData@@@Z, xrefs: 006818A4
??BCTXBSTR@@QBEPA_WXZ, xrefs: 006818E6
?CreateTXArray@Data@Util@@YAHPAPAUITXArray@@@Z, xrefs: 006818C1
?CreateTXBuffer@Data@Util@@YAHPAPAUITXBuffer@@@Z, xrefs: 006818AC
??0CTXStringA@@QAE@PBDH@Z, xrefs: 006818CE
DllCanUnloadNow, xrefs: 006818F6
?CreateTXData@Data@Util@@YAHPAPAUITXData@@@Z, xrefs: 0068189C
SSOPlatform.dll, xrefs: 006816BD, 0068187C
?GetBSTR@CTXStringW@@QBEPA_WXZ, xrefs: 006818EE
DllGetClassObject, xrefs: 00681797
pXq, xrefs: 006817AD, 006817BD
%wsTXSSO\Bin\, xrefs: 00681705
?ConvertTXDataToTXSSOData@SSOConvert@Util@@YAJPAUITXData@@PAPAUITXSSOData@@@Z, xrefs: 0068188E
SSOLUIControl.dll, xrefs: 00681875
%wsTXSSO\Bin\SSOPlatform.dll, xrefs: 0068171A
SSODadtaSDK Error, xrefs: 00681ADE
?CreateTXBuffer@SSOData@Util@@YAHPAPAUITXSSOBuffer@@@Z, xrefs: 006818B9
?GetMemPoolStatus@@YAXPAUMEM_POOL_STATUS@@@Z, xrefs: 00681A35

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AddressProc$memset$CurrentDirectoryHandleModule$#1045#296#4815#5110LibraryLoadmemcpy$#265#266CloseOpenQueryValue
String ID: %wsTXSSO\Bin\$%wsTXSSO\Bin\SSOPlatform.dll$??0CTXBSTR@@QAE@PB_W@Z$??0CTXStringA@@QAE@PBDH@Z$??1CTXBSTR@@QAE@XZ$??BCTXBSTR@@QBEPA_WXZ$?ConvertTXDataToTXSSOData@SSOConvert@Util@@YAJPAUITXData@@PAPAUITXSSOData@@@Z$?CreateTXArray@Data@Util@@YAHPAPAUITXArray@@@Z$?CreateTXBuffer@Data@Util@@YAHPAPAUITXBuffer@@@Z$?CreateTXBuffer@SSOData@Util@@YAHPAPAUITXSSOBuffer@@@Z$?CreateTXData@Data@Util@@YAHPAPAUITXData@@@Z$?CreateTXData@SSOData@Util@@YAHPAPAUITXSSOData@@@Z$?GetBSTR@CTXStringW@@QBEPA_WXZ$?GetMemPoolStatus@@YAXPAUMEM_POOL_STATUS@@@Z$DllCanUnloadNow$DllGetClassObject$SSOCommon.dll$SSODadtaSDK Error$SSOLUIControl.dll$SSOPlatform.dll$pXq
API String ID: 2682656429-1550435736
Opcode ID: 61ff9429f96c8a84db837074bd9c1c57d3f22c1dca7e0ec9e9f8367c5c974414
Instruction ID: 378e3c5c1d020d0214f20e9fbb9191851d988ea7c645aea4dc7a78aa5935dd8e
Opcode Fuzzy Hash: 61ff9429f96c8a84db837074bd9c1c57d3f22c1dca7e0ec9e9f8367c5c974414
Instruction Fuzzy Hash: 6FD1F3B1E00708EFDB24EB64CC54BE977BAEF56310F098399E4056B2D0D7789A82CB55

Function 0068DB70 Relevance: 91.5, APIs: 48, Strings: 4, Instructions: 507windowclipboardfileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,F74E5D36), ref: 0068DBB2
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,F74E5D36), ref: 0068DBC5
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000,?,?,F74E5D36), ref: 0068DBDA
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?,F74E5D36), ref: 0068DBE2

Part of subcall function 00690B20: _localtime64_s.API-MS-WIN-CRT-TIME-L1-1-0(?,?,00000060,?,?,?,?,?,?,?,?,00690BA9,?), ref: 00690B3D

OpenClipboard.USER32(?), ref: 0068DCFF
GetClipboardData.USER32(00000001), ref: 0068DD0F
GlobalSize.KERNEL32(00000000), ref: 0068DD20
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,F74E5D36), ref: 0068DD3F
GlobalLock.KERNEL32(00000000), ref: 0068DD4F
memset.VCRUNTIME140(?,00000000,00000001,?,?,?,?,?,?,?,?,?,?), ref: 0068DD64
GlobalUnlock.KERNEL32(00000000), ref: 0068DD7E
CloseClipboard.USER32 ref: 0068DD84
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 0068DD9F
#296.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DE4B
#296.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DE57
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068DE72
#4815.MFC140U(FFFFFFFF,0070D718,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DE86
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068DEA6
#8067.MFC140U(00000001,00000000,FFFFFFFF,00000000,00000000,00000000,00000000), ref: 0068DEBE
#290.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DED4
#13656.MFC140U(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DEEF
#1045.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DEFB
#290.MFC140U(00000003,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DF0A
#13656.MFC140U(?,00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DF24
#1045.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DF30
#290.MFC140U(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DF3E
#290.MFC140U(00715900,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068DF55
#4815.MFC140U(FFFFFFFF,%ws%ws_log.txt,00000000,00000000), ref: 0068DF6F
#1045.MFC140U ref: 0068DF7E
#1045.MFC140U ref: 0068DF8E
#290.MFC140U(?), ref: 0068DF9C
GetPrivateProfileIntW.KERNEL32(00000000,0070BD6C,00000000,FFFFFFFF), ref: 0068DFB1
#1045.MFC140U ref: 0068DFBF
#290.MFC140U(?), ref: 0068DFF8
#290.MFC140U(?), ref: 0068E00C
WritePrivateProfileStringW.KERNEL32(00000000,0070BF88,00000000,FFFFFFFF), ref: 0068E027
#1045.MFC140U ref: 0068E02F
#1045.MFC140U ref: 0068E03F
#290.MFC140U(?), ref: 0068E05B
#290.MFC140U(?), ref: 0068E06F
WritePrivateProfileStringW.KERNEL32(00000000,0070C1F8,00000000,FFFFFFFF), ref: 0068E084
#1045.MFC140U ref: 0068E08C
#1045.MFC140U ref: 0068E09C
#13656.MFC140U(?,00000003,0070C170), ref: 0068E0D7
#1045.MFC140U ref: 0068E0E3
#1045.MFC140U ref: 0068E0EF
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070C57C,00000000,00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?), ref: 0068E24E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,0070BDF0,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0068E27E

Part of subcall function 00684CD0: #265.MFC140U(?,F74E5D36), ref: 00684D5D
Part of subcall function 00684CD0: memset.VCRUNTIME140(00000000,00000000), ref: 00684D6A
Part of subcall function 00684CD0: memcpy.VCRUNTIME140(?,?,?,00000000,00000000), ref: 00684D76
Part of subcall function 00684CD0: #265.MFC140U(?), ref: 00684D91
Part of subcall function 00684CD0: memset.VCRUNTIME140(00000000,00000000,?), ref: 00684D9E
Part of subcall function 00684CD0: memcpy.VCRUNTIME140(?,?,?,00000000,00000000,?), ref: 00684DAB
Part of subcall function 00684CD0: strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,?), ref: 00684DB4
Part of subcall function 00684CD0: strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00684E1C

Strings

5uO:S, xrefs: 0068E0AC
%ws%ws_log.txt, xrefs: 0068DF69
#, xrefs: 0068E27E
----, xrefs: 0068DE16

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290$memset$#13656ClipboardGlobalMessagePrivateProfileSend$#265#296#4815StringWritememcpystrtok$#8067CloseDataFolderLockOpenPathSizeSpecialUnlock_localtime64_s_time64fclosefopenmalloc
String ID: #$%ws%ws_log.txt$----$5uO:S
API String ID: 1488822246-731142914
Opcode ID: b66aa52056784c7cf2779def6c90f58460b3b4613c83a9107c5a193481200d08
Instruction ID: fcba40bb95384a4580d7083516e2ccfd1baf80ef6bb9e70082d47a5b6bc7e067
Opcode Fuzzy Hash: b66aa52056784c7cf2779def6c90f58460b3b4613c83a9107c5a193481200d08
Instruction Fuzzy Hash: 1D227A71900219DFEB21AB24CC45BEDBBBABF05304F0492D8E549A7292DFB55A85CF90

Function 00687050 Relevance: 72.1, APIs: 32, Strings: 9, Instructions: 348fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,F74E5D36,?,?,?,?,006F9164,000000FF), ref: 006870A2
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000100,F74E5D36,?,?,?,?,006F9164,000000FF), ref: 006870B5
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,?,00000000,00000100,F74E5D36,?,?,?,?,006F9164,000000FF), ref: 006870C8
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,?,00000000,00000400,?,00000000,00000100,F74E5D36), ref: 006870DB

Part of subcall function 00686B50: GetVolumeInformationA.KERNEL32(c:\,007185B8,00000080,00000000,00000000,00000000,?,00000080), ref: 00686B92

Part of subcall function 00686B50: memset.VCRUNTIME140(007185B8,00000000,00000080), ref: 00686C9B

P_LoadSystem.PLFL32(?,0000232A,?,?,00716250,00000000), ref: 006874FC
P_UserLogin.PLFL32(0071623C,0071623C), ref: 00687514
P_GetLoginValue.PLFL32(00000001), ref: 00687522
#296.MFC140U ref: 00687534
#296.MFC140U ref: 00687547
#1526.MFC140U(00000000), ref: 00687558
P_GetLoginValue.PLFL32(00000002), ref: 00687560
#290.MFC140U(00000000), ref: 00687569
#4815.MFC140U(?,%ws %ws,?,00000000), ref: 00687587
#1045.MFC140U ref: 0068759A
#13806.MFC140U(00000000,?,00000001), ref: 006875B0
P_GetDataValue.PLFL32(00000002), ref: 006875B8
VirtualQuery.KERNEL32(Function_00005E40,?,0000001C), ref: 00687610
FindResourceW.KERNEL32(?,00000084,DLL), ref: 00687627
#1045.MFC140U ref: 00687639
#1045.MFC140U ref: 00687645
SizeofResource.KERNEL32(?,00000000), ref: 00687652
LoadResource.KERNEL32(?,00000000), ref: 0068765C
LockResource.KERNEL32(00000000), ref: 00687663
memset.VCRUNTIME140(?,00000000,00000100), ref: 00687679
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0068768C
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070B98C,?,%s%s,?,\Releasephysx27\netbios.dll,?,?), ref: 006876D7
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,00000100,?), ref: 006876EB
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000100,?,00000000,00000100), ref: 006876F8
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,00000000,00000100,?,00000000,00000100), ref: 006876FB
#1045.MFC140U ref: 0068770D
#1045.MFC140U ref: 00687719

Part of subcall function 00691D70: #115.WS2_32(00000202,?,000920A0,00000000), ref: 00691DA1
Part of subcall function 00691D70: #111.WS2_32 ref: 00691DAB

Part of subcall function 00686E20: InternetOpenW.WININET(UrlTest,00000000,00000000,00000000,00000000), ref: 00686E59
Part of subcall function 00686E20: InternetOpenUrlA.WININET(00000000,http://27.25.156.102:9999/style.html,00000000,00000000,04000000,00000000), ref: 00686E77
Part of subcall function 00686E20: InternetReadFile.WININET(00000000,?,000003FF,?), ref: 00686EA4
Part of subcall function 00686E20: #296.MFC140U ref: 00686EB5
Part of subcall function 00686E20: #290.MFC140U(?), ref: 00686ECF
Part of subcall function 00686E20: #4815.MFC140U(?,%ws,00000000), ref: 00686EE7
Part of subcall function 00686E20: #1045.MFC140U ref: 00686EF6
Part of subcall function 00686E20: InternetCloseHandle.WININET(00000000), ref: 00686EFD
Part of subcall function 00686E20: #1045.MFC140U ref: 00686F0E
Part of subcall function 00686E20: InternetCloseHandle.WININET(00000000), ref: 00686F15

#13806.MFC140U(00000000,0070BE64,00000001), ref: 00687730

Strings

d)M$, xrefs: 0068716C
\/f/, xrefs: 0068711C
UkT, xrefs: 0068722E
%ws %ws, xrefs: 00687581
dFrh, xrefs: 00687162
2L6, xrefs: 006872CE
DLL, xrefs: 0068761C
\Releasephysx27\netbios.dll, xrefs: 006876AE
%s%s, xrefs: 006876C0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045memset$Internet$Resource$#296LoginValue$#13806#290#4815CloseHandleLoadOpenfclose$#111#115#1526DataFileFindInformationLockQueryReadSizeofSystemUserVirtualVolumefopenfwrite
String ID: %s%s$%ws %ws$2L6$DLL$\/f/$\Releasephysx27\netbios.dll$d)M$$dFrh$UkT
API String ID: 2242357779-2628588992
Opcode ID: 34c8ce93482a392c3a0f90dbccbaf843d7f40eb96f9488febbdab15abd0b1837
Instruction ID: 1bc3799bd7042b058754eff849c33808b1f1d4ec8494ffe4261cdba309b7a510
Opcode Fuzzy Hash: 34c8ce93482a392c3a0f90dbccbaf843d7f40eb96f9488febbdab15abd0b1837
Instruction Fuzzy Hash: 50F147B1D04268DBDB20EFA0DD45BDDBB79FB04700F1042D9E249AB281DBB45A85CFA4

Function 006DE500 Relevance: 68.9, APIs: 19, Strings: 20, Instructions: 628stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 006DE556
strchr.VCRUNTIME140(?,0000005D), ref: 006DE5BB
strchr.VCRUNTIME140(?,0000003A), ref: 006DE5DE
strchr.VCRUNTIME140(?,0000003A), ref: 006DE61E
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A,?,?,?,?,00000000,?,006DE001,?,?,?,006DCF63,?), ref: 006DE637
strchr.VCRUNTIME140(?,0000002D,00000000,?,?,?,?,00000000,?,006DE001,?,?,?,006DCF63,?), ref: 006DE64C
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A,?,?,?,?,?,?,?,?,?,?,00000000,?,006DE001), ref: 006DE65E
memcpy.VCRUNTIME140(?,?,00000000,?,?,?,?,00000000,?,006DE001,?,?,?,006DCF63,?), ref: 006DE6CF
#6.WS2_32(?,?,?), ref: 006DE788
#111.WS2_32(?,00000100), ref: 006DE79F
#111.WS2_32 ref: 006DE878
memcpy.VCRUNTIME140(?,?,006DABEB,?,[%s] ftp_state_use_port(), opened socket,???), ref: 006DE8DB
#2.WS2_32(?,?,?), ref: 006DE919
#111.WS2_32 ref: 006DE927
#6.WS2_32(?,?,00000080), ref: 006DE982

Part of subcall function 006D16D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(006BB650,00000002,?,?,?), ref: 006D16DE

#6.WS2_32(?,?,?), ref: 006DEA09
#13.WS2_32(?,00000001), ref: 006DEA4C
#111.WS2_32(?,00000100), ref: 006DEA63
#15.WS2_32(?), ref: 006DEB3C

Strings

Failure sending EPRT command: %s, xrefs: 006DEC6D
PORT, xrefs: 006DEBF3
STOP, xrefs: 006DECE9
bind(port=%hu) on non-local address failed: %s, xrefs: 006DE958
PORT, xrefs: 006DEC82
failed to resolve the address provided to PORT: %s, xrefs: 006DECB4
%s |%d|%s|%hu|, xrefs: 006DEC4D
EPRT, xrefs: 006DEC48
bind(port=%hu) failed: %s, xrefs: 006DE9D5
Failure sending PORT command: %s, xrefs: 006DEC18
[%s] ftp_state_use_port(), listening on %d, xrefs: 006DEAA1
[%s] ftp_state_use_port(), socket bound to port %d, xrefs: 006DEA38
%s %s, xrefs: 006DEBF8
[%s] ftp_state_use_port(), opened socket, xrefs: 006DE8C5
,%d,%d, xrefs: 006DEBD7
[%s] -> [%s], xrefs: 006DEC88, 006DECEF
getsockname() failed: %s, xrefs: 006DE7AC
bind() failed, we ran out of ports, xrefs: 006DECA3
socket failure: %s, xrefs: 006DE895, 006DEA70
???, xrefs: 006DE8BF, 006DE8C4, 006DEA2E, 006DEA37, 006DEA9A, 006DEAA0, 006DEC7D, 006DEC87, 006DECE4, 006DECEE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111strchr$memcpystrtoul$_errnomemset
String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$???$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$PORT$STOP$[%s] -> [%s]$[%s] ftp_state_use_port(), listening on %d$[%s] ftp_state_use_port(), opened socket$[%s] ftp_state_use_port(), socket bound to port %d$bind() failed, we ran out of ports$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
API String ID: 2468449368-3852301498
Opcode ID: 23bfb62b9bbee323b3301cd39d09db5a639b119bb70c2d395ac6af6c56cac762
Instruction ID: 83dbb71ce95a6f7daeb8085757f7825abf917cf682c1c38e45fc06b97b5a78ef
Opcode Fuzzy Hash: 23bfb62b9bbee323b3301cd39d09db5a639b119bb70c2d395ac6af6c56cac762
Instruction Fuzzy Hash: 2C2205B1A08345AFD760BF248C01BFB77EAAF95304F44051EF8859B382E776D90587A6

Function 00685030 Relevance: 68.5, APIs: 35, Strings: 4, Instructions: 243filetimeprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,F74E5D36), ref: 0068507D
memset.VCRUNTIME140(?,00000000,00000228), ref: 00685099
#290.MFC140U(GameApp.exe), ref: 006850B3
#290.MFC140U(G_Game.exe), ref: 006850C8
Process32FirstW.KERNEL32(00000000,0000022C), ref: 006850DA
#5110.MFC140U ref: 006850F3
StrCmpW.SHLWAPI(?,00000000), ref: 00685101
#296.MFC140U ref: 0068510E
#4815.MFC140U(?,KartMap_Shared1_%u), ref: 00685122
OpenFileMappingW.KERNEL32(00000004,00000000,?), ref: 00685132
#1045.MFC140U ref: 00685147
#5110.MFC140U ref: 00685150
StrCmpW.SHLWAPI(?,00000000), ref: 0068515E
#296.MFC140U ref: 0068516F
#4815.MFC140U(?,QQSPEEDMONITOR%d,?), ref: 00685188
OpenFileMappingW.KERNEL32(00000004,00000000,?), ref: 00685198
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 006851B7
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0068522A
GetProcessTimes.KERNEL32(00000000,?,?,?,?), ref: 0068524F
FileTimeToSystemTime.KERNEL32(?,?), ref: 00685261
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00685271
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00685279
CloseHandle.KERNEL32(?), ref: 006852D9
UnmapViewOfFile.KERNEL32(00000000), ref: 006852EC
CloseHandle.KERNEL32(00000000), ref: 006852F9
#1045.MFC140U ref: 00685302

Part of subcall function 00683360: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00683383
Part of subcall function 00683360: TranslateMessage.USER32(?), ref: 006833A1
Part of subcall function 00683360: DispatchMessageW.USER32(?), ref: 006833A7
Part of subcall function 00683360: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006833B5

Process32NextW.KERNEL32(?,0000022C), ref: 00685329
CloseHandle.KERNEL32(00000000), ref: 00685346
UnmapViewOfFile.KERNEL32(00000000), ref: 0068534E
CloseHandle.KERNEL32(?), ref: 00685360
TerminateProcess.KERNEL32(?,00000000), ref: 0068536A
#1045.MFC140U ref: 00685373
CloseHandle.KERNEL32(?), ref: 0068537F
#1045.MFC140U ref: 00685384
#1045.MFC140U ref: 0068538D

Strings

QQSPEEDMONITOR%d, xrefs: 00685182
KartMap_Shared1_%u, xrefs: 0068511C
G_Game.exe, xrefs: 006850B9
GameApp.exe, xrefs: 006850AE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: File$#1045CloseHandle$MessageTime$OpenProcessView$#290#296#4815#5110MappingPeekProcess32SystemUnmap$CreateDispatchFirstLocalNextSnapshotSpecificTerminateTimesToolhelp32Translate_time64memset
String ID: G_Game.exe$GameApp.exe$KartMap_Shared1_%u$QQSPEEDMONITOR%d
API String ID: 1009890425-261280088
Opcode ID: 217dd0474aaa052fde9fe6b931ff00bc8b894323d8268761bed5765134facaf9
Instruction ID: b8457335e794ecae0cf7ccead4e40305b07e21d27cc529f38047af58fecf7831
Opcode Fuzzy Hash: 217dd0474aaa052fde9fe6b931ff00bc8b894323d8268761bed5765134facaf9
Instruction Fuzzy Hash: 36A17171901219DFDB10DFA0DD59BFDB7BAFF08300F146199E606A6291EB709A84CF60

Function 006F1010 Relevance: 45.0, APIs: 1, Strings: 24, Instructions: 1253COMMON

Download Yara Rule

Strings

Failed extracting certificate chain, xrefs: 006F261B
%02x:, xrefs: 006F1220, 006F12A0, 006F171C, 006F17A4, 006F1BE0, 006F210F, 006F2191
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 006F1451, 006F236B
Expire Date, xrefs: 006F1C5C
Signature, xrefs: 006F21E3
Issuer, xrefs: 006F10F7
o, xrefs: 006F1515
Version, xrefs: 006F1168
-----BEGIN CERTIFICATE-----, xrefs: 006F223C
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 006F1551, 006F2467
TRUE, xrefs: 006F11A3, 006F11E2, 006F1568, 006F15D8, 006F16AE, 006F16DE, 006F1B91, 006F1BA0, 006F1C3A, 006F20DB
0, xrefs: 006F23A7
Signature Algorithm, xrefs: 006F1349
Public Key Algorithm, xrefs: 006F1CB9
Start Date, xrefs: 006F17FC
Serial Number, xrefs: 006F12F2
Subject, xrefs: 006F10A8
o, xrefs: 006F242B
GMT, xrefs: 006F141E, 006F142B, 006F2338, 006F2345
-----END CERTIFICATE-----, xrefs: 006F25D0
GMT, xrefs: 006F1509, 006F241F
FALSE, xrefs: 006F11A8, 006F16D6, 006F1B96, 006F20CF
%s%x, xrefs: 006F126A, 006F1766, 006F1C23, 006F2159
Cert, xrefs: 006F2606

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$%02x:$%s%x$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$-----BEGIN CERTIFICATE-----$-----END CERTIFICATE-----$0$Cert$Expire Date$FALSE$Failed extracting certificate chain$GMT$Issuer$Public Key Algorithm$Serial Number$Signature$Signature Algorithm$Start Date$Subject$TRUE$Version$o$o
API String ID: 0-1468756547
Opcode ID: b4dda06d2b88cd6b8f4a7842186932aace29d089f668e48995a8724f78f1bb70
Instruction ID: b593fd4c7b08a194c8adef5e73d3f8970d8ee4f06157adbcafba1b811ca243a7
Opcode Fuzzy Hash: b4dda06d2b88cd6b8f4a7842186932aace29d089f668e48995a8724f78f1bb70
Instruction Fuzzy Hash: 45925CB290825E9FC725DA648851AFF77DB9F86340F04052DFB82CB342E635DD458B92

Function 006B9100 Relevance: 43.9, APIs: 16, Strings: 9, Instructions: 188libraryloaderstringCOMMON

Download Yara Rule

APIs

#115.WS2_32(00000202,?), ref: 006B9128
#116.WS2_32 ref: 006B9141
GetModuleHandleA.KERNEL32(kernel32,?,00000000), ref: 006B9178
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 006B919C
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(iphlpapi.dll,00700074), ref: 006B91AA
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 006B91D2
GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 006B91E9
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 006B9208
GetSystemDirectoryA.KERNEL32(00000000,?), ref: 006B9232
LoadLibraryA.KERNEL32(00000000), ref: 006B928B
GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 006B92AE
GetModuleHandleA.KERNEL32(ws2_32), ref: 006B92C6
GetProcAddress.KERNEL32(00000000,FreeAddrInfoExW), ref: 006B92D8
GetProcAddress.KERNEL32(00000000,GetAddrInfoExCancel), ref: 006B92E5
GetProcAddress.KERNEL32(00000000,GetAddrInfoExW), ref: 006B92F2
QueryPerformanceFrequency.KERNEL32(00718650), ref: 006B9331

Strings

AddDllDirectory, xrefs: 006B91E3
iphlpapi.dll, xrefs: 006B91A3, 006B91BF, 006B91CD, 006B91F6, 006B9261
GetAddrInfoExCancel, xrefs: 006B92DA
if_nametoindex, xrefs: 006B92A8
kernel32, xrefs: 006B9171
LoadLibraryExA, xrefs: 006B9196
GetAddrInfoExW, xrefs: 006B92E7
ws2_32, xrefs: 006B92C1
FreeAddrInfoExW, xrefs: 006B92D2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AddressProc$DirectoryHandleLibraryLoadModuleSystem$#115#116FrequencyPerformanceQuerystrpbrk
String ID: AddDllDirectory$FreeAddrInfoExW$GetAddrInfoExCancel$GetAddrInfoExW$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32$ws2_32
API String ID: 659629491-760012282
Opcode ID: 584150bcf82870345da97658463bf7538aefdfd5f37c749c9b5be35b870aafe5
Instruction ID: 695bfa62c7bbb4608c682d1b8da247e77830aa78a9b383de90a4d9197c850bb1
Opcode Fuzzy Hash: 584150bcf82870345da97658463bf7538aefdfd5f37c749c9b5be35b870aafe5
Instruction Fuzzy Hash: 8D510570A40341ABD7205B389C1ABFA37D7AF85B54F048128FB05963D2EB798941C769

Function 00689D90 Relevance: 42.4, APIs: 23, Strings: 1, Instructions: 392threadprocessCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000010), ref: 00689DC6
GetSystemMetrics.USER32(00000011), ref: 00689DDC

Part of subcall function 00689AC0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,F74E5D36), ref: 00689AF2
Part of subcall function 00689AC0: memset.VCRUNTIME140(?,00000000,00000228), ref: 00689B09
Part of subcall function 00689AC0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00689B23
Part of subcall function 00689AC0: #286.MFC140U(GameApp.exe), ref: 00689B48
Part of subcall function 00689AC0: #5110.MFC140U ref: 00689B58
Part of subcall function 00689AC0: StrCmpW.SHLWAPI(?,00000000), ref: 00689B66
Part of subcall function 00689AC0: #1045.MFC140U ref: 00689B7B
Part of subcall function 00689AC0: Process32NextW.KERNEL32(00000000,0000022C), ref: 00689B89
Part of subcall function 00689AC0: CloseHandle.KERNEL32(00000000), ref: 00689B90

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00689E61
memset.VCRUNTIME140(?,00000000,00000228), ref: 00689E7A
Process32FirstW.KERNEL32(?,0000022C), ref: 00689E99
StrCmpW.SHLWAPI(?,GameApp.exe), ref: 00689EBC
Process32NextW.KERNEL32(?,0000022C), ref: 0068A00C
CloseHandle.KERNEL32(?), ref: 0068A026
#296.MFC140U ref: 0068A032
memset.VCRUNTIME140(?,00000000,00000200), ref: 0068A08F
GetWindowTextW.USER32(?,?,00000100), ref: 0068A0A4
StrCmpW.SHLWAPI(?,0070C2F4), ref: 0068A0B6
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0068A0CF
TerminateProcess.KERNEL32(00000000,00000000), ref: 0068A0E2
CloseHandle.KERNEL32(?), ref: 0068A0EE
GetWindowThreadProcessId.USER32(?,?), ref: 0068A10B
CreateThread.KERNEL32(00000000,00000000,Function_00009D50,?,00000000,00000000), ref: 0068A129
GetTickCount.KERNEL32 ref: 0068A12F
GetTickCount.KERNEL32 ref: 0068A150
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 0068A172
TerminateProcess.KERNEL32(00000000,00000000), ref: 0068A181
CloseHandle.KERNEL32(00000000), ref: 0068A188

Part of subcall function 00689CC0: GetDesktopWindow.USER32 ref: 00689CDF
Part of subcall function 00689CC0: GetWindow.USER32(00000000), ref: 00689CE6
Part of subcall function 00689CC0: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00689D05
Part of subcall function 00689CC0: IsWindowVisible.USER32(00000000), ref: 00689D10
Part of subcall function 00689CC0: GetWindow.USER32(00000000,00000002), ref: 00689D19

Part of subcall function 00690070: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,00000000,00000000,00000000,00684E05), ref: 006900A1

#1045.MFC140U ref: 0068A2EC

Strings

GameApp.exe, xrefs: 00689EB0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Window$Process$CloseHandleProcess32$CreateThreadmemset$#1045CountFirstMetricsNextOpenSnapshotSystemTerminateTickToolhelp32$#286#296#5110DesktopTextVisibleXlength_error@std@@
String ID: GameApp.exe
API String ID: 1306716678-1538604750
Opcode ID: bba4ccebbd516cdc3a3428b44b9e3285cbc2701dfa89d125cf164aadde7eb1f9
Instruction ID: 296c493e29f2de36d4e0946bff0d00375518e3479852fcf30864e0afedbc2c05
Opcode Fuzzy Hash: bba4ccebbd516cdc3a3428b44b9e3285cbc2701dfa89d125cf164aadde7eb1f9
Instruction Fuzzy Hash: 44F194B1D002289BDB24EF64DD89BEDB7BAEB44300F0442D9E909E7251EB719E84CF54

Function 006AD8A0 Relevance: 37.1, APIs: 12, Strings: 9, Instructions: 377stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sha256//,00000008), ref: 006AD8EE
__vfprintf_l.LIBCMT ref: 006AD94C

Strings

-----END PUBLIC KEY-----, xrefs: 006ADBEA
Z, xrefs: 006AD8B8
<-, xrefs: 006AD8EE
#, xrefs: 006ADBA2
sha256//, xrefs: 006AD8E8, 006ADA37
Z, xrefs: 006ADCE7
public key hash: sha256//%s, xrefs: 006AD972
-----BEGIN PUBLIC KEY-----, xrefs: 006ADBBD
;sha256//, xrefs: 006AD9B0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __vfprintf_lstrncmp
String ID: -----END PUBLIC KEY-----$ #$ public key hash: sha256//%s$-----BEGIN PUBLIC KEY-----$;sha256//$<-$Z$Z$sha256//
API String ID: 775329323-1340482199
Opcode ID: ce318e180df30f34e237c8c2a85f2eb00c3e00f8632d23cd7904b16610b9cd0c
Instruction ID: 703e82ca05b0c9fdcb30250eb5282d931bd7891ee099957fd943ed59a902d95a
Opcode Fuzzy Hash: ce318e180df30f34e237c8c2a85f2eb00c3e00f8632d23cd7904b16610b9cd0c
Instruction Fuzzy Hash: A7C169B25083405BC721AF2CCC447AE7BA7AF97324F494698F996477A2D331DD068F62

Function 00684E60 Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 128fileprocessCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,F74E5D36), ref: 00684E9F
memset.VCRUNTIME140(?,00000000,00000228), ref: 00684EBA
#290.MFC140U(GameApp.exe), ref: 00684ED4
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00684EE5
#5110.MFC140U ref: 00684EF6
StrCmpW.SHLWAPI(?,00000000), ref: 00684F04
#296.MFC140U ref: 00684F15
#4815.MFC140U(?,QQSPEEDMONITOR%d,?), ref: 00684F2E
OpenFileMappingW.KERNEL32(00000004,00000000,?), ref: 00684F3E
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00684F53
UnmapViewOfFile.KERNEL32(00000000), ref: 00684FBB
CloseHandle.KERNEL32(00000000), ref: 00684FC2
#1045.MFC140U ref: 00684FCF
Process32NextW.KERNEL32(00000000,0000022C), ref: 00684FE6
CloseHandle.KERNEL32(00000000), ref: 00684FF5
#1045.MFC140U ref: 00684FFE

Strings

QQSPEEDMONITOR%d, xrefs: 00684F28
GameApp.exe, xrefs: 00684ECF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: File$#1045CloseHandleProcess32View$#290#296#4815#5110CreateFirstMappingNextOpenSnapshotToolhelp32Unmapmemset
String ID: GameApp.exe$QQSPEEDMONITOR%d
API String ID: 2197054282-2171256029
Opcode ID: bae6ba2586c514758d4d7690b13b60bfdc138d8b1f9017a85e389b04c8f20d19
Instruction ID: a7ed10ba3bfa2a4f3e898b0feccb2a0ffe77be856560655f34621ba21debd259
Opcode Fuzzy Hash: bae6ba2586c514758d4d7690b13b60bfdc138d8b1f9017a85e389b04c8f20d19
Instruction Fuzzy Hash: D951C17190121ADFDB20DF64DD49BBEBBB9FF48701F005299EA09A3291DB709A84CF50

Function 00685CE0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 116servicewindowCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00685CFE
OpenServiceA.ADVAPI32(00000000,injectx64,000F01FF), ref: 00685D1A
GetLastError.KERNEL32 ref: 00685D26
MessageBoxA.USER32(00000000,0070BCD4,00000000,00000000), ref: 00685D40
CloseServiceHandle.ADVAPI32(00000000), ref: 00685D47
CreateServiceA.ADVAPI32(00000000,injectx64,injectx64,000F01FF,00000001,00000003,00000001,00716108,00000000,00000000,00000000,00000000,00000000), ref: 00685D98
GetLastError.KERNEL32 ref: 00685DA4
CloseServiceHandle.ADVAPI32(00000000), ref: 00685DBB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00685DD5
GetLastError.KERNEL32 ref: 00685DDF
CloseServiceHandle.ADVAPI32(00000000), ref: 00685DFC
ControlService.ADVAPI32(00000000,00000001,?), ref: 00685E07
DeleteService.ADVAPI32(00000000), ref: 00685E10
GetLastError.KERNEL32 ref: 00685E1A

Strings

injectx64, xrefs: 00685D14, 00685D8D, 00685D92

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Service$ErrorLast$CloseHandle$Open$ControlCreateDeleteManagerMessageStart
String ID: injectx64
API String ID: 4182649678-1825733348
Opcode ID: 7608fa99c8c6551b7ec96a07eacd00506b5ac37928296822d4c4e66b44854b4f
Instruction ID: b3c6993e3dc4d93eb75ca533c29d45116d8f46c4a481b61c82eb51e36dca78db
Opcode Fuzzy Hash: 7608fa99c8c6551b7ec96a07eacd00506b5ac37928296822d4c4e66b44854b4f
Instruction Fuzzy Hash: CD31F231740618ABC730AB64DC88BBF7BABEF05751F542229FE02E6690CB608900D798

Function 006CC420 Relevance: 24.9, APIs: 3, Strings: 11, Instructions: 417COMMON

Download Yara Rule

Strings

[DoH] A: %u.%u.%u.%u, xrefs: 006CC68B
[DoH] hostname: %s, xrefs: 006CC631
[DoH] AAAA: , xrefs: 006CC6A7
Could not DoH-resolve: %s, xrefs: 006CC48F
unknown, xrefs: 006CC590
AAAA, xrefs: 006CC597
%s%02x%02x, xrefs: 006CC6EF
CNAME: %s, xrefs: 006CC76C
bad error code, xrefs: 006CC5B1, 006CC5C1
[DoH] TTL: %u seconds, xrefs: 006CC643
DoH: %s type %s for %s, xrefs: 006CC5C2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: %s%02x%02x$AAAA$CNAME: %s$Could not DoH-resolve: %s$DoH: %s type %s for %s$[DoH] A: %u.%u.%u.%u$[DoH] AAAA: $[DoH] TTL: %u seconds$[DoH] hostname: %s$bad error code$unknown
API String ID: 0-228328110
Opcode ID: b7cb6df7e71dce6282b68aa58667f15077176e8cf8160f09ee7309942fef8544
Instruction ID: a250f59206a24792e0850e584df51978799c2f3e4d625efd859e736b6517d5d4
Opcode Fuzzy Hash: b7cb6df7e71dce6282b68aa58667f15077176e8cf8160f09ee7309942fef8544
Instruction Fuzzy Hash: 49E1FEB19083409FD7609F28C889BBBB7E6FF84310F44492DF88D97242D735A945CB96

Function 00689BC0 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 79processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00689BD9
memset.VCRUNTIME140(?,00000000,00000228), ref: 00689BEF
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00689C09
StrCmpW.SHLWAPI(?,bugreport.exe), ref: 00689C30
StrCmpW.SHLWAPI(?,TxBugReport.exe), ref: 00689C42
StrCmpW.SHLWAPI(?,WerFault.exe), ref: 00689C54
OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00689C67
TerminateProcess.KERNEL32(00000000,00000000), ref: 00689C76
CloseHandle.KERNEL32(00000000), ref: 00689C83
Process32NextW.KERNEL32(00000000,0000022C), ref: 00689C95
CloseHandle.KERNEL32(00000000), ref: 00689CA1

Strings

WerFault.exe, xrefs: 00689C48
TxBugReport.exe, xrefs: 00689C36
bugreport.exe, xrefs: 00689C24

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32memset
String ID: TxBugReport.exe$WerFault.exe$bugreport.exe
API String ID: 358923954-173928622
Opcode ID: 380d08624c3644b5c04058eca6b74b304c323973d73f9c2085d1d4571c2174d1
Instruction ID: 383ccef9e0baaf3b006c1a8e3b34625f4257a8877dbd4b2394ba76addec0f4ab
Opcode Fuzzy Hash: 380d08624c3644b5c04058eca6b74b304c323973d73f9c2085d1d4571c2174d1
Instruction Fuzzy Hash: C1219872A412186BDB20ABB5DD49FBE73EDAF04700F0812A5A505E7190E775DE00CBB0

Function 006F0940 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 149encryptionCOMMON

Download Yara Rule

APIs

CryptQueryObject.CRYPT32(00000002,?,00000002,0000000E,00000000,00000000,?,00000000,00000000,00000000,?), ref: 006F0A21
CertAddCertificateContextToStore.CRYPT32(?,?,00000004,00000000), ref: 006F0A42
CertFreeCertificateContext.CRYPT32(00000000), ref: 006F0A4E
GetLastError.KERNEL32(?,00000100), ref: 006F0A68

Strings

schannel: added %d certificate(s) from CA file '%s', xrefs: 006F0B08
schannel: failed to add certificate from CA file '%s' to certificate store: %s, xrefs: 006F0A79
-----BEGIN CERTIFICATE-----, xrefs: 006F099C
schannel: CA file '%s' is not correctly formatted, xrefs: 006F0AD4
-----END CERTIFICATE-----, xrefs: 006F09CA
schannel: unexpected content type '%lu' when extracting certificate from CA file '%s', xrefs: 006F0A85
schannel: did not add any certificates from CA file '%s', xrefs: 006F0AF4
schannel: failed to extract certificate from CA file '%s': %s, xrefs: 006F0AB8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCertificateContext$CryptErrorFreeLastObjectQueryStore
String ID: -----END CERTIFICATE-----$-----BEGIN CERTIFICATE-----$schannel: CA file '%s' is not correctly formatted$schannel: added %d certificate(s) from CA file '%s'$schannel: did not add any certificates from CA file '%s'$schannel: failed to add certificate from CA file '%s' to certificate store: %s$schannel: failed to extract certificate from CA file '%s': %s$schannel: unexpected content type '%lu' when extracting certificate from CA file '%s'
API String ID: 854292303-2991118681
Opcode ID: f809bb80533b84089141d1c587b79f86ddca388c0b673dd7be4b60085a6de2a3
Instruction ID: 8954c41581451f6c951962c36bcdb16872f89d54a28477984019de8355e774b6
Opcode Fuzzy Hash: f809bb80533b84089141d1c587b79f86ddca388c0b673dd7be4b60085a6de2a3
Instruction Fuzzy Hash: 1041D2B1648308EFE3209F24CC02FBBBAEAEB88704F44091DF69596293D775D9158B46

Function 006867F0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 94stringCOMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 00686814
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00686840
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00686848
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 00686851
GetAdaptersInfo.IPHLPAPI(00000000,00000288), ref: 00686861
strstr.VCRUNTIME140(0000010C,Intel), ref: 0068687C
strstr.VCRUNTIME140(0000010C,Realtek), ref: 0068688F
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006868A7

Strings

Realtek, xrefs: 00686889
Null, xrefs: 00686820, 006868B2
Intel, xrefs: 00686876
d#, xrefs: 00686848, 006868A7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AdaptersInfofreemallocstrstr
String ID: Intel$Null$Realtek$d#
API String ID: 523960851-3463216569
Opcode ID: ae4929088c652fc564eaeb5742be83b081e4b47647a87aa3767ce1c00d6318bd
Instruction ID: 905084d7c888e7215ae0aed8deecdf2a622a01a1954cb2de00b04aa1f38ae3f2
Opcode Fuzzy Hash: ae4929088c652fc564eaeb5742be83b081e4b47647a87aa3767ce1c00d6318bd
Instruction Fuzzy Hash: 1421B772A00108ABDB10AF68ED419FEB7BADF85310F04126EFC0997351EB359E05CBA1

Function 006CAAE0 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 541stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,00000000), ref: 006CADAB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006CADB3
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A), ref: 006CADC7
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006CADD4
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006CADE0
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006CADEA

Strings

,$p, xrefs: 006CABB4
z-, xrefs: 006CADC7
GMT, xrefs: 006CAC7B, 006CAC9E
#p, xrefs: 006CABBD

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno$strtol
String ID: ,$p$GMT$z-$#p
API String ID: 3596500743-1103742081
Opcode ID: 71213118aae312fd1ad3230c56461c2f2dd829729c8682ceb08be4155d8d4fea
Instruction ID: 822a9769ae33e9bccfbc2ab41101dbfb576ed123989ceddd7c4b2008bfc36183
Opcode Fuzzy Hash: 71213118aae312fd1ad3230c56461c2f2dd829729c8682ceb08be4155d8d4fea
Instruction Fuzzy Hash: 7202C371A046094FC714CE68D895BBAB7E3EBC9328F14472EE5A6CB391D731DC468B42

Function 006D43E0 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 216COMMON

Download Yara Rule

APIs

#20.WS2_32(?,?,00000004,00000000,?,?,?,?), ref: 006D44B1
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,?), ref: 006D44DE
#20.WS2_32(?,?,00000004,00000000,?,?), ref: 006D4588
#20.WS2_32(?,?,00000004,00000000,?,?), ref: 006D46A7

Strings

Received unexpected DATA packet block %d, expecting block %d, xrefs: 006D4509
tftp_rx: internal error, xrefs: 006D46CD
Timeout waiting for block %d ACK. Retries = %d, xrefs: 006D45B5
Received last DATA packet block %d again., xrefs: 006D4451

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64
String ID: Received last DATA packet block %d again.$Received unexpected DATA packet block %d, expecting block %d$Timeout waiting for block %d ACK. Retries = %d$tftp_rx: internal error
API String ID: 1670930206-2691569196
Opcode ID: 86cdb340ae05d9318ffd7ed997e770141c7cc82bad2c2d73e39ac57136da8cbc
Instruction ID: a68b64db62746107ac30d303c576a94fa89dfd77e85cc6a2cabe6880032c2734
Opcode Fuzzy Hash: 86cdb340ae05d9318ffd7ed997e770141c7cc82bad2c2d73e39ac57136da8cbc
Instruction Fuzzy Hash: BE81BDB16007409FD7719F38D882BE7B7E6EF49300F44881EE69E8B2A2D775A844CB55

Function 006868F0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 182fileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100), ref: 00686913
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0068694A
DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00686979
CloseHandle.KERNEL32(00000000), ref: 00686980
memset.VCRUNTIME140(?,00000000,00000400), ref: 006869D3
DeviceIoControl.KERNEL32(00000000,0007C088,00000200,00000020,?,00000220,?,00000000), ref: 006869FF
memmove.VCRUNTIME140(?,?,00000100), ref: 00686A14
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000004), ref: 00686A1C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00686ADA

Strings

d#, xrefs: 00686ADA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ControlDevicememset$CloseCreateFileHandlefreemallocmemmove
String ID: d#
API String ID: 2475429783-2011854123
Opcode ID: 1bdf672e69839287c3d678e1e06d993b6d99ada968bcd1a5a61733774ecb5415
Instruction ID: f5125cc99aa6b54684546afabbe0998008f6479e28dd8e63ab0ca4326b50722d
Opcode Fuzzy Hash: 1bdf672e69839287c3d678e1e06d993b6d99ada968bcd1a5a61733774ecb5415
Instruction Fuzzy Hash: 46614B315042589EDB21DF24CC11BF9FBB6AF46300F0842D9F949EB2C2D6755A84CF65

Function 006F0E10 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 157encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 006EC1E0: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,?), ref: 006EC20E
Part of subcall function 006EC1E0: GetProcAddress.KERNEL32(00000000), ref: 006EC215

CertGetNameStringA.CRYPT32(?,00000006,00010002,00000000,?,?), ref: 006F0E5E

Strings

schannel: CryptDecodeObjectEx() returned no alternate name information., xrefs: 006F0F02
schannel: Not enough memory to list all hostnames., xrefs: 006F0FE7
schannel: Null certificate info., xrefs: 006F0EA9
schannel: Empty DNS name., xrefs: 006F0F51
schannel: CertFindExtension() returned no extension., xrefs: 006F0EC5
2.5.29.17, xrefs: 006F0EB6, 006F0EEE
schannel: Null certificate context., xrefs: 006F0E9B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AddressCertHandleModuleNameProcString
String ID: 2.5.29.17$schannel: CertFindExtension() returned no extension.$schannel: CryptDecodeObjectEx() returned no alternate name information.$schannel: Empty DNS name.$schannel: Not enough memory to list all hostnames.$schannel: Null certificate context.$schannel: Null certificate info.
API String ID: 4138448956-4204188966
Opcode ID: ec3d6ee66f13d2d023e37a9bd793448d8ff1ccbc15c273edac305a80dbdcb715
Instruction ID: bba8d8ce78162d9a46dbb0684bf2b38d9691cfab0470f6cf1a95e74ab78eeca1
Opcode Fuzzy Hash: ec3d6ee66f13d2d023e37a9bd793448d8ff1ccbc15c273edac305a80dbdcb715
Instruction Fuzzy Hash: 2F51CE71209305EFE7208F04DC41BBAFBE2BF84708F54455DFA855A293D3B69989CB92

Function 00689AC0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 74processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,F74E5D36), ref: 00689AF2
memset.VCRUNTIME140(?,00000000,00000228), ref: 00689B09
Process32FirstW.KERNEL32(00000000,0000022C), ref: 00689B23
#286.MFC140U(GameApp.exe), ref: 00689B48
#5110.MFC140U ref: 00689B58
StrCmpW.SHLWAPI(?,00000000), ref: 00689B66
#1045.MFC140U ref: 00689B7B
Process32NextW.KERNEL32(00000000,0000022C), ref: 00689B89
CloseHandle.KERNEL32(00000000), ref: 00689B90

Strings

GameApp.exe, xrefs: 00689B40

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Process32$#1045#286#5110CloseCreateFirstHandleNextSnapshotToolhelp32memset
String ID: GameApp.exe
API String ID: 3763556310-1538604750
Opcode ID: 8f6235738f9fbe36629c7fe166ad4fb74275a5120d95a94b827369c7bfd813fe
Instruction ID: 6c88d1e46f4fc9159be3c3c9d14f685d4f5af4939bcf1fe4376d7c2550f1a706
Opcode Fuzzy Hash: 8f6235738f9fbe36629c7fe166ad4fb74275a5120d95a94b827369c7bfd813fe
Instruction Fuzzy Hash: 46218372A00209AFDB10DFA5EC49FBEB7BDFB45711F141269E616D3290EB349A04CB61

Function 00691D70 Relevance: 16.6, APIs: 11, Instructions: 106COMMON

Download Yara Rule

APIs

#115.WS2_32(00000202,?,000920A0,00000000), ref: 00691DA1
#111.WS2_32 ref: 00691DAB
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00691DEA
CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000), ref: 00691DFD
CloseHandle.KERNEL32(00000000), ref: 00691E09
GetLastError.KERNEL32 ref: 00691E0F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CompletionCreatePort$#111#115CloseErrorHandleLast
String ID:
API String ID: 402296374-0
Opcode ID: e10f35cf4643e19bbf0ca78a7108549f94fbc924812d2abc9ee8785b7bc9a45a
Instruction ID: 76bd744a31c3bde50c6ac9751dad684beb49718f4df2925c64fe7ec1c9417c1c
Opcode Fuzzy Hash: e10f35cf4643e19bbf0ca78a7108549f94fbc924812d2abc9ee8785b7bc9a45a
Instruction Fuzzy Hash: 39310C717843046BE720EB68EC47FA6779EEB45B21F21411AFE14DB2D1EB74A400C799

Function 006F7240 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040), ref: 006F7253
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 006F7278
CryptReleaseContext.ADVAPI32(?,00000000), ref: 006F7287

Strings

, xrefs: 006F72D8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID:
API String ID: 4045725610-3916222277
Opcode ID: 471292b06ff0946fc76435ec20e57cb3324440026fbca05eba1efa3496c11aaa
Instruction ID: 39be7618ee799a821e0c395992841e599c426d6561ae60b1d7c7c54443180bc8
Opcode Fuzzy Hash: 471292b06ff0946fc76435ec20e57cb3324440026fbca05eba1efa3496c11aaa
Instruction Fuzzy Hash: 9421AF70248305BBE7209F10DD0AFBB7BAABB54B41F445828FA44E51E0EB75D908DB52

Function 006DEEF0 Relevance: 15.5, Strings: 12, Instructions: 514COMMON

Download Yara Rule

Strings

AUTH %s, xrefs: 006DF081, 006DF0FC
Failed to figure out path, xrefs: 006DF39B
SYST, xrefs: 006DF427
[%s] protocol connect phase DONE, xrefs: 006DF3D6, 006DF4D0
Got a %03d ftp-server response when 220 was expected, xrefs: 006DEFD0
Failed to clear the command channel (CCC), xrefs: 006DF2E4
PROT %c, xrefs: 006DF221
Entry path is '%s', xrefs: 006DF46A, 006DF4AB
ACCT rejected by server: %03d, xrefs: 006DF1C6
unsupported parameter to CURLOPT_FTPSSLAUTH: %d, xrefs: 006DF037
CCC, xrefs: 006DF298
???, xrefs: 006DF4CA, 006DF4CF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: ???$ACCT rejected by server: %03d$AUTH %s$CCC$Entry path is '%s'$Failed to clear the command channel (CCC)$Failed to figure out path$Got a %03d ftp-server response when 220 was expected$PROT %c$SYST$[%s] protocol connect phase DONE$unsupported parameter to CURLOPT_FTPSSLAUTH: %d
API String ID: 0-2007147950
Opcode ID: 8dfd6ffeb2126856f7912e3e300820e77657841e467ad3ffc0f612ef4b4c8462
Instruction ID: 03f5713430f50858557c094855d1c9fc0385384227adc8d6e40520f456dd84e6
Opcode Fuzzy Hash: 8dfd6ffeb2126856f7912e3e300820e77657841e467ad3ffc0f612ef4b4c8462
Instruction Fuzzy Hash: 51E16FB5E043046BD710AB24DC52BFB77D79F85364F48003BF54A8B382DA6A9A45839A

Function 00687B80 Relevance: 15.1, APIs: 10, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00687B9C
memset.VCRUNTIME140(?,00000000,00000054), ref: 00687BB3
#890.MFC140U ref: 00687BC0
SendMessageW.USER32(?,00000027,?,00000000), ref: 00687BD1
GetSystemMetrics.USER32(0000000B), ref: 00687BDF
GetSystemMetrics.USER32(0000000C), ref: 00687BE5
GetClientRect.USER32(?,?), ref: 00687BF9
DrawIcon.USER32(?,?,?,?), ref: 00687C2B
#1391.MFC140U ref: 00687C35
#11038.MFC140U ref: 00687C4F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: MetricsSystem$#11038#1391#890ClientDrawIconIconicMessageRectSendmemset
String ID:
API String ID: 1369620942-0
Opcode ID: 26423e6ce7fccaa29e00f0ecb8f58d210f78296e950fe726026057407a40ac79
Instruction ID: 841053504f1d3ee37f68ba66490a22542e690536aa868c1114c54edb616b3a04
Opcode Fuzzy Hash: 26423e6ce7fccaa29e00f0ecb8f58d210f78296e950fe726026057407a40ac79
Instruction Fuzzy Hash: D121B5326083059FC700EF78DD49A7A7BEAFB88711F15162DFA95D61A0DB60E804CB82

Function 006F3510 Relevance: 14.6, Strings: 11, Instructions: 858COMMON

Download Yara Rule

Strings

GMT, xrefs: 006F37A8, 006F37B5, 006F3C46, 006F3C53
%02x:, xrefs: 006F3668, 006F36E3, 006F3B9C
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s, xrefs: 006F37DB, 006F3C75
0, xrefs: 006F3CB0
GMT, xrefs: 006F388D, 006F3D28
FALSE, xrefs: 006F354A, 006F3AFB, 006F3EBA
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s, xrefs: 006F38D5, 006F3D73
TRUE, xrefs: 006F3622, 006F362A, 006F3AF6, 006F3B03
o, xrefs: 006F3D34
%s%x, xrefs: 006F36AB, 006F3B62
o, xrefs: 006F3899

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: GMT$%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s$%02x:$%s%x$%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s$0$FALSE$GMT$TRUE$o$o
API String ID: 0-2675046348
Opcode ID: d0d52b78980b36bb4861c711f4d454ea582ed500c3ac80f453c8b8d82f3e6c7a
Instruction ID: 62ad132964fabe5af9b5d6c90a19196964e13490a80b5277e44848cb31d74bc8
Opcode Fuzzy Hash: d0d52b78980b36bb4861c711f4d454ea582ed500c3ac80f453c8b8d82f3e6c7a
Instruction Fuzzy Hash: 17429CB2A082696FCB159A388C45ABFBBDBDF85300F18056DFB82C7342E525DF058795

Function 006E6410 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 398fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006E646A
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,006B1352,?), ref: 006E659C

Strings

login, xrefs: 006E67CB
default, xrefs: 006E665A
macdef, xrefs: 006E65DE
#, xrefs: 006E659C
machine, xrefs: 006E6641, 006E6809
password, xrefs: 006E67E8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fclosefopen
String ID: #$default$login$macdef$machine$password
API String ID: 1280645193-108777533
Opcode ID: d17797aac5d40774408dc82733d1f97c6538c47a70511acf9297317d52184347
Instruction ID: ed4ede5d83df4de739ee06719e1e788f77e9f0d52ea795561b2b3eed34463e99
Opcode Fuzzy Hash: d17797aac5d40774408dc82733d1f97c6538c47a70511acf9297317d52184347
Instruction Fuzzy Hash: 57D1B6A050E3C28ADB21DF29D8447ABBFD65F66388F08086DF8C543382D665D94DC7A3

Function 006910C0 Relevance: 13.7, APIs: 9, Instructions: 170networkCOMMON

Download Yara Rule

APIs

#266.MFC140U(00000000), ref: 0069115D
#265.MFC140U(?), ref: 00691167
#266.MFC140U(00000000), ref: 006911F0
#265.MFC140U(00000004), ref: 006911F8
WSARecv.WS2_32(?,?,00000001,?,?,?,00000000), ref: 0069126B
#111.WS2_32(?,?,00000002,00000000,?,?), ref: 00691275
EnterCriticalSection.KERNEL32(00000000), ref: 0069128D
LeaveCriticalSection.KERNEL32(00000000), ref: 00691297
#266.MFC140U(?,?,?,00000003,00000000,00000000,00000000), ref: 006912B3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266$#265CriticalSection$#111EnterLeaveRecv
String ID:
API String ID: 4047909676-0
Opcode ID: d09fe6356cfe4f34bfaab4a6382dead3b1a51aacd6812477318134b7c2fb667e
Instruction ID: 6c8f76776b778d145369bf5209c623641d6ada426bbdd45217eaf6ba5951cf54
Opcode Fuzzy Hash: d09fe6356cfe4f34bfaab4a6382dead3b1a51aacd6812477318134b7c2fb667e
Instruction Fuzzy Hash: D5615F71A0060AEFDF14DFA4C888B99BBB9FF09304F108259E605DAA90D374EA54CF94

Function 006EFB00 Relevance: 12.9, Strings: 10, Instructions: 365COMMON

Download Yara Rule

Strings

lower, xrefs: 006EFE50
space, xrefs: 006EFD5D
alpha, xrefs: 006EFC19
xdigit, xrefs: 006EFC6A
alnum, xrefs: 006EFBC8
digit, xrefs: 006EFB79
blank, xrefs: 006EFDAE
upper, xrefs: 006EFDFF
graph, xrefs: 006EFD0C
print, xrefs: 006EFCBB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
API String ID: 0-2602438971
Opcode ID: 4dd36ea70012694e89c306a1d98afd929d6309262d9aba57d95b1557f1a0b756
Instruction ID: bba39814687adf4aaeed217a1045230caf27faad0be35d47ca6928dea04752a3
Opcode Fuzzy Hash: 4dd36ea70012694e89c306a1d98afd929d6309262d9aba57d95b1557f1a0b756
Instruction Fuzzy Hash: CDB138266193C50BC7218B3588A23F77BD7DFA6314FE848BAC8C5CB342E627D94D8251

Function 006A5300 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 434COMMON

Download Yara Rule

Strings

n,, xrefs: 006A55B0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: n,
API String ID: 0-4259703858
Opcode ID: 082702f1554aad00baf3433c0a36b08be34232456e01ebd347f2ddb821a46e02
Instruction ID: 0640c439102483f3c4b507348b48c1cc35e352eb9f01803dddecec0232aad24f
Opcode Fuzzy Hash: 082702f1554aad00baf3433c0a36b08be34232456e01ebd347f2ddb821a46e02
Instruction Fuzzy Hash: 21F178706087519FDB24EF65C880BABB7E6BF89304F44482EF98A97261E774DC44CB52

Function 006C9E20 Relevance: 12.3, APIs: 8, Instructions: 265sleepCOMMON

Download Yara Rule

APIs

#112.WS2_32(00002726,?), ref: 006C9E8B
#112.WS2_32(00002726), ref: 006CA00C
#18.WS2_32(?,?,?,?,00000000,00000000,?,?), ref: 006CA084
#111.WS2_32(?,?), ref: 006CA095
#151.WS2_32(?,?), ref: 006CA0D7
#151.WS2_32(?,?,?,?), ref: 006CA115
#151.WS2_32(?,?,?,?,?,?), ref: 006CA133
Sleep.KERNEL32(FFFFFFFE), ref: 006CA190

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #151$#112$#111Sleep
String ID:
API String ID: 3134680308-0
Opcode ID: be73edf2e91e334f6ae489f541f1fb82707084ef71623c747119c5e54074e5fa
Instruction ID: 4c5e3906a4edabec2151bbbfaf773f476a00ce592e2583ad5c6d02add774a354
Opcode Fuzzy Hash: be73edf2e91e334f6ae489f541f1fb82707084ef71623c747119c5e54074e5fa
Instruction Fuzzy Hash: A0A191706043458BD7359F68C898BBEB6E7FF98314F154A2EE9A9C3290E734C940C756

Function 006CEF40 Relevance: 12.1, APIs: 8, Instructions: 72encryptionCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 006CEF73
CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040,00000000,?,?,?,00000000,?,00000020,?,?,?,?), ref: 006CEF8B
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?,?,?,?,?), ref: 006CEFAB
CryptHashData.ADVAPI32(?,?,?,00000000,?,?,?,?), ref: 006CEFC3
CryptGetHashParam.ADVAPI32(?,00000004,?,?,00000000,?,?,?,?), ref: 006CEFDF
CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,?,?), ref: 006CF000
CryptDestroyHash.ADVAPI32(?,?,?,?,?), ref: 006CF00F
CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?), ref: 006CF020

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyReleasememset
String ID:
API String ID: 2041421932-0
Opcode ID: a2fb9bdd60cd62635b943701a54e208e122cd41f7c4c2e1df0208cb07b6778b5
Instruction ID: b39295be1df73cff4fbe30f48fb9f486c7c04d845bda09679b8f3eb6d48e3ec9
Opcode Fuzzy Hash: a2fb9bdd60cd62635b943701a54e208e122cd41f7c4c2e1df0208cb07b6778b5
Instruction Fuzzy Hash: 00212C71204301ABE7209F10DD0AF6B7BEAFB44B44F04181CF684E61E1DB71D908CB66

Function 006B1A30 Relevance: 10.3, Strings: 8, Instructions: 303COMMON

Download Yara Rule

Strings

memory shortage, xrefs: 006B1AC8
all_proxy, xrefs: 006B1C32, 006B1C37
no_proxy, xrefs: 006B1B28, 006B1B2D
ALL_PROXY, xrefs: 006B1C4D, 006B1C52
http_proxy, xrefs: 006B1C01
Uses proxy env variable %s == '%s', xrefs: 006B1B67, 006B1C6D
%s_proxy, xrefs: 006B1BDC
NO_PROXY, xrefs: 006B1B45, 006B1B4A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: EnvironmentVariable
String ID: %s_proxy$ALL_PROXY$NO_PROXY$Uses proxy env variable %s == '%s'$all_proxy$http_proxy$memory shortage$no_proxy
API String ID: 1431749950-4066991793
Opcode ID: 8dc622891721a2eace6d19da0b7d2332c9348225927203ddf2f4fce8b1282dce
Instruction ID: 83ad7d8d8bbfc6a84f17f576670dffa74b88150d1f4f9ce4da7de22048afde8c
Opcode Fuzzy Hash: 8dc622891721a2eace6d19da0b7d2332c9348225927203ddf2f4fce8b1282dce
Instruction Fuzzy Hash: D5B116B0904341AFD721CF758858BE77BE6AF46304F44882DF9898B351EB34D989CB52

Function 006C91E0 Relevance: 10.2, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

%4lldT, xrefs: 006C9407
%4lldP, xrefs: 006C9414
%4lldk, xrefs: 006C9232
%2lld.%0lldG, xrefs: 006C93BD
%2lld.%0lldM, xrefs: 006C92EA
%4lldM, xrefs: 006C931C
%5lld, xrefs: 006C9200
%4lldG, xrefs: 006C93ED

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
API String ID: 0-3476178709
Opcode ID: 80aa937d3f23f5c6b70e629684c82e201b8cceb30925afb6329257fa951e08c3
Instruction ID: 6547ea2e20022028bf9b575f79c0f5b6ffad4fd17cba43bcaaa825428c10bcc7
Opcode Fuzzy Hash: 80aa937d3f23f5c6b70e629684c82e201b8cceb30925afb6329257fa951e08c3
Instruction Fuzzy Hash: 4A513AB27103452BE708996CEC8AFBB71C6E784718F48463DF946D73D2F699CD0242A5

Function 006F5D10 Relevance: 9.1, APIs: 6, Instructions: 114encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32 ref: 006F5D3B
CryptImportKey.ADVAPI32(?,?,00000014,00000000,00000000,?,F0000040,?,0000000E,0000000E,00000000,0000000E,?,?,0000000E,?), ref: 006F5DFA
CryptReleaseContext.ADVAPI32(?,00000000,?,006E2022,?,?), ref: 006F5E0A
CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,?,?,?,006E2022,?,?), ref: 006F5E44
CryptDestroyKey.ADVAPI32(?,?,006E2022,?,?), ref: 006F5E4E
CryptReleaseContext.ADVAPI32(?,00000000,?,006E2022,?,?), ref: 006F5E5A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
String ID:
API String ID: 3016261861-0
Opcode ID: 584728d47544c79a390588b3fe9424c0f6369b87b7f56f7671eb7b48d4e91a2b
Instruction ID: 94d563d26a3d2d7b2c5446e0eacf2f013911edc771860140b5e628964bc44593
Opcode Fuzzy Hash: 584728d47544c79a390588b3fe9424c0f6369b87b7f56f7671eb7b48d4e91a2b
Instruction Fuzzy Hash: AA41AF34108340AFE7018F68C846B9BBFE5EF9A704F04594CF6D897292C725E50ADB5A

Function 006F71E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 006F71FC
CryptGetHashParam.ADVAPI32(00000020,00000002,?,?,00000000), ref: 006F7219
CryptDestroyHash.ADVAPI32(00000020), ref: 006F7227
CryptReleaseContext.ADVAPI32(00000020,00000000), ref: 006F7237

Strings

, xrefs: 006F7202

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-3916222277
Opcode ID: 85c053ef8d4d8cc71c82620de73b20cb56699c9f26627ed61a16174e983509f5
Instruction ID: 9b216b2d92f8fc2e7195685ce22c99f55518c82d3d8c36dfb96c6cdb8fc531da
Opcode Fuzzy Hash: 85c053ef8d4d8cc71c82620de73b20cb56699c9f26627ed61a16174e983509f5
Instruction Fuzzy Hash: 73F01771245305EBEB208F50DD0AFAB7BEAEB48B41F105818F695E6190CBB0E944CB61

Function 00698710 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 368COMMON

Download Yara Rule

APIs

?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000C,F74E5D36,?,?,?,00000000,006FA2E8,000000FF,?,0069717A,?,?,?,?,00000000,00000000), ref: 00698756
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000B,F74E5D36,?,?,?,00000000,006FA2E8,000000FF,?,0069717A,?,?,?,?,00000000,00000000), ref: 0069876D
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000D,F74E5D36,?,?,?,00000000,006FA2E8,000000FF,?,0069717A,?,?,?,?,00000000,00000000), ref: 00698B59

Part of subcall function 00699CF0: strchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_,0000000A,?,00698843,?,000000FF,F74E5D36,?,?,?,00000000,006FA2E8), ref: 00699D18

Part of subcall function 00699580: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,F74E5D36,?,00698906,?,?,?,?,F74E5D36,?,?,?,00000000,006FA2E8), ref: 006995CC
Part of subcall function 00699580: memmove.VCRUNTIME140(zqi,?,00000000,zqi,?,?,F74E5D36,?,00698906,?,?,?,?,F74E5D36,?,?), ref: 006995FC

Strings

zqi, xrefs: 006988DF, 00698930, 00698933

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: W4error_type@regex_constants@1@@Xregex_error@std@@$Xlength_error@std@@memmovestrchr
String ID: zqi
API String ID: 2912523191-2758649311
Opcode ID: 8d1f7be444e3479258e725d137042b55e32a63540eeecc0bf8976cd5100345b9
Instruction ID: e6fe97a535ad77da1c81cc13ee8cda9cae95f87a5d94046833f91e6e8337c854
Opcode Fuzzy Hash: 8d1f7be444e3479258e725d137042b55e32a63540eeecc0bf8976cd5100345b9
Instruction Fuzzy Hash: 6EE15B71A006049FDF25CF68C490AAEB7FAFF8A310F24055DE492ABB51DB71E841CB65

Function 006F58E0 Relevance: 6.0, APIs: 4, Instructions: 34encryptionCOMMON

Download Yara Rule

APIs

CryptGetHashParam.ADVAPI32(?,00000002,00000000,?,00000000), ref: 006F58FC
CryptGetHashParam.ADVAPI32(00000010,00000002,?,?,00000000), ref: 006F5919
CryptDestroyHash.ADVAPI32(00000010), ref: 006F5927
CryptReleaseContext.ADVAPI32(00000010,00000000), ref: 006F5937

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Hash$Param$ContextDestroyRelease
String ID:
API String ID: 2110207923-0
Opcode ID: 6eb7ed0d1d75e0328b9c432eb7c43f9d4aa0001c8eee84285618067f9576ff38
Instruction ID: b175847f18bf0e108bd62535a7c8dbe7de34c3315cc09b71db72de26b16a024e
Opcode Fuzzy Hash: 6eb7ed0d1d75e0328b9c432eb7c43f9d4aa0001c8eee84285618067f9576ff38
Instruction Fuzzy Hash: 49F01D70204305EBE7208F50DD0AFAB77EDEB44B51F105808F656D6190DBB0EC04CB61

Function 006F7180 Relevance: 4.5, APIs: 3, Instructions: 32encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000018,F0000040), ref: 006F7191
CryptCreateHash.ADVAPI32(?,0000800C,00000000,00000000,?), ref: 006F71B1
CryptReleaseContext.ADVAPI32(?,00000000), ref: 006F71BE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID:
API String ID: 4045725610-0
Opcode ID: 5d405f867ee30789ed38ea1c59003a928ba99bc5c62ce26ce7e5600767337a8e
Instruction ID: a7b8e9c18a80a4e59a4f0a476b69df69cae2eab8743a80c9fa43942dea697303
Opcode Fuzzy Hash: 5d405f867ee30789ed38ea1c59003a928ba99bc5c62ce26ce7e5600767337a8e
Instruction Fuzzy Hash: 40F06D71344214BBFB705F14FC0AFE737AAAB44B40F145418F780EA1E4D764AC449B58

Function 006F5860 Relevance: 4.5, APIs: 3, Instructions: 32encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 006F5871
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 006F5891
CryptReleaseContext.ADVAPI32(?,00000000), ref: 006F589E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireCreateHashRelease
String ID:
API String ID: 4045725610-0
Opcode ID: 4b9c1dfd7efde3b945c232daa99356c70f46f110ba909958610ac8f2c2c6b724
Instruction ID: 01615b946b314d9e2a46973322e4acad78c14bb0d9d67f55e411dfba0672daad
Opcode Fuzzy Hash: 4b9c1dfd7efde3b945c232daa99356c70f46f110ba909958610ac8f2c2c6b724
Instruction Fuzzy Hash: DEF06D71245210BBFB301F14FC0AFE737A9EB00B80F145428F791EA2E4D7A5AC418B48

Function 0069D5B6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0069D5CF

Strings

, xrefs: 0069D733

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: ea8bcb9b9f7968a625f02f47e60f86a0079cb920fda164c8d9a4b4b65470c824
Instruction ID: d540e4155d2a9a688050b7f26311fc4dea1e86950ea17d9df9a710c3d1b19712
Opcode Fuzzy Hash: ea8bcb9b9f7968a625f02f47e60f86a0079cb920fda164c8d9a4b4b65470c824
Instruction Fuzzy Hash: 59518EB1D046059FEB18CFA9D9857DABBF9EB48710F14C06AD419EB690D374A940CFA0

Function 006E2B00 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

#9.WS2_32(?,?,?,?,006E2D4F,?,?,?,?,?,?,?,006E219B,?,00000073,?), ref: 006E2B2D
GetCurrentProcessId.KERNEL32 ref: 006E2B65

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: fe8e1a575e2d4739042bc01aa51098e1f973314b5dbcec4972bd577098f8f49e
Instruction ID: ef9a8cd44dca6a0789c809c175496e134aab1ab3e0464057510b0a80aa25e408
Opcode Fuzzy Hash: fe8e1a575e2d4739042bc01aa51098e1f973314b5dbcec4972bd577098f8f49e
Instruction Fuzzy Hash: F9011A695143508BCB40CF69C4806A6B7E4FF69310F09E68AEC888F367D374D590C766

Function 006CD8A0 Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?), ref: 006CD8AA
BCryptGenRandom.BCRYPT(00000000,?,?,00000002), ref: 006CD8BE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CryptRandommemset
String ID:
API String ID: 642379960-0
Opcode ID: c05627d6f89828f1474a00a14b3ff978394a15c1a3464d770b4c42466f56ebf3
Instruction ID: e514edda1978bb598def42984ead97b8d8a91fc2a8c87a3ae336bf75bde4468d
Opcode Fuzzy Hash: c05627d6f89828f1474a00a14b3ff978394a15c1a3464d770b4c42466f56ebf3
Instruction Fuzzy Hash: 8ED012371983057EDB512AA0DC03F0A7B92AB84B50F84C91CF399540E2D67680649707

Function 006D1320 Relevance: 2.7, APIs: 2, Instructions: 174COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,0000002B,00000000,?), ref: 006D13EE
memset.VCRUNTIME140(?,000000FF,00000085,?,000000FF,0000002B,00000000,?), ref: 006D1405

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: dc1430ee23925b45fdcef367036de2f0f32b2e8ead59c9e2b535777fdb670852
Instruction ID: 9b04a2f7d0fbace89a979ff03488de65b37d86a6a5e6341174d88828e5786aa1
Opcode Fuzzy Hash: dc1430ee23925b45fdcef367036de2f0f32b2e8ead59c9e2b535777fdb670852
Instruction Fuzzy Hash: 36513371E083858BD725CF2CD8413FAB7E6AFDA300F04866EE586CB352EA749585C752

Function 006EB240 Relevance: 1.7, APIs: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006EB47E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 36e3d5fa08b30da2ca5e3b92e7720cebd306c3222514bddf6c10151e8b14d365
Instruction ID: fbc21ae28850cfcad47a084f59d034a3a297fba5be84ebaca9687fb4f9f69cd9
Opcode Fuzzy Hash: 36e3d5fa08b30da2ca5e3b92e7720cebd306c3222514bddf6c10151e8b14d365
Instruction Fuzzy Hash: D181F732A05791CBC725CE2DC4812AFB7E2ABC5320F14576DE8A5C73D5E7709949CB82

Function 006CD730 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 006CD78A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 235ebe47d34ea4bd8f49b29192e3685d66ac1b9b4cb3608f89e6a613adf44497
Instruction ID: d2554627ff22144d0b8dc9c827a4d7eacf1d02b11756f4fd8155a6b48712a01f
Opcode Fuzzy Hash: 235ebe47d34ea4bd8f49b29192e3685d66ac1b9b4cb3608f89e6a613adf44497
Instruction Fuzzy Hash: E411CE766097068EE710DE28D981FBBB7EADBC1314F04483EE981C7381E735DD098A62

Function 006CD7F0 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 006CD840

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 8339920da8fca39d2f8e47c82ad347992bdf7da0c0b772792b58906cfd28cb6c
Instruction ID: ea660569204653c2a99a999e5a0d8cc41cd13408986e5cb58d0429aa46b4db50
Opcode Fuzzy Hash: 8339920da8fca39d2f8e47c82ad347992bdf7da0c0b772792b58906cfd28cb6c
Instruction Fuzzy Hash: A81125726063018AE310CA29DD84FBAB7D9EBD1360F088A7EF540D7282D725DD49C765

Function 006F58C0 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptHashData.ADVAPI32(?,?,?,00000000), ref: 006F58D1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CryptDataHash
String ID:
API String ID: 4245837645-0
Opcode ID: 13a0c61bdfad54e2b6f6c392a3c5c2f2e8d704c3c757c4cbfbf3292e36900880
Instruction ID: 975f988b98f670e1df0e67af7ea0e22a66a5ba7119116f8222461405a5d4e714
Opcode Fuzzy Hash: 13a0c61bdfad54e2b6f6c392a3c5c2f2e8d704c3c757c4cbfbf3292e36900880
Instruction Fuzzy Hash: 28C04832108341EFCF02CF80CE09F2ABBA2BB88700F189848F2A456070C732D824EB06

Function 0069D50D Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001D519,0069C832), ref: 0069D512

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: ad70d99ceccc3ae5f77174b1df76f6ebfa1a4e5df95900011203127403e9e920
Instruction ID: 400755bd8f7982e3cd678ebb0a450efeef7581aa652361d6fdfa267ac350dc42
Opcode Fuzzy Hash: ad70d99ceccc3ae5f77174b1df76f6ebfa1a4e5df95900011203127403e9e920
Instruction Fuzzy Hash:

Function 00683E70 Relevance: .7, Instructions: 672COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4a9b283e23cac6a77d0f3481ffba4c864f87496f73bc96b8b8136246f8b832
Instruction ID: 69e1dc2028b9c20e41fb0c05fb47f25a8d70fac51c3de16e4f31dec3afdcc7a0
Opcode Fuzzy Hash: ab4a9b283e23cac6a77d0f3481ffba4c864f87496f73bc96b8b8136246f8b832
Instruction Fuzzy Hash: E41271B7F515144BDB0CCA5DCCA23EDB2E3AFD4218B0E813DA40AE3745EA7DD9158688

Function 006C02B0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbc8ca4f314a103e13ded581f5d6c4451761b70181a907f9b54ed5906c6f6bb
Instruction ID: d12f059ad7c0c2463b7c5a4e4d88b3eb7004606af8ee42a37fb7f62946992b6a
Opcode Fuzzy Hash: 9dbc8ca4f314a103e13ded581f5d6c4451761b70181a907f9b54ed5906c6f6bb
Instruction Fuzzy Hash: 8622ACB1A08345CFE710CF19D480B7AFBE2EBC8354F58492EE59A87341E775D9468B82

Function 006866C0 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ff316fb95f827ec2ba616e115d7315a9312a14a28d95d6786ac39e528f4323
Instruction ID: 35c5019dead58ba8cbd2b1a65a5d41e3b22f249bae960c95b6f7aa163f5859e7
Opcode Fuzzy Hash: 39ff316fb95f827ec2ba616e115d7315a9312a14a28d95d6786ac39e528f4323
Instruction Fuzzy Hash: DE21F77902465946D61D253CE524BB536835B1230DF9807BEFAC6D93D2EA89C817C386

Function 00686720 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74077110831a501698697e9143e8dac6096e4a3e45d465b64240a1eadadb6340
Instruction ID: 90b3a519f3645bf9d7638c9b1bd4855508819e7d060d2dac2c41ea15d9af2d80
Opcode Fuzzy Hash: 74077110831a501698697e9143e8dac6096e4a3e45d465b64240a1eadadb6340
Instruction Fuzzy Hash: D311513A474E0D42D91D642CD424AB922825B0171DFD4076EFBC6E93D1EFC9D817C2CA

Function 006F7F50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6663c87e7b9c5c81edbc85a31dee72c2074cb08ee2059fbd346c7440ecd882
Instruction ID: bdb1e18b0ba89308e67ae3e436d9b2738777e3afb70e123d53a67fc775a5f29d
Opcode Fuzzy Hash: 1b6663c87e7b9c5c81edbc85a31dee72c2074cb08ee2059fbd346c7440ecd882
Instruction Fuzzy Hash: D6F0A01200AA2047AF13983D74D0AF397D3DFE7918BA128A594D8436D1874F380FD3A4

Function 006A0E60 Relevance: 164.8, APIs: 6, Strings: 88, Instructions: 272COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006A0E85
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A0E8F

Strings

SEC_E_MULTIPLE_ACCOUNTS, xrefs: 006A1053
SEC_E_SECPKG_NOT_FOUND, xrefs: 006A1107
SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 006A112F
SEC_E_DECRYPT_FAILURE, xrefs: 006A0F77
SEC_E_OUT_OF_SEQUENCE, xrefs: 006A10C1
SEC_E_INTERNAL_ERROR, xrefs: 006A0FC7
SEC_E_LOGON_DENIED, xrefs: 006A1035
SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 006A10CB
SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 006A1139
SEC_E_TIME_SKEW, xrefs: 006A1157
SEC_E_CANNOT_PACK, xrefs: 006A0F43
SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 006A0F66
SEC_I_RENEGOTIATE, xrefs: 006A1268
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 006A1143
CRYPT_E_REVOKED, xrefs: 006A11B1
SEC_E_UNTRUSTED_ROOT, xrefs: 006A1193
SEC_E_CERT_UNKNOWN, xrefs: 006A0F51
SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 006A0F6D
SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 006A0FF9
SEC_E_POLICY_NLTM_ONLY, xrefs: 006A10DF
SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 006A102B
SEC_E_SECURITY_QOS_FAILED, xrefs: 006A1111
SEC_E_INCOMPLETE_MESSAGE, xrefs: 006A0FB3
SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 006A119D
SEC_E_UNSUPPORTED_PREAUTH, xrefs: 006A1189
SEC_I_NO_LSA_CONTEXT, xrefs: 006A125E
SEC_E_KDC_UNABLE_TO_REFER, xrefs: 006A1021
SEC_I_CONTEXT_EXPIRED, xrefs: 006A1236
SEC_E_UNKNOWN_CREDENTIALS, xrefs: 006A1175
SEC_E_MUST_BE_KDC, xrefs: 006A105D
%s (0x%08X), xrefs: 006A12A5
SEC_E_DOWNGRADE_DETECTED, xrefs: 006A0F95
SEC_E_NO_CREDENTIALS, xrefs: 006A107B
SEC_E_PKINIT_NAME_MISMATCH, xrefs: 006A10D5
SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 006A116B
SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 006A10AD
SEC_E_MESSAGE_ALTERED, xrefs: 006A1049
SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 006A0FA9
No error, xrefs: 006A11FF
SEC_E_DELEGATION_REQUIRED, xrefs: 006A0F8B
SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 006A111B
SEC_E_REVOCATION_OFFLINE_C, xrefs: 006A10F3
SEC_I_COMPLETE_AND_CONTINUE, xrefs: 006A1222
%s (0x%08X) - %s, xrefs: 006A0F13
SEC_E_INVALID_PARAMETER, xrefs: 006A0FDB
SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 006A1071
CRYPT_E_REVOCATION_OFFLINE, xrefs: 006A11EB
SEC_E_NO_TGT_REPLY, xrefs: 006A10B7
SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 006A124A
SEC_E_ALGORITHM_MISMATCH, xrefs: 006A0EEC
SEC_E_DELEGATION_POLICY, xrefs: 006A0F81
SEC_I_LOCAL_LOGON, xrefs: 006A1254
SEC_E_INSUFFICIENT_MEMORY, xrefs: 006A0FBD
SEC_E_INVALID_HANDLE, xrefs: 006A0FD1
CRYPT_E_NO_REVOCATION_CHECK, xrefs: 006A11E1
SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 006A0FEF
SEC_E_NO_IP_ADDRESSES, xrefs: 006A108F
SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 006A10FD
SEC_E_TOO_MANY_PRINCIPALS, xrefs: 006A1161
SEC_E_ENCRYPT_FAILURE, xrefs: 006A0F9F
SEC_E_BAD_BINDINGS, xrefs: 006A0F27
SEC_E_CERT_WRONG_USAGE, xrefs: 006A0F58
SEC_E_BAD_PKGID, xrefs: 006A0F2E
SEC_E_KDC_INVALID_REQUEST, xrefs: 006A1017
SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 006A103F
SEC_E_NOT_OWNER, xrefs: 006A1067
SEC_E_TARGET_UNKNOWN, xrefs: 006A114D
SEC_E_CANNOT_INSTALL, xrefs: 006A0F3C
SEC_E_WRONG_PRINCIPAL, xrefs: 006A11A7
Unknown error, xrefs: 006A127C, 006A12A4
CRYPT_E_NOT_IN_REVOCATION_DATABASE, xrefs: 006A11F5
SEC_I_SIGNATURE_NEEDED, xrefs: 006A1272
SEC_E_UNSUPPORTED_FUNCTION, xrefs: 006A117F
SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 006A1125
SEC_E_CERT_EXPIRED, xrefs: 006A0F4A
SEC_E_INVALID_TOKEN, xrefs: 006A0FE5
SEC_E_KDC_CERT_REVOKED, xrefs: 006A100D
SEC_I_CONTINUE_NEEDED, xrefs: 006A0F12, 006A1240
SEC_E_BUFFER_TOO_SMALL, xrefs: 006A0F35
SEC_E_NO_IMPERSONATION, xrefs: 006A1085
SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 006A1292
CRYPT_E_NO_REVOCATION_DLL, xrefs: 006A11D7
SEC_E_CONTEXT_EXPIRED, xrefs: 006A0F5F
SEC_E_KDC_CERT_EXPIRED, xrefs: 006A1003
SEC_E_NO_KERB_KEY, xrefs: 006A1099
SEC_E_NO_PA_DATA, xrefs: 006A10A3
SEC_E_QOP_NOT_SUPPORTED, xrefs: 006A10E9
SEC_I_COMPLETE_NEEDED, xrefs: 006A122C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ErrorLast_errno
String ID: %s (0x%08X)$%s (0x%08X) - %s$CRYPT_E_NOT_IN_REVOCATION_DATABASE$CRYPT_E_NO_REVOCATION_CHECK$CRYPT_E_NO_REVOCATION_DLL$CRYPT_E_REVOCATION_OFFLINE$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
API String ID: 3939687465-2809133380
Opcode ID: 0402e203418a3be14850aba929b23bfaea2d4e7af8a635b546b6f208adbecd8e
Instruction ID: 6dc0039081e35e2c13c3ee2778edb116badb92f4c13ae277bcbbe2e961601ce2
Opcode Fuzzy Hash: 0402e203418a3be14850aba929b23bfaea2d4e7af8a635b546b6f208adbecd8e
Instruction Fuzzy Hash: 9E911762C881AC97A3107E1CA5205752A9F7E47364B2A49F2BF0A6FB40D1A17D437ED3

Function 00681F00 Relevance: 147.4, APIs: 68, Strings: 16, Instructions: 426COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00681F5C
#296.MFC140U ref: 00681F6F
#296.MFC140U ref: 00681FA6
#4815.MFC140U(?,%ws,?), ref: 00681FC8
#290.MFC140U(dwSSO_Account_dwAccountUin), ref: 00681FD8
#2996.MFC140U(00000000), ref: 00681FEA
#1045.MFC140U ref: 00681FFF
memset.VCRUNTIME140(?,00000000,00000800), ref: 0068201B
#296.MFC140U ref: 00682029
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00682040
#4815.MFC140U(?,%ws\LogInfo,?), ref: 00682059
GetFileAttributesW.KERNEL32(?), ref: 00682064
CreateDirectoryW.KERNEL32(?,00000000), ref: 00682077
#4815.MFC140U(?,0070AA68,?), ref: 0068209B
#4815.MFC140U(?,%ws\%u%ws,?,?,.ini), ref: 006820C0
#1045.MFC140U ref: 006820CB
#1045.MFC140U ref: 006820DB
#290.MFC140U(SSO_Account_ServiceInfo), ref: 006820F1
#2996.MFC140U(00000000), ref: 00682103
#1045.MFC140U ref: 00682118
#296.MFC140U ref: 00682166
#4815.MFC140U(?,%ws,800009AD), ref: 0068218F
#290.MFC140U(bufServiceTicket), ref: 006821A3
#2996.MFC140U(00000000), ref: 006821C4
#290.MFC140U(buf16bytesGTKey_ST), ref: 006821D9
#2996.MFC140U(00000000), ref: 006821FD
#1045.MFC140U ref: 00682229
#1045.MFC140U ref: 0068224A
#296.MFC140U ref: 00682273
#2477.MFC140U(?,%02X ,00000009), ref: 006822B1
#5110.MFC140U(?), ref: 006822D1
#5110.MFC140U(00000000), ref: 006822DE
#5110.MFC140U(00000000), ref: 006822EB
WritePrivateProfileStringW.KERNEL32(00000000), ref: 006822F8
#296.MFC140U ref: 00682300
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 0068230C
#4815.MFC140U(?,%llu,00000000), ref: 00682320
#5110.MFC140U(?), ref: 00682335
#5110.MFC140U(time,00000000), ref: 00682347
WritePrivateProfileStringW.KERNEL32(00000000), ref: 0068234E
#1045.MFC140U ref: 00682356
#1045.MFC140U ref: 00682362
#1045.MFC140U ref: 00682378
#290.MFC140U(bufTGT), ref: 006823A8
#2996.MFC140U(00000000), ref: 006823C9
#290.MFC140U(bufSigSession), ref: 006823E2
#2996.MFC140U(00000000), ref: 00682406
#290.MFC140U(bufSessionKey), ref: 0068241F
#2996.MFC140U(00000000), ref: 00682443
#290.MFC140U(bufTGT_GTKey), ref: 00682458
#2996.MFC140U(00000000), ref: 0068247C
#290.MFC140U(bufST_PTLOGIN), ref: 00682491
#2996.MFC140U(00000000), ref: 006824B5
#1045.MFC140U ref: 006824E1
#1045.MFC140U ref: 006824FB
#1045.MFC140U ref: 00682515
#1045.MFC140U ref: 0068252F
#1045.MFC140U ref: 00682550
#296.MFC140U ref: 00682579
#2477.MFC140U(?,%02X ,00000010), ref: 006825B5
#5110.MFC140U(?), ref: 006825CF
#5110.MFC140U(00000000), ref: 006825DC
#5110.MFC140U(00000000), ref: 006825E9
WritePrivateProfileStringW.KERNEL32(00000000), ref: 006825F0
#1045.MFC140U ref: 006825FC
#1045.MFC140U ref: 0068260C
#1045.MFC140U ref: 0068263D
#1045.MFC140U ref: 00682649

Strings

bufTGT, xrefs: 0068239D
bufSigSession, xrefs: 006823D7
dwSSO_Account_dwAccountUin, xrefs: 00681FD3
bufServiceTicket, xrefs: 0068219E
SSO_Account_ServiceInfo, xrefs: 006820E6
.ini, xrefs: 006820A6
bufTGT_GTKey, xrefs: 0068244D
bufSessionKey, xrefs: 00682414
%ws, xrefs: 00681FC2, 00682189
%02X , xrefs: 006822AB, 006825AF
buf16bytesGTKey_ST, xrefs: 006821CE
%llu, xrefs: 0068231A
%ws\%u%ws, xrefs: 006820BA
time, xrefs: 0068233C
bufST_PTLOGIN, xrefs: 00682486
%ws\LogInfo, xrefs: 00682053

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#2996$#296#5110$#4815$PrivateProfileStringWrite$#2477$AttributesCreateDirectoryFileFolderPathSpecial_time64memset
String ID: %02X $%llu$%ws$%ws\%u%ws$%ws\LogInfo$.ini$SSO_Account_ServiceInfo$buf16bytesGTKey_ST$bufST_PTLOGIN$bufServiceTicket$bufSessionKey$bufSigSession$bufTGT$bufTGT_GTKey$dwSSO_Account_dwAccountUin$time
API String ID: 1970964733-3797204913
Opcode ID: fe889217287afa230d578c4ba295e88d5c3bb275abda44bbff8658f545e4322f
Instruction ID: 80327dbaee9d848df8b0dfd14380ae28121d4a2c3934f492af7d10a3f9b30603
Opcode Fuzzy Hash: fe889217287afa230d578c4ba295e88d5c3bb275abda44bbff8658f545e4322f
Instruction Fuzzy Hash: AF220571901219DBCB20DF64DD99BE8BBF5BF09700F04A1D9E58AA22A1DF745B84CF90

Function 0068D460 Relevance: 130.0, APIs: 71, Strings: 3, Instructions: 474windowfileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,F74E5D36), ref: 0068D49C
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,F74E5D36), ref: 0068D4AF
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000,?,?,F74E5D36), ref: 0068D4C4
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070C57C,?,0070C5A8,?,?,?,F74E5D36), ref: 0068D4EE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068D50B
#296.MFC140U ref: 0068D526
#5850.MFC140U(?,00000000,00000001), ref: 0068D543
#290.MFC140U(00715900), ref: 0068D554
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068D572
#1045.MFC140U ref: 0068D585
GetPrivateProfileIntW.KERNEL32(?,0070BD6C,00000000,?), ref: 0068D59E
memset.VCRUNTIME140(?,00000000,00000032), ref: 0068D5B7
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032), ref: 0068D5C7
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032), ref: 0068D5D7
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?,00000000,00000032), ref: 0068D5E7
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?,00000000,00000032), ref: 0068D5F7
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?,00000000,00000032,?), ref: 0068D607
memset.VCRUNTIME140(?,00000000,00000032), ref: 0068D617
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032), ref: 0068D624
#5850.MFC140U(?,00000000,00000001), ref: 0068D63C
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D659
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D664
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D687
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D692
#1045.MFC140U ref: 0068D6AA
#5850.MFC140U(?,00000000,00000002), ref: 0068D6C0
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D6E1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D6EC
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D70F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D71A
#1045.MFC140U ref: 0068D732
#5850.MFC140U(?,00000000,00000003), ref: 0068D748
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D769
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D774
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D797
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D7A2
#1045.MFC140U ref: 0068D7BA
#5850.MFC140U(?,00000000,00000004), ref: 0068D7D0
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D7F1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D7FC
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D81F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D82A
#1045.MFC140U ref: 0068D842
#5850.MFC140U(?,00000000,00000005), ref: 0068D858
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D879
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D884
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D8A7
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D8B2
#1045.MFC140U ref: 0068D8CA
#5850.MFC140U(?,00000000,00000006), ref: 0068D8E0
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D901
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D90C
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D92F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D93A
#1045.MFC140U ref: 0068D952
#5850.MFC140U(?,00000000,0000000A), ref: 0068D968
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D989
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D994
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D9B4
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D9BF
#1045.MFC140U ref: 0068D9D4
#5850.MFC140U(?,00000000,0000000D), ref: 0068D9EA
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068DA0B
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068DA16
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068DA36
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068DA41
#1045.MFC140U ref: 0068DA52
#1045.MFC140U ref: 0068DAA4
#1045.MFC140U ref: 0068DAB7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068DACF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0068DADE

Strings

%s----%s----%s----%s----%s----%s----%s----%s, xrefs: 0068DA8A
#, xrefs: 0068DADE
%ws%ws_log.txt, xrefs: 0068D56C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #5110ByteCharMultiWide$#1045$memset$#5850$MessageSend$#290#296#4815FolderPathPrivateProfileSpecialfclosefopen
String ID: #$%s----%s----%s----%s----%s----%s----%s----%s$%ws%ws_log.txt
API String ID: 3101541569-1383357023
Opcode ID: 41dd524749986c00bf97fac3bb4b2bac303b47ac3209624160e06d031d9996a1
Instruction ID: 6edc1ca7e0bef75961a48a95dfb5961cf24c4357ee54fb658a71cdd37a7d5f18
Opcode Fuzzy Hash: 41dd524749986c00bf97fac3bb4b2bac303b47ac3209624160e06d031d9996a1
Instruction Fuzzy Hash: 35127D71A42209EFFB20DB90DC4AFEEBB79EB49705F105095F605AA2D1CBB06A44CF54

Function 00688E40 Relevance: 112.4, APIs: 59, Strings: 5, Instructions: 434windowfileCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00688E7F
#296.MFC140U ref: 00688E92
memset.VCRUNTIME140(?,00000000,00000400), ref: 00688EAA
DragQueryFileA.SHELL32(?,00000000,?,00000400), ref: 00688EC1
SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00688EDE
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070C19C), ref: 00688F02
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00688F1C
memset.VCRUNTIME140(?,00000000,00000400), ref: 00688F3E
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000400,00000000,?,00000000,00000400), ref: 00688F50
#290.MFC140U(----,?), ref: 00688FC7
#290.MFC140U(?), ref: 00688FDB
#1045.MFC140U ref: 00689052
#296.MFC140U ref: 006890BD
#296.MFC140U ref: 006890C9
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006890E4
#4815.MFC140U(?,0070D718,00000001), ref: 006890F8
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00689118
#8067.MFC140U(00000001,00000000,?,00000000,00000000,00000000,00000000), ref: 00689130
#13656.MFC140U(00000000,00000001,00000000), ref: 00689149
#13656.MFC140U(00000000,00000002,?), ref: 0068915B
#290.MFC140U(00715900), ref: 0068916C
#4815.MFC140U(?,%ws%ws_log.txt,00000000,00000000), ref: 00689186
#1045.MFC140U ref: 00689199
#280.MFC140U(00000000), ref: 006891A6
GetPrivateProfileIntW.KERNEL32(00000000,0070BD6C,00000000,?), ref: 006891BB
#1045.MFC140U ref: 006891CD
WritePrivateProfileStringW.KERNEL32(00000000,`S(u,0070B524,?), ref: 006891E5
WritePrivateProfileStringW.KERNEL32(00000000,0070C1C8,0070C714,?), ref: 006891FD
WritePrivateProfileStringW.KERNEL32(00000000,0070C138,0070C714,?), ref: 00689215
#1523.MFC140U(00000000), ref: 00689241
#2457.MFC140U(00000000), ref: 0068924E
#2458.MFC140U(0070C1D0), ref: 0068925F
WritePrivateProfileStringW.KERNEL32(00000000,0070C1D4,?,?), ref: 00689278
#296.MFC140U ref: 00689291
#290.MFC140U(00715900), ref: 006892A6
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 006892C4
#1045.MFC140U ref: 006892D3
WritePrivateProfileStringW.KERNEL32(?,0070C1E0,?,?), ref: 006892F0
#4323.MFC140U ref: 00689304
#1045.MFC140U ref: 00689314
WritePrivateProfileStringW.KERNEL32(00000000,0070C1E8,0070B524,?), ref: 0068935A
#13656.MFC140U(00000000,0000000D,0070C1F4), ref: 0068937E
#280.MFC140U(00000000), ref: 00689396
WritePrivateProfileStringW.KERNEL32(00000000,0070BF88,?,?), ref: 006893AC
#1045.MFC140U ref: 006893B8
#280.MFC140U(00000000), ref: 006893CA
WritePrivateProfileStringW.KERNEL32(00000000,0070C1F8,?,?), ref: 006893E0
#1045.MFC140U ref: 006893EC
#13656.MFC140U(?,00000003,0070C170), ref: 00689434
memset.VCRUNTIME140(?,00000000,00000032), ref: 0068944B
#280.MFC140U(00000000,?,00000032), ref: 00689456
#1045.MFC140U ref: 00689477
#1045.MFC140U ref: 00689483
#1045.MFC140U ref: 00689499
feof.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006894DD
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006894F5
#3833.MFC140U ref: 00689500
#1045.MFC140U ref: 0068950C
#1045.MFC140U ref: 00689518

Strings

5uO:S, xrefs: 00689402
`S(u, xrefs: 006891DE
%ws%ws_log.txt, xrefs: 00689180, 006892BE
#, xrefs: 006894F5
----, xrefs: 00688FC2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$PrivateProfile$StringWrite$#296$#13656#280#290$#4815MessageSendmemset$feof$#1523#2457#2458#3833#4323#8067DragFileQueryfclosefgetsfopen
String ID: #$%ws%ws_log.txt$----$5uO:S$`S(u
API String ID: 4229755739-808125612
Opcode ID: 0fdf184a66221dd03d277843e88b743d7eabd0c831a56cd9b6646eb6f3bb6fc5
Instruction ID: 3f32bd1f8004c7054e061c01a87905619973a30bd037a7f003019098ab90e364
Opcode Fuzzy Hash: 0fdf184a66221dd03d277843e88b743d7eabd0c831a56cd9b6646eb6f3bb6fc5
Instruction Fuzzy Hash: 9D128DB1900219DFDB20AF64DC49BADBBF6FB05301F149298E54AA22A0DF755A85CF90

Function 0068A340 Relevance: 110.7, APIs: 62, Strings: 1, Instructions: 425windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0068A376
#296.MFC140U ref: 0068A388
#296.MFC140U ref: 0068A397
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068A3F2
#5850.MFC140U(?,00000000,0000000D), ref: 0068A410
StrCmpW.SHLWAPI(00000000,0070BD6C), ref: 0068A42A
#5850.MFC140U(?,00000000,0000000C), ref: 0068A448
StrCmpW.SHLWAPI(00000000,0070BD74), ref: 0068A465
#5850.MFC140U(?,00000000,0000000C), ref: 0068A47F
StrCmpW.SHLWAPI(00000000,0070BD80), ref: 0068A49C
#5850.MFC140U(?,00000000,0000000C), ref: 0068A4B6
StrCmpW.SHLWAPI(00000000,0070BD88), ref: 0068A4C6
#1045.MFC140U ref: 0068A4EC
#1045.MFC140U ref: 0068A500
#1045.MFC140U ref: 0068A514
#1045.MFC140U ref: 0068A52F
#5850.MFC140U(?,00000000,00000001), ref: 0068A56C
#290.MFC140U(00715900), ref: 0068A591
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068A5AF
#1045.MFC140U ref: 0068A5C2
memset.VCRUNTIME140(?,00000000,000000C8), ref: 0068A5D6
#5110.MFC140U ref: 0068A5E4
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 0068A5EB
#296.MFC140U ref: 0068A627
#13646.MFC140U(00000000,00000000,00000004,00000000,00000000,00000000,00000000,?), ref: 0068A64A
#290.MFC140U(?), ref: 0068A65D
#13656.MFC140U(00000000,00000004,00000000), ref: 0068A672
#1045.MFC140U ref: 0068A682
#4815.MFC140U(?,0070D718,00000001), ref: 0068A69A
#13656.MFC140U(00000000,00000005,?), ref: 0068A6B2
#4815.MFC140U(?,0070D718,?), ref: 0068A6CA
#13656.MFC140U(00000000,00000006,?), ref: 0068A6E2
#4815.MFC140U(?,0070D718,?), ref: 0068A6FA
#13656.MFC140U(00000000,00000007,?), ref: 0068A712
#4815.MFC140U(?,0070D718,?), ref: 0068A72A
#13656.MFC140U(00000000,00000008,?), ref: 0068A742
#4815.MFC140U(?,0070D718,?), ref: 0068A75A
#13656.MFC140U(00000000,00000012,?), ref: 0068A772
#4815.MFC140U(?,0070C340,?,?,?), ref: 0068A7C0
#13656.MFC140U(00000000,00000009,?), ref: 0068A7D8
#290.MFC140U(?), ref: 0068A7EB
#13656.MFC140U(00000000,0000000B,00000000), ref: 0068A800
#1045.MFC140U ref: 0068A810
#4815.MFC140U(?,0070D718,?), ref: 0068A828
#13656.MFC140U(00000000,0000000A,?), ref: 0068A840
memset.VCRUNTIME140(?,00000000,00000100), ref: 0068A854
#1045.MFC140U ref: 0068A879
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068A88E
TranslateMessage.USER32(?), ref: 0068A8A4
DispatchMessageW.USER32(?), ref: 0068A8B1
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068A8C6
#1045.MFC140U ref: 0068A8E2
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068A8FA
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068A926
TranslateMessage.USER32(?), ref: 0068A940
DispatchMessageW.USER32(?), ref: 0068A94D
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0068A962
GetTickCount.KERNEL32 ref: 0068A96E
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0068A998
GetTickCount.KERNEL32 ref: 0068A9A7
#1045.MFC140U ref: 0068A9C2
#1045.MFC140U ref: 0068A9CE

Part of subcall function 00689BC0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00689BD9
Part of subcall function 00689BC0: memset.VCRUNTIME140(?,00000000,00000228), ref: 00689BEF
Part of subcall function 00689BC0: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00689C09
Part of subcall function 00689BC0: StrCmpW.SHLWAPI(?,bugreport.exe), ref: 00689C30
Part of subcall function 00689BC0: StrCmpW.SHLWAPI(?,TxBugReport.exe), ref: 00689C42
Part of subcall function 00689BC0: StrCmpW.SHLWAPI(?,WerFault.exe), ref: 00689C54
Part of subcall function 00689BC0: OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00689C67
Part of subcall function 00689BC0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00689C76
Part of subcall function 00689BC0: CloseHandle.KERNEL32(00000000), ref: 00689C83
Part of subcall function 00689BC0: Process32NextW.KERNEL32(00000000,0000022C), ref: 00689C95
Part of subcall function 00689BC0: CloseHandle.KERNEL32(00000000), ref: 00689CA1

Strings

%ws%ws_log.txt, xrefs: 0068A5A9

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045Message$#13656$#4815$#5850$Peek$#290#296CountSendTickmemset$CloseDispatchHandleProcessProcess32Translate$#13646#5110CreateFirstNextOpenSnapshotTerminateToolhelp32_wtoll
String ID: %ws%ws_log.txt
API String ID: 2156892781-2539948989
Opcode ID: 91f39b1d50f5cdd04454cec498e8212f768c369cf96f00d85e358911e9322ff9
Instruction ID: e18e446c1ab204e639a0190f4f28fd68fa92318c54a63c78d6de76625b54fbb6
Opcode Fuzzy Hash: 91f39b1d50f5cdd04454cec498e8212f768c369cf96f00d85e358911e9322ff9
Instruction Fuzzy Hash: E702C070A4021DEFDB24ABA4DC4AFED7BBABB09700F009195F605A22E0D7B45B84CF55

Function 0068EC00 Relevance: 103.7, APIs: 56, Strings: 3, Instructions: 446fileCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068EC34
memset.VCRUNTIME140(?,00000000,00000200), ref: 0068EC4F
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0068EC64
#4815.MFC140U(?,%s\,?), ref: 0068EC7D
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0068EC9B
GetFileSize.KERNEL32(00000000,?), ref: 0068ECB4
#265.MFC140U(00000001), ref: 0068ECC0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0068ECDD
#266.MFC140U(00000000), ref: 0068ECF4
CloseHandle.KERNEL32(00000000), ref: 0068ED03
#296.MFC140U ref: 0068ED0F
#290.MFC140U(0070C60C), ref: 0068ED58
#290.MFC140U(00000000), ref: 0068ED66
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 0068EE25
#296.MFC140U ref: 0068EE9E
#1045.MFC140U ref: 0068F309

Strings

`S(u, xrefs: 0068EF86, 0068F069
%s\, xrefs: 0068EC77
%ws%ws_log.txt, xrefs: 0068EF17, 0068EFD4, 0068F0FE, 0068F1D4, 0068F243

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #296File$#290$#1045#265#266#4815CloseCreateFolderHandlePathReadSizeSpecial_wtollmemset
String ID: %s\$%ws%ws_log.txt$`S(u
API String ID: 986897502-1182770663
Opcode ID: 04dbd53fada5a93b2c30bafe4d983178fb1cd0661988fbe4f622c6785c3da544
Instruction ID: aeaef10806bcc7deb2c2df902581b24b0c6fcb6bce281c36a1e6ff2360533c2f
Opcode Fuzzy Hash: 04dbd53fada5a93b2c30bafe4d983178fb1cd0661988fbe4f622c6785c3da544
Instruction Fuzzy Hash: 00126CB194121DEBCB21AFA4DD89BEDBBB6FB58300F0052D5F509A22A0DB755B84CF50

Function 0068B700 Relevance: 100.1, APIs: 55, Strings: 2, Instructions: 319windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068B745
#296.MFC140U ref: 0068B763
#5850.MFC140U(?,?,00000001), ref: 0068B77D
#290.MFC140U(00715900), ref: 0068B78F
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068B7A7
#1045.MFC140U ref: 0068B7B3
GetPrivateProfileIntW.KERNEL32(?,0070BD88,00000000,?), ref: 0068B7C6
GetPrivateProfileIntW.KERNEL32(?,`S(u,00000000,?), ref: 0068B7D7
GetPrivateProfileIntW.KERNEL32(?,0070BD74,00000000,?), ref: 0068B7E9
GetPrivateProfileIntW.KERNEL32(?,0070BD80,00000000,?), ref: 0068B7FB
#1045.MFC140U ref: 0068B812
#1045.MFC140U ref: 0068B822
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068B83A
WritePrivateProfileStringW.KERNEL32(?,`S(u,0070BF38,?), ref: 0068B85D
#296.MFC140U ref: 0068B866
#5850.MFC140U(?,?,00000001), ref: 0068B87F
#290.MFC140U(00715900), ref: 0068B891
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068B8A9
#1045.MFC140U ref: 0068B8B5
GetPrivateProfileIntW.KERNEL32(?,0070C138,00000000,?), ref: 0068B8C8
GetPrivateProfileIntW.KERNEL32(?,0070C1C8,00000000,?), ref: 0068B8D9
GetPrivateProfileIntW.KERNEL32(?,0070C4A4,00000000,?), ref: 0068B8EA
GetPrivateProfileIntW.KERNEL32(?,0070C4AC,00000000,?), ref: 0068B900
#296.MFC140U ref: 0068B90C
#4815.MFC140U(?,0070C4B4,?,?), ref: 0068B928
#13656.MFC140U(?,0000000C,?), ref: 0068B93D
#5850.MFC140U(?,?,0000000E), ref: 0068B952
#13656.MFC140U(?,0000000E,00000000), ref: 0068B967
#1045.MFC140U ref: 0068B974
#4815.MFC140U(?,0070AA68,00000000), ref: 0068B984
WritePrivateProfileStringW.KERNEL32(?,0070C138,?,?), ref: 0068B9A1
#4815.MFC140U(?,0070D718,00000000), ref: 0068B9B3
WritePrivateProfileStringW.KERNEL32(?,0070C1C8,?,?), ref: 0068B9C6
#4815.MFC140U(?,0070D718,?), ref: 0068B9D4
WritePrivateProfileStringW.KERNEL32(?,0070C4A4,?,?), ref: 0068B9E7
#4815.MFC140U(?,0070D718,?), ref: 0068B9F6
WritePrivateProfileStringW.KERNEL32(?,0070C4AC,?,?), ref: 0068BA09
#5850.MFC140U(?,?,00000001), ref: 0068BA1C
#13656.MFC140U(?,00000001,00000000), ref: 0068BA34
#1045.MFC140U ref: 0068BA41
#5850.MFC140U(?,?,00000001), ref: 0068BA5B
#290.MFC140U(00715900), ref: 0068BA6D
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068BA85
#1045.MFC140U ref: 0068BA8D
GetPrivateProfileIntW.KERNEL32(?,0070C138,?,?), ref: 0068BA9F
WritePrivateProfileStringW.KERNEL32(?,0070C138,?,?), ref: 0068BAB3
#1045.MFC140U ref: 0068BAC0
#13656.MFC140U(?,0000000B,0070C714), ref: 0068BADA
#13656.MFC140U(?,0000000C,0070C714), ref: 0068BAEA
#13656.MFC140U(?,0000000D,0070C714), ref: 0068BAFA
#1045.MFC140U ref: 0068BAFF
#1045.MFC140U ref: 0068BB08
#1045.MFC140U ref: 0068BB11
#1045.MFC140U ref: 0068BB1A
#1045.MFC140U ref: 0068BB23

Strings

`S(u, xrefs: 0068B7CF, 0068B855
%ws%ws_log.txt, xrefs: 0068B7A1, 0068B8A3, 0068BA7F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: PrivateProfile$#1045$#4815$#13656StringWrite$#5850$#290#296$MessageSend
String ID: %ws%ws_log.txt$`S(u
API String ID: 2439010182-2036117652
Opcode ID: 14c112e08506120d245058b1cc102cd2bea90d497b95d5cc8ed768a2f7b7e43d
Instruction ID: 95fd8e325fa7e1061eccb202b33686675d9ad49f6a29041a1e738d7675266d2f
Opcode Fuzzy Hash: 14c112e08506120d245058b1cc102cd2bea90d497b95d5cc8ed768a2f7b7e43d
Instruction Fuzzy Hash: 71D1487194020AEFDF01DBA4DC4AEEDBBBAFB19711F106215F601B22E0D7B95A00CB60

Function 00685470 Relevance: 93.1, APIs: 52, Strings: 1, Instructions: 324windowCOMMON

Download Yara Rule

APIs

#462.MFC140U(00000066,00000000,F74E5D36,?,00000000,?,?,00684735,?,000018AC), ref: 006854A1
#1002.MFC140U(?,00000000), ref: 006854C5
#1002.MFC140U(?,00000000), ref: 006854DC
#1002.MFC140U(?,00000000), ref: 006854F3
#1002.MFC140U(?,00000000), ref: 0068550A
#1002.MFC140U(?,00000000), ref: 00685521
#1002.MFC140U(?,00000000), ref: 00685538
#1002.MFC140U(?,00000000), ref: 0068554F
#1002.MFC140U(?,00000000), ref: 00685566
#1002.MFC140U(?,00000000), ref: 0068557D
#1002.MFC140U(?,00000000), ref: 00685594
#1002.MFC140U(?,00000000), ref: 006855AB
#1002.MFC140U(?,00000000), ref: 006855D6
#968.MFC140U(?,00000000), ref: 006855E8
#1002.MFC140U(?,00000000), ref: 006855FD
#1002.MFC140U(?,00000000), ref: 00685614
#1002.MFC140U(?,00000000), ref: 0068562B
#1002.MFC140U(?,00000000), ref: 00685642
#1002.MFC140U(?,00000000), ref: 00685659
#1002.MFC140U(?,00000000), ref: 00685670
#1002.MFC140U(?,00000000), ref: 00685687
#1002.MFC140U(?,00000000), ref: 0068569E
#1002.MFC140U(?,00000000), ref: 006856B5
#1002.MFC140U(?,00000000), ref: 006856CC
#1002.MFC140U(?,00000000), ref: 006856E3
#1002.MFC140U(?,00000000), ref: 006856FA
#1002.MFC140U(?,00000000), ref: 00685711
#1002.MFC140U(?,00000000), ref: 00685728
#1002.MFC140U(?,00000000), ref: 0068573F
#1002.MFC140U(?,00000000), ref: 00685756
#1002.MFC140U(?,00000000), ref: 0068576D
#1002.MFC140U(?,00000000), ref: 00685784
#1002.MFC140U(?,00000000), ref: 0068579B
#1002.MFC140U(?,00000000), ref: 006857B2
#1002.MFC140U(?,00000000), ref: 006857C9
#1002.MFC140U(?,00000000), ref: 006857E0
#1002.MFC140U(?,00000000), ref: 006857F7
#1002.MFC140U(?,00000000), ref: 0068580E
#1002.MFC140U(?,00000000), ref: 00685825
#1002.MFC140U(?,00000000), ref: 0068583C
#1002.MFC140U(?,00000000), ref: 00685853
#1002.MFC140U(?,00000000), ref: 0068586A
#1002.MFC140U(?,00000000), ref: 00685881
#1002.MFC140U(?,00000000), ref: 00685898
#1002.MFC140U(?,00000000), ref: 006858AF
#1002.MFC140U(?,00000000), ref: 006858C6
#1002.MFC140U(?,00000000), ref: 006858DD
#1002.MFC140U(?,00000000), ref: 006858F4
#4360.MFC140U(?,00000000), ref: 00685902
#2246.MFC140U(?,00000000), ref: 00685908
#2215.MFC140U(00000080,0000000E,00000080,?,00000000), ref: 0068591A
LoadIconW.USER32(00000000), ref: 00685921

Strings

0, xrefs: 006858FE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1002$#2215#2246#4360#462#968IconLoad
String ID: 0
API String ID: 2757930828-4108050209
Opcode ID: f08e3953a5a10c562bdac66de37d0427ef6eda197482b2b4c535dbc405efc62d
Instruction ID: f5157467b3f35af0f55860d0e8f6f1482b957b10e316779ee89746c91f900af0
Opcode Fuzzy Hash: f08e3953a5a10c562bdac66de37d0427ef6eda197482b2b4c535dbc405efc62d
Instruction Fuzzy Hash: 55F1E971911269CACF11DF988A0429DFBF9AF59704F2541AEDD847B381C7F81B058BA2

Function 00684790 Relevance: 72.1, APIs: 48, Instructions: 113COMMON

Download Yara Rule

APIs

#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847A1
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847AF
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847B7
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847BF
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847C7
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847CF
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847D7
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847DF
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847E7
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847EF
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847F7
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006847FF
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684807
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068480F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684817
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068481F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684827
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068482F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684837
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068483F
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684847
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068484F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684857
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068485F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684867
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068486F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684877
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068487F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684887
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068488F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684897
#1070.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068489F
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848AB
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848B3
#1447.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848BB
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848C7

Part of subcall function 00684AE0: #3882.MFC140U(F74E5D36,8000046D,8000042A,?), ref: 00684B1E

#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848E0
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848E8
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848F0
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 006848F8
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684900
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684908
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684910
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684918
#1133.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684920
#1066.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684928
#1180.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 00684930
#1113.MFC140U(?,00000000,?,00684765,?,000018AC), ref: 0068493C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1066$#1133$#1070#1113#1180#1447#3882
String ID:
API String ID: 464004499-0
Opcode ID: e5393d3362ab75adbb3a0bcb5eba700854fc50f55e03b374272c49d8e113d44d
Instruction ID: 7d23492f4a6bf5448e91740aad58bc18721943a2f3bd0c0947469bc8a8042f38
Opcode Fuzzy Hash: e5393d3362ab75adbb3a0bcb5eba700854fc50f55e03b374272c49d8e113d44d
Instruction Fuzzy Hash: DF4110B65011198EDB18EF24FDD19E83769EFA5305F1951B9CC4B8E0AE9E302B08CE61

Function 00687770 Relevance: 70.2, APIs: 37, Strings: 3, Instructions: 221windowfilememoryCOMMON

Download Yara Rule

APIs

#10472.MFC140U(F74E5D36), ref: 006877B8
CreateMutexW.KERNEL32(00000000,00000000,GPXHMAIN.exe), ref: 006877C7
GetLastError.KERNEL32 ref: 006877CD
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 006877DC
GetSystemMenu.USER32(?,00000000), ref: 006877E5
#4885.MFC140U(00000000), ref: 006877EC
#296.MFC140U ref: 006877FE
#8464.MFC140U(00000065), ref: 00687813
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00687837
AppendMenuW.USER32(00000000,00000000,00000010,?), ref: 00687846
#1045.MFC140U ref: 00687855
SendMessageW.USER32(?,00000080,00000001,?), ref: 00687871
SendMessageW.USER32(?,00000080,00000000,?), ref: 00687883
#14137.MFC140U(JQ.1.18), ref: 0068788C
GetClientRect.USER32(?,?), ref: 006878BD
#8817.MFC140U(00000000,?,?,00000019,00000001,?,00000000,50008200,0000E801), ref: 006878DB
#13628.MFC140U(00714A5C,00000003,?,00000000,50008200,0000E801), ref: 006878EA
#5419.MFC140U(08000000,00000096,?,00000000,50008200,0000E801), ref: 00687902
#13800.MFC140U(00000000,00000000,?,00000000,50008200,0000E801), ref: 0068790F
#5419.MFC140U(08000000,0000012C,?,00000000,50008200,0000E801), ref: 0068791D
#13800.MFC140U(00000001,00000000,?,00000000,50008200,0000E801), ref: 00687924
#5419.MFC140U(08000000,0000001E,?,00000000,50008200,0000E801), ref: 0068792F
#13800.MFC140U(00000002,00000000,?,00000000,50008200,0000E801), ref: 00687936
#12793.MFC140U(0000E800,0000E8FF,00000000,00000000,00000000,00000000,00000001,?,00000000,50008200,0000E801), ref: 00687954
#14234.MFC140U(00000001,?,00000000,50008200,0000E801), ref: 00687964
#14234.MFC140U(00000000,?,00000000,50008200,0000E801), ref: 00687974
#14234.MFC140U(00000000,?,00000000,50008200,0000E801), ref: 0068797E
VirtualProtect.KERNEL32(00000563,00000040,?,?,00000000,50008200,0000E801), ref: 0068799E
memset.VCRUNTIME140(?,00000000,00000104,?,00000000,50008200,0000E801), ref: 006879B2
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00001000,?), ref: 006879E4
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00001000), ref: 006879FC
CloseHandle.KERNEL32(00000000), ref: 00687A03
#296.MFC140U ref: 00687A1B
P_GetDataValue.PLFL32(00000003), ref: 00687A2A
#4815.MFC140U(?,0070BEB8,00000000), ref: 00687A3D
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 00687A49
#1045.MFC140U ref: 00687A6D

Strings

JQ.1.18, xrefs: 00687885
GPXHMAIN.exe, xrefs: 006877BE
KartMap_Shared_gsppsl, xrefs: 006879B7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #13800#14234#5419Menu$#1045#296AppendCreateFileMessageSend$#10472#12793#13628#14137#4815#4885#8464#8817ClientCloseDataErrorHandleLastMappingMutexProtectRectSystemValueViewVirtual_wtollexitmemset
String ID: GPXHMAIN.exe$JQ.1.18$KartMap_Shared_gsppsl
API String ID: 2732324625-1201768803
Opcode ID: 1636c95005fad6f316a40e6ce0e4bd01ca6554eee313bdc01871a171fdb714ff
Instruction ID: c18d3caf7712403e4ffc1ea36080056fadb598c8312d63ebd462be2ca607408e
Opcode Fuzzy Hash: 1636c95005fad6f316a40e6ce0e4bd01ca6554eee313bdc01871a171fdb714ff
Instruction Fuzzy Hash: EE818471B80219ABEB24AF60DC4AFED7B76FB48B10F105165F705AA2D0CBB06944CF94

Function 00685990 Relevance: 69.3, APIs: 46, Instructions: 263COMMON

Download Yara Rule

APIs

#3697.MFC140U(?,000003E8,?), ref: 006859B2
#3697.MFC140U(?,000003E9,?), ref: 006859C3
#3697.MFC140U(?,000003EB,?), ref: 006859D7
#3697.MFC140U(?,000003EC,?), ref: 006859EA
#3697.MFC140U(?,000003ED,?), ref: 006859FD
#3697.MFC140U(?,000003EE,?), ref: 00685A10
#3697.MFC140U(?,000003F5,?), ref: 00685A23
#3697.MFC140U(?,000003FA,?), ref: 00685A36
#3697.MFC140U(?,000003F9,?), ref: 00685A49
#3697.MFC140U(?,000003FB,?), ref: 00685A5C
#3697.MFC140U(?,000003FC,?), ref: 00685A6F
#3697.MFC140U(?,000003FD,?), ref: 00685A83
#3697.MFC140U(?,00000403,?), ref: 00685AB4
#3697.MFC140U(?,00000406,?), ref: 00685AC3
#3697.MFC140U(?,000003EF,?), ref: 00685AD2
#3697.MFC140U(?,00000407,?), ref: 00685AE1
#3697.MFC140U(?,00000408,?), ref: 00685AF0
#3697.MFC140U(?,00000409,?), ref: 00685AFF
#3697.MFC140U(?,0000040A,?), ref: 00685B0E
#3697.MFC140U(?,0000040B,?), ref: 00685B1D
#3697.MFC140U(?,0000040E,?), ref: 00685B2C
#3697.MFC140U(?,0000040F,?), ref: 00685B3B
#3697.MFC140U(?,00000410,?), ref: 00685B4A
#3697.MFC140U(?,00000411,?), ref: 00685B59
#3697.MFC140U(?,00000412,?), ref: 00685B68
#3697.MFC140U(?,00000413,?), ref: 00685B77
#3697.MFC140U(?,00000414,?), ref: 00685B86
#3697.MFC140U(?,00000415,?), ref: 00685B95
#3697.MFC140U(?,00000416,?), ref: 00685BA4
#3697.MFC140U(?,00000417,?), ref: 00685BB3
#3697.MFC140U(?,00000418,?), ref: 00685BC2
#3697.MFC140U(?,00000419,?), ref: 00685BD1
#3697.MFC140U(?,0000041A,?), ref: 00685BE0
#3697.MFC140U(?,0000041B,?), ref: 00685BEF
#3697.MFC140U(?,0000041C,?), ref: 00685BFE
#3697.MFC140U(?,0000041D,?), ref: 00685C0D
#3697.MFC140U(?,0000041E,?), ref: 00685C1C
#3697.MFC140U(?,0000041F,?), ref: 00685C2B
#3697.MFC140U(?,00000420,?), ref: 00685C3A
#3697.MFC140U(?,00000421,?), ref: 00685C49
#3697.MFC140U(?,00000422,?), ref: 00685C58
#3697.MFC140U(?,00000423,?), ref: 00685C67
#3697.MFC140U(?,00000424,?), ref: 00685C76
#3697.MFC140U(?,00000425,?), ref: 00685C85
#3697.MFC140U(?,00000426,?), ref: 00685C94
#3697.MFC140U(?,00000427,?), ref: 00685CA3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #3697
String ID:
API String ID: 872563729-0
Opcode ID: 0081ee548e970057f780d2ddc559bd1c43617b4860ecf990d8b02120a84b9050
Instruction ID: 84b2f42ab1716cd1c32b517a36983106222a8499f26c29b68bf18a8eebb0683d
Opcode Fuzzy Hash: 0081ee548e970057f780d2ddc559bd1c43617b4860ecf990d8b02120a84b9050
Instruction Fuzzy Hash: 3481FFB2641919BFE7069BA8CC81EEEB76CEF09700F008522F705E6181D774AB554BED

Function 0068D0D0 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 255windowfileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,F74E5D36), ref: 0068D10C
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,F74E5D36), ref: 0068D11F
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000,?,?,F74E5D36), ref: 0068D134
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070C57C,?,0070C590,?,?,?,F74E5D36), ref: 0068D15E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068D17B
#296.MFC140U ref: 0068D196
#5850.MFC140U(?,00000000,00000001), ref: 0068D1B3
#290.MFC140U(00715900), ref: 0068D1C4
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068D1E2
#1045.MFC140U ref: 0068D1F5
GetPrivateProfileIntW.KERNEL32(?,0070BD6C,00000000,?), ref: 0068D20E
memset.VCRUNTIME140(?,00000000,00000032), ref: 0068D22E
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032), ref: 0068D23B
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032), ref: 0068D248
#5850.MFC140U(?,00000000,00000001), ref: 0068D260
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D27D
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D288
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D2AB
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D2B6
#1045.MFC140U ref: 0068D2CE
#5850.MFC140U(?,00000000,00000002), ref: 0068D2E4
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D305
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D310
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D330
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D33B
#1045.MFC140U ref: 0068D350
#5850.MFC140U(?,00000000,00000003), ref: 0068D366
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068D387
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D392
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D3B2
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D3BD
#1045.MFC140U ref: 0068D3CE
#1045.MFC140U ref: 0068D3FD
#1045.MFC140U ref: 0068D410
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068D428
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0068D437

Strings

%s----%s----%s, xrefs: 0068D3E3
%ws%ws_log.txt, xrefs: 0068D1DC
#, xrefs: 0068D437

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045#5110ByteCharMultiWide$memset$#5850$MessageSend$#290#296#4815FolderPathPrivateProfileSpecialfclosefopen
String ID: #$%s----%s----%s$%ws%ws_log.txt
API String ID: 3895528739-2154562260
Opcode ID: e6a0cf62cd4f0bbb546260c959707eb490d2e39830750db3810b8d8092f80575
Instruction ID: c6ed1b4980e169278167dbfb61f7727b05122029ab7ee9d1da1d11271d37983a
Opcode Fuzzy Hash: e6a0cf62cd4f0bbb546260c959707eb490d2e39830750db3810b8d8092f80575
Instruction Fuzzy Hash: 79A16C71A40309EFEB20DB90DC4AFADBBB9FB05704F109194F645A62D1DBB06A44CFA4

Function 0068CD40 Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 255windowfileCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,F74E5D36), ref: 0068CD7C
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400,F74E5D36), ref: 0068CD8F
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000,?,?,F74E5D36), ref: 0068CDA4
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070C57C,?,0070C568,?,?,?,F74E5D36), ref: 0068CDCE
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068CDEB
#296.MFC140U ref: 0068CE06
#5850.MFC140U(?,00000000,00000001), ref: 0068CE23
#290.MFC140U(00715900), ref: 0068CE34
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068CE52
#1045.MFC140U ref: 0068CE65
GetPrivateProfileIntW.KERNEL32(?,0070BD6C,00000000,?), ref: 0068CE7E
memset.VCRUNTIME140(?,00000000,00000032), ref: 0068CE9F
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032), ref: 0068CEAC
memset.VCRUNTIME140(?,00000000,00000032,?,00000000,00000032,?,00000000,00000032), ref: 0068CEB9
#5850.MFC140U(?,00000000,00000001), ref: 0068CED1
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068CEEE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068CEF9
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068CF1C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068CF27
#1045.MFC140U ref: 0068CF3F
#5850.MFC140U(?,00000000,00000002), ref: 0068CF55
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068CF76
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068CF81
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068CFA1
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068CFAC
#1045.MFC140U ref: 0068CFC1
#5850.MFC140U(?,00000000,00000003), ref: 0068CFD7
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068CFF8
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D003
#5110.MFC140U(?,?,00000000,00000000,00000000), ref: 0068D023
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068D02E
#1045.MFC140U ref: 0068D03F
#1045.MFC140U ref: 0068D06E
#1045.MFC140U ref: 0068D081
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068D099
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0068D0A8

Strings

%s----%s----%s, xrefs: 0068D054
%ws%ws_log.txt, xrefs: 0068CE4C
#, xrefs: 0068D0A8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045#5110ByteCharMultiWide$memset$#5850$MessageSend$#290#296#4815FolderPathPrivateProfileSpecialfclosefopen
String ID: #$%s----%s----%s$%ws%ws_log.txt
API String ID: 3895528739-2154562260
Opcode ID: da4494dff4d0ac424bf1f249284014d4a0d82408143849a59097174dc412c2c5
Instruction ID: f5051e652093f9d0ae89b8a06c74802807c7191802f1c9df60ba36827783663b
Opcode Fuzzy Hash: da4494dff4d0ac424bf1f249284014d4a0d82408143849a59097174dc412c2c5
Instruction Fuzzy Hash: E1A17C71A40309EFEB20DB90DC4AFADBBB9FB05705F109194F645A62D1DBB06A44CFA4

Function 00685E40 Relevance: 52.7, APIs: 23, Strings: 7, Instructions: 207filewindowCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(00685E40,?,0000001C), ref: 00685E5E
GetTempPathA.KERNEL32(00000104,00716108), ref: 00685E71
FindResourceW.KERNEL32(?,00000083,DRV), ref: 00685EA4
SizeofResource.KERNEL32(?,00000000), ref: 00685EB2
LoadResource.KERNEL32(?,00000000), ref: 00685EBD
LockResource.KERNEL32(00000000), ref: 00685EC4
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00716108,0070B98C), ref: 00685ED7
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000001,?,00000000), ref: 00685EEF
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00685EFE
_access.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00716108,00000000), ref: 00685F0E
FindResourceW.KERNEL32(?,00000084,DLL), ref: 00685F42
SizeofResource.KERNEL32(?,00000000), ref: 00685F50
LoadResource.KERNEL32(?,00000000), ref: 00685F5A
LockResource.KERNEL32(00000000), ref: 00685F61
CreateFileW.KERNEL32(\\.\CrashDumpUpload,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 00685F8D
DeviceIoControl.KERNEL32(00000000,00222401,00000000,00000000,?,00000001,?,00000000), ref: 00685FB7
memset.VCRUNTIME140(?,00000000,00000032), ref: 00685FC4
memcpy.VCRUNTIME140(?,gameapp.exe,gameapp.exe), ref: 00685FE7
DeviceIoControl.KERNEL32(00000000,00222409,?,00000032,?,00000001,?,00000000), ref: 00686007
DeviceIoControl.KERNEL32(00000000,0022240D,00000001,00000032,?,00000001,?,00000000), ref: 0068602A
DeviceIoControl.KERNEL32(00000000,00222415,00000001,00000032,?,00000001,?,00000000), ref: 0068604B
CloseHandle.KERNEL32(00000000), ref: 0068604E
MessageBoxW.USER32(00000000,0070BD54,0070BD48,00000000), ref: 0068606C

Strings

gameapp.exe, xrefs: 00685FC9, 00685FE0, 00685FE1
DRV, xrefs: 00685E99
jqjectx641.sys, xrefs: 00685E77
\\.\CrashDumpUpload, xrefs: 00685F88
DLL, xrefs: 00685F37
#, xrefs: 00685EFE
%s%s, xrefs: 00685E81

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Resource$ControlDevice$FindLoadLockSizeof$CloseCreateFileHandleMessagePathQueryTempVirtual_accessfclosefopenfwritememcpymemset
String ID: #$%s%s$DLL$DRV$\\.\CrashDumpUpload$gameapp.exe$jqjectx641.sys
API String ID: 1091623664-760730522
Opcode ID: eaf6516ae28d76ada77d3569f977f94ad53114e882f1193f6027c69432570a2b
Instruction ID: f99ce54fa3afeb06fcb33ea010a6f5b74d00b63f1f9b1744967cfedb20c3cbc5
Opcode Fuzzy Hash: eaf6516ae28d76ada77d3569f977f94ad53114e882f1193f6027c69432570a2b
Instruction Fuzzy Hash: AA51A471A80208BBEB10EBA4DD4AFFE76BEEF44B00F151115FA01E62C1D7B55A05CBA5

Function 006BE3F0 Relevance: 49.4, APIs: 18, Strings: 10, Instructions: 378COMMON

Download Yara Rule

APIs

Part of subcall function 006A7A80: QueryPerformanceCounter.KERNEL32( #,00092320,?,?,00092320), ref: 006A7A93
Part of subcall function 006A7A80: __alldvrm.LIBCMT ref: 006A7AAD

Part of subcall function 006B7B70: #15.WS2_32(?), ref: 006B7BAC

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000007,?), ref: 006BE486
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000007,?), ref: 006BE490
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000007,?), ref: 006BE494

Part of subcall function 006A1500: GetLastError.KERNEL32 ref: 006A1503
Part of subcall function 006A1500: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A150B

#21.WS2_32(000000FF,00000029,0000001B,?,00000004,?,?,?,?,?,?,00000007,?), ref: 006BE531
#21.WS2_32(000000FF,00000006,00000001,?), ref: 006BE59B
#111.WS2_32(?,00000100), ref: 006BE5AF
#7.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 006BE64A
#21.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 006BE673
#21.WS2_32(?,0000FFFF,00000008,00000000,00000004), ref: 006BE6AB
#111.WS2_32 ref: 006BE6B5
#21.WS2_32(?,00000006,00000003,?,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 006BE6EB
#111.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000007,?), ref: 006BE6F5
#21.WS2_32(?,00000006,00000011,?,00000004,?,?,?,?,?,?,?,?,?,?,?), ref: 006BE72F
#111.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,00000007,?), ref: 006BE739
#21.WS2_32(?,00000006,00000010,?,00000004), ref: 006BE76D
#111.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000007,?), ref: 006BE777
#111.WS2_32 ref: 006BE83C
#3.WS2_32(?,?,?,00000007,?), ref: 006BE8AA

Strings

Failed to set TCP_KEEPIDLE on fd %d: errno %d, xrefs: 006BE6FD
sa_addr inet_ntop() failed with errno %d: %s, xrefs: 006BE4AB
Failed to set SO_KEEPALIVE on fd %d: errno %d, xrefs: 006BE6BD
Trying %s:%d..., xrefs: 006BE53E
@, xrefs: 006BE5E5
Failed to set TCP_KEEPCNT on fd %d: errno %d, xrefs: 006BE77F
Could not set TCP_NODELAY: %s, xrefs: 006BE5BC
Failed to set TCP_KEEPINTVL on fd %d: errno %d, xrefs: 006BE741
Trying [%s]:%d..., xrefs: 006BE537, 006BE550
cf_socket_open() -> %d, fd=%d, xrefs: 006BE8BB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111$_errno$CounterErrorLastPerformanceQuery__alldvrm
String ID: Trying %s:%d...$ Trying [%s]:%d...$ @$Could not set TCP_NODELAY: %s$Failed to set SO_KEEPALIVE on fd %d: errno %d$Failed to set TCP_KEEPCNT on fd %d: errno %d$Failed to set TCP_KEEPIDLE on fd %d: errno %d$Failed to set TCP_KEEPINTVL on fd %d: errno %d$cf_socket_open() -> %d, fd=%d$sa_addr inet_ntop() failed with errno %d: %s
API String ID: 1724689287-2196228144
Opcode ID: 366e9111932459484ac61b121b6a009e3b03f03cad01045f5f75a49227af8be1
Instruction ID: a5a7f3ff4feaaba38ce9489e91158d46b1365f75cc18c1c9308b47b8fae8257c
Opcode Fuzzy Hash: 366e9111932459484ac61b121b6a009e3b03f03cad01045f5f75a49227af8be1
Instruction Fuzzy Hash: A0D114B1904341AFD7219F24CC45FEB77EAAF84704F04452CF9499B292E776E984CBA2

Function 00681B10 Relevance: 49.3, APIs: 11, Strings: 17, Instructions: 270memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(SSO_Program,?,00000100,00000000,00000000), ref: 00681C18
#1511.MFC140U(00000080), ref: 00681C87
memset.VCRUNTIME140(00000000,00000000,00000080), ref: 00681CA8
#1002.MFC140U ref: 00681CB2
#4886.MFC140U(?), ref: 00681CC9
#3296.MFC140U(0070B9C8,00000000,56000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00681CF0
#5289.MFC140U ref: 00681CFC
#5718.MFC140U(00000000), ref: 00681D20
SetWindowLongA.USER32(?,000000FC,Function_000013E0), ref: 00681D40
SetWindowLongA.USER32(?,000000FC,Function_00001460), ref: 00681D56
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 00681E32

Strings

strSSOLUICtrl_Init_strAppName, xrefs: 00681D7D
strSSO_Init_strAccessKey, xrefs: 00681C46
QQSPEED, xrefs: 00681D78
bFlushLog, xrefs: 00681BDF
dwSSOLUICtrl_Init_dwServicePL, xrefs: 00681DAD
SSO_Program, xrefs: 00681C13
dwAppIMHeaderClientType, xrefs: 00681BA6
dwAppIMHeaderPubNo, xrefs: 00681BBB
cAppNonIMHeaderSubVer, xrefs: 00681B94
cAppIMHeaderMainVer, xrefs: 00681B67
dwSSO_Init_hAppHandle, xrefs: 00681C33
dwSSOLUICtrl_Init_dwAppClientVer, xrefs: 00681DC5
cAppIMHeaderSubVer, xrefs: 00681B76
dwAppHelloLockTimeoutInterval, xrefs: 00681BCD
bLockShareMemory, xrefs: 00681BEE
cAppNonIMHeaderMainVer, xrefs: 00681B85
dwSSOLUICtrl_Init_dwServiceID, xrefs: 00681D95

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: LongWindow$#1002#1511#3296#4886#5289#5718CurrentProcessProtectVirtualmemset
String ID: QQSPEED$SSO_Program$bFlushLog$bLockShareMemory$cAppIMHeaderMainVer$cAppIMHeaderSubVer$cAppNonIMHeaderMainVer$cAppNonIMHeaderSubVer$dwAppHelloLockTimeoutInterval$dwAppIMHeaderClientType$dwAppIMHeaderPubNo$dwSSOLUICtrl_Init_dwAppClientVer$dwSSOLUICtrl_Init_dwServiceID$dwSSOLUICtrl_Init_dwServicePL$dwSSO_Init_hAppHandle$strSSOLUICtrl_Init_strAppName$strSSO_Init_strAccessKey
API String ID: 1056245671-1844950982
Opcode ID: 64b979f004d12bc1cb48f4c012bd46904faa29d832000626e2cb5f88f50a55d5
Instruction ID: be65170f26a5894da932cbee082b7094674eaf9cd7a5abbba70e73751e3fbc37
Opcode Fuzzy Hash: 64b979f004d12bc1cb48f4c012bd46904faa29d832000626e2cb5f88f50a55d5
Instruction Fuzzy Hash: 10A104B1640604EFD744EBA8DC85F9A77E9BB8D700F108268F619EB2E1CB64A941CB14

Function 00681B40 Relevance: 49.3, APIs: 11, Strings: 17, Instructions: 258memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(SSO_Program,?,00000100,00000000,00000000), ref: 00681C18
#1511.MFC140U(00000080), ref: 00681C87
memset.VCRUNTIME140(00000000,00000000,00000080), ref: 00681CA8
#1002.MFC140U ref: 00681CB2
#4886.MFC140U(?), ref: 00681CC9
#3296.MFC140U(0070B9C8,00000000,56000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00681CF0
#5289.MFC140U ref: 00681CFC
#5718.MFC140U(00000000), ref: 00681D20
SetWindowLongA.USER32(?,000000FC,Function_000013E0), ref: 00681D40
SetWindowLongA.USER32(?,000000FC,Function_00001460), ref: 00681D56
VirtualProtect.KERNEL32(?,00000004,00000040,?), ref: 00681E32

Strings

strSSOLUICtrl_Init_strAppName, xrefs: 00681D7D
strSSO_Init_strAccessKey, xrefs: 00681C46
QQSPEED, xrefs: 00681D78
bFlushLog, xrefs: 00681BDF
dwSSOLUICtrl_Init_dwServicePL, xrefs: 00681DAD
SSO_Program, xrefs: 00681C13
dwAppIMHeaderClientType, xrefs: 00681BA6
dwAppIMHeaderPubNo, xrefs: 00681BBB
cAppNonIMHeaderSubVer, xrefs: 00681B94
cAppIMHeaderMainVer, xrefs: 00681B67
dwSSO_Init_hAppHandle, xrefs: 00681C33
dwSSOLUICtrl_Init_dwAppClientVer, xrefs: 00681DC5
cAppIMHeaderSubVer, xrefs: 00681B76
dwAppHelloLockTimeoutInterval, xrefs: 00681BCD
bLockShareMemory, xrefs: 00681BEE
cAppNonIMHeaderMainVer, xrefs: 00681B85
dwSSOLUICtrl_Init_dwServiceID, xrefs: 00681D95

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: LongWindow$#1002#1511#3296#4886#5289#5718CurrentProcessProtectVirtualmemset
String ID: QQSPEED$SSO_Program$bFlushLog$bLockShareMemory$cAppIMHeaderMainVer$cAppIMHeaderSubVer$cAppNonIMHeaderMainVer$cAppNonIMHeaderSubVer$dwAppHelloLockTimeoutInterval$dwAppIMHeaderClientType$dwAppIMHeaderPubNo$dwSSOLUICtrl_Init_dwAppClientVer$dwSSOLUICtrl_Init_dwServiceID$dwSSOLUICtrl_Init_dwServicePL$dwSSO_Init_hAppHandle$strSSOLUICtrl_Init_strAppName$strSSO_Init_strAccessKey
API String ID: 1056245671-1844950982
Opcode ID: 084ed56c8d815d5adaf5e3bed1f9603d1d4758a8c1f0b4eb8a4e52623d0ad652
Instruction ID: e609588a22a48722d49d238dc8629799c6768a9c4d97cbf697022c56bc8db1e4
Opcode Fuzzy Hash: 084ed56c8d815d5adaf5e3bed1f9603d1d4758a8c1f0b4eb8a4e52623d0ad652
Instruction Fuzzy Hash: 47A126B0740604EFD744EBACDC86F9A77E9BB8D700F108268F519EB2E1CB64A941CB14

Function 006861D2 Relevance: 48.4, APIs: 32, Instructions: 372windowsleepCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00686216
#7820.MFC140U(?), ref: 00686229
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00686254
#5850.MFC140U(?,00000000,0000000D), ref: 0068627D
StrCmpW.SHLWAPI(00000000,0070BD6C), ref: 00686294
#5850.MFC140U(?,00000000,0000000C), ref: 006862AB
StrCmpW.SHLWAPI(00000000,0070BD74), ref: 006862C5
#5850.MFC140U(?,00000000,0000000C), ref: 006862D8
StrCmpW.SHLWAPI(00000000,0070BD80), ref: 006862F2
#5850.MFC140U(?,00000000,0000000C), ref: 00686305
StrCmpW.SHLWAPI(00000000,0070BD88), ref: 00686315
#1045.MFC140U ref: 0068632E
#1045.MFC140U ref: 0068633F
#1045.MFC140U ref: 00686350
#1045.MFC140U ref: 00686368
#5813.MFC140U(00000000), ref: 0068638F
PostMessageA.USER32(00000000,00002773), ref: 006863B8
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006863D0
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 006863F1
memset.VCRUNTIME140(?,00000000,000000C8,?,?), ref: 0068648E
#5850.MFC140U(?,00000000,00000001,?,?,?), ref: 006864A3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?,?), ref: 006864AF
#1045.MFC140U(?,?,?,?), ref: 006864CE
memset.VCRUNTIME140(?,00000000,000000C8,?,?,?,?), ref: 0068651E
#5850.MFC140U(?,?,00000001,?,?,?,?,?,?,?), ref: 00686533
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?,?,?,?,?,?), ref: 0068653F
#1045.MFC140U(?,?,?,?,?,?,?,?), ref: 0068655E
PostMessageA.USER32(?,0000276E,00000001,00000000), ref: 0068663C
PostMessageA.USER32(00000000,0000276E,00000001,00000000), ref: 0068664E
PostMessageA.USER32(?,0000276E,00000001,00000000), ref: 00686661
Sleep.KERNEL32(000000C8,?,?,?,?), ref: 00686668
#1045.MFC140U(?,?), ref: 00686697

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#5850Message$Post$Send_wtollmemset$#296#5813#7820Sleep_time64
String ID:
API String ID: 4251925634-0
Opcode ID: fbed7687e22f0ec1ab2cea44a7084680ca90f19c44ed343946587a4b8019a36a
Instruction ID: f195f9c1aab284b71f414b6fd2ceae41c3c507ceec1e8c7d2da909d1951c0452
Opcode Fuzzy Hash: fbed7687e22f0ec1ab2cea44a7084680ca90f19c44ed343946587a4b8019a36a
Instruction Fuzzy Hash: 00E19D71900259DFDF20EFA8DC88BEDBBBAAF08310F049269F905A72E1D7749944CB54

Function 006861E0 Relevance: 48.4, APIs: 32, Instructions: 371windowsleepCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00686216
#7820.MFC140U(?), ref: 00686229
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00686254
#5850.MFC140U(?,00000000,0000000D), ref: 0068627D
StrCmpW.SHLWAPI(00000000,0070BD6C), ref: 00686294
#5850.MFC140U(?,00000000,0000000C), ref: 006862AB
StrCmpW.SHLWAPI(00000000,0070BD74), ref: 006862C5
#5850.MFC140U(?,00000000,0000000C), ref: 006862D8
StrCmpW.SHLWAPI(00000000,0070BD80), ref: 006862F2
#5850.MFC140U(?,00000000,0000000C), ref: 00686305
StrCmpW.SHLWAPI(00000000,0070BD88), ref: 00686315
#1045.MFC140U ref: 0068632E
#1045.MFC140U ref: 0068633F
#1045.MFC140U ref: 00686350
#1045.MFC140U ref: 00686368
#5813.MFC140U(00000000), ref: 0068638F
PostMessageA.USER32(00000000,00002773), ref: 006863B8
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006863D0
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 006863F1
memset.VCRUNTIME140(?,00000000,000000C8,?,?), ref: 0068648E
#5850.MFC140U(?,00000000,00000001,?,?,?), ref: 006864A3
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?,?), ref: 006864AF
#1045.MFC140U(?,?,?,?), ref: 006864CE
memset.VCRUNTIME140(?,00000000,000000C8,?,?,?,?), ref: 0068651E
#5850.MFC140U(?,?,00000001,?,?,?,?,?,?,?), ref: 00686533
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,?,?,?,?,?,?), ref: 0068653F
#1045.MFC140U(?,?,?,?,?,?,?,?), ref: 0068655E
PostMessageA.USER32(?,0000276E,00000001,00000000), ref: 0068663C
PostMessageA.USER32(00000000,0000276E,00000001,00000000), ref: 0068664E
PostMessageA.USER32(?,0000276E,00000001,00000000), ref: 00686661
Sleep.KERNEL32(000000C8,?,?,?,?), ref: 00686668
#1045.MFC140U(?,?), ref: 00686697

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#5850Message$Post$Send_wtollmemset$#296#5813#7820Sleep_time64
String ID:
API String ID: 4251925634-0
Opcode ID: 5aae76602c4876d17064a2e568a2b5ed7eb0ed28420f26f04c9e29350ea0c4c1
Instruction ID: d1251db83bd57ea814b6982857d74f572fc610356ecfd626b516eebd2186b5ce
Opcode Fuzzy Hash: 5aae76602c4876d17064a2e568a2b5ed7eb0ed28420f26f04c9e29350ea0c4c1
Instruction Fuzzy Hash: 24E19D71D00259DFDF20EFA8DC88BEDBBBAAF04310F049259F905A72A1DB749944CB54

Function 006F0330 Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 294encryptionCOMMON

Download Yara Rule

APIs

CertOpenStore.CRYPT32(00000002,00000000,00000000,00002000,00000000), ref: 006F0441
GetLastError.KERNEL32(?,00000100), ref: 006F0457
memset.VCRUNTIME140(?,00000000,00000030), ref: 006F04CF
CertCreateCertificateChainEngine.CRYPT32(?,?), ref: 006F04ED
GetLastError.KERNEL32(?,00000100), ref: 006F0501

Part of subcall function 006A15F0: GetLastError.KERNEL32 ref: 006A15F3
Part of subcall function 006A15F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A15FB

CertGetCertificateChain.CRYPT32(00000010,00000000,?,?,?,20000000), ref: 006F0566
GetLastError.KERNEL32(?,00000100,?,?,?,?,?,?,00000000,00000000), ref: 006F057A
CertFreeCertificateChainEngine.CRYPT32(?), ref: 006F06AA
CertCloseStore.CRYPT32(?,00000000), ref: 006F06BB
CertFreeCertificateChain.CRYPT32(?), ref: 006F06CA
CertFreeCertificateContext.CRYPT32(?), ref: 006F06D9

Strings

schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 006F03F7
schannel: CertGetCertificateChain error mask: 0x%08lx, xrefs: 006F0654
schannel: failed to create certificate chain user: %s, xrefs: 006F050E
schannel: CertGetCertificateChain failed: %s, xrefs: 006F0587
schannel: reusing certificate store from cache, xrefs: 006F041F
(memory blob), xrefs: 006F0483
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED, xrefs: 006F05CA
schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN, xrefs: 006F063E
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID, xrefs: 006F0624
schannel: Failed to read remote certificate context: %s, xrefs: 006F068E
schannel: failed to create certificate store: %s, xrefs: 006F0464
0, xrefs: 006F04D7
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN, xrefs: 006F05EA
schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT, xrefs: 006F0607

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Cert$Certificate$ChainErrorLast$Free$userStore$CloseContextCreateOpen_errnomemset
String ID: (memory blob)$0$schannel: CertGetCertificateChain error mask: 0x%08lx$schannel: CertGetCertificateChain failed: %s$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_NOT_TIME_VALID$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_PARTIAL_CHAIN$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_REVOKED$schannel: CertGetCertificateChain trust error CERT_TRUST_IS_UNTRUSTED_ROOT$schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN$schannel: Failed to read remote certificate context: %s$schannel: failed to create certificate chain user: %s$schannel: failed to create certificate store: %s$schannel: reusing certificate store from cache$schannel: this version of Windows is too old to support certificate verification via CA bundle file.
API String ID: 1917402479-929259813
Opcode ID: bae2c4c03356124858abc8ca02b440636e6eb8c4d3a073677d94022cd9d721cd
Instruction ID: 7e81c9ac4b11f29d4d2127083b5223a0bb77113217446de63ade3ce7ebdc67a0
Opcode Fuzzy Hash: bae2c4c03356124858abc8ca02b440636e6eb8c4d3a073677d94022cd9d721cd
Instruction Fuzzy Hash: D9A1D3B1604304EBE711AB20CC46FBB77DAAF85704F180428FA45E7293EB75D9158B6A

Function 00681E85 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00681F5C
#296.MFC140U ref: 00681F6F
#296.MFC140U ref: 00681FA6
#4815.MFC140U(?,%ws,?), ref: 00681FC8
#290.MFC140U(dwSSO_Account_dwAccountUin), ref: 00681FD8
#2996.MFC140U(00000000), ref: 00681FEA
#1045.MFC140U ref: 00681FFF
memset.VCRUNTIME140(?,00000000,00000800), ref: 0068201B
#296.MFC140U ref: 00682029
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00682040
#4815.MFC140U(?,%ws\LogInfo,?), ref: 00682059
GetFileAttributesW.KERNEL32(?), ref: 00682064
CreateDirectoryW.KERNEL32(?,00000000), ref: 00682077

Strings

.ini, xrefs: 006820A6
dwSSO_Account_dwAccountUin, xrefs: 00681FD3
%ws, xrefs: 00681FC2
%ws\%u%ws, xrefs: 006820BA
%ws\LogInfo, xrefs: 00682053

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #296$#4815$#1045#290#2996AttributesCreateDirectoryFileFolderPathSpecialmemset
String ID: %ws$%ws\%u%ws$%ws\LogInfo$.ini$dwSSO_Account_dwAccountUin
API String ID: 3623380115-535625034
Opcode ID: aa3f5392d05d0a0a979b4add2c01454c0278110778569f2972189cc45c610d0c
Instruction ID: 207d346541482cea99fe36904e1fc20638c196824b9ef4ca85b3ccf78cc3d5ab
Opcode Fuzzy Hash: aa3f5392d05d0a0a979b4add2c01454c0278110778569f2972189cc45c610d0c
Instruction Fuzzy Hash: 5A614A7090021DDBCB24EF54DC99BE9BBF9FF05300F0492A9E549A7291DB745A86CF90

Function 00691380 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 180networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 006913AE
CreateIoCompletionPort.KERNEL32(00000000,00000000,00000000), ref: 006913CA
#21.WS2_32(/h,0000FFFF,00000080,?), ref: 006913F5
#22.WS2_32(/h,00000002), ref: 006913FE
#3.WS2_32(/h), ref: 00691405
GetLastError.KERNEL32 ref: 00691411
#2.WS2_32(00000000,?), ref: 00691448
#111.WS2_32 ref: 0069145A
#52.WS2_32(/h), ref: 00691484
memcpy.VCRUNTIME140(?,?,?), ref: 00691499
#12.WS2_32(?,?,?,00000010), ref: 006914A5
#11.WS2_32(00000000,?,?,00000010), ref: 006914AC
#9.WS2_32(00003877,?,?,00000010), ref: 006914BB
#10.WS2_32 ref: 006914DA
#4.WS2_32(00000000,?,00000010), ref: 006914E9
#18.WS2_32(00000000,00000000,?,00000000,?), ref: 0069151C
#21.WS2_32(/h,0000FFFF,00000080,?,00000004), ref: 00691548
#22.WS2_32(/h,00000002), ref: 00691551
#3.WS2_32(/h), ref: 00691558
#1511.MFC140U(00000030), ref: 0069157F
memset.VCRUNTIME140(00000000,00000000,00000030), ref: 0069158C
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000,?,00000000,8004667E,?,?,?,00000010), ref: 006915BE

Strings

/h, xrefs: 0069139C, 006913F4, 006913FD, 00691404, 00691477, 00691547, 00691550, 00691557

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Completion$#111#1511CreateErrorLastPortPostQueuedSocketStatusmemcpymemset
String ID: /h
API String ID: 1365589574-3618610708
Opcode ID: 38df64bcd0f627dccea25c34e0ac5ca30e8076d5d9a0f988e4aea93af8c37a07
Instruction ID: f0c448ff426108ef97e59c30a6457d99729d72a25a6c182004db4a703db3174a
Opcode Fuzzy Hash: 38df64bcd0f627dccea25c34e0ac5ca30e8076d5d9a0f988e4aea93af8c37a07
Instruction Fuzzy Hash: 1B612371204301AFE7209F20DD4AFAAB7EAFF49725F10161DF6559B2E1C7B09914CB92

Function 006D1DB0 Relevance: 37.1, APIs: 14, Strings: 7, Instructions: 364networkCOMMON

Download Yara Rule

APIs

WSACreateEvent.WS2_32 ref: 006D1E81
#111.WS2_32(?,00001CB4,0000FFFF), ref: 006D1E91

Strings

Time-out, xrefs: 006D2292
WSACloseEvent failed (%d), xrefs: 006D22BA
Q, xrefs: 006D20BF
, xrefs: 006D2226
n,, xrefs: 006D2060
WSAEnumNetworkEvents failed (%d), xrefs: 006D207D
WSACreateEvent failed (%d), xrefs: 006D1E98

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111CreateEvent
String ID: $Q$Time-out$WSACloseEvent failed (%d)$WSACreateEvent failed (%d)$WSAEnumNetworkEvents failed (%d)$n,
API String ID: 3860941545-3552979103
Opcode ID: bd8e6d77fdf94f55999185e88a6ca0864c7b1eee2f21d3bd77a30aa4d8839eec
Instruction ID: 42df286dc671e2281444356ee9cea6c63301e323d390dbdc72527e4d1fe28311
Opcode Fuzzy Hash: bd8e6d77fdf94f55999185e88a6ca0864c7b1eee2f21d3bd77a30aa4d8839eec
Instruction Fuzzy Hash: 5FD1E270D043029BD3219F24C954BFBB7EAFF69304F40452EF98586382DBB59A85CB92

Function 006BDF40 Relevance: 37.1, APIs: 14, Strings: 7, Instructions: 337stringCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000080), ref: 006BDFD3
memset.VCRUNTIME140(?,00000000,000000FF,00000000,000000FF,?), ref: 006BE013
#111.WS2_32 ref: 006BE0C6
strchr.VCRUNTIME140(?,00000025), ref: 006BE1DE
#9.WS2_32(?), ref: 006BE216
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,00000000,0000000A), ref: 006BE22A
#111.WS2_32 ref: 006BE28D

Part of subcall function 006D16D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(006BB650,00000002,?,?,?), ref: 006D16DE

#9.WS2_32(?), ref: 006BE268
#9.WS2_32(?,00000000,000000FF,?), ref: 006BE2DE
#9.WS2_32(?,00000000,000000FF,?), ref: 006BE2FF
#2.WS2_32(?,?,00000000,00000000,000000FF,?), ref: 006BE32A
#15.WS2_32(?), ref: 006BE35F
#2.WS2_32(?,?,?), ref: 006BE376
#111.WS2_32 ref: 006BE3B8

Strings

Name '%s' family %i resolved to '%s' family %i, xrefs: 006BE19A
bind failed with errno %d: %s, xrefs: 006BE3DB
Local port: %hu, xrefs: 006BE384
Couldn't bind to interface '%s' with errno %d: %s, xrefs: 006BE0ED
Bind to local port %d failed, trying next, xrefs: 006BE350
Local Interface %s is ip %s using address family %i, xrefs: 006BE083
Couldn't bind to '%s' with errno %d: %s, xrefs: 006BE2B4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111$memset$_errnostrchrstrtoul
String ID: Bind to local port %d failed, trying next$Couldn't bind to '%s' with errno %d: %s$Couldn't bind to interface '%s' with errno %d: %s$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s
API String ID: 677894942-2129795902
Opcode ID: 94b6c4440d1d6abb94ff14b9a2535517926fd0f78d86640d56c13c6e01c16164
Instruction ID: 45a3557e9f970635e5da419b23095420c93e5029e6ff482bca9249a69d77793f
Opcode Fuzzy Hash: 94b6c4440d1d6abb94ff14b9a2535517926fd0f78d86640d56c13c6e01c16164
Instruction Fuzzy Hash: B7C1C1B0608341ABD720DF64CD85BEBBBEAAF85304F04092DF58987252D776D984CB97

Function 0068C8D0 Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 198windowCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,0000020A), ref: 0068C92B
SHFileOperationW.SHELL32(00000000), ref: 0068C9FA

Part of subcall function 0069CD8F: ___report_securityfailure.LIBCMT ref: 0069CD94

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0068CA5A
#296.MFC140U ref: 0068CA6E
#5850.MFC140U(00000001,00000000,00000001), ref: 0068CA88
#290.MFC140U(00715900), ref: 0068CA9A
#4815.MFC140U(00000000,%ws%ws_log.txt,00000000,?), ref: 0068CAB2
#1045.MFC140U ref: 0068CABE
WritePrivateProfileStringW.KERNEL32(?,0070BD6C,0070B524,?), ref: 0068CADA
WritePrivateProfileStringW.KERNEL32(?,0070C4CC,0070B524,?), ref: 0068CAEC
WritePrivateProfileStringW.KERNEL32(?,0070BD80,0070B524,?), ref: 0068CAFE
WritePrivateProfileStringW.KERNEL32(?,0070BD74,0070B524,?), ref: 0068CB10
WritePrivateProfileStringW.KERNEL32(?,0070C4D8,0070B524,?), ref: 0068CB22
WritePrivateProfileStringW.KERNEL32(?,0070BD88,0070B524,?), ref: 0068CB34
WritePrivateProfileStringW.KERNEL32(?,0070C4E0,0070B524,?), ref: 0068CB46
WritePrivateProfileStringW.KERNEL32(?,0070C560,0070B524,?), ref: 0068CB58
WritePrivateProfileStringW.KERNEL32(?,`S(u,0070B524,?), ref: 0068CB6A
#1045.MFC140U ref: 0068CB6F
#1045.MFC140U ref: 0068CB78

Strings

`S(u, xrefs: 0068CB62
%ws%ws_log.txt, xrefs: 0068CAAC

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringWrite$#1045$#290#296#4815#5850FileMessageOperationSend___report_securityfailurememset
String ID: %ws%ws_log.txt$`S(u
API String ID: 230653811-2036117652
Opcode ID: 3fca67fe83309b337e4e307b481ec8fec49625b36bfcd197b6188affa3b99504
Instruction ID: c380c50fc25e7a812e162b35374384c1a327cee0199c6518e92f8cf94702b00f
Opcode Fuzzy Hash: 3fca67fe83309b337e4e307b481ec8fec49625b36bfcd197b6188affa3b99504
Instruction Fuzzy Hash: 4E718E71A4021DEBCF10EF94DC4AAFEBBB6FF19710F000299E505A22E0DBB51A51CB91

Function 0068CBA0 Relevance: 35.1, APIs: 18, Strings: 2, Instructions: 121windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068CBE2
#296.MFC140U ref: 0068CBF5
#5850.MFC140U(?,00000000,00000001), ref: 0068CC0F
#290.MFC140U(00715900), ref: 0068CC21
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068CC39
#1045.MFC140U ref: 0068CC45
WritePrivateProfileStringW.KERNEL32(?,0070BD6C,0070B524,?), ref: 0068CC5B
WritePrivateProfileStringW.KERNEL32(?,0070C4CC,0070B524,?), ref: 0068CC6D
WritePrivateProfileStringW.KERNEL32(?,0070BD80,0070B524,?), ref: 0068CC7F
WritePrivateProfileStringW.KERNEL32(?,0070BD74,0070B524,?), ref: 0068CC91
WritePrivateProfileStringW.KERNEL32(?,0070C4D8,0070B524,?), ref: 0068CCA3
WritePrivateProfileStringW.KERNEL32(?,0070BD88,0070B524,?), ref: 0068CCB5
WritePrivateProfileStringW.KERNEL32(?,0070C4E0,0070B524,?), ref: 0068CCC7
WritePrivateProfileStringW.KERNEL32(?,0070C560,0070B524,?), ref: 0068CCD9
WritePrivateProfileStringW.KERNEL32(?,`S(u,0070B524,?), ref: 0068CCEB
#1045.MFC140U ref: 0068CCF0
#1045.MFC140U ref: 0068CD00
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068CD18

Strings

`S(u, xrefs: 0068CCE3
%ws%ws_log.txt, xrefs: 0068CC33

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringWrite$#1045$MessageSend$#290#296#4815#5850
String ID: %ws%ws_log.txt$`S(u
API String ID: 2458227497-2036117652
Opcode ID: 27fd97545e41af939b3f66f43382eb712654fa32f32a28db27bbf836d43b59be
Instruction ID: 3a391af337edc6e6223950e90f4c8c0e442a6a44305adc296e9147b2e4074498
Opcode Fuzzy Hash: 27fd97545e41af939b3f66f43382eb712654fa32f32a28db27bbf836d43b59be
Instruction Fuzzy Hash: 5C413AB1A4020AEBCF119B95DD46EFEBFB6FB49B15F104255F201B22E0C7B51A10DBA1

Function 006D19C0 Relevance: 33.2, APIs: 8, Strings: 14, Instructions: 236stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000002F), ref: 006D1A99
strchr.VCRUNTIME140(?,0000003A), ref: 006D1ADF
strchr.VCRUNTIME140(00000001,0000003A), ref: 006D1AF1
strchr.VCRUNTIME140(00000001,0000003A), ref: 006D1B06
strchr.VCRUNTIME140(?,0000003A), ref: 006D1B71
strchr.VCRUNTIME140(00000001,0000003A), ref: 006D1B83
strchr.VCRUNTIME140(00000001,0000003A), ref: 006D1B98
strchr.VCRUNTIME140(00000001,0000003A), ref: 006D1BAE

Strings

CLIENT libcurl 8.9.0DEFINE %s %sQUIT, xrefs: 006D1B58
@Bp, xrefs: 006D1B3A
/DEFINE:, xrefs: 006D1A50
/MATCH:, xrefs: 006D19FF
lookup word is missing, xrefs: 006D1B1E, 006D1BC6
/M:, xrefs: 006D1A1A
/LOOKUP:, xrefs: 006D1A7E
/D:, xrefs: 006D1A67
@Bp, xrefs: 006D1BE2
/FIND:, xrefs: 006D1A35
Failed sending DICT request, xrefs: 006D1C27
default, xrefs: 006D1B2C, 006D1B3F, 006D1BD4, 006D1BF6
CLIENT libcurl 8.9.0MATCH %s %s %sQUIT, xrefs: 006D1C13
CLIENT libcurl 8.9.0%sQUIT, xrefs: 006D1AC6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$@Bp$@Bp$CLIENT libcurl 8.9.0%sQUIT$CLIENT libcurl 8.9.0DEFINE %s %sQUIT$CLIENT libcurl 8.9.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
API String ID: 2830005266-752643918
Opcode ID: 2ceb353693e64c552ca49fd94200e7b22e0a68d85dca9d79010fba97f426452d
Instruction ID: ffd775796540bc28b49af4c6bb70ebc37149c8d27acc47d0196443dac7d5667c
Opcode Fuzzy Hash: 2ceb353693e64c552ca49fd94200e7b22e0a68d85dca9d79010fba97f426452d
Instruction Fuzzy Hash: 4C613BA1E4434077D72226205D03F9739DB9FA3755F19062AFD882E3C3F6EA8A518292

Function 00690C20 Relevance: 33.2, APIs: 22, Instructions: 203networkCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000034), ref: 00690C37
memset.VCRUNTIME140(00000000,00000000,00000034), ref: 00690C44
#265.MFC140U(00000000,00000000,00000034), ref: 00690C4F
WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00690C87
#266.MFC140U(?), ref: 00690C9E
#266.MFC140U(00000000), ref: 00690CA8
#111.WS2_32 ref: 00690CAD
#21.WS2_32(00000000,0000FFFF,00001002,00714A58,00000004), ref: 00690CDC
#21.WS2_32(?,0000FFFF,00001001,00000001,00000004), ref: 00690CF8
#21.WS2_32(?,0000FFFF,00000004,FFFFFFFF,00000004), ref: 00690D11
CreateIoCompletionPort.KERNEL32(?,00000000,00000000), ref: 00690D20
PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00690D44
#266.MFC140U(?), ref: 00690D53
#266.MFC140U(00000000), ref: 00690D5D
GetLastError.KERNEL32 ref: 00690D62

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266$Completion$#111#1511#265CreateErrorLastPortPostQueuedSocketStatusmemset
String ID:
API String ID: 3193823385-0
Opcode ID: e1b28edbc8fa61e796941067ba87d3501557b04bf66bafde3a6e317f5a3a52bb
Instruction ID: 2d6742695a9cde0f49fbb68c41803703428188983379b8696dc4da936dbcc987
Opcode Fuzzy Hash: e1b28edbc8fa61e796941067ba87d3501557b04bf66bafde3a6e317f5a3a52bb
Instruction Fuzzy Hash: BF71A770A40209BFDB10DF65EC45FA9BB7AFF09720F104229FA05AAAD0D7716954CF94

Function 006CB420 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

#23.WS2_32 ref: 006CB44A
#8.WS2_32(7F000001), ref: 006CB46F
#21.WS2_32(00000000,0000FFFF,000000FB,00000006,00000004), ref: 006CB4A4
#2.WS2_32(00000000,?,00000010), ref: 006CB4BB
#6.WS2_32(00000000,?,00000002), ref: 006CB4D5
#13.WS2_32(00000000,00000001), ref: 006CB4F2
#23.WS2_32(00000002,00000001,00000000), ref: 006CB507
#4.WS2_32(00000000,?,00000010), ref: 006CB51C

Part of subcall function 006EC670: #10.WS2_32(00000018,8004667E,?,006CB533,00000000,00000001), ref: 006EC68B

Part of subcall function 006C9E20: #112.WS2_32(00002726,?), ref: 006C9E8B

#1.WS2_32(00000000,00000000,00000000,?,00000001,000003E8,00000000,?,?), ref: 006CB565

Part of subcall function 006A7A80: QueryPerformanceCounter.KERNEL32( #,00092320,?,?,00092320), ref: 006A7A93
Part of subcall function 006A7A80: __alldvrm.LIBCMT ref: 006A7AAD

Part of subcall function 006CD730: BCryptGenRandom.BCRYPT(00000000,?), ref: 006CD78A

#19.WS2_32(?,?,00000009,00000000), ref: 006CB5B3
#16.WS2_32(FFFFFFFF,?,00000009,00000000,?,00000001,000003E8,00000000), ref: 006CB5EC
#111.WS2_32(?,?,?,?,?,00000001,000003E8,00000000), ref: 006CB5F7
#3.WS2_32(00000000), ref: 006CB64D
#3.WS2_32(?), ref: 006CB651
#3.WS2_32(FFFFFFFF), ref: 006CB656
#3.WS2_32(00000000), ref: 006CB6C4

Strings

3', xrefs: 006CB638

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111#112CounterCryptPerformanceQueryRandom__alldvrm
String ID: 3'
API String ID: 355243310-280543908
Opcode ID: 5b8b79320eae9606b4d2407e86bc4545460678cb5786ade49d3e626d852aaabf
Instruction ID: 0e8a91432ce0b52b4916a06da15d65825f9b41d0ed4786ae23569d7779d7dfb8
Opcode Fuzzy Hash: 5b8b79320eae9606b4d2407e86bc4545460678cb5786ade49d3e626d852aaabf
Instruction Fuzzy Hash: 2C711230504701ABE320EF25CD86FBAB7ABEF45324F142B1CF664962E1E7719944CB96

Function 0068C580 Relevance: 29.8, APIs: 14, Strings: 3, Instructions: 97fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00685CE0: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00685CFE
Part of subcall function 00685CE0: OpenServiceA.ADVAPI32(00000000,injectx64,000F01FF), ref: 00685D1A
Part of subcall function 00685CE0: GetLastError.KERNEL32 ref: 00685D26
Part of subcall function 00685CE0: MessageBoxA.USER32(00000000,0070BCD4,00000000,00000000), ref: 00685D40
Part of subcall function 00685CE0: CloseServiceHandle.ADVAPI32(00000000), ref: 00685D47

GetTempPathA.KERNEL32(00000104,00716108), ref: 0068C5B3
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00716108), ref: 0068C5BE
VirtualQuery.KERNEL32(Function_00005E40,?,0000001C), ref: 0068C5D5
FindResourceW.KERNEL32(?,00000087,OLDDLL), ref: 0068C5EC
SizeofResource.KERNEL32(?,00000000), ref: 0068C5FE
LoadResource.KERNEL32(?,00000000), ref: 0068C60C
LockResource.KERNEL32(00000000), ref: 0068C613
memset.VCRUNTIME140(?,00000000,00000100), ref: 0068C629
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0068C63C

Part of subcall function 00686F40: RegOpenKeyExA.ADVAPI32(?,0070BE2C,00000000,00020019,?), ref: 00686F79
Part of subcall function 00686F40: memset.VCRUNTIME140(?), ref: 00686F9E
Part of subcall function 00686F40: RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 00686FD1
Part of subcall function 00686F40: #265.MFC140U(00000400), ref: 00686FE4
Part of subcall function 00686F40: memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00686FF5
Part of subcall function 00686F40: memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00687008
Part of subcall function 00686F40: memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 00687015
Part of subcall function 00686F40: #266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0068701B
Part of subcall function 00686F40: RegCloseKey.ADVAPI32(?), ref: 0068702F

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070B98C,?,%s%s,?,\Releasephysx27\netbios.dll,?,?,?,00000000,00000100,?,00000000,00000100), ref: 0068C687
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,?,00000000), ref: 0068C6A0
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0068C6AD
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0068C6B0
#3833.MFC140U ref: 0068C6B7

Strings

\Releasephysx27\netbios.dll, xrefs: 0068C65E
%s%s, xrefs: 0068C670
OLDDLL, xrefs: 0068C5E1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Resourcememset$Open$CloseQueryServicefclosememcpy$#265#266#3833ErrorFindHandleLastLoadLockManagerMessagePathSizeofTempValueVirtualfopenfwriteremove
String ID: %s%s$OLDDLL$\Releasephysx27\netbios.dll
API String ID: 3737089623-1634936166
Opcode ID: 192d0a2c81ff10933a074c16353247c0419f3eaf6d089a5f19e07dbf0b907b31
Instruction ID: 1529b65f1de5e7b12ba53fb20579e1a2d0cc1fd441bb1b53b6a22f8dda4f48a1
Opcode Fuzzy Hash: 192d0a2c81ff10933a074c16353247c0419f3eaf6d089a5f19e07dbf0b907b31
Instruction Fuzzy Hash: C131B8B5940218BBDB20BBA0DD4EFEE777EAB48710F001199F605A7181DBB49A44CFA4

Function 006CE530 Relevance: 28.9, APIs: 4, Strings: 15, Instructions: 406COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 006CEA3A
memmove.VCRUNTIME140(?,?,?,?,?,?), ref: 006CEA4C

Strings

schannel: failed to decrypt data, need more data, xrefs: 006CE921
schannel: renegotiating SSL/TLS connection, xrefs: 006CE899
schannel: cannot renegotiate, an error is pending, xrefs: 006CE96D
schannel: recv returned CURLE_RECV_ERROR, xrefs: 006CE6A5
schannel: renegotiation failed, xrefs: 006CE974
schannel: remote party requests renegotiation, xrefs: 006CE878
schannel: SSL/TLS connection renegotiated, xrefs: 006CE8E4
schannel: an unrecoverable error occurred in a prior call, xrefs: 006CE5D0
schannel: recv returned error %d, xrefs: 006CE6B6
schannel: unable to re-allocate memory, xrefs: 006CE640, 006CE957
schannel: server closed abruptly (missing close_notify), xrefs: 006CE9F3
schannel: failed to read data from server: %s, xrefs: 006CE939
schannel: enough decrypted data is already available, xrefs: 006CE5A2
schannel: server indicated shutdown in a prior call, xrefs: 006CE5DF
schannel: server close notification received (close_notify), xrefs: 006CE989

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpymemmove
String ID: schannel: SSL/TLS connection renegotiated$schannel: an unrecoverable error occurred in a prior call$schannel: cannot renegotiate, an error is pending$schannel: enough decrypted data is already available$schannel: failed to decrypt data, need more data$schannel: failed to read data from server: %s$schannel: recv returned CURLE_RECV_ERROR$schannel: recv returned error %d$schannel: remote party requests renegotiation$schannel: renegotiating SSL/TLS connection$schannel: renegotiation failed$schannel: server close notification received (close_notify)$schannel: server closed abruptly (missing close_notify)$schannel: server indicated shutdown in a prior call$schannel: unable to re-allocate memory
API String ID: 167125708-1798541782
Opcode ID: fc18c0c2b419f4f9020eb6fa601a654af1f83061df1cb6f80e96dcf0bbb6e014
Instruction ID: bca3e18a491f54a462d130fc24b89b5df18fe7a044d17ae8e373c73d8a525374
Opcode Fuzzy Hash: fc18c0c2b419f4f9020eb6fa601a654af1f83061df1cb6f80e96dcf0bbb6e014
Instruction Fuzzy Hash: CBF178B06043419FDB60CF25C840BABBBFAEF94704F54492DE98697381E776E944CB92

Function 006C7110 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

AWS_SIGV4, xrefs: 006C7137
%sAuthorization: Basic %s, xrefs: 006C7380
Basic, xrefs: 006C72E6
Negotiate, xrefs: 006C71D2
%s auth using %s with user '%s', xrefs: 006C741C
Digest, xrefs: 006C7221
Proxy-, xrefs: 006C7377, 006C737F
Server, xrefs: 006C740D
Proxy, xrefs: 006C7412, 006C741B
%s:%s, xrefs: 006C72F7
Authorization, xrefs: 006C7173, 006C72A6
Bearer, xrefs: 006C718F
NTLM, xrefs: 006C71F9
Authorization: Bearer %s, xrefs: 006C71A0
Proxy-authorization, xrefs: 006C7266

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset
String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$AWS_SIGV4$Authorization$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
API String ID: 2221118986-3819500859
Opcode ID: 020e13b75edca8fe01bd855e0179d48ae99119860d3d21eff7b236954df471e3
Instruction ID: 097123f777025683ef9cc503fa3624063bd69bbd26f6d81bb72452b16789fa52
Opcode Fuzzy Hash: 020e13b75edca8fe01bd855e0179d48ae99119860d3d21eff7b236954df471e3
Instruction Fuzzy Hash: 5C813532B082109BD7109B289C40FBAB7E6EB94351F48867DFD4897341E72ADD099BD2

Function 006F0B40 Relevance: 28.2, APIs: 10, Strings: 6, Instructions: 172fileCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,00000000), ref: 006F0B7A
CloseHandle.KERNEL32(?), ref: 006F0D01
GetLastError.KERNEL32(?,00000100), ref: 006F0D47

Part of subcall function 006A15F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1648
Part of subcall function 006A15F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1652
Part of subcall function 006A15F0: GetLastError.KERNEL32 ref: 006A1656
Part of subcall function 006A15F0: SetLastError.KERNEL32(00000000), ref: 006A1661

GetLastError.KERNEL32(?,00000100), ref: 006F0B95

Part of subcall function 006A15F0: GetLastError.KERNEL32 ref: 006A15F3
Part of subcall function 006A15F0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A15FB

Part of subcall function 006F0940: CryptQueryObject.CRYPT32(00000002,?,00000002,0000000E,00000000,00000000,?,00000000,00000000,00000000,?), ref: 006F0A21
Part of subcall function 006F0940: CertAddCertificateContextToStore.CRYPT32(?,?,00000004,00000000), ref: 006F0A42
Part of subcall function 006F0940: CertFreeCertificateContext.CRYPT32(00000000), ref: 006F0A4E
Part of subcall function 006F0940: GetLastError.KERNEL32(?,00000100), ref: 006F0A68

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 006F0BD3
GetLastError.KERNEL32(?,00000100), ref: 006F0BEC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006F0D15

Strings

schannel: CA file exceeds max size of %u bytes, xrefs: 006F0C73
schannel: failed to open CA file '%s': %s, xrefs: 006F0BFA
schannel: failed to determine size of CA file '%s': %s, xrefs: 006F0C42
schannel: failed to read from CA file '%s': %s, xrefs: 006F0D58
schannel: invalid path name for CA file '%s': %s, xrefs: 006F0BA3
d#, xrefs: 006F0D15

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_errno$CertCertificateContext$CloseCreateCryptFileFreeHandleObjectQueryStore_strdupfree
String ID: d#$schannel: CA file exceeds max size of %u bytes$schannel: failed to determine size of CA file '%s': %s$schannel: failed to open CA file '%s': %s$schannel: failed to read from CA file '%s': %s$schannel: invalid path name for CA file '%s': %s
API String ID: 3047215720-2530310106
Opcode ID: db4cac8927cf193472ba50da8c473adf26209c4f0e9530e45a7d2706c1a331bc
Instruction ID: 1cb8e8bb3fe317e5f49878d66a98cb64d1127bddfcae86f04500292e7813fdad
Opcode Fuzzy Hash: db4cac8927cf193472ba50da8c473adf26209c4f0e9530e45a7d2706c1a331bc
Instruction Fuzzy Hash: 3B51C6B1904304ABE710AB64DC45FBB76EEBF89704F440529FA45D6193DB74E900CB6A

Function 006E99E0 Relevance: 27.4, APIs: 1, Strings: 17, Instructions: 430COMMON

Download Yara Rule

Strings

cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 006E9EEE
Hostname '%s' was found, xrefs: 006E9BFA
cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 006E9F23
Too long SOCKS proxy username, xrefs: 006E9B97
SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 006E9A69
cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 006E9EB9
SOCKS4 connect request, xrefs: 006E9D5A
SOCKS4 communication to %s:%d, xrefs: 006E9A83
Failed to resolve "%s" for SOCKS4 connect., xrefs: 006E9C94
SOCKS4 connection to %s not supported, xrefs: 006E9B48
SOCKS4 reply has wrong version, version should be 0., xrefs: 006E9DCD
SOCKS4%s request granted., xrefs: 006E9E3B
SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 006E9C71
SOCKS4: too long hostname, xrefs: 006E9DF3
cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 006E9E81
SOCKS4 non-blocking resolve of %s, xrefs: 006E9AF1
connect request ack, xrefs: 006E9D95

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: Failed to resolve "%s" for SOCKS4 connect.$Hostname '%s' was found$SOCKS4 communication to %s:%d$SOCKS4 connect request$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: too long hostname$Too long SOCKS proxy username$cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$cannot complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$connect request ack
API String ID: 0-3582918729
Opcode ID: dd9b8524c95eb450fc07394e1db84cc5568495e789e5742e05cad0a44fd2d33c
Instruction ID: c73ee7f5d37b0b42f8ab6374f35009c5917dc8571106d500b8700cc91fe65e50
Opcode Fuzzy Hash: dd9b8524c95eb450fc07394e1db84cc5568495e789e5742e05cad0a44fd2d33c
Instruction Fuzzy Hash: 0BE169B1608781AEC725DF29CC51BB7FBEAAF49300F48456DF4DA86283D729A504CB71

Function 006BB830 Relevance: 26.6, APIs: 6, Strings: 9, Instructions: 347stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A), ref: 006BB88E
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,00000000,0000000A), ref: 006BB8A9
strchr.VCRUNTIME140(?,0000003A), ref: 006BB99B
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 006BB9BE
strchr.VCRUNTIME140(?,0000002C), ref: 006BB9F8
memcpy.VCRUNTIME140(?,?,00000000), ref: 006BBA4E

Strings

RESOLVE *:%d using wildcard, xrefs: 006BBBDA
Couldn't parse CURLOPT_RESOLVE entry '%s', xrefs: 006BBC40
RESOLVE %.*s:%d - old addresses discarded, xrefs: 006BBB37
+, xrefs: 006BBBA3
Added %.*s:%d:%s to DNS cache%s, xrefs: 006BBBC1
Bad syntax CURLOPT_RESOLVE removal entry '%s', xrefs: 006BB8C8, 006BB8E3
:%u, xrefs: 006BB924, 006BBAE4
Resolve address '%s' found illegal, xrefs: 006BBC2C
(non-permanent), xrefs: 006BBBA8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$strtoul$memcpy
String ID: (non-permanent)$+$:%u$Added %.*s:%d:%s to DNS cache%s$Bad syntax CURLOPT_RESOLVE removal entry '%s'$Couldn't parse CURLOPT_RESOLVE entry '%s'$RESOLVE %.*s:%d - old addresses discarded$RESOLVE *:%d using wildcard$Resolve address '%s' found illegal
API String ID: 1902193620-3374123344
Opcode ID: a5222ea62b9d6d81a24265a142103d3f1bc04eb3616477c3cc6853939c716e69
Instruction ID: bcf6366571e40c228a06f2807281c36688f7a29daa174adcab3ae67ea07d7e19
Opcode Fuzzy Hash: a5222ea62b9d6d81a24265a142103d3f1bc04eb3616477c3cc6853939c716e69
Instruction Fuzzy Hash: 60C1F0F2904245AFD7319E24CC45FEB7BEAEF85704F04152CF889A7242DBB5A944C7A2

Function 006D0500 Relevance: 26.6, APIs: 4, Strings: 11, Instructions: 314libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006EC1E0: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,?), ref: 006EC20E
Part of subcall function 006EC1E0: GetProcAddress.KERNEL32(00000000), ref: 006EC215

GetModuleHandleA.KERNEL32(ntdll,wine_get_version,?,?,?,?,?,?,?,00000000), ref: 006D0581
GetProcAddress.KERNEL32(00000000), ref: 006D0588
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006D064B

Part of subcall function 006EC1E0: memset.VCRUNTIME140(?,00000000,0000010C,00000000), ref: 006EC27C
Part of subcall function 006EC1E0: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 006EC2E1
Part of subcall function 006EC1E0: VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 006EC2EB
Part of subcall function 006EC1E0: VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 006EC308
Part of subcall function 006EC1E0: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 006EC314

memcpy.VCRUNTIME140(?,?,?), ref: 006D06CD

Part of subcall function 006AD630: memcpy.VCRUNTIME140(00000002,?,?), ref: 006AD697

Strings

schannel: this version of Windows is too old to support certificate verification via CA bundle file., xrefs: 006D091C
schannel: initial InitializeSecurityContext failed: %s, xrefs: 006D0860, 006D0890
schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc., xrefs: 006D0563
ntdll, xrefs: 006D057C
Error setting ALPN, xrefs: 006D06A6
schannel: SNI or certificate check failed: %s, xrefs: 006D0878
ALPN: curl offers %s, xrefs: 006D0734
schannel: failed to send initial handshake data: sent %zd of %lu bytes, xrefs: 006D0907
schannel: unable to allocate memory, xrefs: 006D07D7
wine_get_version, xrefs: 006D0577
schannel: using IP address, SNI is not supported by OS., xrefs: 006D066B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ConditionMask$AddressHandleModuleProcmemcpy$_strdupmemset
String ID: ALPN: curl offers %s$Error setting ALPN$ntdll$schannel: SNI or certificate check failed: %s$schannel: Windows version is old and may not be able to connect to some servers due to lack of SNI, algorithms, etc.$schannel: failed to send initial handshake data: sent %zd of %lu bytes$schannel: initial InitializeSecurityContext failed: %s$schannel: this version of Windows is too old to support certificate verification via CA bundle file.$schannel: unable to allocate memory$schannel: using IP address, SNI is not supported by OS.$wine_get_version
API String ID: 180741276-3097429119
Opcode ID: 9c56d0645811ba993f4c8ed56a22f5638f978bbabf56dd2bdacf572aced21e4e
Instruction ID: 63d7d57df8fb8c3637bcf8bdbd599f30a2f238bbaaba6d8125535b7e8bc4ab6b
Opcode Fuzzy Hash: 9c56d0645811ba993f4c8ed56a22f5638f978bbabf56dd2bdacf572aced21e4e
Instruction Fuzzy Hash: 21C18FB1904301AFE720DF24CC85B9BBBE9AF44304F44582EF5459B382D779E954CBA6

Function 006E1540 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 269stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?,?,?,?,?), ref: 006E1577

Strings

Unable to read the interleaved parameter from Transport header: [%s], xrefs: 006E17A1, 006E17E3
Unable to read the CSeq header: [%s], xrefs: 006E15A4
z-, xrefs: 006E1577, 006E1740, 006E1783
Transport:, xrefs: 006E16BB
CSeq:, xrefs: 006E154D
Got RTSP Session ID Line [%s], but wanted ID [%s], xrefs: 006E1679
Got a blank Session ID, xrefs: 006E1600
Session:, xrefs: 006E15C4
<-, xrefs: 006E1661
interleaved=, xrefs: 006E170A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strtol
String ID: <-$CSeq:$Got RTSP Session ID Line [%s], but wanted ID [%s]$Got a blank Session ID$Session:$Transport:$Unable to read the CSeq header: [%s]$Unable to read the interleaved parameter from Transport header: [%s]$interleaved=$z-
API String ID: 76114499-1528300328
Opcode ID: 4a5678ded12cb42809e71e229c94b39fe10c06949b8c0e0970cd8d3b360e5cb8
Instruction ID: 5760d7532c2963899dfbf3dfa2ff2fc298941cf7d0cd84fd809bc986af6473c2
Opcode Fuzzy Hash: 4a5678ded12cb42809e71e229c94b39fe10c06949b8c0e0970cd8d3b360e5cb8
Instruction Fuzzy Hash: 3F71AF72B0134157DF205A19AC017FAB397AB87711F480139FC849B383E736994BE7A1

Function 006A8670 Relevance: 25.8, APIs: 17, Instructions: 280synchronizationCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000018,00000000), ref: 006A86FE
InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00000001,?,?,?,00000090), ref: 006A8747

Part of subcall function 006CB420: #23.WS2_32 ref: 006CB44A
Part of subcall function 006CB420: #8.WS2_32(7F000001), ref: 006CB46F
Part of subcall function 006CB420: #21.WS2_32(00000000,0000FFFF,000000FB,00000006,00000004), ref: 006CB4A4
Part of subcall function 006CB420: #2.WS2_32(00000000,?,00000010), ref: 006CB4BB
Part of subcall function 006CB420: #6.WS2_32(00000000,?,00000002), ref: 006CB4D5
Part of subcall function 006CB420: #13.WS2_32(00000000,00000001), ref: 006CB4F2
Part of subcall function 006CB420: #23.WS2_32(00000002,00000001,00000000), ref: 006CB507
Part of subcall function 006CB420: #4.WS2_32(00000000,?,00000010), ref: 006CB51C
Part of subcall function 006CB420: #1.WS2_32(00000000,00000000,00000000,?,00000001,000003E8,00000000,?,?), ref: 006CB565

#3.WS2_32(?,?,?,?,00000090), ref: 006A8786
DeleteCriticalSection.KERNEL32(?,?,?,?,00000090), ref: 006A8797
#3.WS2_32(?,?,?,?,?,00000090), ref: 006A87CE
memset.VCRUNTIME140(00000018,00000000,00000090,?,?,?,?,00000090), ref: 006A87D8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000018,00000000,00000090,?,?,?,?,00000090), ref: 006A87F1
MultiByteToWideChar.KERNEL32(0000FDE9,00000008,?,000000FF,00000000,00000000), ref: 006A88AE
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000), ref: 006A88D3
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 006A891B
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A8949
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A895C
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A8971
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A89F4
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A8A17
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A8A1F
#3.WS2_32(?), ref: 006A8A63

Part of subcall function 006A8520: DeleteCriticalSection.KERNEL32(?,?,006A84D6,?,?,00000002,00000000,006B0137,00000002), ref: 006A852D
Part of subcall function 006A8520: #3.WS2_32(?), ref: 006A8564
Part of subcall function 006A8520: memset.VCRUNTIME140(?,00000000,00000090), ref: 006A8572

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CriticalSection$memset$ByteCharCloseDeleteHandleMultiWide_errno$CreateEnterEventInitializeLeaveObjectSingleWait
String ID:
API String ID: 3316284820-0
Opcode ID: bd8224b02497e06e37c28d2107bcf7375277abc6b226be058d5f8952c8530696
Instruction ID: 6e0654069978bb7f8eb4a51200ba965eef2be7399236e7abedb670b8a8febc72
Opcode Fuzzy Hash: bd8224b02497e06e37c28d2107bcf7375277abc6b226be058d5f8952c8530696
Instruction Fuzzy Hash: 96B1E670500701AFE720AF28CC49BA67BE9FF09305F144529FA45876E2EB75E814CFA6

Function 006D0950 Relevance: 24.9, APIs: 4, Strings: 10, Instructions: 425encryptionCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,00000000), ref: 006D0B75
memmove.VCRUNTIME140(?,00000000,?), ref: 006D0C6C
memset.VCRUNTIME140(?,00000000,000000F0), ref: 006D0D82
CertFreeCertificateContext.CRYPT32(?), ref: 006D0E23

Strings

schannel: failed to receive handshake, SSL/TLS connection failed, xrefs: 006D0C8C
SSL: public key does not match pinned public key, xrefs: 006D0DD0, 006D0E31
SSL: failed retrieving public key from server certificate, xrefs: 006D0DE4
schannel: SNI or certificate check failed: %s, xrefs: 006D0EE6
schannel: %s, xrefs: 006D0ECE
schannel: unable to allocate memory, xrefs: 006D0F46
schannel: unable to re-allocate memory, xrefs: 006D0A3B
schannel: next InitializeSecurityContext failed: %s, xrefs: 006D0EBB, 006D0EFE
schannel: Failed to read remote certificate context: %s, xrefs: 006D0E0C
schannel: failed to send next handshake data: sent %zd of %lu bytes, xrefs: 006D0CC0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCertificateContextFreememcpymemmovememset
String ID: SSL: failed retrieving public key from server certificate$SSL: public key does not match pinned public key$schannel: %s$schannel: Failed to read remote certificate context: %s$schannel: SNI or certificate check failed: %s$schannel: failed to receive handshake, SSL/TLS connection failed$schannel: failed to send next handshake data: sent %zd of %lu bytes$schannel: next InitializeSecurityContext failed: %s$schannel: unable to allocate memory$schannel: unable to re-allocate memory
API String ID: 1319252513-413892695
Opcode ID: 94576cd0b810fcbc29e0b44d5dd1a1fa63e4d96b10ac655cfd112700cbaacac9
Instruction ID: b6404af63dffa243c07e3dedf13aace2d6a8c2fb404b8f27eecb47f989858de4
Opcode Fuzzy Hash: 94576cd0b810fcbc29e0b44d5dd1a1fa63e4d96b10ac655cfd112700cbaacac9
Instruction Fuzzy Hash: EAF1B1B1A04300DFEB60DF18C885BAB7BEAAF44304F14456EF9499B382D775E944CB96

Function 006B25B0 Relevance: 24.9, APIs: 1, Strings: 13, Instructions: 366COMMON

Download Yara Rule

Strings

http, xrefs: 006B26DE
socks4a, xrefs: 006B2698
z-, xrefs: 006B2884
socks, xrefs: 006B26C9
localhost, xrefs: 006B28E7
localhost%s, xrefs: 006B2998
https, xrefs: 006B2633
socks4, xrefs: 006B26B4
socks5h, xrefs: 006B265A
Unsupported proxy syntax in '%s': %s, xrefs: 006B2A2F
socks5, xrefs: 006B2679
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support., xrefs: 006B2734
Unsupported proxy scheme for '%s', xrefs: 006B26F0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.$Unsupported proxy scheme for '%s'$Unsupported proxy syntax in '%s': %s$http$https$localhost$localhost%s$socks$socks4$socks4a$socks5$socks5h$z-
API String ID: 0-3490093991
Opcode ID: 370923c7bd2f39f6a7e172c0ef2378979eb429f802a51930a3ba8bd515673217
Instruction ID: 706f9be694bab78e049a9e85eefbe5a25ff9560083d9fab1d2ba73b496a82373
Opcode Fuzzy Hash: 370923c7bd2f39f6a7e172c0ef2378979eb429f802a51930a3ba8bd515673217
Instruction Fuzzy Hash: BBC114F19043429BDB20AF15CC55BEA7BE7AF58744F04043CFA84963A2E732D985CB56

Function 006D5A10 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 293stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,00000000,?,?,006D52A8,?,?,00000000), ref: 006D5AFA
strchr.VCRUNTIME140(00000000,0000003F,00000000,?,?,00000000,?,?,006D52A8,?,?,00000000,?,?,?,Microsoft Corporation.), ref: 006D5B21
strchr.VCRUNTIME140(?,0000002C,?,00000000,?,?,00000000,?,?,006D52A8,?,?,00000000), ref: 006D5B50
strchr.VCRUNTIME140(00000001,0000002C,?,?,?,00000000,?,?,00000000,?,?,006D52A8,?,?,00000000), ref: 006D5B65
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 006D5C1A
strchr.VCRUNTIME140(00000000,0000003F,?,00000000,?,?,00000000,?,?,006D52A8,?,?,00000000), ref: 006D5C5F
strchr.VCRUNTIME140(00000000,0000003F,?,?,?,00000000,?,?,00000000,?,?,006D52A8,?,?,00000000), ref: 006D5D14
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 006D5D4C

Strings

sub, xrefs: 006D5CCD
onetree, xrefs: 006D5C8D
base, xrefs: 006D5C9F
LDAP, xrefs: 006D5A46
one, xrefs: 006D5C7B
subtree, xrefs: 006D5CDF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$_strdup
String ID: LDAP$base$one$onetree$sub$subtree
API String ID: 2235204152-884163498
Opcode ID: 84755d60126a1d6455d2011e627624bcbb15d3aa3d61bb07ed8ae48d8692622f
Instruction ID: edb5aff600d1ca5047e4b6bf3ef51d8302042fcc2ea4219dc70b885576e4e3cf
Opcode Fuzzy Hash: 84755d60126a1d6455d2011e627624bcbb15d3aa3d61bb07ed8ae48d8692622f
Instruction Fuzzy Hash: 39A145B0D00B019FEB209F64DC45BA67AEAAF04305F08453EFE4796392E775D904CB65

Function 00690EA0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 164networksleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00690C20: #1511.MFC140U(00000034), ref: 00690C37
Part of subcall function 00690C20: memset.VCRUNTIME140(00000000,00000000,00000034), ref: 00690C44
Part of subcall function 00690C20: #265.MFC140U(00000000,00000000,00000034), ref: 00690C4F
Part of subcall function 00690C20: WSASocketW.WS2_32(00000002,00000001,00000006,00000000,00000000,00000001), ref: 00690C87
Part of subcall function 00690C20: #266.MFC140U(?), ref: 00690C9E
Part of subcall function 00690C20: #266.MFC140U(00000000), ref: 00690CA8
Part of subcall function 00690C20: #111.WS2_32 ref: 00690CAD

Sleep.KERNEL32(00000001), ref: 00690EC9

Part of subcall function 00690C20: #21.WS2_32(00000000,0000FFFF,00001002,00714A58,00000004), ref: 00690CDC
Part of subcall function 00690C20: #21.WS2_32(?,0000FFFF,00001001,00000001,00000004), ref: 00690CF8
Part of subcall function 00690C20: #21.WS2_32(?,0000FFFF,00000004,FFFFFFFF,00000004), ref: 00690D11
Part of subcall function 00690C20: CreateIoCompletionPort.KERNEL32(?,00000000,00000000), ref: 00690D20
Part of subcall function 00690C20: PostQueuedCompletionStatus.KERNEL32(00000000,00000000,00000000), ref: 00690D44
Part of subcall function 00690C20: #266.MFC140U(?), ref: 00690D53
Part of subcall function 00690C20: #266.MFC140U(00000000), ref: 00690D5D
Part of subcall function 00690C20: GetLastError.KERNEL32 ref: 00690D62

#21.WS2_32(?,0000FFFF,0000700B,?,00000004), ref: 00690EE6
WSAIoctl.WS2_32(00000001,98000004,?,0000000C,00000000,00000000,?,00000000,00000000), ref: 00690F22
EnterCriticalSection.KERNEL32(00000000,?,00000004), ref: 00690F2C
LeaveCriticalSection.KERNEL32(00000000,?,00000004), ref: 00690F36
#21.WS2_32(00000001,0000FFFF,00000080,?,00000004,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000), ref: 00690F9F
#22.WS2_32(00000001,00000002,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 00690FA8
#3.WS2_32(00000001,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 00690FAF
#266.MFC140U(00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 00690FCA
#265.MFC140U(00000004), ref: 00690FDC
WSARecv.WS2_32(00000001,?,00000001,00000000,?,?,00000000), ref: 0069102F
#111.WS2_32(?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 00691039
#266.MFC140U(00000000,?,00000001,00000003,00000000,00000000,00000000,?,00000001,00000001,00000000,00000000,00000000,?,00000004), ref: 00691085

Strings

0u, xrefs: 00690F14

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266$#111#265CompletionCriticalSection$#1511CreateEnterErrorIoctlLastLeavePortPostQueuedRecvSleepSocketStatusmemset
String ID: 0u
API String ID: 903272316-3203441087
Opcode ID: 3d83480de1b5fc7643b84477a94317363b569298b17b25c349c0ecb93ee4c06e
Instruction ID: 2829d8b5e519e0c6e6bce242474d2b7a09d2096220f4d86b77aa5851784423d2
Opcode Fuzzy Hash: 3d83480de1b5fc7643b84477a94317363b569298b17b25c349c0ecb93ee4c06e
Instruction Fuzzy Hash: EB51CFB0500305AFEB209F64DC89FAEBBBAFF08700F105618F606A6AD1D7B5A605CB54

Function 0068F820 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0068F861
memset.VCRUNTIME140(?,00000000,00000200), ref: 0068F87F
#296.MFC140U ref: 0068F88D
#296.MFC140U ref: 0068F8A0
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0068F8B7
#5850.MFC140U(?,00000000,00000001), ref: 0068F8CD
#4815.MFC140U(?,%s\,?,00000000), ref: 0068F8EC
#1045.MFC140U ref: 0068F8FB
GetFileAttributesW.KERNEL32(?), ref: 0068F907
ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 0068F925
#1045.MFC140U ref: 0068F931
#1045.MFC140U ref: 0068F93D

Strings

open, xrefs: 0068F91E
%s\, xrefs: 0068F8E6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#296$#4815#5850AttributesExecuteFileFolderMessagePathSendShellSpecialmemset
String ID: %s\$open
API String ID: 1297625082-3272434717
Opcode ID: ea53bb387abdb2ec39fc56e757cc9038ab12c3552e39321f94b62a44e2140830
Instruction ID: edf9b7378d91cb7540d523483c647994a0961405f1321845f3ec895dae6ac2db
Opcode Fuzzy Hash: ea53bb387abdb2ec39fc56e757cc9038ab12c3552e39321f94b62a44e2140830
Instruction Fuzzy Hash: 2F319E7198020DEBDB20DF50DD4AFE97BBAFB18710F005295F615A22E0DBB05A44CB50

Function 006B9540 Relevance: 23.2, APIs: 6, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 006B95AC

Part of subcall function 006BA1A0: memcpy.VCRUNTIME140(?,?,000001FF,?,?,006B95E4,?,?,0000000A), ref: 006BA1FD

Strings

Unknown alt-svc port number, ignoring., xrefs: 006B97DB
persist, xrefs: 006B9989
Added alt-svc: %s:%d over %s, xrefs: 006B9A7D
0123456789abcdefABCDEF:., xrefs: 006B96E8
Excessive alt-svc hostname, ignoring., xrefs: 006B976E
clear, xrefs: 006B9602
Excessive alt-svc header, ignoring., xrefs: 006B95EB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpymemset
String ID: 0123456789abcdefABCDEF:.$Added alt-svc: %s:%d over %s$Excessive alt-svc header, ignoring.$Excessive alt-svc hostname, ignoring.$Unknown alt-svc port number, ignoring.$clear$persist
API String ID: 1297977491-3110261033
Opcode ID: fbe21c86e2f5851b5ff9b84a5cfca71d5312c9cc00cd087a017b85d320b65dcb
Instruction ID: d3e805a4f4ffd1f6ff80dec3702e87a1e3d10b8470a8aeede6660be786bf2a95
Opcode Fuzzy Hash: fbe21c86e2f5851b5ff9b84a5cfca71d5312c9cc00cd087a017b85d320b65dcb
Instruction Fuzzy Hash: D8F1F7F15483459BD7209F2888407EBBBE7AF96304F58092DFAD487342D635D986C7B2

Function 006C69D0 Relevance: 23.0, APIs: 4, Strings: 11, Instructions: 487stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,HTTP/,00000005), ref: 006C6A5A
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,RTSP/,00000005), ref: 006C6C18
memchr.VCRUNTIME140(?,00000000,?,?,?,?,?,?,006C6711,?,00000000,00000000), ref: 006C6E69
memchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,006C6711,?,00000000,00000000,?,?,?,?,?), ref: 006C6EC3

Strings

Header without colon, xrefs: 006C6ECF, 006C6ED4
RTSP/, xrefs: 006C6C12
HTTP/, xrefs: 006C6A54
Unsupported HTTP version (%u.%d) in response, xrefs: 006C6CE9, 006C6D2F
Nul byte in header, xrefs: 006C6E75, 006C6E7A
HTTP 1.0, assume close after body, xrefs: 006C6DC5
Unsupported HTTP version in response, xrefs: 006C6A84
<-, xrefs: 006C6A5A, 006C6C18
gfff, xrefs: 006C6D04
Version mismatch (from HTTP/%u to HTTP/%u), xrefs: 006C6D28
Unsupported HTTP/1 subversion in response, xrefs: 006C6BCD

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchrstrncmp
String ID: <-$HTTP 1.0, assume close after body$HTTP/$Header without colon$Nul byte in header$RTSP/$Unsupported HTTP version (%u.%d) in response$Unsupported HTTP version in response$Unsupported HTTP/1 subversion in response$Version mismatch (from HTTP/%u to HTTP/%u)$gfff
API String ID: 2166067702-1691758732
Opcode ID: b33dd465d0e35328dec73b3d4ba215cc6b50a93a38c4989a24f84f30e4e5d849
Instruction ID: d30b93cc5be3d1c4f4464a768cc4263c4558091aa68d2de5e58b0148098e9c1b
Opcode Fuzzy Hash: b33dd465d0e35328dec73b3d4ba215cc6b50a93a38c4989a24f84f30e4e5d849
Instruction Fuzzy Hash: 30F188352046455FDB249B28C840FFAFBDBFF02304F88056EF4A98B342E725B9568799

Function 006EC1E0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,?), ref: 006EC20E
GetProcAddress.KERNEL32(00000000), ref: 006EC215
memset.VCRUNTIME140(?,00000000,0000010C,00000000), ref: 006EC27C
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 006EC2E1
VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 006EC2EB
VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 006EC308
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 006EC314
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 006EC33C
VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 006EC3C9

Strings

RtlVerifyVersionInfo, xrefs: 006EC204
ntdll, xrefs: 006EC209
x(, xrefs: 006EC321
b(, xrefs: 006EC2D5, 006EC2F6, 006EC2FE, 006EC387

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProcmemset
String ID: RtlVerifyVersionInfo$b($ntdll$x(
API String ID: 2720349688-3099320890
Opcode ID: db5ac0fa0e7bc50dee61982f69afecd339f5b9eacea8fc2631eb008fab08308c
Instruction ID: 170a7e79b265dc0061d8f1def2f54f5ed51ee78a2a6979bc3a30d5371ce42b8c
Opcode Fuzzy Hash: db5ac0fa0e7bc50dee61982f69afecd339f5b9eacea8fc2631eb008fab08308c
Instruction Fuzzy Hash: A5511871649380EFE720DB69DC45BAF7BDAAF89720F04841EF588972D1C6759801CB63

Function 00686E20 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 83networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(UrlTest,00000000,00000000,00000000,00000000), ref: 00686E59
InternetOpenUrlA.WININET(00000000,http://27.25.156.102:9999/style.html,00000000,00000000,04000000,00000000), ref: 00686E77
InternetReadFile.WININET(00000000,?,000003FF,?), ref: 00686EA4
#296.MFC140U ref: 00686EB5
#290.MFC140U(?), ref: 00686ECF
#4815.MFC140U(?,%ws,00000000), ref: 00686EE7
#1045.MFC140U ref: 00686EF6
InternetCloseHandle.WININET(00000000), ref: 00686EFD
#1045.MFC140U ref: 00686F0E
InternetCloseHandle.WININET(00000000), ref: 00686F15

Strings

UrlTest, xrefs: 00686E54
http://27.25.156.102:9999/style.html, xrefs: 00686E71
%ws, xrefs: 00686EE1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Internet$#1045CloseHandleOpen$#290#296#4815FileRead
String ID: %ws$UrlTest$http://27.25.156.102:9999/style.html
API String ID: 588119949-1936685195
Opcode ID: 80f41c4675c4245af51dcbac776e03313adcef5e561507a816a3c6bcd0df4a26
Instruction ID: 64ccaa77beb9381499a5c48b1ad8620d54320d5a7c3c99496de296cd23b1cce9
Opcode Fuzzy Hash: 80f41c4675c4245af51dcbac776e03313adcef5e561507a816a3c6bcd0df4a26
Instruction Fuzzy Hash: D33193B190025DABCB20DB51EC49FEABBBEFB85714F0051A9F60593290DB745A84CBA4

Function 006E8200 Relevance: 22.7, APIs: 1, Strings: 14, Instructions: 223COMMON

Download Yara Rule

Strings

Transfer-Encoding:, xrefs: 006E8321, 006E8363
Ignoring Content-Length in CONNECT %03d response, xrefs: 006E82CC
HTTP/1., xrefs: 006E83BF
Proxy-authenticate:, xrefs: 006E8230
Ignoring Transfer-Encoding in CONNECT %03d response, xrefs: 006E8345
chunked, xrefs: 006E835C
CONNECT: fwd auth header '%s', xrefs: 006E8268
Proxy-Connection:, xrefs: 006E83AB
close, xrefs: 006E8302, 006E83A4
CONNECT responded chunked, xrefs: 006E8379
<-, xrefs: 006E83C5
Connection:, xrefs: 006E8309
WWW-Authenticate:, xrefs: 006E820E
Content-Length:, xrefs: 006E82A8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: <-$CONNECT responded chunked$CONNECT: fwd auth header '%s'$Connection:$Content-Length:$HTTP/1.$Ignoring Content-Length in CONNECT %03d response$Ignoring Transfer-Encoding in CONNECT %03d response$Proxy-Connection:$Proxy-authenticate:$Transfer-Encoding:$WWW-Authenticate:$chunked$close
API String ID: 0-3864443169
Opcode ID: ba447327aacf81359c121d7f92d322169aa3eac63a4a7ea97c04ed6c8b473a53
Instruction ID: 183875ca7881aa4bd5b30e8e3afd7e6fc69b20f96d80ff8455a75e948957c103
Opcode Fuzzy Hash: ba447327aacf81359c121d7f92d322169aa3eac63a4a7ea97c04ed6c8b473a53
Instruction Fuzzy Hash: A6517C717423456EEA20A669AC42FFB73C6CF51711F40006AFA08E72C3EB56A5069365

Function 00688A40 Relevance: 22.6, APIs: 15, Instructions: 130COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 00688AB3
#14364.MFC140U(?,?,00000000), ref: 00688ACB
#1523.MFC140U(00000000), ref: 00688AD9
#1045.MFC140U ref: 00688AE6
#14405.MFC140U ref: 00688AEF
#2990.MFC140U(0070C714), ref: 00688AFC
#280.MFC140U(?), ref: 00688B69
#14364.MFC140U(?,?,00000000), ref: 00688B85
#1523.MFC140U(00000000), ref: 00688B93
#1045.MFC140U ref: 00688BA0
#14405.MFC140U ref: 00688BA9
#2990.MFC140U(0070C714), ref: 00688BB6

Part of subcall function 006900E0: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,?,00688B5A), ref: 00690111

#1045.MFC140U ref: 00688BC7
#1045.MFC140U ref: 00688BD0
#1045.MFC140U ref: 00688BD9

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#14364#14405#1523#2990$#280#296Xlength_error@std@@
String ID:
API String ID: 319254035-0
Opcode ID: 5f9ac308fb376e4ca7764e314e4bcfef2620fb1f15ffec684e565e7a63ba550d
Instruction ID: 52fa8c312d59df695de00ddf41cb93d9f5210a42b881bbb038a79b5b134c1305
Opcode Fuzzy Hash: 5f9ac308fb376e4ca7764e314e4bcfef2620fb1f15ffec684e565e7a63ba550d
Instruction Fuzzy Hash: 86515EB090114AEFDF04DF94C958BFEBBBAFF54304F109259E506A3290DB74AA05CBA1

Function 006EF200 Relevance: 21.5, APIs: 6, Strings: 6, Instructions: 473stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,00708CDC), ref: 006EF34A
strchr.VCRUNTIME140(?,0000003A), ref: 006EF3F4
strchr.VCRUNTIME140(?,0000003B), ref: 006EF406
strcspn.API-MS-WIN-CRT-STRING-L1-1-0(00000000,006FDF38), ref: 006EF4A7
strchr.VCRUNTIME140(00000000,0000003A), ref: 006EF58B
strchr.VCRUNTIME140(?,0000003A), ref: 006EF6ED

Part of subcall function 0069CD8F: ___report_securityfailure.LIBCMT ref: 0069CD94

Strings

%s: %s, xrefs: 006EF5DC
x-%s-date:%s, xrefs: 006EF2BA
host:%s, xrefs: 006EF382
X-%s-Date, xrefs: 006EF292
Date, xrefs: 006EF59F
Host, xrefs: 006EF2CC

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$strcspn$___report_securityfailure
String ID: %s: %s$Date$Host$X-%s-Date$host:%s$x-%s-date:%s
API String ID: 2725030704-2873700390
Opcode ID: cf74ee5b958340e3d9f950d1a07ad2b188b59e225bf79adeeefae0e8bad74a3a
Instruction ID: 6bd8b4ce9331d9f9a67d08c79d1e36bbb627c32488ce0c29b5138d8639ddada7
Opcode Fuzzy Hash: cf74ee5b958340e3d9f950d1a07ad2b188b59e225bf79adeeefae0e8bad74a3a
Instruction Fuzzy Hash: 29F1E5715053C19BDB219F258841BEBB7E7AFA6304F18097CE8C99B352E732D906C762

Function 006DD280 Relevance: 21.3, APIs: 3, Strings: 9, Instructions: 310stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000004,00000028), ref: 006DD2F4
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000004,?,0000000A), ref: 006DD320
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000004,?,0000000A), ref: 006DD3E2

Strings

Skip %u.%u.%u.%u for data connection, reuse %s instead, xrefs: 006DD421
Bad PASV/EPSV response: %03d, xrefs: 006DD6A7
Couldn't interpret the 227-response, xrefs: 006DD448
Weirdly formatted EPSV reply, xrefs: 006DD37A
Illegal port number in EPSV reply, xrefs: 006DD338
%u.%u.%u.%u, xrefs: 006DD470
Connecting to %s (%s) port %d, xrefs: 006DD640
cannot resolve new host %s:%hu, xrefs: 006DD5AD
cannot resolve proxy host %s:%hu, xrefs: 006DD4F6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strtoul$strchr
String ID: %u.%u.%u.%u$Bad PASV/EPSV response: %03d$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, reuse %s instead$Weirdly formatted EPSV reply$cannot resolve new host %s:%hu$cannot resolve proxy host %s:%hu
API String ID: 2221958140-4292487287
Opcode ID: c376945db245d5546a2db362744360d60e81d3948d52504d18c184ae75b4ea24
Instruction ID: e809f80fd4ac12b5df8e9717297760b451da34410e0830f0fdf1aa6849de76ab
Opcode Fuzzy Hash: c376945db245d5546a2db362744360d60e81d3948d52504d18c184ae75b4ea24
Instruction Fuzzy Hash: 17B139B0E04282FFD721AB24CC05BEBBBDABF45304F04051AF94992392D374E964C7A6

Function 0068E820 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 78COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400), ref: 0068E84B
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 0068E85E

Part of subcall function 006811C0: RegOpenKeyExA.ADVAPI32(?,0070B920,00000000,00020019,?), ref: 006811F9
Part of subcall function 006811C0: memset.VCRUNTIME140(?), ref: 0068121E
Part of subcall function 006811C0: RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 00681251
Part of subcall function 006811C0: #265.MFC140U(00000400), ref: 00681264
Part of subcall function 006811C0: memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00681275
Part of subcall function 006811C0: memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00681288
Part of subcall function 006811C0: memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 00681295
Part of subcall function 006811C0: #266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0068129B
Part of subcall function 006811C0: RegCloseKey.ADVAPI32(?), ref: 006812AF

#290.MFC140U(?), ref: 0068E8A7
#1045.MFC140U ref: 0068E8BA
#290.MFC140U(?), ref: 0068E8ED

Part of subcall function 0068C8D0: memset.VCRUNTIME140(?,00000000,0000020A), ref: 0068C92B
Part of subcall function 0068C8D0: SHFileOperationW.SHELL32(00000000), ref: 0068C9FA

#1045.MFC140U ref: 0068E900
#290.MFC140U(?), ref: 0068E933

Part of subcall function 0068C8D0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0068CA5A
Part of subcall function 0068C8D0: #296.MFC140U ref: 0068CA6E
Part of subcall function 0068C8D0: #5850.MFC140U(00000001,00000000,00000001), ref: 0068CA88
Part of subcall function 0068C8D0: #290.MFC140U(00715900), ref: 0068CA9A
Part of subcall function 0068C8D0: #4815.MFC140U(00000000,%ws%ws_log.txt,00000000,?), ref: 0068CAB2
Part of subcall function 0068C8D0: #1045.MFC140U ref: 0068CABE
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070BD6C,0070B524,?), ref: 0068CADA
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070C4CC,0070B524,?), ref: 0068CAEC
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070BD80,0070B524,?), ref: 0068CAFE
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070BD74,0070B524,?), ref: 0068CB10
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070C4D8,0070B524,?), ref: 0068CB22
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070BD88,0070B524,?), ref: 0068CB34
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070C4E0,0070B524,?), ref: 0068CB46
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,0070C560,0070B524,?), ref: 0068CB58
Part of subcall function 0068C8D0: WritePrivateProfileStringW.KERNEL32(?,`S(u,0070B524,?), ref: 0068CB6A

#1045.MFC140U ref: 0068E946

Strings

\Releasephysx27\CefProcess, xrefs: 0068E906
\Releasephysx27\QQSpeedMonitor.exe, xrefs: 0068E8C0
\Releasephysx27\AwesomiumProcess.exe, xrefs: 0068E87A
%s%s, xrefs: 0068E88C, 0068E8D2, 0068E918

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: PrivateProfileStringWrite$memset$#1045#290$memcpy$#265#266#296#4815#5850CloseFileMessageOpenOperationQuerySendValue
String ID: %s%s$\Releasephysx27\AwesomiumProcess.exe$\Releasephysx27\CefProcess$\Releasephysx27\QQSpeedMonitor.exe
API String ID: 1584372538-1064650307
Opcode ID: 319f0362c1e31a5656f14521c5a2b44efe1e03e0bcb14419622b8de1a93543ea
Instruction ID: 5c698d25a5b273f8fd40b45963197f5067b1d576ef17bd296a7f8e931ddae9fd
Opcode Fuzzy Hash: 319f0362c1e31a5656f14521c5a2b44efe1e03e0bcb14419622b8de1a93543ea
Instruction Fuzzy Hash: C6314DF594011C9BCBA0EB60CD46AE973BDFB04300F4011D9A749A2182EF746B89CFA4

Function 006A8AA0 Relevance: 19.7, APIs: 13, Instructions: 210COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000020,00000000,00000005), ref: 006A8B79
#112.WS2_32(00002AF9,00000000,00000018,?,?,006A89D1,00000000,00000000,00000018), ref: 006A8BE6
#111.WS2_32(00000000,00000018,?,?,006A89D1,00000000,00000000,00000018), ref: 006A8C2E
#111.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000090), ref: 006A8C34
EnterCriticalSection.KERNEL32(?,00000000,00000018,?,?,006A89D1,00000000,00000000,00000018), ref: 006A8C4C
LeaveCriticalSection.KERNEL32(?), ref: 006A8C5B
DeleteCriticalSection.KERNEL32(?), ref: 006A8C69
#3.WS2_32(?), ref: 006A8CA0
memset.VCRUNTIME140(?,00000000,00000090), ref: 006A8CAE
#19.WS2_32(?,?), ref: 006A8CE2
#111.WS2_32 ref: 006A8CEC
LeaveCriticalSection.KERNEL32(?), ref: 006A8CFB
SetEvent.KERNEL32(00000000), ref: 006A8D0C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CriticalSection$#111$Leave$#112DeleteEnterEventmemcpymemset
String ID:
API String ID: 2746829086-0
Opcode ID: 2ec31ce177877f3900ee805feec6b7e71897cdbddcbf0397947f1024fb2dc8e3
Instruction ID: 66feeffe2f41fad0f1b1056fb79016fc31fee3393b8b062665cd558db65d01d9
Opcode Fuzzy Hash: 2ec31ce177877f3900ee805feec6b7e71897cdbddcbf0397947f1024fb2dc8e3
Instruction Fuzzy Hash: D08168B06003058FDB20EF29D984AAABBF6FF49350F044929E94693351DB71ED58CFA1

Function 006D2330 Relevance: 19.5, APIs: 4, Strings: 7, Instructions: 271stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003D,?,00000000,?,00000001), ref: 006D2433
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A,?,?,?,?,00000001), ref: 006D25EB
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A,?,?,?,?,?,?,?,?,00000001), ref: 006D2620
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 006D2690

Strings

Syntax error in telnet option: %s, xrefs: 006D265B
NEW_ENV, xrefs: 006D2571
Unknown telnet option %s, xrefs: 006D26C9
XDISPLOC, xrefs: 006D251D
BINARY, xrefs: 006D2679
USER,%s, xrefs: 006D238E
TTYPE, xrefs: 006D2474

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strtoul$atoistrchr
String ID: BINARY$NEW_ENV$Syntax error in telnet option: %s$TTYPE$USER,%s$Unknown telnet option %s$XDISPLOC
API String ID: 2093219069-1232391404
Opcode ID: ecf3e75e0417fef4ee2b8c064b7486306dcd00775cb6b0f59d6d9a73cd4110a9
Instruction ID: 18f7bd095cb9474e81c262f71b865547beeb86122bf795856d81d1c218b98133
Opcode Fuzzy Hash: ecf3e75e0417fef4ee2b8c064b7486306dcd00775cb6b0f59d6d9a73cd4110a9
Instruction Fuzzy Hash: A3A129709043028BEB109F14DCA1BE677E6BF69704F08057EEC899B343EB75D94987A1

Function 006D2E00 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 205stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000002C), ref: 006D2ED8
#19.WS2_32(?,?,00000006,00000000), ref: 006D2F6C
#111.WS2_32 ref: 006D2F76
#19.WS2_32(?,?,?,00000000), ref: 006D302D
#111.WS2_32 ref: 006D3037

Strings

%c%c, xrefs: 006D2F46
%c%c%c%c, xrefs: 006D2E8A
%c%s, xrefs: 006D2EF6
%c%.*s%c%s, xrefs: 006D2F15
Sending data failed (%d), xrefs: 006D2F7D, 006D303E
%c%c%c%c%s%c%c, xrefs: 006D3003

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111$strchr
String ID: %c%.*s%c%s$%c%c$%c%c%c%c$%c%c%c%c%s%c%c$%c%s$Sending data failed (%d)
API String ID: 2709257840-3373344002
Opcode ID: 913ca87e0f5cc681334dc63692edc4d19b08f125efea3a8d9e0eb9d9db94d6e8
Instruction ID: 428b968b3bd824716a6c975b62cd2c23d63f2b7eda5daadc9ff66bc5aee1ecaf
Opcode Fuzzy Hash: 913ca87e0f5cc681334dc63692edc4d19b08f125efea3a8d9e0eb9d9db94d6e8
Instruction Fuzzy Hash: 7E61F9B1A80305ABE7309F14DC52FF773EEEB58700F044929FA85972C3DA65A9058795

Function 006F0700 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 184encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32(?,?,?,?,00000001,?,?), ref: 006F0918

Strings

schannel: connection hostname (%s) did not match against certificate name (%s), xrefs: 006F0868
schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names, xrefs: 006F08CE
schannel: CertGetNameString() returned certificate name information of unexpected size, xrefs: 006F07E2
schannel: server certificate name verification failed, xrefs: 006F08BA
d#, xrefs: 006F089A
schannel: connection hostname (%s) validated against certificate name (%s), xrefs: 006F0856
schannel: CertGetNameString() returned no certificate name information, xrefs: 006F07A0
schannel: Failed to read remote certificate context: %s, xrefs: 006F08EF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCertificateContextFree
String ID: d#$schannel: CertGetNameString() failed to match connection hostname (%s) against server certificate names$schannel: CertGetNameString() returned certificate name information of unexpected size$schannel: CertGetNameString() returned no certificate name information$schannel: Failed to read remote certificate context: %s$schannel: connection hostname (%s) did not match against certificate name (%s)$schannel: connection hostname (%s) validated against certificate name (%s)$schannel: server certificate name verification failed
API String ID: 3080675121-1530400523
Opcode ID: 95f82395dac4d28eadb862379c4c29fc2a2306e3a2aefb1868912e0079122d65
Instruction ID: 583adeeb488470011b0522dcc7839a3a6a0ab714a8e8b717db78a4e91d025e0a
Opcode Fuzzy Hash: 95f82395dac4d28eadb862379c4c29fc2a2306e3a2aefb1868912e0079122d65
Instruction Fuzzy Hash: 7F51F5B1A043089FEB109F24DC41FBB77EBAB85344F04456CFA5A93343E675A9058BE2

Function 00681460 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 0068152D
#286.MFC140U(?), ref: 0068154E
#290.MFC140U(bSSO_Result_bSucceed), ref: 00681560
#2996.MFC140U(00000000), ref: 0068156F
#1045.MFC140U ref: 00681581
#1045.MFC140U ref: 0068159E
#1045.MFC140U ref: 006815B3
#1045.MFC140U ref: 006815C0
#1045.MFC140U ref: 006815C9
CallWindowProcW.USER32(?,?,?,?,F74E5D36), ref: 006815F1

Strings

bSSO_Result_bSucceed, xrefs: 00681554

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#286#290#296#2996CallProcWindow
String ID: bSSO_Result_bSucceed
API String ID: 1652504514-431560583
Opcode ID: 90d51197bbf560c1b44227de06b80cb28ef5ce2e1a15adcd123ee4c2100cc980
Instruction ID: 9eb51db6d315d35eefd74d3cc416cfe9301d31265dd6cb1bd2015b7cb98d6dae
Opcode Fuzzy Hash: 90d51197bbf560c1b44227de06b80cb28ef5ce2e1a15adcd123ee4c2100cc980
Instruction Fuzzy Hash: 715138B1A00109DFCB14DF98D884FEEBBFAFB49310F144159E516AB2A0DB75AD06CB61

Function 0068EBDE Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 115fileCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068EC34
memset.VCRUNTIME140(?,00000000,00000200), ref: 0068EC4F
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000000,00000000), ref: 0068EC64
#4815.MFC140U(?,%s\,?), ref: 0068EC7D
CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0068EC9B
GetFileSize.KERNEL32(00000000,?), ref: 0068ECB4
#265.MFC140U(00000001), ref: 0068ECC0
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0068ECDD
#266.MFC140U(00000000), ref: 0068ECF4
CloseHandle.KERNEL32(00000000), ref: 0068ED03
#296.MFC140U ref: 0068ED0F
#290.MFC140U(0070C60C), ref: 0068ED58
#290.MFC140U(00000000), ref: 0068ED66
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 0068EE25
#296.MFC140U ref: 0068EE9E
#1045.MFC140U ref: 0068F309

Strings

%s\, xrefs: 0068EC77

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #296File$#290$#1045#265#266#4815CloseCreateFolderHandlePathReadSizeSpecial_wtollmemset
String ID: %s\
API String ID: 986897502-2802346739
Opcode ID: 9f5fdca2059f5c9169c36096643ec987a1539116618ee7ad47dd5389ed52b1e1
Instruction ID: 699559ff9cf38ca9ebf161b9f4667ab4b9157579fcdcd2ee187d96923bca2bc2
Opcode Fuzzy Hash: 9f5fdca2059f5c9169c36096643ec987a1539116618ee7ad47dd5389ed52b1e1
Instruction Fuzzy Hash: 7B31E871901208ABD720DB54DC4DFFE777DFB44710F1012A6FA1AA22D0DB716A44CB94

Function 006A1500 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006A1503
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A150B
__sys_nerr.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1536
__sys_errlist.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1540
strrchr.VCRUNTIME140(?,0000000A), ref: 006A158D
strrchr.VCRUNTIME140(?,0000000D), ref: 006A15A8
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A15C6
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A15D0
GetLastError.KERNEL32 ref: 006A15D4
SetLastError.KERNEL32(00000000), ref: 006A15DF

Strings

Unknown error %d (%#x), xrefs: 006A157B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ErrorLast_errno$strrchr$__sys_errlist__sys_nerr
String ID: Unknown error %d (%#x)
API String ID: 3904614065-2414550090
Opcode ID: db495ba3499eaa5f3af0592675570c77cfdbdb4567eacf5fc450c53a32d2ce3f
Instruction ID: 9a1df7ef37c71cc24be03dc02adea8e5b53f71f239a36c25d8f7094d04abbbbe
Opcode Fuzzy Hash: db495ba3499eaa5f3af0592675570c77cfdbdb4567eacf5fc450c53a32d2ce3f
Instruction Fuzzy Hash: 8221E1F1A042046FD7107F249C49A7B779FAFD3355F051068F9038A2A2EB20ED01CAB1

Function 006812D0 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,SOFTWARE\Tencent\QQGame\SYS,00000000,00020019,?), ref: 00681309
memset.VCRUNTIME140(?), ref: 0068132E
RegQueryValueExW.ADVAPI32(?,GameDirectory,00000000,?,?,00000400), ref: 00681361
#265.MFC140U(00000400), ref: 00681374
memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00681385
memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00681398
memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 006813A5
#266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 006813AB
RegCloseKey.ADVAPI32(?), ref: 006813BF

Strings

GameDirectory, xrefs: 00681356
SOFTWARE\Tencent\QQGame\SYS, xrefs: 006812FF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpymemset$#265#266CloseOpenQueryValue
String ID: GameDirectory$SOFTWARE\Tencent\QQGame\SYS
API String ID: 2010162712-2735627741
Opcode ID: 36d3497aaad2bdd0e16bd0a62c00379dd5120dc12439d39ae45ff4344fa35da2
Instruction ID: dd408f14dc87076c5d54e9669a773164a13f0f139afc9e7da16d587226979280
Opcode Fuzzy Hash: 36d3497aaad2bdd0e16bd0a62c00379dd5120dc12439d39ae45ff4344fa35da2
Instruction Fuzzy Hash: 6E21A1B5A00128ABDB229F51CD45FEAB7BDEF08341F0041E5F648E2141DBB45E80CFA4

Function 006B8590 Relevance: 17.9, APIs: 1, Strings: 9, Instructions: 446COMMON

Download Yara Rule

APIs

Part of subcall function 006A7A80: QueryPerformanceCounter.KERNEL32( #,00092320,?,?,00092320), ref: 006A7A93
Part of subcall function 006A7A80: __alldvrm.LIBCMT ref: 006A7AAD

#112.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006B873E

Strings

%s connect timeout after %lldms, move on!, xrefs: 006B86B8
%s starting (timeout=%lldms), xrefs: 006B8971
%s connect -> %d, connected=%d, xrefs: 006B86E9
%s assess started=%d, result=%d, xrefs: 006B89B4
%s trying next, xrefs: 006B87EE
Failed to connect to %s port %u after %lld ms: %s, xrefs: 006B8A52
Connection timeout after %lld ms, xrefs: 006B8AAA
%s done, xrefs: 006B87DD, 006B891C
all eyeballers failed, xrefs: 006B898F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #112CounterPerformanceQuery__alldvrm
String ID: %s assess started=%d, result=%d$%s connect -> %d, connected=%d$%s connect timeout after %lldms, move on!$%s done$%s starting (timeout=%lldms)$%s trying next$Connection timeout after %lld ms$Failed to connect to %s port %u after %lld ms: %s$all eyeballers failed
API String ID: 3425774887-3359130258
Opcode ID: 95cd67afdf2d94e5763b3934077ff1091f1c657696c6137ad6eba2df42e2e480
Instruction ID: fcfd0faac1200b036b541fe3af7ef8704101fdd10919ed8e3617eea381104155
Opcode Fuzzy Hash: 95cd67afdf2d94e5763b3934077ff1091f1c657696c6137ad6eba2df42e2e480
Instruction Fuzzy Hash: E7F1D1B09083509FE721EF28C841BABBBEAEF85704F44491DF98557252DB71E8C5CB92

Function 006BBD30 Relevance: 17.9, APIs: 2, Strings: 8, Instructions: 393COMMON

Download Yara Rule

APIs

Part of subcall function 006D16D0: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(006BB650,00000002,?,?,?), ref: 006D16DE

#9.WS2_32(00000002,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006BC009
#9.WS2_32(?), ref: 006BC0D0

Strings

::1, xrefs: 006BC0E0
Not resolving .onion address (RFC 7686), xrefs: 006BBDAB
localhost, xrefs: 006BBF24
Hostname %s was found in DNS cache, xrefs: 006BBE0E
.localhost, xrefs: 006BBF56
.onion, xrefs: 006BBD84
.onion., xrefs: 006BBD99
127.0.0.1, xrefs: 006BC019

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno
String ID: .localhost$.onion$.onion.$127.0.0.1$::1$Hostname %s was found in DNS cache$Not resolving .onion address (RFC 7686)$localhost
API String ID: 2918714741-2421204314
Opcode ID: 7097c4fde9cb32b4456d90a54d91db50cb78f18a4d323b16a3e4b910e7ddccc6
Instruction ID: 6dc52230ac0fccec5420bb16724c653784c87cc1eb4616cb5cb903176dbb7e58
Opcode Fuzzy Hash: 7097c4fde9cb32b4456d90a54d91db50cb78f18a4d323b16a3e4b910e7ddccc6
Instruction Fuzzy Hash: B3E102B09043459FD711DF24C841BFBB7E9AF45318F04462DF88497382E7B5AA89CBA2

Function 006BA810 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 233COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,?,00000002,000006B6,?,00000000), ref: 006BA8A3
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006BA968
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 006BA995

Strings

# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 006BA89E
%d%02d%02d %02d:%02d:%02d, xrefs: 006BAA86
unlimited, xrefs: 006BA8DE
#, xrefs: 006BA968, 006BAA43
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 006BA94B
%s%s "%s", xrefs: 006BA8EF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _unlinkfclosefputs
String ID: #$# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$unlimited
API String ID: 498794310-2493195894
Opcode ID: 43ae9345108b2b33fa11e2bee1489befca0585642f9af5e531a27f3e1b57d1f2
Instruction ID: c95870e36abce8f4e1998ddebae11a59b42cef5e431118f200954fe529a67be9
Opcode Fuzzy Hash: 43ae9345108b2b33fa11e2bee1489befca0585642f9af5e531a27f3e1b57d1f2
Instruction Fuzzy Hash: 9F816AB1504305ABDB10DFA4C981AABB7EAFF88310F044A2DFD9583351E735E994DB92

Function 006DBE60 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 186stringCOMMON

Download Yara Rule

APIs

strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,0000000A,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006DBFDA

Strings

FTP code: %03d, xrefs: 006DC021
Accept timeout occurred while waiting server connect, xrefs: 006DBEB1
There is negative response in cache while serv connect, xrefs: 006DBEED
z-, xrefs: 006DBFDA
Ready to accept data connection from server, xrefs: 006DBF44
Error while waiting for server connect, xrefs: 006DBF6E
Got 226 before data activity, xrefs: 006DBFF0
Checking for server connect, xrefs: 006DBE90
Ctrl conn has data while waiting for data conn, xrefs: 006DBF89

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strtol
String ID: Accept timeout occurred while waiting server connect$Checking for server connect$Ctrl conn has data while waiting for data conn$Error while waiting for server connect$FTP code: %03d$Got 226 before data activity$Ready to accept data connection from server$There is negative response in cache while serv connect$z-
API String ID: 76114499-2434861692
Opcode ID: 1ccb948a55ed9e5420a3f9804da41b8cda8640b617e80d1b2ef5529c43eb7947
Instruction ID: 4b68691b2af00a980bb2c248cd31b55a6987105ffd7ad3afd28a9bc8523450fa
Opcode Fuzzy Hash: 1ccb948a55ed9e5420a3f9804da41b8cda8640b617e80d1b2ef5529c43eb7947
Instruction Fuzzy Hash: 33517FB2E00204DBDB116624AC427EF7796EB81725F48027BFD449A383E71A954987F7

Function 006A7420 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 175COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006A7493
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.,?,?,?,?,00000000,?), ref: 006A74D2
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000004,006A7700,?,?,?,?,?,?,?,00000000,?), ref: 006A752F
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006A758E

Strings

%s, xrefs: 006A7552
#, xrefs: 006A7486, 006A757A, 006A75CF
<o, xrefs: 006A7458
# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 006A74CD

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __acrt_iob_funcfclosefputsqsort
String ID: #$# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$<o
API String ID: 2230866234-3917551784
Opcode ID: bd41802bf4a2bb10bd785d2552ead2900d0e9f2d59b73df1641ae3eae5d31435
Instruction ID: e2ff8b648b2b0c50242df3dae496dffc449a94bae2d6bd06a42f11b23d09755b
Opcode Fuzzy Hash: bd41802bf4a2bb10bd785d2552ead2900d0e9f2d59b73df1641ae3eae5d31435
Instruction Fuzzy Hash: 3751E371A082015FD710AF28EC45BAB7BEAEF46345F044478E94582352EB26DD19CBA7

Function 006BD910 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 150COMMON

Download Yara Rule

APIs

#3.WS2_32(?), ref: 006BD9AD
memset.VCRUNTIME140(?), ref: 006BDA09
#5.WS2_32(?,?,?), ref: 006BDA21
#111.WS2_32 ref: 006BDA2B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006BDA78
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006BDA7C

Strings

getpeername() failed with errno %d: %s, xrefs: 006BDA48
accepted_set(sock=%d, remote=%s port=%d), xrefs: 006BDAE8
hBq, xrefs: 006BD94F
ssrem inet_ntop() failed with errno %d: %s, xrefs: 006BDA96

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno$#111memset
String ID: accepted_set(sock=%d, remote=%s port=%d)$getpeername() failed with errno %d: %s$hBq$ssrem inet_ntop() failed with errno %d: %s
API String ID: 3571256713-4153906920
Opcode ID: 68f5c473597d67dfe95234687c833aee5318d547dd8ff14a6394afe407000a14
Instruction ID: f72b902d1cd8c76c8131c5c04e07ebf7e96455ae581e51df881363f95de00a71
Opcode Fuzzy Hash: 68f5c473597d67dfe95234687c833aee5318d547dd8ff14a6394afe407000a14
Instruction Fuzzy Hash: D451C1B1604341AFD761EF24CC41BEBB7EDBF49304F04491EF98997242EB75A9448BA2

Function 006EC420 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,?,?,?,006EB7CC,?,?,?), ref: 006EC43F
strchr.VCRUNTIME140(00000000,0000005C), ref: 006EC455
strchr.VCRUNTIME140(00000000,0000002F), ref: 006EC464
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,00000000), ref: 006EC4D3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000), ref: 006EC4F0
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 006EC4F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006EC514
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001), ref: 006EC543
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006EC558

Strings

d#, xrefs: 006EC4E6, 006EC558

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free$_strdupstrchr$strncpy
String ID: d#
API String ID: 3628420716-2011854123
Opcode ID: 18bfde9fcfd5432a799fe1ffeba14089f71bc2bd79dc77bf34f237536c36049d
Instruction ID: 12e363752263a613e302c7a2f82eeeae2acea70bf2c12a04391961c955960036
Opcode Fuzzy Hash: 18bfde9fcfd5432a799fe1ffeba14089f71bc2bd79dc77bf34f237536c36049d
Instruction Fuzzy Hash: 233125B19063149BDB106F39EC48AEB7BDAEF85321F044169F801CB242EB75D615C7E2

Function 006CB130 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006A7A80: QueryPerformanceCounter.KERNEL32( #,00092320,?,?,00092320), ref: 006A7A93
Part of subcall function 006A7A80: __alldvrm.LIBCMT ref: 006A7AAD

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,?,00092320), ref: 006CB153
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 006CB15B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 006CB16C
Sleep.KERNEL32(00000001), ref: 006CB1B9
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 006CB1BF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CB1D0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CB1DA

Part of subcall function 006A7A80: GetTickCount.KERNEL32 ref: 006A7AF1

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CB1F4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CB1FE

Strings

d#, xrefs: 006CB1C5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTick__alldvrm
String ID: d#
API String ID: 3160879797-2011854123
Opcode ID: 75e988ef129abe203f3f223684f646a1f2e9d51f572c5596371c989bd0f706b8
Instruction ID: ee8570f090cf45892249795f546b5291089a0b3307a2bd2962d78e3361d2ee06
Opcode Fuzzy Hash: 75e988ef129abe203f3f223684f646a1f2e9d51f572c5596371c989bd0f706b8
Instruction Fuzzy Hash: 8A212D31D0035457E3216B34AC82FFF7716DF85750F082128ED0852211EB29EA9586E6

Function 0068B5E0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 81processCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100), ref: 0068B604
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100), ref: 0068B617
memset.VCRUNTIME140(?,00000000,00000100,?,00000000,00000100,?,00000000,00000100), ref: 0068B62A
memset.VCRUNTIME140(?,00000000,00000044,?,00000000,00000100,?,00000000,00000100,?,00000000,00000100), ref: 0068B63A
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000000,00000000), ref: 0068B663

Part of subcall function 006853C0: VirtualQuery.KERNEL32(006853C0,?,0000001C), ref: 006853E6
Part of subcall function 006853C0: FindResourceW.KERNEL32(?,?,?), ref: 006853F6
Part of subcall function 006853C0: SizeofResource.KERNEL32(?,00000000), ref: 00685405
Part of subcall function 006853C0: LoadResource.KERNEL32(?,00000000), ref: 0068540F
Part of subcall function 006853C0: LockResource.KERNEL32(00000000), ref: 00685416
Part of subcall function 006853C0: remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 00685422
Part of subcall function 006853C0: fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070B98C), ref: 0068542E
Part of subcall function 006853C0: fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 00685442
Part of subcall function 006853C0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00685449

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0068B6DE

Strings

D, xrefs: 0068B642
G_Gamee, xrefs: 0068B681
%s\G_Game.exe, xrefs: 0068B676
%s %s %d, xrefs: 0068B6AA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Resourcememset$CreateFindFolderLoadLockPathProcessQuerySizeofSpecialVirtualfclosefopenfwriteremove
String ID: %s %s %d$%s\G_Game.exe$D$G_Gamee
API String ID: 4277507693-3023222371
Opcode ID: b6795e391f18ce860f00b77d0056275bb0b72969d49715210ed527cdae3d2afc
Instruction ID: 29ee71b2b4f8eec63be2e68e70df104b35519ef2edd9904ce15b62a6f035152e
Opcode Fuzzy Hash: b6795e391f18ce860f00b77d0056275bb0b72969d49715210ed527cdae3d2afc
Instruction Fuzzy Hash: 792126B5E4031C77EB61DB60CD47FD973AD9B08B40F500596B744B60C1EAF46B848B55

Function 0068FB40 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068FB82
#296.MFC140U ref: 0068FB95
#5850.MFC140U(?,00000000,00000001), ref: 0068FBAF
#290.MFC140U(00715900), ref: 0068FBBD
#4815.MFC140U(?,%ws%ws_log.txt,00000000,?), ref: 0068FBD5
#1045.MFC140U ref: 0068FBE1
#1045.MFC140U ref: 0068FBF2
#1045.MFC140U ref: 0068FC02
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068FC1A

Strings

%ws%ws_log.txt, xrefs: 0068FBCF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$MessageSend$#290#296#4815#5850
String ID: %ws%ws_log.txt
API String ID: 1915077210-2539948989
Opcode ID: 41ac40ef7fcab8b40c4021973fad655e7813d86974055dcef311fe8bed011a36
Instruction ID: 588853be3c1f111b3eeb358b2a8703f612cefd22c6e3138f4891ad6ee27b51b1
Opcode Fuzzy Hash: 41ac40ef7fcab8b40c4021973fad655e7813d86974055dcef311fe8bed011a36
Instruction Fuzzy Hash: EF216FB190020AEFDB14DF94DD45FEEBBB9FB49720F105255E611A32E0DB745A00CBA0

Function 006811C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,0070B920,00000000,00020019,?), ref: 006811F9
memset.VCRUNTIME140(?), ref: 0068121E
RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 00681251
#265.MFC140U(00000400), ref: 00681264
memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00681275
memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00681288
memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 00681295
#266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0068129B
RegCloseKey.ADVAPI32(?), ref: 006812AF

Strings

path, xrefs: 00681246

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpymemset$#265#266CloseOpenQueryValue
String ID: path
API String ID: 2010162712-190089999
Opcode ID: 1a5974162f77dab9c9a2facfbf3c824b06051704801ab7122db2456b95045a6d
Instruction ID: 963c73f629e0ea10addc4ba6fce1419c65728e8b6fe57f3ffe1440663499ae54
Opcode Fuzzy Hash: 1a5974162f77dab9c9a2facfbf3c824b06051704801ab7122db2456b95045a6d
Instruction Fuzzy Hash: 1721AC75A00128ABDF229B51CC45FEAB7BDEF08351F0001E5F648E2241DBB45EC49FA4

Function 00686F40 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 76registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,0070BE2C,00000000,00020019,?), ref: 00686F79
memset.VCRUNTIME140(?), ref: 00686F9E
RegQueryValueExA.ADVAPI32(?,path,00000000,?,?,00000400), ref: 00686FD1
#265.MFC140U(00000400), ref: 00686FE4
memset.VCRUNTIME140(00000000,00000000,00000400), ref: 00686FF5
memcpy.VCRUNTIME140(00000000,?,00000400,00000000,00000000,00000400), ref: 00687008
memcpy.VCRUNTIME140(?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 00687015
#266.MFC140U(00000000,?,00000000,00000400,00000000,?,00000400,00000000,00000000,00000400), ref: 0068701B
RegCloseKey.ADVAPI32(?), ref: 0068702F

Strings

path, xrefs: 00686FC6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpymemset$#265#266CloseOpenQueryValue
String ID: path
API String ID: 2010162712-190089999
Opcode ID: 0f00c6c994d4fb917ab09863641561bc4138941edcd2db8ef489a0db673db79b
Instruction ID: 80920263f33734822691d06233c366f2cfac6ca360ed5d3dbb35956302a991c9
Opcode Fuzzy Hash: 0f00c6c994d4fb917ab09863641561bc4138941edcd2db8ef489a0db673db79b
Instruction Fuzzy Hash: 90219076A00128ABDB229B51DC45FEABBBDEF0C351F0041E5F648E2241DBB45EC49FA4

Function 006853C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(006853C0,?,0000001C), ref: 006853E6
FindResourceW.KERNEL32(?,?,?), ref: 006853F6
SizeofResource.KERNEL32(?,00000000), ref: 00685405
LoadResource.KERNEL32(?,00000000), ref: 0068540F
LockResource.KERNEL32(00000000), ref: 00685416
remove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 00685422
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,0070B98C), ref: 0068542E
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000001,00000000,00000000), ref: 00685442
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00685449

Strings

#, xrefs: 00685449

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockQuerySizeofVirtualfclosefopenfwriteremove
String ID: #
API String ID: 2534417835-7950391
Opcode ID: 952d5febfe0c7ff66bc1aedf05f3fedd51ec2c9c7f7ce3b76ad5dd4f665f0d7c
Instruction ID: 7937d40bbfc1830ce37764899fc7e96167f4d024d8cddef174ef1d3ffb30ea7f
Opcode Fuzzy Hash: 952d5febfe0c7ff66bc1aedf05f3fedd51ec2c9c7f7ce3b76ad5dd4f665f0d7c
Instruction Fuzzy Hash: 3F118F72901128ABCB10AFA5EC489FFBBBDEF09721B056155FD05A3210D7389E01CBA1

Function 0068C7B0 Relevance: 16.6, APIs: 11, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0068C7EA
#296.MFC140U ref: 0068C7FE
#5850.MFC140U(00000000,00000000,00000010), ref: 0068C818
#1523.MFC140U(00000000), ref: 0068C826
#1045.MFC140U ref: 0068C833
#5110.MFC140U ref: 0068C83C
_wtol.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000), ref: 0068C843
OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 0068C858
TerminateProcess.KERNEL32(00000000,00000000), ref: 0068C867
CloseHandle.KERNEL32(00000000), ref: 0068C86E
#1045.MFC140U ref: 0068C877

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045Process$#1523#296#5110#5850CloseHandleMessageOpenSendTerminate_wtol
String ID:
API String ID: 2317457787-0
Opcode ID: f676d8cb6f4d51ac1d7e3ebcd7c8b41a7c89b0aeded7eac99652eea7f3d30401
Instruction ID: 9e7d2d8544062e1314931808a9a4f8f6eeee06881e09dace5ba446161d7d5583
Opcode Fuzzy Hash: f676d8cb6f4d51ac1d7e3ebcd7c8b41a7c89b0aeded7eac99652eea7f3d30401
Instruction Fuzzy Hash: F221C471945219EFDB10DBA4DD09BBE7BB9EB09721F005315F912A32E0DB705A04CBA1

Function 0069C78A Relevance: 16.6, APIs: 11, Instructions: 51COMMON

Download Yara Rule

APIs

_set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 0069C78D
_set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 0069C798
__p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 0069C79D
___scrt_initialize_onexit_tables.LIBCMT ref: 0069C7AD

Part of subcall function 0069CAA5: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0(00715378), ref: 0069CACA

__RTC_Initialize.LIBCMT ref: 0069C7BC

Part of subcall function 0069CC49: __onexit.LIBCMT ref: 0069CC4F

_configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,0069D585), ref: 0069C7D1

Part of subcall function 0069D313: InitializeSListHead.KERNEL32(007156E0,0069C7E1), ref: 0069D318

__setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_000049A0), ref: 0069C7EF
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 0069C80A
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0069C810
___scrt_fastfail.LIBCMT ref: 0069C81F
___scrt_initialize_default_local_stdio_options.LIBCMT ref: 0069C825

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options___scrt_initialize_onexit_tables__onexit__p__commode__setusermatherr_configthreadlocale_configure_wide_argv_initialize_onexit_table_initialize_wide_environment_set_app_type_set_fmode
String ID:
API String ID: 2645771224-0
Opcode ID: 70915650b2c6983b5b1f3a50ad77849a30eca40c5d038d7c6601eaae814f75c7
Instruction ID: be088c5dff7c17e801ae616b32fabb459874aa2b5f2b09efdafabbe933ec64bc
Opcode Fuzzy Hash: 70915650b2c6983b5b1f3a50ad77849a30eca40c5d038d7c6601eaae814f75c7
Instruction Fuzzy Hash: EDF0F491A0021264EDE47BF56A07B8E168F0F527A2B14097DF544AAEC3FD2AD040427F

Function 006E0110 Relevance: 16.1, APIs: 3, Strings: 6, Instructions: 328COMMON

Download Yara Rule

APIs

_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,?), ref: 006E016D

Part of subcall function 006E0720: strchr.VCRUNTIME140(?,0000005C,?,?), ref: 006E0743

Strings

Content-Length: %lld, xrefs: 006E01E9
cannot get the size of file., xrefs: 006E032D
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 006E02A0
Directory listing not yet implemented on this platform., xrefs: 006E04F4
failed to resume file:// transfer, xrefs: 006E03AE
Accept-ranges: bytes, xrefs: 006E021B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _fstat64strchr
String ID: Accept-ranges: bytes$Content-Length: %lld$Directory listing not yet implemented on this platform.$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$cannot get the size of file.$failed to resume file:// transfer
API String ID: 2257945287-2450215276
Opcode ID: cd4bd874de33c47e6e765e2db8d529ffc8250ab04afa0bdb39c5b87a62768587
Instruction ID: ad549ec0e413fb9a20fe5df58e38aca94d87626b1ca147cf98842c0c378b0d16
Opcode Fuzzy Hash: cd4bd874de33c47e6e765e2db8d529ffc8250ab04afa0bdb39c5b87a62768587
Instruction Fuzzy Hash: A8B12570606381DFF721AA29DD41FEBB7DAAF50304F04082DFA8593382E7B599848767

Function 006D478D Relevance: 16.1, APIs: 2, Strings: 7, Instructions: 313COMMON

Download Yara Rule

APIs

#20.WS2_32(?,?,?,00000000,?,?), ref: 006D4AFE
#111.WS2_32(?,00000100,?,00000000,?,?), ref: 006D4B12

Strings

%s%c%s%c, xrefs: 006D4860
tsize, xrefs: 006D48FA
blksize, xrefs: 006D49BE
TFTP buffer too small for options, xrefs: 006D495A, 006D4A0D
TFTP filename too long, xrefs: 006D482C
%lld, xrefs: 006D48C9
timeout, xrefs: 006D4A72

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: %lld$%s%c%s%c$TFTP buffer too small for options$TFTP filename too long$blksize$timeout$tsize
API String ID: 568940515-1082497253
Opcode ID: 6507adac0651df248e17d34b800864f3d2c74508c5fce7b988cc81436f5c0d8e
Instruction ID: 5e49df7c2db619c376419ca3e6bc4839bb933f872350705bed560b27b034ced5
Opcode Fuzzy Hash: 6507adac0651df248e17d34b800864f3d2c74508c5fce7b988cc81436f5c0d8e
Instruction Fuzzy Hash: FAC1D4755083419FCB15CF28C891FF6B7A7AF42308F08869DE59A5B353DA32E90ACB54

Function 006DC9C0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 221COMMON

Download Yara Rule

APIs

#111.WS2_32 ref: 006DCB9A

Strings

STOP, xrefs: 006DCC0B
We got a 421 - timeout, xrefs: 006DCBDB
QUOT string not accepted: %s, xrefs: 006DCBC0
FTP response aborted due to select/poll error: %d, xrefs: 006DCBA1
[%s] -> [%s], xrefs: 006DCC11
*, xrefs: 006DCB5D
FTP response timeout, xrefs: 006DCC3B
???, xrefs: 006DCC06, 006DCC10

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: *$???$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$STOP$We got a 421 - timeout$[%s] -> [%s]
API String ID: 568940515-236139339
Opcode ID: 4ba95824a18d7c1800f46cac5323562d5d17a2ee61a30d08b8d69fb5b10e6b93
Instruction ID: 17585085335a3685ff307f6648bde2dadd3987825c4a8a5631de1074b0b556d6
Opcode Fuzzy Hash: 4ba95824a18d7c1800f46cac5323562d5d17a2ee61a30d08b8d69fb5b10e6b93
Instruction Fuzzy Hash: 1E615AB1E0834E9BD310DA18DC42BEBB7D6AF81324F48052FFD5586342E725D909C7A6

Function 006B20D0 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 199stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(%25,00000001,00000003,?,?,00000000,?,?), ref: 006B217C
strchr.VCRUNTIME140(00000000,0000003A,?,?,00000000,?,?), ref: 006B2200

Strings

Please URL encode %% as %%25, see RFC 6874., xrefs: 006B2189
z-, xrefs: 006B2221
No valid port number in connect to host string (%s), xrefs: 006B2242
%25, xrefs: 006B2177
Invalid IPv6 address format, xrefs: 006B21EF
<-, xrefs: 006B217C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchrstrncmp
String ID: %25$<-$Invalid IPv6 address format$No valid port number in connect to host string (%s)$Please URL encode %% as %%25, see RFC 6874.$z-
API String ID: 1699326466-2714339957
Opcode ID: f7bc9eaf38f55e8f2e5b62ac147b2df0ed760cbfa7fec95b055fcb432f1e7c4f
Instruction ID: bd3a38b737c205ac5f8877140c0f5ffc5ecb9216af1e24186e8d4babe1083bb2
Opcode Fuzzy Hash: f7bc9eaf38f55e8f2e5b62ac147b2df0ed760cbfa7fec95b055fcb432f1e7c4f
Instruction Fuzzy Hash: 8C5154F09842075BCB315B1CAC616E677D7AF4A355F444039EF85C6356E2248ACB83A7

Function 006D0F60 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 182encryptionCOMMON

Download Yara Rule

APIs

CertFreeCertificateContext.CRYPT32(?), ref: 006D1181

Strings

schannel: server selected an ALPN protocol too late, xrefs: 006D10A1
schannel: failed to setup confidentiality, xrefs: 006D0FE0
schannel: failed to setup replay detection, xrefs: 006D0FCC
schannel: failed to setup sequence detection, xrefs: 006D0FB8
schannel: failed to setup stream orientation, xrefs: 006D100E
schannel: failed to retrieve ALPN result, xrefs: 006D1058
schannel: failed to retrieve remote cert context, xrefs: 006D1192
schannel: failed to setup memory allocation, xrefs: 006D0FF7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCertificateContextFree
String ID: schannel: failed to retrieve ALPN result$schannel: failed to retrieve remote cert context$schannel: failed to setup confidentiality$schannel: failed to setup memory allocation$schannel: failed to setup replay detection$schannel: failed to setup sequence detection$schannel: failed to setup stream orientation$schannel: server selected an ALPN protocol too late
API String ID: 3080675121-3239075801
Opcode ID: 2ca116f1307cf94ff496a82bbec5a2bef3fff74f7a673d9c655ccc5437accd0d
Instruction ID: cb47bfd135c9c8b09d7c5eb97427785b44ae0edb4dd29b4ead139ab4974211cc
Opcode Fuzzy Hash: 2ca116f1307cf94ff496a82bbec5a2bef3fff74f7a673d9c655ccc5437accd0d
Instruction Fuzzy Hash: 7F513AB0A04740BBD321EB14DD41FEB7BDAAF46304F040419F9459A382DBB4EA94CBA6

Function 006CB210 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 166fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00702848,?,?,?,00092320), ref: 006CB258
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,00092320), ref: 006CB274
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 006CB27E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006CB2AA

Part of subcall function 006CD7F0: BCryptGenRandom.BCRYPT(00000000,?), ref: 006CD840

_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00702848), ref: 006CB3B8
_close.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006CB3CC
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 006CB3D3

Strings

%s%s.tmp, xrefs: 006CB372
#, xrefs: 006CB2AA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CryptRandom_close_fdopen_fileno_fstat64_unlinkfclosefopen
String ID: #$%s%s.tmp
API String ID: 3843148919-1238685805
Opcode ID: d0cc1f923aec1fbeceb8cb843f2cd68dff0cbbca8f59fcda5d69982baa69dedc
Instruction ID: bbff2f06f74604ec94f67299b9b2ed0a3f9d19b9c54ca9b4c8eeb1c503f48e72
Opcode Fuzzy Hash: d0cc1f923aec1fbeceb8cb843f2cd68dff0cbbca8f59fcda5d69982baa69dedc
Instruction Fuzzy Hash: 7251CE719043849BD7209B24DC86FBB77EAEF45300F44192DF98997292E734DD098BA6

Function 00684B40 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 00684B46
#4815.MFC140U(?,%Ts (%Ts:%d)%Ts,Exception thrown in destructor,D:\VS2015\VC\atlmfc\include\afxwin1.inl,0000004D,?), ref: 00684B8E
#4815.MFC140U(?,%Ts (%Ts:%d),Exception thrown in destructor,D:\VS2015\VC\atlmfc\include\afxwin1.inl,0000004D), ref: 00684BB1
#2304.MFC140U(?,00000000,00000000), ref: 00684BC4
#1045.MFC140U ref: 00684BD4

Strings

%Ts (%Ts:%d), xrefs: 00684BAB
%Ts (%Ts:%d)%Ts, xrefs: 00684B88
D:\VS2015\VC\atlmfc\include\afxwin1.inl, xrefs: 00684B78, 00684B9B
Exception thrown in destructor, xrefs: 00684B7D, 00684BA0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #4815$#1045#2304#296
String ID: %Ts (%Ts:%d)$%Ts (%Ts:%d)%Ts$D:\VS2015\VC\atlmfc\include\afxwin1.inl$Exception thrown in destructor
API String ID: 3171837016-3670023387
Opcode ID: b6a8b035dd800cb855646900fccfbcceb2ca1c351cb3e1d02b5627a177696cc9
Instruction ID: 6e1c60fcc43492539a14b3b4cb0d780ca93e6666ebcd4bb48189eca5c49ab90f
Opcode Fuzzy Hash: b6a8b035dd800cb855646900fccfbcceb2ca1c351cb3e1d02b5627a177696cc9
Instruction Fuzzy Hash: 681125F0B40219EBDB20DB54CC4AFD87BB9AB14701F0091D4B709A32D1DBB89B85CB69

Function 006E2E30 Relevance: 15.5, APIs: 5, Strings: 5, Instructions: 472COMMON

Download Yara Rule

Strings

Got DISCONNECT, xrefs: 006E3008
Expected %02x%02x but got %02x%02x, xrefs: 006E3367
State not handled yet, xrefs: 006E33AC
mqtt_doing: state [%d], xrefs: 006E2E8B
Connection disconnected, xrefs: 006E2ED3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: Connection disconnected$Expected %02x%02x but got %02x%02x$Got DISCONNECT$State not handled yet$mqtt_doing: state [%d]
API String ID: 0-464562646
Opcode ID: c3c810e00b8242c512292174705794b219ea308ab09aaf201917d6ac34815b77
Instruction ID: e64bdadb05391f0bfec8e8b259324862bb51261956e1fbd2bcc912be607ad908
Opcode Fuzzy Hash: c3c810e00b8242c512292174705794b219ea308ab09aaf201917d6ac34815b77
Instruction Fuzzy Hash: 80F110716043809FC7019F65CC84AEBBBE9EF49314F44457DFA8887342E739EA488B96

Function 006C0C60 Relevance: 15.4, APIs: 1, Strings: 9, Instructions: 376COMMON

Download Yara Rule

APIs

atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?,?,?,?,?,?,?,00000000), ref: 006C0F02

Strings

Switch from POST to GET, xrefs: 006C1126
Switch to %s, xrefs: 006C108C
HEAD, xrefs: 006C107C, 006C108B
Maximum (%ld) redirects followed, xrefs: 006C10D5
Clear auth, redirects to port from %u to %u, xrefs: 006C0F23
The redirect target URL could not be parsed: %s, xrefs: 006C0E29
GET, xrefs: 006C1077
Issue another request to this URL: '%s', xrefs: 006C1018
Clear auth, redirects scheme from %s to %s, xrefs: 006C0F7D

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: atoi
String ID: Clear auth, redirects scheme from %s to %s$Clear auth, redirects to port from %u to %u$GET$HEAD$Issue another request to this URL: '%s'$Maximum (%ld) redirects followed$Switch from POST to GET$Switch to %s$The redirect target URL could not be parsed: %s
API String ID: 657269090-2860807360
Opcode ID: 7bc12a31a5831b142aee112436daa8c6929d701bed790754ceed6a5a2daed673
Instruction ID: 64e29e61115b68a7c59467919dce194da5b86aa1e3c6c7a8563f838838ef52e8
Opcode Fuzzy Hash: 7bc12a31a5831b142aee112436daa8c6929d701bed790754ceed6a5a2daed673
Instruction Fuzzy Hash: 38C14970644340AAF7316B388C45FFB7BD7DF42300F44082DFA9A86392DA75A995C796

Function 006C3720 Relevance: 15.2, APIs: 2, Strings: 8, Instructions: 245stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000003A,?,00000000,?,?), ref: 006C37B6
strchr.VCRUNTIME140(00000000,0000003B,?,?,006C32FF,?,00000000,?), ref: 006C37C8

Strings

Transfer-Encoding:, xrefs: 006C3946
Content-Type:, xrefs: 006C38B7, 006C38DC
Host:, xrefs: 006C3892
Cookie:, xrefs: 006C396E
Authorization:, xrefs: 006C395A
Connection:, xrefs: 006C3925
%s, xrefs: 006C3991
Content-Length:, xrefs: 006C3901

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 2830005266-2985882615
Opcode ID: 50fde92fd50241583d11b9f464767d6ca01f7e24d7209e1c87ed379cc43a49da
Instruction ID: 50aae0584dca8d1c9219f11de352987c0d103617b86898773445ba97730929a8
Opcode Fuzzy Hash: 50fde92fd50241583d11b9f464767d6ca01f7e24d7209e1c87ed379cc43a49da
Instruction Fuzzy Hash: 1A8135B0A043206BE7209B189846FF677D7DF51348F08C5ACF8889B347F6B68B458796

Function 006860A0 Relevance: 15.1, APIs: 10, Instructions: 82windowCOMMON

Download Yara Rule

APIs

#4886.MFC140U(?,F74E5D36), ref: 006860D6
#2215.MFC140U(00000085,00000004,00000085), ref: 00686121
LoadMenuW.USER32(00000000), ref: 00686128
#2526.MFC140U(00000000), ref: 00686132
GetSubMenu.USER32(00000000,00000000), ref: 0068613D
#4885.MFC140U(00000000), ref: 00686144
GetCursorPos.USER32(00000000), ref: 0068615E
SendMessageW.USER32(00000000,0000100C,000000FF,00000002), ref: 00686170
#14377.MFC140U(00000000,00000000,00000000,?,00000000), ref: 00686185
#3932.MFC140U ref: 0068619C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Menu$#14377#2215#2526#3932#4885#4886CursorLoadMessageSend
String ID:
API String ID: 1337069456-0
Opcode ID: 015a1050537b83f7768cf423b1824453d14e20e2979d4fcf89964ce27a601f27
Instruction ID: 993e9a5ad41b9a00f09acc8791f5be45b7f065ea1647823e34431ce9c61ecd5e
Opcode Fuzzy Hash: 015a1050537b83f7768cf423b1824453d14e20e2979d4fcf89964ce27a601f27
Instruction Fuzzy Hash: B4315A72940209EBDB119FA4DC49BAEBBBAFB08711F205219FA01A72D0DBB55904CB90

Function 00684660 Relevance: 15.1, APIs: 10, Instructions: 81COMMON

Download Yara Rule

APIs

InitCommonControlsEx.COMCTL32(?,F74E5D36,?,?,?,006F8BB6,000000FF), ref: 006846A5
#7997.MFC140U(?,?,?,006F8BB6,000000FF), ref: 006846AD
#2205.MFC140U(00000000,?,?,?,006F8BB6,000000FF), ref: 006846B5
#1511.MFC140U(0000000C,?,?,?,006F8BB6,000000FF), ref: 006846BD
#952.MFC140U ref: 006846E7
#7313.MFC140U ref: 006846FA
#13442.MFC140U(00000000), ref: 00684701
#13911.MFC140U(0070B9D8), ref: 0068470E
memset.VCRUNTIME140(?,00000000,000018AC), ref: 00684722
#4092.MFC140U(?,000018AC), ref: 00684747

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #13442#13911#1511#2205#4092#7313#7997#952CommonControlsInitmemset
String ID:
API String ID: 82765627-0
Opcode ID: 4be9f9ac93dec50b77d1135306115a2898ce843f33715b71d6c66b0dccb81fc3
Instruction ID: 8ceb4de55d2c48532252ab7a661a1ee44edd0438f706691157f6a11032fbbcb4
Opcode Fuzzy Hash: 4be9f9ac93dec50b77d1135306115a2898ce843f33715b71d6c66b0dccb81fc3
Instruction Fuzzy Hash: A9319171A002099FDB50DFA4DD49BADBBFAEF48711F0452AAE556932C0EF745A40CBA0

Function 0068FE80 Relevance: 15.1, APIs: 10, Instructions: 72COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068FEAE
#7820.MFC140U(?), ref: 0068FEC5
#280.MFC140U(?), ref: 0068FED2
#5110.MFC140U(?,00000000,00000000,00000000,00000000), ref: 0068FEED
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068FEF8
#5110.MFC140U(?,00716208,00000000,00000000,00000000), ref: 0068FF13
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000), ref: 0068FF1E
#1045.MFC140U ref: 0068FF2E
WritePrivateProfileStringA.KERNEL32(0070BFB0,0070C6F4,00716208,00715D00), ref: 0068FF48
#1045.MFC140U ref: 0068FF51

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045#5110ByteCharMultiWide$#280#296#7820PrivateProfileStringWrite
String ID:
API String ID: 163277067-0
Opcode ID: dfc93849bb9ba33ae70d1029a89cb965b93927deb52a854fa003d2fe5a4fd3b9
Instruction ID: b8283fdf381e0bd8a96c528f70945c4f33890c141fcbc7e4bd2518cdc3d88b44
Opcode Fuzzy Hash: dfc93849bb9ba33ae70d1029a89cb965b93927deb52a854fa003d2fe5a4fd3b9
Instruction Fuzzy Hash: EC219F71A4020AEFDB10DB90DC5AFFEBBB9FB05715F101219F602A62D0DBB42904CB54

Function 00690240 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 321COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF,?,?,?), ref: 0069029F
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF), ref: 006902FF
memcpy.VCRUNTIME140(00000010,00000010,?,?,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF), ref: 00690332
memmove.VCRUNTIME140(00000010,00000010,?,?,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF), ref: 00690376
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF), ref: 006903B9
?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,?,?,?,0068DB4D,00000000,?,?,00000000,000000FF,?,?,?), ref: 0069054D

Strings

string too long, xrefs: 0069029A
invalid string position, xrefs: 00690548

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memmove$Xlength_error@std@@Xout_of_range@std@@memcpy
String ID: invalid string position$string too long
API String ID: 2530380750-4289949731
Opcode ID: 8c9e4df16ce85526340a35398d2609adb4bf727cbaf2801c731ed9e98e5af14d
Instruction ID: 5b78fa21db7e082379c36d7569bdf3845c04f4aecf214107d675ca67995081c7
Opcode Fuzzy Hash: 8c9e4df16ce85526340a35398d2609adb4bf727cbaf2801c731ed9e98e5af14d
Instruction Fuzzy Hash: DEB16831704109DFEF28CF0CD8C499EB7EBEF447047248929E996CBA85DB30E9958B95

Function 006DC3E0 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 240stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(?,0000002F,?,?,00000003,?,?), ref: 006DC473

Strings

Request has same path as previous transfer, xrefs: 006DC6A0
<-, xrefs: 006DC693
path contains control characters, xrefs: 006DC433
Uploading to a URL without a filename, xrefs: 006DC536

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strrchr
String ID: <-$Request has same path as previous transfer$Uploading to a URL without a filename$path contains control characters
API String ID: 3418686817-2357675496
Opcode ID: 2e6323bbfc09a46ee2787250158748ca86ba47b42cd21587031c22942d322d26
Instruction ID: 742fd9566b491c7791e9bd241f5aaff605159389a9049ec004830b17f4a19edd
Opcode Fuzzy Hash: 2e6323bbfc09a46ee2787250158748ca86ba47b42cd21587031c22942d322d26
Instruction Fuzzy Hash: 128127B0A043474BDB208F24D854BF67BE3AF85329F18017DE94697382D736E919C765

Function 006E56B0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 238stringCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(?,00000040,?,00000000,00000001,?,00000000), ref: 006E56D1
strchr.VCRUNTIME140(00000000,0000005D), ref: 006E581C
strchr.VCRUNTIME140(00000000,0000003A), ref: 006E585B
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E58AF
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,0000000A), ref: 006E58BF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006E58CA
strchr.VCRUNTIME140(00000000,00000025), ref: 006E5987

Strings

%ld, xrefs: 006E58FC
, xrefs: 006E57AE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$_errno$memchrstrtoul
String ID: $%ld
API String ID: 1397462512-2510480785
Opcode ID: bcfedb00018ab1c75a7573f764e0cd5bd7b79b8c6db31a86b026a0100f6d6be3
Instruction ID: 006af14ac3135a0d9f0df4616584e899bcda036fd37d2b2dda0d4a9d2eb1ced0
Opcode Fuzzy Hash: bcfedb00018ab1c75a7573f764e0cd5bd7b79b8c6db31a86b026a0100f6d6be3
Instruction Fuzzy Hash: 59711571A043409BDB109F1AEC847EABBD69F44359F04403AFD4697252D639CD1ACB92

Function 006A7140 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 172fileCOMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,0069F2D7), ref: 006A7210
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0069F2D7), ref: 006A72D6
fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,006FE040,?,?,?,?,?,?,?,?,?,0069F2D7), ref: 006A731F

Strings

<o, xrefs: 006A71DB
ignoring failed cookie_init for %s, xrefs: 006A71A4
WARNING: failed to open cookie file "%s", xrefs: 006A732E
#, xrefs: 006A72D6
Set-Cookie:, xrefs: 006A7263

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __acrt_iob_funcfclosefopen
String ID: #$<o$Set-Cookie:$WARNING: failed to open cookie file "%s"$ignoring failed cookie_init for %s
API String ID: 4110152555-2248043782
Opcode ID: 75f6efa20fa20e1267b67ef47d41664d65eb47b31a702bc971cc22199c857d79
Instruction ID: dd334d0572e25ac7aac0d745cf53d537887e50736ba162e7c72ae502912315bd
Opcode Fuzzy Hash: 75f6efa20fa20e1267b67ef47d41664d65eb47b31a702bc971cc22199c857d79
Instruction Fuzzy Hash: 75517C715083855ADB21BB644C42BE77BDB6F66308F080558FD8897343E762EE058BE6

Function 006BD550 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 117COMMON

Download Yara Rule

Strings

cf_udp_connect(), opened socket=%d (unconnected), xrefs: 006BD688
cf_udp_connect(), open failed -> %d, xrefs: 006BD598
cf_udp_connect(), opened socket=%d (%s:%d), xrefs: 006BD661
UDP, xrefs: 006BD628
QUIC, xrefs: 006BD634, 006BD63C
%s socket %d connected: [%s:%d] -> [%s:%d], xrefs: 006BD63D

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: %s socket %d connected: [%s:%d] -> [%s:%d]$QUIC$UDP$cf_udp_connect(), open failed -> %d$cf_udp_connect(), opened socket=%d (%s:%d)$cf_udp_connect(), opened socket=%d (unconnected)
API String ID: 0-3567288102
Opcode ID: d0070f13d25fdf3df2e0dad5c0c0f56bb47a347293455719c2e215e126e76f21
Instruction ID: d6f111f25b3bf64be02f4c175ed0cea4018362f4ed4a1a05128209ddc09cf11f
Opcode Fuzzy Hash: d0070f13d25fdf3df2e0dad5c0c0f56bb47a347293455719c2e215e126e76f21
Instruction Fuzzy Hash: E041E0B2200645FFD7219A28DC40FE7BBEEEF81324F040629F51D86252E776A99487F1

Function 0068E5C0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 111sleepCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000010), ref: 0068E5FB
Sleep.KERNEL32(000003E8), ref: 0068E655
GetTickCount.KERNEL32 ref: 0068E660
GetTickCount.KERNEL32 ref: 0068E667
GetTickCount.KERNEL32 ref: 0068E68E
memset.VCRUNTIME140(?,00000000,00000100), ref: 0068E6B0

Strings

10082|%d|%d|%d|%s%s, xrefs: 0068E6D7
103.7.141.207, xrefs: 0068E625

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CountTick$#1511Sleepmemset
String ID: 10082|%d|%d|%d|%s%s$103.7.141.207
API String ID: 3682973178-1213140457
Opcode ID: 24352e76152d1d617e95cad72aa5b4362d5e5de333e79d450c9410a0fe199465
Instruction ID: 5bbe7bd5dfd19ce89e0f1881c481adc8b4770513f6e451edef70b2a6bfde187f
Opcode Fuzzy Hash: 24352e76152d1d617e95cad72aa5b4362d5e5de333e79d450c9410a0fe199465
Instruction Fuzzy Hash: 39312770D00214DBCB28AF6CDC457E577EAEBA9750F14821AE844972E0EBB959C0CF98

Function 006B6360 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 97COMMON

Download Yara Rule

Strings

cr_in, rewind via set.seek_func -> %d, xrefs: 006B63A7
cr_in, rewind via fseek -> %d(%d), xrefs: 006B6453
necessary data rewind was not possible, xrefs: 006B6466
ioctl callback returned error %d, xrefs: 006B6414
cr_in, rewind via set.ioctl_func -> %d, xrefs: 006B6401
seek callback returned error %d, xrefs: 006B63BE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: cr_in, rewind via fseek -> %d(%d)$cr_in, rewind via set.ioctl_func -> %d$cr_in, rewind via set.seek_func -> %d$ioctl callback returned error %d$necessary data rewind was not possible$seek callback returned error %d
API String ID: 0-2618464099
Opcode ID: cf371278d66a6e05c9511cd04c8d4e610bf4fc535b2c4c73cbeddc2c2890e5ba
Instruction ID: 4238ae00e40da07308ca4b3ea2ee0d8382593df2fc8de962552c4debf9959e98
Opcode Fuzzy Hash: cf371278d66a6e05c9511cd04c8d4e610bf4fc535b2c4c73cbeddc2c2890e5ba
Instruction Fuzzy Hash: EF212C717406107BD6613738EC46FFBB7A69F86B24F050128F608A61D3C7A86CC187A5

Function 006814A7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

#296.MFC140U ref: 0068152D
#286.MFC140U(?), ref: 0068154E
#290.MFC140U(bSSO_Result_bSucceed), ref: 00681560
#2996.MFC140U(00000000), ref: 0068156F
#1045.MFC140U ref: 00681581
#1045.MFC140U ref: 0068159E
#1045.MFC140U ref: 006815B3
#1045.MFC140U ref: 006815C0
#1045.MFC140U ref: 006815C9
CallWindowProcW.USER32(?,?,?,?,F74E5D36), ref: 006815F1

Strings

bSSO_Result_bSucceed, xrefs: 00681554

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#286#290#296#2996CallProcWindow
String ID: bSSO_Result_bSucceed
API String ID: 1652504514-431560583
Opcode ID: 721fdb0b536f5d2881b520225ae070868c3ff16afd9bd5eb7923306cfcb46014
Instruction ID: 4d327c8be4514d8cb0332c36671edfd52216a4ac012cd3c8c7363814f74d388b
Opcode Fuzzy Hash: 721fdb0b536f5d2881b520225ae070868c3ff16afd9bd5eb7923306cfcb46014
Instruction Fuzzy Hash: 35419871A01009CFCB14DF98C894FFDBBF6AF4A304F104199E506AB2A1CB75AE06CB61

Function 0068E3D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068E3FE
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0068E41E
#5882.MFC140U(00000000), ref: 0068E42B
#2996.MFC140U(5uO:S), ref: 0068E439
#2996.MFC140U(0070C168), ref: 0068E45D
#2996.MFC140U(0070C170), ref: 0068E481
#1045.MFC140U ref: 0068E4A0

Strings

5uO:S, xrefs: 0068E431

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #2996$#1045#296#5882MessageSend
String ID: 5uO:S
API String ID: 3941439538-550488547
Opcode ID: 68cf05d5d8e4a5bc501dc2d5066b4bd6dd06527cd6cd79584d4620ef992691e4
Instruction ID: 88f669a675d369a5d0947dc06050346190b893ae096731f0f06d06129fe6815f
Opcode Fuzzy Hash: 68cf05d5d8e4a5bc501dc2d5066b4bd6dd06527cd6cd79584d4620ef992691e4
Instruction Fuzzy Hash: 9E214F71600208EFDB09CFA5DC56BFAB7B9FB48710F10812EE90A926E0DB746904CF54

Function 00689540 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 13processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im GameApp.exe), ref: 0068954C
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im QQSpeed_loader_New.exe), ref: 00689553
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im QQSpeed_loader.exe), ref: 0068955A
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im G_Game.exe), ref: 00689561

Strings

taskkill /f /t /im QQSpeed_loader_New.exe, xrefs: 0068954E
taskkill /f /t /im GameApp.exe, xrefs: 00689547
taskkill /f /t /im G_Game.exe, xrefs: 0068955C
taskkill /f /t /im QQSpeed_loader.exe, xrefs: 00689555

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: system
String ID: taskkill /f /t /im G_Game.exe$taskkill /f /t /im GameApp.exe$taskkill /f /t /im QQSpeed_loader.exe$taskkill /f /t /im QQSpeed_loader_New.exe
API String ID: 3377271179-749155772
Opcode ID: 471d5e22bfe6cf9ac717f0eb899fb5dbb56622c6cdf3ddf201c081050e4ba2af
Instruction ID: a7fb23120e54efa78fdc0adefedeb3cb2318fc9b5bbfeade8a691699e22cf793
Opcode Fuzzy Hash: 471d5e22bfe6cf9ac717f0eb899fb5dbb56622c6cdf3ddf201c081050e4ba2af
Instruction Fuzzy Hash: 12C04C91EC5238E6D51277ED7C5789A2D84BD07B603051343E458569D559C814508DE2

Function 006D8E10 Relevance: 13.8, APIs: 3, Strings: 6, Instructions: 332COMMON

Download Yara Rule

Strings

Access denied. %c, xrefs: 006D90B0, 006D9112
STARTTLS denied, xrefs: 006D8FAA
Got unexpected pop3-server response, xrefs: 006D8ECB
Authentication failed: %d, xrefs: 006D9081
PASS %s, xrefs: 006D90DF
Authentication cancelled, xrefs: 006D9061

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: Access denied. %c$Authentication cancelled$Authentication failed: %d$Got unexpected pop3-server response$PASS %s$STARTTLS denied
API String ID: 0-2527238549
Opcode ID: 19789c8dbbf71c7680e4a54cf3101ec23f11e273b97596e89f02821ac6237710
Instruction ID: eb106c7bc29ead5ebdf576dba78e558475cfe12a8e207fa3bb1256f510a99ab4
Opcode Fuzzy Hash: 19789c8dbbf71c7680e4a54cf3101ec23f11e273b97596e89f02821ac6237710
Instruction Fuzzy Hash: 40A129B1D00201AFD711AB149C8ABFB379AAB45354F48027EFD09AB342E7359E4587F5

Function 006C3DB0 Relevance: 13.8, APIs: 2, Strings: 7, Instructions: 251stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000003A), ref: 006C3E45
strchr.VCRUNTIME140(?,0000003B), ref: 006C3E9F

Strings

Transfer-Encoding:, xrefs: 006C3FEE
Content-Type:, xrefs: 006C3F36, 006C3F64
Host:, xrefs: 006C3F08
Cookie:, xrefs: 006C402C
Authorization:, xrefs: 006C400D
Connection:, xrefs: 006C3FC0
Content-Length:, xrefs: 006C3F92

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:
API String ID: 2830005266-1531314743
Opcode ID: cc85d8dd45656019be59c8ef9737971b3f84fb483d3c6dd2f7d39c4a51c436e2
Instruction ID: 98748a0945a92e4df4bae4a8a9a39ff4cd39718e7cd85f8e62faa21a9c25bc23
Opcode Fuzzy Hash: cc85d8dd45656019be59c8ef9737971b3f84fb483d3c6dd2f7d39c4a51c436e2
Instruction Fuzzy Hash: 9A715470A043556BEB209B249845FF67BDBDF55388F18846DEC888B353EB368E86C711

Function 006ECAC0 Relevance: 13.7, APIs: 1, Strings: 8, Instructions: 226stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006ECCC4

Strings

0, xrefs: 006ECC5C
operation aborted by trailing headers callback, xrefs: 006ECC9F
%zx, xrefs: 006ECB64
Malformatted trailing header, skipping trailer, xrefs: 006ECD1C
http_chunk, added last chunk with trailers from client -> %d, xrefs: 006ECD52
http_chunk, made chunk of %zu bytes -> %d, xrefs: 006ECBF0
0, xrefs: 006ECC40
http_chunk, added last, empty chunk, xrefs: 006ECC2E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: %zx$0$0$Malformatted trailing header, skipping trailer$http_chunk, added last chunk with trailers from client -> %d$http_chunk, added last, empty chunk$http_chunk, made chunk of %zu bytes -> %d$operation aborted by trailing headers callback
API String ID: 2830005266-126491959
Opcode ID: 8b88ec003910be0ae4c7bc4199f0f7e15468f48c8253444c6a67f6f3be8bc0a9
Instruction ID: 28c88b8a3e0458e7c0f3bccb23aa8bc6353907d8ebf8a4ca8e6f789171eb5a0d
Opcode Fuzzy Hash: 8b88ec003910be0ae4c7bc4199f0f7e15468f48c8253444c6a67f6f3be8bc0a9
Instruction Fuzzy Hash: 0C7156B1604340ABD361EA24CC42FBB77DEEF94720F44092DF98597242E775E906C7A6

Function 006E3450 Relevance: 13.7, APIs: 4, Strings: 5, Instructions: 219COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(00000000,00000000,?), ref: 006E3551
memcpy.VCRUNTIME140(00000001,?,00000000,00000000,00000000,?), ref: 006E3563
memcpy.VCRUNTIME140(?,?,?), ref: 006E3629
memcpy.VCRUNTIME140(00000002,?,006FDFA2), ref: 006E3660

Strings

Password is too large: [%zu], xrefs: 006E3682
Using client id '%s', xrefs: 006E35CE
Client ID length mismatched: [%zu], xrefs: 006E369A
Username is too large: [%zu], xrefs: 006E367B
curl, xrefs: 006E345E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpy$memset
String ID: Client ID length mismatched: [%zu]$Password is too large: [%zu]$Username is too large: [%zu]$Using client id '%s'$curl
API String ID: 438689982-613767030
Opcode ID: 559d840f19ec4a9733fa21c2706b53838e774652ef6449787f97afe3c4412f43
Instruction ID: 3fa82b13275591a0714899df41f2c522e95e79ecff35614b0c8b54340afd4539
Opcode Fuzzy Hash: 559d840f19ec4a9733fa21c2706b53838e774652ef6449787f97afe3c4412f43
Instruction Fuzzy Hash: 39811471608342AFC704CF29C844AABBBE6EF89304F04866DF44597352EB75E609CB96

Function 00686CF0 Relevance: 13.6, APIs: 9, Instructions: 84windowCOMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_000061E0,00000000,00000000,00000000,F74E5D36), ref: 00686D75
#290.MFC140U(?), ref: 00686D87
#8360.MFC140U(?,?), ref: 00686D9C
#12921.MFC140U(?,?), ref: 00686DB1
#1523.MFC140U(00000000), ref: 00686DBF
#1045.MFC140U ref: 00686DC8
SendMessageW.USER32(?,0000040B,00000002,?), ref: 00686DE0
#1045.MFC140U ref: 00686DE9
#1045.MFC140U ref: 00686DF2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#12921#1523#290#8360MessageSend_beginthreadex
String ID:
API String ID: 3319011129-0
Opcode ID: 19d969d22f62663324ab3fdec07570c4ddb3f2a0d9ee3e72f913dd4f3cd4efb7
Instruction ID: 90c299825d1c6ce3d902bb7cd549b6fb4f06c3efdff9c7cfcc253e8573af511d
Opcode Fuzzy Hash: 19d969d22f62663324ab3fdec07570c4ddb3f2a0d9ee3e72f913dd4f3cd4efb7
Instruction Fuzzy Hash: AE316F71A0020AEBDB21DF54DD09FEE7BBAEF04711F109229F512A6290DBB46904CB55

Function 006B22C0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 238stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A), ref: 006B239B
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?,00000000), ref: 006B23B5

Strings

Connecting to hostname: %s, xrefs: 006B240C
Connecting to port: %d, xrefs: 006B2441
z-, xrefs: 006B23B5
%s%s%s, xrefs: 006B232F
Alt-svc connecting from [%s]%s:%d to [%s]%s:%d, xrefs: 006B2552

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchrstrtol
String ID: %s%s%s$Alt-svc connecting from [%s]%s:%d to [%s]%s:%d$Connecting to hostname: %s$Connecting to port: %d$z-
API String ID: 1008397618-939228412
Opcode ID: 86872f0d7f3f2f825fd0d371705033fb74d1862453ac07b34715fb7e6980025b
Instruction ID: 091a02dcedbf51ec142311ff9ccd53d8c72b96ac2056d09b4c7dffe440a66edf
Opcode Fuzzy Hash: 86872f0d7f3f2f825fd0d371705033fb74d1862453ac07b34715fb7e6980025b
Instruction Fuzzy Hash: 838122F1604302AFD7149B28C851AEBBBE6FF49314F04062CF99887342D335E9958BA2

Function 006E0720 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000005C,?,?), ref: 006E0743
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000,?), ref: 006E0800
_close.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 006E080E
_write.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?), ref: 006E0925
_close.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006E09A2

Strings

cannot get the size of %s, xrefs: 006E0816
cannot open %s for writing, xrefs: 006E07A0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _close$_fstat64_writestrchr
String ID: cannot get the size of %s$cannot open %s for writing
API String ID: 3285556867-864107740
Opcode ID: 28eaa66289d3140185ebb05cdcb593d336057bff022930b224604dfeb89e55bd
Instruction ID: 1938ee28b0e71f8b29810738afd572b5ee655d2893a689598cfe85b343d95aa4
Opcode Fuzzy Hash: 28eaa66289d3140185ebb05cdcb593d336057bff022930b224604dfeb89e55bd
Instruction Fuzzy Hash: 297138716053409FF7109F65CC41BABB3EAFF88304F54092EF49997302EB75A9848B96

Function 006B9B00 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.,?,000006BA), ref: 006B9B7D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000), ref: 006B9CDC
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 006B9D0C
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000000), ref: 006B9D42

Strings

%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u, xrefs: 006B9CBF
# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk., xrefs: 006B9B78
#, xrefs: 006B9CDC, 006B9D42

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fclose$_unlinkfputs
String ID: #$# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.$%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %u
API String ID: 1930359506-1623550003
Opcode ID: a184cc10e8b53a263f46427da35daa27b52d72f796496f5a517522fce03a27ac
Instruction ID: 854e3375f7cd64f7058da8554ea0f65e8865f55ba1fb6bb07e215f49b19b8a81
Opcode Fuzzy Hash: a184cc10e8b53a263f46427da35daa27b52d72f796496f5a517522fce03a27ac
Instruction Fuzzy Hash: 5C6191B1508700AFDB108F55D841AABBBEAFF88704F14492DFA85C7351E735E894CBA2

Function 006DBB80 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 182COMMON

Download Yara Rule

APIs

#111.WS2_32(?,?,?,?,?,?,?,?,?,?,?), ref: 006DBCEE

Strings

STOP, xrefs: 006DBD40
We got a 421 - timeout, xrefs: 006DBD10
FTP response aborted due to select/poll error: %d, xrefs: 006DBCF5
[%s] -> [%s], xrefs: 006DBD46
FTP response timeout, xrefs: 006DBD72
???, xrefs: 006DBD3B, 006DBD45

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: ???$FTP response aborted due to select/poll error: %d$FTP response timeout$STOP$We got a 421 - timeout$[%s] -> [%s]
API String ID: 568940515-3824067452
Opcode ID: 145643771399b1e5fc7ceb8341877db8c0cb15e6ca15bf9475033f9f5841ac01
Instruction ID: 2d9737b2150502ab3bd8ea274189fb30bf9681944d63b2da9e7400240de92a81
Opcode Fuzzy Hash: 145643771399b1e5fc7ceb8341877db8c0cb15e6ca15bf9475033f9f5841ac01
Instruction Fuzzy Hash: 4F5145B1A04700DBE300AE18DC41BAB77D6FFC1314F88156EF84487396EB35D9098BAA

Function 006BCC60 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 173COMMON

Download Yara Rule

APIs

#4.WS2_32(000000FF,?,00000000), ref: 006BCD05
#111.WS2_32 ref: 006BCD0F
#112.WS2_32(00000000), ref: 006BCD8A

Strings

local address %s port %d..., xrefs: 006BCD2D
connect to %s port %u from %s port %d failed: %s, xrefs: 006BCDC0
connected, xrefs: 006BCEA5
not connected yet, xrefs: 006BCE1C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111#112
String ID: connect to %s port %u from %s port %d failed: %s$connected$local address %s port %d...$not connected yet
API String ID: 3591145537-3816509080
Opcode ID: c2591d3500c4eca80be1cc9f1f8f73ff4187b4f759997254fcf03051d5f0478d
Instruction ID: a46e1321260f2d746a30c414e912281e2bd4abdda6c6c4e01c9d3c00288478c8
Opcode Fuzzy Hash: c2591d3500c4eca80be1cc9f1f8f73ff4187b4f759997254fcf03051d5f0478d
Instruction Fuzzy Hash: 9D61F7F0504745EFD7219B74CC41FE7BBEAAF06324F000A2CF56A42292D735AA95C7A2

Function 00688C00 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

#13656.MFC140U(?,0000000B,0070C178), ref: 00688D7B
memset.VCRUNTIME140(?,00000000,00000400), ref: 00688D8F
memset.VCRUNTIME140(?,00000000,00000400,?,00000000,00000400), ref: 00688DA2
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000010,00000000), ref: 00688DB7
WritePrivateProfileStringA.KERNEL32(?,Soso,?,?), ref: 00688DFA

Strings

Soso, xrefs: 00688DF4
%s\SosoAppdata.ini, xrefs: 00688DCA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset$#13656FolderPathPrivateProfileSpecialStringWrite
String ID: %s\SosoAppdata.ini$Soso
API String ID: 155243410-318351428
Opcode ID: eef853a01068d10cb7bac86758305654b8323cb13b14da7102391e69cff1221a
Instruction ID: 6a3b34ec628e5a94d919fe8dfc8b03895bbae8ecccb2ffab2951e84f5788785e
Opcode Fuzzy Hash: eef853a01068d10cb7bac86758305654b8323cb13b14da7102391e69cff1221a
Instruction Fuzzy Hash: 8451F6B1A042089FDF24EF28CC457A97BBAFB05704F4046E8E5456B2C2CBB59A85CBD5

Function 006DE010 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 159COMMON

Download Yara Rule

Strings

NLST, xrefs: 006DE0FF, 006DE122
%s%s%s, xrefs: 006DE123
Couldn't set desired mode, xrefs: 006DE02B
Got a %03d response code instead of the assumed 200, xrefs: 006DE049
o, xrefs: 006DE119
LIST, xrefs: 006DE104

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST$o
API String ID: 0-1103140983
Opcode ID: 7f8801ae17c3b51c34fe59edee1bc3a8a766b7bf58c8c89b43f8f4ddcee79e6c
Instruction ID: 0237945027813a4c8eb5577f54df47bbefe4ff21f0ac9591b7252f72ccb36549
Opcode Fuzzy Hash: 7f8801ae17c3b51c34fe59edee1bc3a8a766b7bf58c8c89b43f8f4ddcee79e6c
Instruction Fuzzy Hash: EC414DB6B402046BE710AB69AC41BF773DBDBD4351F44003EF645C7382E662DD5A83A5

Function 006A6EA0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 152COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000003,00000000,?,00000000,0069AF76,00000000,00000001,00000003,00000003,00000000), ref: 006A6F3E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00000003,00000000,?,00000000,0069AF76,00000000,00000001,00000003,00000003,00000000), ref: 006A7006

Strings

<o, xrefs: 006A6F08
WARNING: failed to open cookie file "%s", xrefs: 006A703C
#, xrefs: 006A7006
Set-Cookie:, xrefs: 006A6F93

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __acrt_iob_funcfclose
String ID: #$<o$Set-Cookie:$WARNING: failed to open cookie file "%s"
API String ID: 4244885452-1376971835
Opcode ID: 591aa828de0a9c9dc0d08d97daec0d5e399c891639ba71726a249a1eb26a3684
Instruction ID: b4f2aa145ddd263c2d86560b40434061d9cfc4ba4e57c607ca4fb4fe3324554f
Opcode Fuzzy Hash: 591aa828de0a9c9dc0d08d97daec0d5e399c891639ba71726a249a1eb26a3684
Instruction Fuzzy Hash: B3416B706083856ED721BB749C42BE7BB8B6F17304F4C055CF99497382E7A2DD098BA6

Function 006D2CA0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

#9.WS2_32(?), ref: 006D2CFF
#9.WS2_32(?), ref: 006D2D10
#19.WS2_32(?,?,00000003,00000000), ref: 006D2D96
#111.WS2_32 ref: 006D2DA2
#19.WS2_32(?,?,00000002,00000000), ref: 006D2DDA
#111.WS2_32 ref: 006D2DE0

Strings

Sending data failed (%d), xrefs: 006D2DA5, 006D2DE3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: Sending data failed (%d)
API String ID: 568940515-2319402659
Opcode ID: a61058faac27f7c69f6ecc652bc554d883259da14ee034431917cd236a18310f
Instruction ID: c78def7376b23d6830a1318b972f37d2c6a058c8dde46c9818ce8f16ab926e92
Opcode Fuzzy Hash: a61058faac27f7c69f6ecc652bc554d883259da14ee034431917cd236a18310f
Instruction Fuzzy Hash: F941D471604246DFD712CF28CC81EAA7BAAFF69310F240596F95ACB392D770D911CBA4

Function 006BE8F0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000), ref: 006BE951
#6.WS2_32(000000FF,?,?,?,?,?), ref: 006BE964
#111.WS2_32 ref: 006BE96E

Part of subcall function 006A1500: GetLastError.KERNEL32 ref: 006A1503
Part of subcall function 006A1500: _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A150B

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006BE9DF
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006BE9E3

Strings

ssloc inet_ntop() failed with errno %d: %s, xrefs: 006BE9FD
getsockname() failed with errno %d: %s, xrefs: 006BE98B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno$#111ErrorLastmemset
String ID: getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s
API String ID: 2462052209-2605427207
Opcode ID: 21f16a1848f7146f5c58713addeb1bd8ba5bed3f6c008f16c54595e4e9c9d659
Instruction ID: 7eb13ee2fa50f254681296556c7309f30a76c9b817e6bb301125903c532d81dd
Opcode Fuzzy Hash: 21f16a1848f7146f5c58713addeb1bd8ba5bed3f6c008f16c54595e4e9c9d659
Instruction Fuzzy Hash: 64319CB66002046FD760EB64DC42FEB73DDBF89310F44442EF549D7182EE75A90887A6

Function 0068E960 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(F74E5D36,00000000,00000100,F74E5D36), ref: 0068E9AE
GetWindowTextA.USER32(?,F74E5D36,00000100), ref: 0068E9D2
P_UserReg.PLFL32(0071623C,0071623C,F74E5D36,llk,llk,llk,?,F74E5D36), ref: 0068E9F8
#290.MFC140U(00000000,?,F74E5D36), ref: 0068EA05
#13806.MFC140U(00000000,?,00000001,?,F74E5D36), ref: 0068EA22
#1045.MFC140U(?,F74E5D36), ref: 0068EA3E

Strings

llk, xrefs: 0068E9D8, 0068E9DD, 0068E9E2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045#13806#290TextUserWindowmemset
String ID: llk
API String ID: 2154680559-2913236781
Opcode ID: ed54396b91b5feee5f90c7634614c197056c38cd7434e86a8243add837118332
Instruction ID: b795c4384ba2aec45eff43f283b7740e45b32b8d8a4dfda6c47f3bd5452c948b
Opcode Fuzzy Hash: ed54396b91b5feee5f90c7634614c197056c38cd7434e86a8243add837118332
Instruction Fuzzy Hash: 67216072E44208ABDB15EB54CD06FF977B9FB08B00F000699F606A22C0DBB56940CB54

Function 006A15F0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 006A15F3
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A15FB
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1648
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 006A1652
GetLastError.KERNEL32 ref: 006A1656
SetLastError.KERNEL32(00000000), ref: 006A1661

Strings

Unknown error %lu (0x%08lX), xrefs: 006A1633

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ErrorLast_errno
String ID: Unknown error %lu (0x%08lX)
API String ID: 3939687465-1512744739
Opcode ID: 8f95a4837d20ff089b72ff4e9aff6cea7b72d41e0c596342099c5d9b6fe980e7
Instruction ID: f56ed085eeaad68ad548862a963ee64c4af8c8893ecf47cec158808ff0a97092
Opcode Fuzzy Hash: 8f95a4837d20ff089b72ff4e9aff6cea7b72d41e0c596342099c5d9b6fe980e7
Instruction Fuzzy Hash: 1E0184B6604209AFC700AF69EC8496FBBAEEB47365F151469F945C7211EB31DC00CA75

Function 00684CD0 Relevance: 12.1, APIs: 8, Instructions: 144stringCOMMON

Download Yara Rule

APIs

#265.MFC140U(?,F74E5D36), ref: 00684D5D
memset.VCRUNTIME140(00000000,00000000), ref: 00684D6A
memcpy.VCRUNTIME140(?,?,?,00000000,00000000), ref: 00684D76
#265.MFC140U(?), ref: 00684D91
memset.VCRUNTIME140(00000000,00000000,?), ref: 00684D9E
memcpy.VCRUNTIME140(?,?,?,00000000,00000000,?), ref: 00684DAB
strtok.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,00000000,00000000,?), ref: 00684DB4
strtok.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 00684E1C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #265memcpymemsetstrtok
String ID:
API String ID: 2723456201-0
Opcode ID: 1e963a171a83c9b4f64ad5c4b0780b38603950ed1db076f23d2c4a8a8cf795a7
Instruction ID: 57a4d6ab147a7f3c070efb2d7bde484c991b10ec7dc4c1b6dc95ed8a65caabc7
Opcode Fuzzy Hash: 1e963a171a83c9b4f64ad5c4b0780b38603950ed1db076f23d2c4a8a8cf795a7
Instruction Fuzzy Hash: 2D514AB2D0021A9FCB11DFA5C884AEEFBB6FF48710F15426AE815B7340DB356941CBA4

Function 00689570 Relevance: 12.1, APIs: 8, Instructions: 54windowthreadCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00689589
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0068959F
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_0000A340,?,00000000,00000000), ref: 006895B9
_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_0000BB50,?,00000000,00000000,?,00000000,00000000), ref: 006895CE
TerminateThread.KERNEL32(00000000), ref: 006895E7
TerminateThread.KERNEL32(00000000), ref: 006895F1
CloseHandle.KERNEL32 ref: 006895FF
CloseHandle.KERNEL32 ref: 00689607

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CloseHandleMessageSendTerminateThread_beginthreadex
String ID:
API String ID: 79264856-0
Opcode ID: bfcd9aaa5b8c140add15582f95e514ca06d2c775dfae856e8bd1febbeedabcaa
Instruction ID: e6554c348f8fe33cfef7669fb64bfde0e8aa36087db14a80b266673b2774b387
Opcode Fuzzy Hash: bfcd9aaa5b8c140add15582f95e514ca06d2c775dfae856e8bd1febbeedabcaa
Instruction Fuzzy Hash: BD114431B80614F6E7245B25EC06F9A7FB5E780B10F158116F6047B1F0D7B92811DF88

Function 006E68F0 Relevance: 10.8, APIs: 7, Instructions: 337stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000005D), ref: 006E6985
memcpy.VCRUNTIME140(?,?,00000000,?,00000000), ref: 006E69B4
memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000), ref: 006E6A90
strchr.VCRUNTIME140(?,0000002F,?,?,00000000,?,?,00000000), ref: 006E6AA0
atoi.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,?,?,?,?,?,?,00000000), ref: 006E6AB2
#8.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006E6C1E
#8.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006E6C26

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpystrchr$atoi
String ID:
API String ID: 1929349925-0
Opcode ID: 332fd2afa5b04bade577f8c2fd3e6dc52195654200b8dcaedb13962268e0a562
Instruction ID: 542559df60d3dc9784a6bef860e1dfaf8a8e74debcbfa30a7835c08ccf1ae6e9
Opcode Fuzzy Hash: 332fd2afa5b04bade577f8c2fd3e6dc52195654200b8dcaedb13962268e0a562
Instruction Fuzzy Hash: DCB17E7150A3C54BDB308E6AC4847FA7B97EBB27D8F68496CF4C547342D631D84A8311

Function 006F7840 Relevance: 10.8, APIs: 4, Strings: 3, Instructions: 297COMMON

Download Yara Rule

Strings

GSSAPI handshake failure (invalid security data), xrefs: 006F7936
GSSAPI handshake failure (invalid security layer), xrefs: 006F7974
GSSAPI handshake failure (empty security message), xrefs: 006F7C06

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
API String ID: 0-3320144510
Opcode ID: 0141afa7f32062ea71abe63b4d30daf1c097d2eb78b3c77d5206b97273a1258f
Instruction ID: cb5d4a8de631e128c7e4c87235c675d75ae848f142aa1808d8480635658a8fcd
Opcode Fuzzy Hash: 0141afa7f32062ea71abe63b4d30daf1c097d2eb78b3c77d5206b97273a1258f
Instruction Fuzzy Hash: 1AB1BEB29083049FD710DF68DC45BAABBE9BF88301F14886DF689C7262DB79D504CB56

Function 006AB580 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 287COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000A0D,?,?,?), ref: 006AB719
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB7F5
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 006AB8C7

Strings

Content-Type, xrefs: 006AB5F3
#, xrefs: 006AB8C7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fclosememcpymemmove
String ID: #$Content-Type
API String ID: 1772006735-3201630470
Opcode ID: 77025ef4233b3f0e30f11e832d4e0b96cada1a9f254795fccff785aee483f305
Instruction ID: 145c03c813abbb5ea633b4e7310e4828bf7dacad57bd83bf3737d04e02227b18
Opcode Fuzzy Hash: 77025ef4233b3f0e30f11e832d4e0b96cada1a9f254795fccff785aee483f305
Instruction Fuzzy Hash: B0B1AFB1A00762AFD720EF29C8446A6BBAAFF46714F04121AE85497B52D375FC64CFC1

Function 006B3350 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 224stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(localhost/,?,0000000A,?,00000000,00000000,?), ref: 006B3378

Strings

localhost/, xrefs: 006B3373
Couldn't resolve proxy '%s', xrefs: 006B3449
Could not resolve host: %s, xrefs: 006B355C
<-, xrefs: 006B3378
Failed to resolve host '%s' with timeout after %lld ms, xrefs: 006B3527
Unix socket path too long: '%s', xrefs: 006B35BD

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strncmp
String ID: <-$Could not resolve host: %s$Couldn't resolve proxy '%s'$Failed to resolve host '%s' with timeout after %lld ms$Unix socket path too long: '%s'$localhost/
API String ID: 1114863663-4274137876
Opcode ID: c57bb64bdb8cfacffcf9441deb738a4c1bd9354669280d0364662059e0f2a2fe
Instruction ID: ddb368e9e3178febf01b214d18e01957f91dae23469e222afb9616beec06507b
Opcode Fuzzy Hash: c57bb64bdb8cfacffcf9441deb738a4c1bd9354669280d0364662059e0f2a2fe
Instruction Fuzzy Hash: 9C7178B17007409BE7105B28DC41BFB77E6EF81315F84047DF98686392EB26E9488765

Function 006E76B0 Relevance: 10.7, APIs: 1, Strings: 6, Instructions: 193stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003A), ref: 006E7712

Strings

Keep-Alive, xrefs: 006E7886
CONNECT, xrefs: 006E777F
%s%s%s:%d, xrefs: 006E7742
User-Agent, xrefs: 006E7824, 006E7850
Host, xrefs: 006E77C5, 006E77E5
Proxy-Connection, xrefs: 006E786D, 006E788E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: %s%s%s:%d$CONNECT$Host$Keep-Alive$Proxy-Connection$User-Agent
API String ID: 2830005266-3503046744
Opcode ID: 9e75afcde27fa25a769a169f93410d609430a4ceb462bf7324b141a52e5ecce1
Instruction ID: 69e72a4a5e427b2630c97f39b765b5245370b59b3a258f28cde56bc934a3e7ce
Opcode Fuzzy Hash: 9e75afcde27fa25a769a169f93410d609430a4ceb462bf7324b141a52e5ecce1
Instruction Fuzzy Hash: B15129B1909390ABDF258B168C46FAB33DAAF50714F0984B8FD44AB392E375ED41C791

Function 006E3C20 Relevance: 10.7, APIs: 7, Instructions: 184stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 006E3C44
strchr.VCRUNTIME140(00000000,0000003F), ref: 006E3C67
strrchr.VCRUNTIME140(00000000,0000002F), ref: 006E3C8B
strchr.VCRUNTIME140(00000000,0000002F), ref: 006E3C9D
strrchr.VCRUNTIME140(00000000,0000002F), ref: 006E3CE8

Part of subcall function 006E61E0: strstr.VCRUNTIME140(00000000,007074FC,?,?,?,?,006E429C,?,?,?,00000001,?), ref: 006E61FF
Part of subcall function 006E61E0: strchr.VCRUNTIME140(-00000002,0000003F), ref: 006E6217
Part of subcall function 006E61E0: strchr.VCRUNTIME140(-00000002,0000002F,-00000002,0000003F), ref: 006E6221

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$strrchrstrstr
String ID:
API String ID: 2821825659-0
Opcode ID: 5e01aaa05e64b21ad86409ef611e6f94d30be1e3191953af802e4effa0ddfe08
Instruction ID: c48b32a676f5e774ff5c6cdb1065d875d2f65c8f9910afd41d624789710b4bbc
Opcode Fuzzy Hash: 5e01aaa05e64b21ad86409ef611e6f94d30be1e3191953af802e4effa0ddfe08
Instruction Fuzzy Hash: EB5177619093D16AEB3196268C4D7B77BCB9FA1700F1D04BCE8849B343F365DE0A8762

Function 006ADE70 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 171COMMON

Download Yara Rule

APIs

#111.WS2_32 ref: 006AE006

Strings

shutdown and remove SSL, done -> %d, xrefs: 006ADFED
select/poll on SSL socket, errno: %d, xrefs: 006AE00D
SSL shutdown timeout, xrefs: 006ADFA3, 006AE02A
8@q, xrefs: 006ADE98
shutdown and remove SSL, start, xrefs: 006ADEB1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: 8@q$SSL shutdown timeout$select/poll on SSL socket, errno: %d$shutdown and remove SSL, done -> %d$shutdown and remove SSL, start
API String ID: 568940515-1587203735
Opcode ID: 51847ba4f168d9cd4ab612a8e5221d217818e373eebc1d16f5d1a8cf6fd794fc
Instruction ID: 21e1278837e3196271b4738a5959b464d952fde31619b267a4a362118bafe44e
Opcode Fuzzy Hash: 51847ba4f168d9cd4ab612a8e5221d217818e373eebc1d16f5d1a8cf6fd794fc
Instruction Fuzzy Hash: DC512271208301AFC700AF149C40FA7BBABAF96314F4805ADF94A57313E722ED548BA6

Function 006BAB80 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,007000C0), ref: 006BABE4

Strings

., xrefs: 006BACE4
unlimited, xrefs: 006BAC93
%256s "%64[^"]", xrefs: 006BAC7C
#, xrefs: 006BAD5E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fopen
String ID: #$%256s "%64[^"]"$.$unlimited
API String ID: 1432627528-2668097490
Opcode ID: 1315f127c1d80a78d3aab81261e085635e95815deb3cde16b5c9e835fbce3359
Instruction ID: 912064a90887faceb00343cef9c8aa9576656f9e3a6979dfa2b69633b9030495
Opcode Fuzzy Hash: 1315f127c1d80a78d3aab81261e085635e95815deb3cde16b5c9e835fbce3359
Instruction Fuzzy Hash: 0A5122B18083459BC7209FA49C41AEB7BEBAF46314F44496DE89487342E736D989C7A3

Function 006BDC40 Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 137stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(if!,?,00000003,?,?,?,0069F79F,?,?,?,?,?), ref: 006BDC55
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(host!,?,00000005), ref: 006BDC9A

Strings

ifhost!, xrefs: 006BDCDA
if!, xrefs: 006BDC50
host!, xrefs: 006BDC95

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strncmp
String ID: host!$if!$ifhost!
API String ID: 1114863663-1045667623
Opcode ID: c129e4b8b55b190a8795e5187ace954b75f7110c9c258d5765abcceff1e53cad
Instruction ID: 80cf0a5bbaf2df3a96264260d8a0f8d73ed0dd777db37c18f4682965f0b18a9b
Opcode Fuzzy Hash: c129e4b8b55b190a8795e5187ace954b75f7110c9c258d5765abcceff1e53cad
Instruction Fuzzy Hash: A331D5B37042105BE7219B29AC01BDB3BDADFC5728F044129F88C9B285F626D95687A6

Function 00691970 Relevance: 10.6, APIs: 7, Instructions: 116networkCOMMON

Download Yara Rule

APIs

#1511.MFC140U(00000030,0009182E,000916B8,00000000,?,?,0068E713,?,?), ref: 006919BD
memset.VCRUNTIME140(00000000,00000000,00000030,?,?,0068E713,?,?), ref: 006919CA
#265.MFC140U(0068E70F,?,?,?,?,?,?,0068E713,?,?), ref: 006919E6
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,0068E713,?,?), ref: 00691A0B
WSASend.WS2_32(00000000,0068E713,00000001,00000024,00000000,00000000,00000000), ref: 00691A38
#111.WS2_32(?,?,?,?,?,?,0068E713,?,?), ref: 00691A42

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111#1511#265Sendmemcpymemset
String ID:
API String ID: 427405811-0
Opcode ID: 8988dee271864c3390377be4eddc301f3cb55a50dd1a510a9848049f3fecfd74
Instruction ID: e6598a9f6bd8f3368f7236a10af8f3e004a9ffe8a131cae2535e2ce0c00e5f60
Opcode Fuzzy Hash: 8988dee271864c3390377be4eddc301f3cb55a50dd1a510a9848049f3fecfd74
Instruction Fuzzy Hash: 5B4171B1E01209AFDB00DF58D885BAAB7BDFF09320F20416AE9099B781D7759E50CBD1

Function 006D5DB0 Relevance: 10.6, APIs: 7, Instructions: 104COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 006D5DDB
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 006D5DE0
#60.WLDAP32(?,00000000,00000000), ref: 006D5DEA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,00000000,00000000,800000D3,?,?,006D54B6,?,?,?,?), ref: 006D5E00
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,00000000,800000D3,?,?,006D54B6,?,?,?,?), ref: 006D5E0B
#45.WLDAP32(?,00000000,?,00004086,00000000,00000000,800000D3,?,?,006D54B6,?,?,?,?), ref: 006D5E7F
#45.WLDAP32(?,00000000,00000000,00000486), ref: 006D5EAA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _strdupfree
String ID:
API String ID: 1865132094-0
Opcode ID: fca9daf6fcb682da24170897602cbee00b9ce2d813fb47a19ab34cda4cd721eb
Instruction ID: d268ccd2c00ebd5c4ae21bd801317dccb1cd7410e0933ed42479f19dc33738e1
Opcode Fuzzy Hash: fca9daf6fcb682da24170897602cbee00b9ce2d813fb47a19ab34cda4cd721eb
Instruction Fuzzy Hash: C531F432E047105BD310AB59DC49BEB779ADF803A0F49442BFE4687351FA2ADE1587A2

Function 00693740 Relevance: 10.6, APIs: 7, Instructions: 85COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,F74E5D36,?,?,?,000000FF,?,00696405,F74E5D36,F74E5D36,?,F74E5D36,?,?), ref: 00693772
??Bid@locale@std@@QAEIXZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 0069378D
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 006937B1
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000000,?,00696405,F74E5D36,F74E5D36), ref: 006937D2
_CxxThrowException.VCRUNTIME140(0070DA54,0071084C), ref: 006937FF
std::_Facet_Register.LIBCPMT ref: 00693815
??1_Lockit@std@@QAE@XZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 00693820

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@ExceptionFacet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 240979420-0
Opcode ID: e5bc84cebf4c746d551b940e921221626c63dd54da82a661c868543c370a5c19
Instruction ID: 0ae28a91367e777972d89cf9a29a9c687d4be69236620548f5905e411e2e852c
Opcode Fuzzy Hash: e5bc84cebf4c746d551b940e921221626c63dd54da82a661c868543c370a5c19
Instruction Fuzzy Hash: BE317071E00228CFCF10DFA4D945ABEB7BAEF08720F15425AE911A7791D774AE44CB94

Function 006A8580 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 006CB710: getaddrinfo.WS2_32(?,?,?,?), ref: 006CB731
Part of subcall function 006CB710: memcpy.VCRUNTIME140(00000020,00000000,?), ref: 006CB7F3
Part of subcall function 006CB710: memcpy.VCRUNTIME140(00000000,00000000,?), ref: 006CB810

#111.WS2_32 ref: 006A85D4
#111.WS2_32 ref: 006A85DA
EnterCriticalSection.KERNEL32(?), ref: 006A85F3
LeaveCriticalSection.KERNEL32(?), ref: 006A8602
#19.WS2_32(?,?,00000001,00000000), ref: 006A8631
#111.WS2_32 ref: 006A863B
LeaveCriticalSection.KERNEL32(?), ref: 006A864A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111CriticalSection$Leavememcpy$Entergetaddrinfo
String ID:
API String ID: 592510336-0
Opcode ID: 41523aff284fefc8879b527b4ac59597ba94909c0c81e9227d901a2917591a58
Instruction ID: 07f1f6d9c3a5116c16c5f219bc751c52a8508f662db44a37f839845d55d4f212
Opcode Fuzzy Hash: 41523aff284fefc8879b527b4ac59597ba94909c0c81e9227d901a2917591a58
Instruction Fuzzy Hash: E5216D715007049FD720AF69CC45AABB7EAFF49704F00092DE98683661EB71E944CF66

Function 0068EA60 Relevance: 10.6, APIs: 7, Instructions: 64COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,F74E5D36), ref: 0068EAAE
memset.VCRUNTIME140(F74E5D36,00000000,00000100,?,00000000,00000100,F74E5D36), ref: 0068EAC1
GetWindowTextA.USER32(?,?,00000100), ref: 0068EAE3
P_CardReCharge.PLFL32(0071623C,?,F74E5D36,?,?,?,?,F74E5D36), ref: 0068EAFC
#290.MFC140U(00000000,?,?,?,?,F74E5D36), ref: 0068EB09
#13806.MFC140U(00000000,?,00000001,?,?,?,?,F74E5D36), ref: 0068EB26
#1045.MFC140U(?,?,?,?,F74E5D36), ref: 0068EB42

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset$#1045#13806#290CardChargeTextWindow
String ID:
API String ID: 593434437-0
Opcode ID: 69d12a408f53fa51bff960e6fec1a732ecec791166d39b955496cb545be9ceee
Instruction ID: 9c64ffa959d5ee7ba2d4d6773e5e2f290ca3516161e4a85ae2154d20c24383af
Opcode Fuzzy Hash: 69d12a408f53fa51bff960e6fec1a732ecec791166d39b955496cb545be9ceee
Instruction Fuzzy Hash: 2721817194021DAFDB14EB94CD4AFF977BDFB08700F0005AAF616962C0DBB46A44CB64

Function 00689620 Relevance: 10.5, APIs: 7, Instructions: 48COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068964E
#7820.MFC140U(?), ref: 00689665
#290.MFC140U(00715D00), ref: 00689673
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BEE8,00000000,00000000), ref: 00689688
#1045.MFC140U ref: 00689691
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0068969A
#1045.MFC140U ref: 006896AB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite_wtoll
String ID:
API String ID: 57011291-0
Opcode ID: 90d3f36cade79f9e53ed9cda8ee05cf4cb628c2e04bf17a3e3ef5898acf94464
Instruction ID: e08d3b16c20572bc69ba267f5fda116bc53ff4bb6f774cc18680101224e5051e
Opcode Fuzzy Hash: 90d3f36cade79f9e53ed9cda8ee05cf4cb628c2e04bf17a3e3ef5898acf94464
Instruction Fuzzy Hash: 3B11527190010ADFCB05DF94DD4ABFEBBB9FB05711F10522AF512A26E0DB742A04CB95

Function 0068FA30 Relevance: 10.5, APIs: 7, Instructions: 47COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068FA5E
#7820.MFC140U(?), ref: 0068FA75
#290.MFC140U(00715D00), ref: 0068FA83
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF14,00000000,00000000), ref: 0068FA98
#1045.MFC140U ref: 0068FAA1
_wtoll.API-MS-WIN-CRT-CONVERT-L1-1-0(?), ref: 0068FAAA
#1045.MFC140U ref: 0068FAB6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite_wtoll
String ID:
API String ID: 57011291-0
Opcode ID: 5fdd31f83086582be909aeb8364a3797e6243eac514846d306b5977629161371
Instruction ID: 784aea70ef8ea0208ba3905d97ea6d301166e0ef5f355e058282a855579fa478
Opcode Fuzzy Hash: 5fdd31f83086582be909aeb8364a3797e6243eac514846d306b5977629161371
Instruction Fuzzy Hash: F511307190410ADFCB04DF94DD4AAFEBBB9FB05711F10122AF512A26E0DB742A04CB91

Function 0068C8A0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 11processCOMMON

Download Yara Rule

APIs

system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im GameApp.exe), ref: 0068C8AC
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im QQSpeed_loader_New.exe), ref: 0068C8B3
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(taskkill /f /t /im QQSpeed_loader.exe), ref: 0068C8BA

Strings

taskkill /f /t /im QQSpeed_loader_New.exe, xrefs: 0068C8AE
taskkill /f /t /im GameApp.exe, xrefs: 0068C8A7
taskkill /f /t /im QQSpeed_loader.exe, xrefs: 0068C8B5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: system
String ID: taskkill /f /t /im GameApp.exe$taskkill /f /t /im QQSpeed_loader.exe$taskkill /f /t /im QQSpeed_loader_New.exe
API String ID: 3377271179-4231470170
Opcode ID: 7e0be78c37426a3d5d3abf761df4d675feee8b0fd1b6567d4a698e8c934bc93f
Instruction ID: 89f0df9b4b99e636c58b797787c4640a2d3a84c88f3ee1a04a0e6e9dfdf2e35d
Opcode Fuzzy Hash: 7e0be78c37426a3d5d3abf761df4d675feee8b0fd1b6567d4a698e8c934bc93f
Instruction Fuzzy Hash: AAB092A2E85238E6D51267EDBC1788B2E84BD46B603051343E408969E459C81850CAE2

Function 006E1890 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 309stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,RTSP/,00000005), ref: 006E195E

Strings

RTSP/, xrefs: 006E1958
Cannot pause RTP, xrefs: 006E1BDC
Cannot write a 0 size RTP packet., xrefs: 006E1BE3
<-, xrefs: 006E195E
Failed writing RTP data, xrefs: 006E1BD5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strncmp
String ID: <-$Cannot pause RTP$Cannot write a 0 size RTP packet.$Failed writing RTP data$RTSP/
API String ID: 1114863663-3352764837
Opcode ID: 2fbc16cae1940ceeaa22f54c8d1990281c18dbc3b5e55a81ffe2f31b669301ba
Instruction ID: dfc90a9ac325c1f590541e82d114d9018352dcdef52727ca2f7bed42a4a958e3
Opcode Fuzzy Hash: 2fbc16cae1940ceeaa22f54c8d1990281c18dbc3b5e55a81ffe2f31b669301ba
Instruction Fuzzy Hash: A2B1E170A093809BDB10DF2AD881BAB77E7EF86704F04052DFC499B242E735D945DBA2

Function 006DCC60 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 186stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(00000000, bytes,?), ref: 006DCD2E

Strings

Data conn was not available immediately, xrefs: 006DCE45
RETR response: %03d, xrefs: 006DCCB1
Maxdownload = %lld, xrefs: 006DCDDA, 006DCE83
Getting file with size: %lld, xrefs: 006DCDF8
bytes, xrefs: 006DCD28

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strstr
String ID: bytes$Data conn was not available immediately$Getting file with size: %lld$Maxdownload = %lld$RETR response: %03d
API String ID: 1392478783-1361617395
Opcode ID: 74994845bbd12f9fee8816eb7e9392011f7519046717f1c3a38ee76e27e67368
Instruction ID: 259bf1478559838aa7294eed7b3b3477a44781b96afef1107ba14278ccf82e5d
Opcode Fuzzy Hash: 74994845bbd12f9fee8816eb7e9392011f7519046717f1c3a38ee76e27e67368
Instruction Fuzzy Hash: 7B5107B1D0474A9EE7209F289C017E67B97AF81330F48463FF9A9823C2D3349945C7A6

Function 006C5AE0 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 168stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(?,;type=), ref: 006C5C39

Strings

http, xrefs: 006C5B7A
;type=, xrefs: 006C5C30
;type=%c, xrefs: 006C5C7E
ftp, xrefs: 006C5C0E
?%s, xrefs: 006C5CC1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strstr
String ID: ;type=$;type=%c$?%s$ftp$http
API String ID: 1392478783-3547414
Opcode ID: 624cf88b3ebf78b0a0a4470e6c7c493be5b6bf49451fbd2db71e53e626e1883d
Instruction ID: fc71ae8d8dc900e9e34e97bb6c5cd71924f765f027314e078d41da39e747c3a7
Opcode Fuzzy Hash: 624cf88b3ebf78b0a0a4470e6c7c493be5b6bf49451fbd2db71e53e626e1883d
Instruction Fuzzy Hash: 3A4124B1A41B012BEB20A635AD42FBA769AEF01755F08016CFD06D6382FB15FE918295

Function 00691690 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

#266.MFC140U(?), ref: 006916ED
#265.MFC140U(00000000), ref: 006916FA

Part of subcall function 00691870: #266.MFC140U(?,?,?), ref: 0069188A
Part of subcall function 00691870: #21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D0
Part of subcall function 00691870: #22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D9
Part of subcall function 00691870: #3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 006918E0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266$#265
String ID:
API String ID: 4253771692-0
Opcode ID: 5ba4f11f1757aee00d6c6d69816bc73792ba3f8b436a1343c93dd5cb39ba5864
Instruction ID: 73bc9a6bd244af6c6516816c607abfa9a7b948e3131182227a0c1bdeb6a592de
Opcode Fuzzy Hash: 5ba4f11f1757aee00d6c6d69816bc73792ba3f8b436a1343c93dd5cb39ba5864
Instruction Fuzzy Hash: DD41C2B1500602AFDF209F55D885B66BBFAFF05324F20C62DF50A8AA51D731F855CB54

Function 006A82A0 Relevance: 9.1, APIs: 6, Instructions: 92synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 006A82CE
CloseHandle.KERNEL32(?), ref: 006A82D6
EnterCriticalSection.KERNEL32(?,000006B6,?,00000002,00000000,006B0137,00000002), ref: 006A8450
LeaveCriticalSection.KERNEL32(?,?,00000002,00000000,006B0137,00000002), ref: 006A8463
CloseHandle.KERNEL32(00000000,?,00000002,00000000,006B0137,00000002), ref: 006A8474
#3.WS2_32(?), ref: 006A84F0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWait
String ID:
API String ID: 607221738-0
Opcode ID: 0a6f1ee0543f4d2a04a4dfd76a72a492b314d92a6fcf191b551e77ee5194d32f
Instruction ID: 28ac1a11b886cfd8b8a345fb882bed080f4894d8de70344bddacedb4a31ee5a7
Opcode Fuzzy Hash: 0a6f1ee0543f4d2a04a4dfd76a72a492b314d92a6fcf191b551e77ee5194d32f
Instruction Fuzzy Hash: 7B31A1B5501602EFEB10AF68DD09B96BBEAFF4A740F144028E81583361DB35EC60CFA1

Function 00697250 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,F74E5D36,?,?,?,000000FF,?,00696498,F74E5D36,F74E5D36,?,?,00000000,?,?,00693FBA), ref: 00697285
??Bid@locale@std@@QAEIXZ.MSVCP140(?,00696498,F74E5D36,F74E5D36,?), ref: 006972A1
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00696498,F74E5D36,F74E5D36,?), ref: 006972C5
??1_Lockit@std@@QAE@XZ.MSVCP140(?,00696498,F74E5D36,F74E5D36,?), ref: 00697332

Part of subcall function 00697720: #1511.MFC140U(00000010,F74E5D36,?,00000000,?), ref: 00697766
Part of subcall function 00697720: ??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000,?), ref: 0069779D
Part of subcall function 00697720: ??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 006977B8
Part of subcall function 00697720: ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 006977CD
Part of subcall function 00697720: ??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 006977F2

_CxxThrowException.VCRUNTIME140(0070DA54,0071084C), ref: 00697311
std::_Facet_Register.LIBCPMT ref: 00697327

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Locinfo@std@@$??0_??1_Lockit@std@@$#1511??0facet@locale@std@@Bid@locale@std@@Collvec@@ExceptionFacet_Getcoll@_Getgloballocale@locale@std@@Locimp@12@RegisterThrowstd::_
String ID:
API String ID: 3263588663-0
Opcode ID: 07a49e1589beda12ac526d29a7a87f37977a23b30f54e478e00eb6f197a5ffb6
Instruction ID: f62a3d4c82cbee1e638c1539e059338e75d6bc61fb273e7e5bc99300856ed2fe
Opcode Fuzzy Hash: 07a49e1589beda12ac526d29a7a87f37977a23b30f54e478e00eb6f197a5ffb6
Instruction Fuzzy Hash: E4318D71E18219CFCB10DF94D844AAEB7BAFF08720F55426AE815A7790DB70AE41CBD4

Function 006A6AD0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 323stringCOMMON

Download Yara Rule

APIs

Part of subcall function 006A78C0: _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,00000000,006A6FFA,?,?,00000003,00000000,?,00000000,0069AF76,00000000,00000001,00000003,00000003,00000000), ref: 006A78C7

strchr.VCRUNTIME140(00000000,0000003F), ref: 006A6BFC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?), ref: 006A6C5D
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,00000004,006A7620), ref: 006A6DC9

Strings

<-, xrefs: 006A6C5D
Included max number of cookies (%zu) in request!, xrefs: 006A6D74

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64qsortstrchrstrncmp
String ID: <-$Included max number of cookies (%zu) in request!
API String ID: 3608267583-2331075272
Opcode ID: 8d9fb2362184002d816d598542b235ce9a8b80c9c9364b921406dd65778dede0
Instruction ID: 5ead13d5ad390412f06bd4dbf5648f80e5f5862ac16f7c5b704dce58eb28331f
Opcode Fuzzy Hash: 8d9fb2362184002d816d598542b235ce9a8b80c9c9364b921406dd65778dede0
Instruction Fuzzy Hash: DFB1F3755043018BDB21AF28D844AAA7BE6EF4A340F0C45ACFD8687352EB35ED15CFA5

Function 006A8430 Relevance: 9.1, APIs: 6, Instructions: 72synchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,000006B6,?,00000002,00000000,006B0137,00000002), ref: 006A8450
LeaveCriticalSection.KERNEL32(?,?,00000002,00000000,006B0137,00000002), ref: 006A8463
CloseHandle.KERNEL32(00000000,?,00000002,00000000,006B0137,00000002), ref: 006A8474
WaitForSingleObject.KERNEL32(?,000000FF,?,00000002,00000000,006B0137,00000002), ref: 006A84A7
CloseHandle.KERNEL32(?,?,00000002,00000000,006B0137,00000002), ref: 006A84AF
#3.WS2_32(?), ref: 006A84F0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWait
String ID:
API String ID: 607221738-0
Opcode ID: 71bfd7d8482ed90db06270459f70eee896d289143dcd657e8b8466c8dbe390f1
Instruction ID: 4aa22474a97db8eb5b526f0c7e05dd941a44c8b28c0ec2eb5e303a2ef8451c53
Opcode Fuzzy Hash: 71bfd7d8482ed90db06270459f70eee896d289143dcd657e8b8466c8dbe390f1
Instruction Fuzzy Hash: 042139B5500606AFDB10AF64DD49B96BBEAFF0A301F145024F91987662EB35E824CFA1

Function 006833D0 Relevance: 9.1, APIs: 6, Instructions: 60timeCOMMON

Download Yara Rule

APIs

CreateWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 00683406
SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0068341C
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 00683437
MsgWaitForMultipleObjects.USER32(00000001,00000000,00000000,000000FF,000004FF), ref: 00683454
CancelWaitableTimer.KERNEL32(00000000), ref: 0068345D
CloseHandle.KERNEL32(00000000), ref: 00683466

Part of subcall function 00683360: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00683383
Part of subcall function 00683360: TranslateMessage.USER32(?), ref: 006833A1
Part of subcall function 00683360: DispatchMessageW.USER32(?), ref: 006833A7
Part of subcall function 00683360: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006833B5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Message$TimerWaitable$MultipleObjectsPeekWait$CancelCloseCreateDispatchHandleTranslate
String ID:
API String ID: 999329613-0
Opcode ID: cd57c92471ca6ed00f9de2a321051e593a568b0cd2b11003f917ac6af4acb7d7
Instruction ID: cfc07b03720ecf861059d1e027210a69c31016e80b2c02ba1f14cf0658ea3b15
Opcode Fuzzy Hash: cd57c92471ca6ed00f9de2a321051e593a568b0cd2b11003f917ac6af4acb7d7
Instruction Fuzzy Hash: FD113370A4121ABFEB10EB54CD06FBD7B75EF04B10F205265BA10B62D0DB706A00CBA5

Function 00687AB0 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,000000D0,F74E5D36), ref: 00687AF6
#462.MFC140U(00000064,00000000,?,?,F74E5D36), ref: 00687B08
#4092.MFC140U ref: 00687B25
#1113.MFC140U ref: 00687B2E

Part of subcall function 00684AE0: #3882.MFC140U(F74E5D36,8000046D,8000042A,?), ref: 00684B1E

#1111.MFC140U ref: 00687B49
#3833.MFC140U(F74E5D36), ref: 00687B51

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1111#1113#3833#3882#4092#462memset
String ID:
API String ID: 1166868588-0
Opcode ID: d1752b8ce0be4b76fb3a6a23fbadf55610b99e7a8279f7ab88ad3f312cebc1e0
Instruction ID: 173895b1cdab01b0ac1e108db817500e4c4c3665cf23117c6f1bd3193092a362
Opcode Fuzzy Hash: d1752b8ce0be4b76fb3a6a23fbadf55610b99e7a8279f7ab88ad3f312cebc1e0
Instruction Fuzzy Hash: 9711917190420DDFDB14EFA4DC45BBCB7B9FB04740F00866AE916A22D0DB746648CF55

Function 006CA690 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000008,\nn,000000FF,00000000,00000000,00000000,00000000,?,006E6E5C,?,?,?), ref: 006CA6A9
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6B9
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,\nn,000000FF,00000000,00000000), ref: 006CA6D4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6DF

Strings

d#, xrefs: 006CA6DF
\nn, xrefs: 006CA693, 006CA6A1, 006CA6CC

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID: \nn$d#
API String ID: 2605342592-3390992363
Opcode ID: c74d357980a5b8ba30efee20f53e80f90cf29712a9bda8444cac6efb50674d3e
Instruction ID: 1c23cd9852443f642343bac9724b3849121ad728bb8cc81ff9cb06c9c65ed77f
Opcode Fuzzy Hash: c74d357980a5b8ba30efee20f53e80f90cf29712a9bda8444cac6efb50674d3e
Instruction Fuzzy Hash: 19F0967174222537D7305AEB9C48FA7AA6EDF82B75F181235F914D62D4EB50C804C1E2

Function 0068F480 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068F4AE
#7820.MFC140U(?), ref: 0068F4C5
#290.MFC140U(00715D00), ref: 0068F4D3
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF4C,00000000,00000000), ref: 0068F4E8
#1045.MFC140U ref: 0068F4F1
#1045.MFC140U ref: 0068F4FA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: 2942b7e0985ea06ebe768f03efecabab40dfbefe6b6b670fb2842eb6348e38b5
Instruction ID: e905a72bf960f459ad5f6d14d1489d7ae3451aece9167badb6f2c91e6f60060f
Opcode Fuzzy Hash: 2942b7e0985ea06ebe768f03efecabab40dfbefe6b6b670fb2842eb6348e38b5
Instruction Fuzzy Hash: 24111E7190410ADFCB04DF95DD55BFEBBB9FB05710F10126AE512A26D0DB742A04CB90

Function 0068F520 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068F54E
#7820.MFC140U(?), ref: 0068F565
#290.MFC140U(00715D00), ref: 0068F573
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF60,00000000,00000000), ref: 0068F588
#1045.MFC140U ref: 0068F591
#1045.MFC140U ref: 0068F59A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: b753106b35fcbbaeed58c58a8cafbec96ebd0c69ba1bf0969b47635398cc2ef6
Instruction ID: 11ac16578e0aebc8c9aa9d154aef49ebbf6e55334a17ca70f5ef6c1170a1cb51
Opcode Fuzzy Hash: b753106b35fcbbaeed58c58a8cafbec96ebd0c69ba1bf0969b47635398cc2ef6
Instruction Fuzzy Hash: 66111E7190410ADFCB04DFA5DD55BFEBBB9FB09710F10122AE512A26E0DB742A04CB91

Function 006896D0 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 006896FE
#7820.MFC140U(?), ref: 00689715
#290.MFC140U(00715D00), ref: 00689723
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF6C,00000000,00000000), ref: 00689738
#1045.MFC140U ref: 00689741
#1045.MFC140U ref: 0068974A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: 798760003209ebaf1d506a9e600fc809a6668ee9e319f329ac88dff5386aad7f
Instruction ID: 9b778372912ef3e22f59891e7b87e66c8fd97eda94d5428bd50e26ae4f1dd213
Opcode Fuzzy Hash: 798760003209ebaf1d506a9e600fc809a6668ee9e319f329ac88dff5386aad7f
Instruction Fuzzy Hash: 62111B7190410AEFCB04DF95DD5ABFEBBB9FB09710F10122AE512A26E0DB742A04CB90

Function 00689770 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068979E
#7820.MFC140U(?), ref: 006897B5
#290.MFC140U(00715D00), ref: 006897C3
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF00,00000000,00000000), ref: 006897D8
#1045.MFC140U ref: 006897E1
#1045.MFC140U ref: 006897EA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: 821dab1b94abf9be2a9221f1ee92d31451b9f7fec486402cd6a20b98ca076ec1
Instruction ID: def4d8f5e6f79a0872266b5837e197589c82045fe4826e34d6d8a81bcee7d4a6
Opcode Fuzzy Hash: 821dab1b94abf9be2a9221f1ee92d31451b9f7fec486402cd6a20b98ca076ec1
Instruction Fuzzy Hash: 36111E7190410ADFCB04DF95DD56BFEBBB9FB05710F10122AE512A26E0DB742A04CB94

Function 0068C710 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068C73E
#7820.MFC140U(?), ref: 0068C755
#290.MFC140U(00715D00), ref: 0068C763
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF3C,00000000,00000000), ref: 0068C778
#1045.MFC140U ref: 0068C781
#1045.MFC140U ref: 0068C78A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: 865ea4a94fe2164ce496ac245311ecf2ba5a6fea92f7bdcdb2b296dcd88eb91e
Instruction ID: 881723ded511c655581267778cc1b2e290eda92353a4e0e4f24ca52368ce5443
Opcode Fuzzy Hash: 865ea4a94fe2164ce496ac245311ecf2ba5a6fea92f7bdcdb2b296dcd88eb91e
Instruction Fuzzy Hash: 1C111B7190420AEFCB05DF95DD5ABFEBBB9FB05710F10122AE512A26E0DB742A04CB91

Function 00689930 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068995E
#7820.MFC140U(?), ref: 00689975
#290.MFC140U(00715D00), ref: 00689983
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF88,00000000,00000000), ref: 00689998
#1045.MFC140U ref: 006899A1
#1045.MFC140U ref: 006899AA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: 948d956171770facbbf04ff38a14b23e9dde8b8fdb41b8f7167616699873e3bf
Instruction ID: 2932a8b22f55ae1d2ec9d8914f2da53c969f373fbd5761ada2cb6fe39181114e
Opcode Fuzzy Hash: 948d956171770facbbf04ff38a14b23e9dde8b8fdb41b8f7167616699873e3bf
Instruction Fuzzy Hash: 2A111B7190450AEFCB14DF95DD5ABFEBBB9FB05711F10122AE512A26E0DB742A04CB90

Function 0068FD00 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

#296.MFC140U(F74E5D36), ref: 0068FD2E
#7820.MFC140U(?), ref: 0068FD45
#290.MFC140U(00715D00), ref: 0068FD53
WritePrivateProfileStringW.KERNEL32(0070BEF4,0070BF28,00000000,00000000), ref: 0068FD68
#1045.MFC140U ref: 0068FD71
#1045.MFC140U ref: 0068FD7A

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045$#290#296#7820PrivateProfileStringWrite
String ID:
API String ID: 2785259809-0
Opcode ID: b796c8e75dee00e2cfa5a9691db80fceb3acb2e6222f6b0c660209533f6151cb
Instruction ID: e780719e261a38cb4b2b53ee2816de460b871c6c10dbb71722195a397b6d9821
Opcode Fuzzy Hash: b796c8e75dee00e2cfa5a9691db80fceb3acb2e6222f6b0c660209533f6151cb
Instruction Fuzzy Hash: DA111E7190450ADFCB04DF95DD55BFEBBB9FB09711F10122AE512A26D0DB742A04CB90

Function 00694C90 Relevance: 9.0, APIs: 6, Instructions: 31COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000,F74E5D36), ref: 00694CA0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000,F74E5D36), ref: 00694CB8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000,F74E5D36), ref: 00694CC5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000,F74E5D36), ref: 00694CD2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000,F74E5D36), ref: 00694CDD
#1513.MFC140U(?,?,00697EA8,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00694CE6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: c6fb5aac3dcf438024ea19202a7e927380ca4ffc9fec799932aea9c23999bb03
Instruction ID: 964b24bfef5e1544cf7f4d1666390c4e514ca11c2767603e89acb5de1daf5ea5
Opcode Fuzzy Hash: c6fb5aac3dcf438024ea19202a7e927380ca4ffc9fec799932aea9c23999bb03
Instruction Fuzzy Hash: 41F05E741010048FEB28AFA8E98CA7D77ABEB08315B102455E80BC2A25DF25AC91CA11

Function 00690560 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0069060C,?,?,00000000,00000000,00684E05), ref: 00690570
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0069060C,?,?,00000000,00000000,00684E05), ref: 00690585
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0069060C,?,?,00000000,00000000,00684E05), ref: 00690592
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0069060C,?,?,00000000,00000000,00684E05), ref: 0069059F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,0069060C,?,?,00000000,00000000,00684E05), ref: 006905AA
#1513.MFC140U(?,?,0069060C,?,?,00000000,00000000,00684E05), ref: 006905B3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: 4b53cd142549d61de6b2c95d9fbbaaab7719dabd7ce69ce06c3542907bbc1273
Instruction ID: 7db58218277c269be3f27f9da0a1f55bf6b31710afe5d52ed6f7a73e843443a5
Opcode Fuzzy Hash: 4b53cd142549d61de6b2c95d9fbbaaab7719dabd7ce69ce06c3542907bbc1273
Instruction Fuzzy Hash: 01F0A0B01001044FFB286FA8EA5C57D7B5BEB0C326B116515F81BC1B66DB35AC80CE22

Function 00696640 Relevance: 9.0, APIs: 6, Instructions: 30COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 00696650
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 00696665
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 00696672
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 0069667F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 0069668A
#1513.MFC140U(?,?,006967AD,?,00000000,?,?,?,?,?,?,?,?), ref: 00696693

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: 1a36a73ee3ce0b27d3be03ee8394ca6f6b671b32924fed7700df66aa4e0cf508
Instruction ID: b89bc3875b848d7b7416a8af00f429482d52774228d40ef72c46221fa521933c
Opcode Fuzzy Hash: 1a36a73ee3ce0b27d3be03ee8394ca6f6b671b32924fed7700df66aa4e0cf508
Instruction Fuzzy Hash: F8F0A7701002044FEF286F78EA5C57C7B6BEB48315B102119F81BC1B66CB349C90CE13

Function 006839C0 Relevance: 9.0, APIs: 6, Instructions: 29COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C,00000000), ref: 006839CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C,00000000), ref: 006839E0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C,00000000), ref: 006839ED
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C,00000000), ref: 006839FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C,00000000), ref: 00683A05
#1513.MFC140U(00000000,?,00683783,00682F0C,?,00682F0C,00000000,00000000,?,00683A6D,00000001,?,00000000,?,00683823,00682F0C), ref: 00683A0E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _invalid_parameter_noinfo_noreturn$#1513
String ID:
API String ID: 1592141129-0
Opcode ID: d7166ff8cc04d0fdfa1e55e176df810ec2c81a1201b6e9746435daac902c09c3
Instruction ID: 13142084db8700d411ddc1efb9b94abfe6c29de1a64701ce3570e4dcb5030253
Opcode Fuzzy Hash: d7166ff8cc04d0fdfa1e55e176df810ec2c81a1201b6e9746435daac902c09c3
Instruction Fuzzy Hash: 49F0A0701001108FEB187FA8E99C17C7B57EF087257002254F85BC2765DB78AE80CB11

Function 006E5500 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 162stringCOMMON

Download Yara Rule

APIs

strspn.API-MS-WIN-CRT-STRING-L1-1-0(?,0123456789abcdefABCDEF:.,00000000,eNn,?,?,?,?,?,006E52B4,eNn,?,eNn,00000000,006E4E65), ref: 006E5535
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,0070750C,00000002,?,?,?,?,?,006E52B4,eNn,?,eNn,00000000,006E4E65,?,00000000), ref: 006E5564

Strings

eNn, xrefs: 006E5518
0123456789abcdefABCDEF:., xrefs: 006E552F
<-, xrefs: 006E5564

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strncmpstrspn
String ID: 0123456789abcdefABCDEF:.$<-$eNn
API String ID: 392059205-4078901777
Opcode ID: 061a417551342c4ff8db39d286b423f80d2083054d42088e58fbee7e2e83512a
Instruction ID: d4e8e22384ab6df0376b382ffbaf6cdc5481eb38d1db6a55e85d06de80271912
Opcode Fuzzy Hash: 061a417551342c4ff8db39d286b423f80d2083054d42088e58fbee7e2e83512a
Instruction Fuzzy Hash: DC419D716047854FDB20CF29C8417BBBBD6AF96358F88046EE88687352E725D909C763

Function 006D41F0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 138COMMON

Download Yara Rule

APIs

#17.WS2_32(?,?,?,00000000,?), ref: 006D4240
memcpy.VCRUNTIME140(?,?,?), ref: 006D4264

Part of subcall function 006D4D40: memchr.VCRUNTIME140(?,00000000,MCm,?,006D434D,?,?), ref: 006D4D4C

Strings

Internal error: Unexpected packet, xrefs: 006D4381
Received too short packet, xrefs: 006D4281
TFTP error: %s, xrefs: 006D4358

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchrmemcpy
String ID: Internal error: Unexpected packet$Received too short packet$TFTP error: %s
API String ID: 3039221550-343195773
Opcode ID: faa5cf93a11dc9e98418ddb70e80c3bfb98a1d77845b63d13e13d0758dd7b57f
Instruction ID: 25d2f3ec3d22b036a0461fe9121e71ef1eee7d5ddb586bd83296610a012cd1a7
Opcode Fuzzy Hash: faa5cf93a11dc9e98418ddb70e80c3bfb98a1d77845b63d13e13d0758dd7b57f
Instruction Fuzzy Hash: 0F4117B1A04206AFD354DF24DC81BBAF7E9BB04301F05422AF55D92242EB39E958C7A1

Function 00686B50 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 116COMMON

Download Yara Rule

APIs

GetVolumeInformationA.KERNEL32(c:\,007185B8,00000080,00000000,00000000,00000000,?,00000080), ref: 00686B92

Part of subcall function 006867F0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000288), ref: 00686814

Part of subcall function 006868F0: memset.VCRUNTIME140(?,00000000,00000100), ref: 00686913
Part of subcall function 006868F0: CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000000,00000000), ref: 0068694A
Part of subcall function 006868F0: DeviceIoControl.KERNEL32(00000000,00074080,00000000,00000000,?,00000018,?,00000000), ref: 00686979
Part of subcall function 006868F0: CloseHandle.KERNEL32(00000000), ref: 00686980

memset.VCRUNTIME140(007185B8,00000000,00000080), ref: 00686C9B

Strings

%d%d%s, xrefs: 00686BAC
c:\, xrefs: 00686B8D
XDq, xrefs: 00686C38

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memset$CloseControlCreateDeviceFileHandleInformationVolumemalloc
String ID: %d%d%s$XDq$c:\
API String ID: 3801620809-1228629411
Opcode ID: a05d4a2c641f67bae5f11e1be70afcd877eb9aed60fbf6964bf8dfa3add1092a
Instruction ID: 02b781217dd147be4fd3acc57af6eee68461710026097714c4345f94fca02643
Opcode Fuzzy Hash: a05d4a2c641f67bae5f11e1be70afcd877eb9aed60fbf6964bf8dfa3add1092a
Instruction Fuzzy Hash: F14102B15083019FD750FF18D852BEAB796EF84344F008A2DF8954A292EF70A618CBD7

Function 006DB950 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 111COMMON

Download Yara Rule

APIs

#6.WS2_32 ref: 006DB992
#1.WS2_32(?,FFFFFFFF,?), ref: 006DB9AF

Part of subcall function 006EC670: #10.WS2_32(00000018,8004667E,?,006CB533,00000000,00000001), ref: 006EC68B

Part of subcall function 006BD910: memset.VCRUNTIME140(?), ref: 006BDA09
Part of subcall function 006BD910: #5.WS2_32(?,?,?), ref: 006BDA21
Part of subcall function 006BD910: #111.WS2_32 ref: 006BDA2B

#3.WS2_32(?), ref: 006DBA27

Strings

Connection accepted from server, xrefs: 006DB9EF
Error accept()ing server connect, xrefs: 006DB9C4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111memset
String ID: Connection accepted from server$Error accept()ing server connect
API String ID: 209243800-1795061160
Opcode ID: 8f93f661421b756f6d400d21edb5bb8ee1eddfe2bd638c85ed0b0e0ced101c0b
Instruction ID: 24275034f5046fb141bda8d5dde90d380cd6d59bb65b5bf5336480494ab9145c
Opcode Fuzzy Hash: 8f93f661421b756f6d400d21edb5bb8ee1eddfe2bd638c85ed0b0e0ced101c0b
Instruction Fuzzy Hash: 8B31BB71A04201ABD720DB24DC42FEFB7E9BF89720F84451EF599C6281DB74544587A6

Function 00693100 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000001,?,?,?,0069306F,?,00000001,?,?,?,?,00693AE1,http://,00000007,F74E5D36), ref: 0069311A
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000001,?,?,?,0069306F,?,00000001,?,?,?,?,00693AE1,http://,00000007,F74E5D36), ref: 0069313E
memcpy.VCRUNTIME140(?,?,F74E5D36,?,00000000,00000001,?,?,?,0069306F,?,00000001,?,?,?), ref: 0069317E

Strings

string too long, xrefs: 00693139
invalid string position, xrefs: 00693115

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@Xout_of_range@std@@memcpy
String ID: invalid string position$string too long
API String ID: 4248180022-4289949731
Opcode ID: 777904893ec159c064c586395f317315954b50a41e95d95389d92e7fd9dcbc97
Instruction ID: 4e2466574efd64bf160ae9b4fc7651716548873c5e64d6c9d2bae66b9bfdf1e6
Opcode Fuzzy Hash: 777904893ec159c064c586395f317315954b50a41e95d95389d92e7fd9dcbc97
Instruction Fuzzy Hash: AE21AE713002149BDB288F6CDC84B6AB7AAEB40B64B100A2DE516C77A1C7B0EA45C798

Function 00693270 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,?,00000000,?,00695C00,?,?,?,F74E5D36,?,00000000,?), ref: 00693287
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000000,?,00000000,?,00695C00,?,?,?,F74E5D36,?,00000000,?), ref: 0069329C
memmove.VCRUNTIME140(?,?,?,?,00000000,00000000,?,00000000,?,00695C00,?,?,?,F74E5D36,?,00000000), ref: 006932DE

Strings

string too long, xrefs: 00693297
invalid string position, xrefs: 00693282

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@Xout_of_range@std@@memmove
String ID: invalid string position$string too long
API String ID: 1352685159-4289949731
Opcode ID: 4e25a7306c03c734f4459726bf28e5a12f7bc1be30c8a088f0910c2a206b392c
Instruction ID: 9ee34661487621eb80870b248675cd7b3faa41594963cea5580bb24e474db160
Opcode Fuzzy Hash: 4e25a7306c03c734f4459726bf28e5a12f7bc1be30c8a088f0910c2a206b392c
Instruction Fuzzy Hash: A51196313102249BDB249F6CDC85A6AF7AFEB41710B200A5EF082CBB91D761EA418794

Function 006CA700 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,00000002,?,006E6EA4,?), ref: 006CA71A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA727
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 006CA746
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA751

Strings

d#, xrefs: 006CA751

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$freemalloc
String ID: d#
API String ID: 2605342592-2011854123
Opcode ID: be4966513c29de6866f908df06c7a9812076c5c7a921699ba83990e0dff90a0f
Instruction ID: 97b183edb6370d666fd503dda679714c5d265b76e9ea15c64d6a477ed4323650
Opcode Fuzzy Hash: be4966513c29de6866f908df06c7a9812076c5c7a921699ba83990e0dff90a0f
Instruction Fuzzy Hash: 07F0967930223577D23026AA5D8DFA76E6DEF82BB5F181235B914E53D0D6509801C1F6

Function 006C80B4 Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 297COMMON

Download Yara Rule

Strings

, xrefs: 006C80C7
rwx-tTsS, xrefs: 006C7C41
0123456789-, xrefs: 006C78BD
<DIR>, xrefs: 006C7999

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: $0123456789-$<DIR>$rwx-tTsS
API String ID: 0-2610395233
Opcode ID: 1dc8c843127a33f91f1d42acde397f1a56aea87ea74fa1542acdb27a874da2a7
Instruction ID: 8ce662bedb485c7d162c8a2a146dc5952775b7fc3ff3f549aceadfce48168801
Opcode Fuzzy Hash: 1dc8c843127a33f91f1d42acde397f1a56aea87ea74fa1542acdb27a874da2a7
Instruction Fuzzy Hash: 42C14DB0508B418FD730CF28D588B76BBF2EB56304F04491DE4C687752D779EA499BA2

Function 006C802D Relevance: 7.8, APIs: 1, Strings: 4, Instructions: 262COMMON

Download Yara Rule

Strings

, xrefs: 006C80C7
rwx-tTsS, xrefs: 006C7C41
0123456789-, xrefs: 006C78BD
<DIR>, xrefs: 006C7999

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strstr
String ID: $0123456789-$<DIR>$rwx-tTsS
API String ID: 1392478783-2610395233
Opcode ID: 0476b9c12a86aa7cc3d7cffbee57c9b15197227ba67de2abaed4f73406516bc9
Instruction ID: 3493474c4ef3bccc31f922db4816ed37e71b917c50517635a3040f23d0790a33
Opcode Fuzzy Hash: 0476b9c12a86aa7cc3d7cffbee57c9b15197227ba67de2abaed4f73406516bc9
Instruction Fuzzy Hash: 3FA16EB0508B418FD730CF28C548FB6BBF2EB56304F04491DE48687752D77AEA499BA2

Function 006D79D0 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 166COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(00000000,0000007B,?), ref: 006D7A2C

Strings

*, xrefs: 006D79EE
Found %lld bytes to download, xrefs: 006D7A80
Written %zu bytes, %llu bytes are left for transfer, xrefs: 006D7B18
Failed to parse FETCH response., xrefs: 006D7BAA

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchr
String ID: *$Failed to parse FETCH response.$Found %lld bytes to download$Written %zu bytes, %llu bytes are left for transfer
API String ID: 3297308162-2609606168
Opcode ID: b203a195d7fe77f2bd42b2b5e7b4175016b1b911bffb4377f621e5ede89212ab
Instruction ID: f291b71dea0a5f98c204a0a7a750de627bef4ef5c4e6e05f99e4d96f83297f6b
Opcode Fuzzy Hash: b203a195d7fe77f2bd42b2b5e7b4175016b1b911bffb4377f621e5ede89212ab
Instruction Fuzzy Hash: C851A2B19082019BD720AE64DC41FAB73EAEF85314F44062EF94996342F775E9098BA7

Function 006ED6E0 Relevance: 7.7, APIs: 6, Instructions: 161COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(?,0000003A,?,?,?,00000000,?,00000000,006ED886,?,?,00000000,006E7815,?,?), ref: 006ED70B
memchr.VCRUNTIME140(00000001,0000000D,?), ref: 006ED73D
memchr.VCRUNTIME140(00000001,0000000A,?), ref: 006ED74F
memcpy.VCRUNTIME140(00000010,?,00000000), ref: 006ED7E5
memcpy.VCRUNTIME140(00000010,?,?,00000010,?,00000000), ref: 006ED804
memcpy.VCRUNTIME140(?,?,?,00000010,?,?,00000010,?,00000000), ref: 006ED815

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchrmemcpy
String ID:
API String ID: 3039221550-0
Opcode ID: ec2898cf3e613769b2db9680527e682b7dd971d05e0f84e65170e550239dac3d
Instruction ID: 6b074d09e14e3f79d407023d30e332c9f652534b31c6892b1b1bfb504cf40d7d
Opcode Fuzzy Hash: ec2898cf3e613769b2db9680527e682b7dd971d05e0f84e65170e550239dac3d
Instruction Fuzzy Hash: 47412177A063446FCB109F29DC80AEABBAAEB86360F14856DF9458B342D731CC028790

Function 006CB710 Relevance: 7.6, APIs: 5, Instructions: 140COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,?,?,?), ref: 006CB731
memcpy.VCRUNTIME140(00000020,00000000,?), ref: 006CB7F3
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 006CB810
freeaddrinfo.WS2_32(?,?), ref: 006CB846
#112.WS2_32(00002AF9,?), ref: 006CB890

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpy$#112freeaddrinfogetaddrinfo
String ID:
API String ID: 211351288-0
Opcode ID: e9775c943cc1ce8b71a063879f3441d7aeb11e11b9f2b9c1ece7a4b94e66c6c1
Instruction ID: 83523848e5d18d8e34017c8f1ae854e63c6c96de60db5fedafab31175548c98e
Opcode Fuzzy Hash: e9775c943cc1ce8b71a063879f3441d7aeb11e11b9f2b9c1ece7a4b94e66c6c1
Instruction Fuzzy Hash: 17516A71A013018BCB24CF19D985A7ABBEAFF88710F09586DEC8997311D731E904CB92

Function 006E61E0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 124stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140(00000000,007074FC,?,?,?,?,006E429C,?,?,?,00000001,?), ref: 006E61FF
strchr.VCRUNTIME140(-00000002,0000003F), ref: 006E6217
strchr.VCRUNTIME140(-00000002,0000002F,-00000002,0000003F), ref: 006E6221

Strings

%, xrefs: 006E62D2
%20, xrefs: 006E626C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr$strstr
String ID: %$%20
API String ID: 1654209344-360484822
Opcode ID: 9c9f3371d70a24ba0aefbdd178cc0b92b44a8a0f3a353a3c1d35faa8e8200c6c
Instruction ID: 6207ee0665853f809fea4abb7840bb3cd0df4635cc61d16bf26ce69c3ea70bef
Opcode Fuzzy Hash: 9c9f3371d70a24ba0aefbdd178cc0b92b44a8a0f3a353a3c1d35faa8e8200c6c
Instruction Fuzzy Hash: 08318A2064D3C44EDB294A29D8107FA3BCB8BF2388F18046CF5C59F342D1669F0B9391

Function 006DB7D0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 109COMMON

Download Yara Rule

Strings

;type=, xrefs: 006DB879, 006DB88D
[%s] setup connection -> %d, xrefs: 006DB92F
???, xrefs: 006DB927, 006DB92E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: ;type=$???$[%s] setup connection -> %d
API String ID: 0-290136605
Opcode ID: 411305f22ee98cc3a3db107d1bf53434d0e2475581acef591ba546bb244bacd9
Instruction ID: 4c0d1ed1dae74ff84e4ec47891decd4261c8367ce91229a4885d93236e1b7787
Opcode Fuzzy Hash: 411305f22ee98cc3a3db107d1bf53434d0e2475581acef591ba546bb244bacd9
Instruction Fuzzy Hash: 924125F0A00741DFE7109F78AC44BD3BBA9BB04316F04427AE969CA3C2D774E4219BA5

Function 00691B30 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(00000000,?,?,000000FF), ref: 00691B7B
#266.MFC140U(?), ref: 00691BBD
#21.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 00691BF6
#22.WS2_32(?,00000002), ref: 00691BFF
#3.WS2_32(?), ref: 00691C06

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266CompletionQueuedStatus
String ID:
API String ID: 2861454604-0
Opcode ID: 5fd2cabc0e3192203541ef8a42a0beadae51f6ee244f2e65ff8f9b9bc60297bf
Instruction ID: 78910435958fa833b09f75e1b4a1f78d97cdd530f2199afae22519d3043a6616
Opcode Fuzzy Hash: 5fd2cabc0e3192203541ef8a42a0beadae51f6ee244f2e65ff8f9b9bc60297bf
Instruction Fuzzy Hash: 4131A1B0900206AFDF209F54CD49BBFBBBEBF06310F244118E505B7691D774AA05DBA5

Function 00682E40 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000400,F74E5D36), ref: 00682E8E
#296.MFC140U(?,F74E5D36), ref: 00682E9C
#4815.MFC140U(?,0070AA68,?,00000000,00000001), ref: 00682F1D
#5110.MFC140U(00000000,00000000,00000000), ref: 00682F41
#1045.MFC140U(00000000,00000010), ref: 00682FAD

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1045#296#4815#5110memset
String ID:
API String ID: 1750025313-0
Opcode ID: 09afe4de4e7c214b36a3dbe2d6b313909debff69faf47918fe841347de39f80d
Instruction ID: 8b0f6aad84b5aaafea63b018f2ec829321e758b16e4ca6783b54ea6e28d9fce6
Opcode Fuzzy Hash: 09afe4de4e7c214b36a3dbe2d6b313909debff69faf47918fe841347de39f80d
Instruction Fuzzy Hash: 7741BFF180021DDFDB24DB54CC55BE9B7B9EB05304F0082E8E609A7291DB755B88CFA8

Function 00697720 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

#1511.MFC140U(00000010,F74E5D36,?,00000000,?), ref: 00697766
??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000,?), ref: 0069779D
??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 006977B8
?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 006977CD
??1_Locinfo@std@@QAE@XZ.MSVCP140 ref: 006977F2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Locinfo@std@@$#1511??0_??0facet@locale@std@@??1_Collvec@@Getcoll@_
String ID:
API String ID: 4266503187-0
Opcode ID: 7033df5103ec1f94a41190137cd0b0c114566d03c3459f8d9efee79a6b5e599f
Instruction ID: 4f6048d0f5d94d1f42ec537e18122454ccd28e3714d683b7919bf9ee31a80d6c
Opcode Fuzzy Hash: 7033df5103ec1f94a41190137cd0b0c114566d03c3459f8d9efee79a6b5e599f
Instruction Fuzzy Hash: 5B317CB1A04209DFDB10CF99D988BEEBBF9FF48710F10416AE416977A0D7759A00CBA0

Function 00697470 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,0069785B), ref: 0069748A

Part of subcall function 0069CC5E: #1513.MFC140U(?,?,0069B7E0,?,00000001), ref: 0069CC64

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006974BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006974D3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006974EF

Strings

d#, xrefs: 0069748A, 006974AF, 006974EF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free$#1513
String ID: d#
API String ID: 2839934560-2011854123
Opcode ID: 2fa7aa8318fe7f6c326360f449777228162c1156ab8658e857655decce5ca4c8
Instruction ID: 895dc0b5a1dd5306cde018eb43197669fd0c22f6bd0e063428ae7d0b212743a6
Opcode Fuzzy Hash: 2fa7aa8318fe7f6c326360f449777228162c1156ab8658e857655decce5ca4c8
Instruction Fuzzy Hash: 1B11A372500600ABCF225F04DC41B56BF6BAFC4B30F1A4118E91C5B766D776AC21AAD1

Function 00689CC0 Relevance: 7.6, APIs: 5, Instructions: 58threadwindowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00689CDF
GetWindow.USER32(00000000), ref: 00689CE6
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00689D05
IsWindowVisible.USER32(00000000), ref: 00689D10
GetWindow.USER32(00000000,00000002), ref: 00689D19

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Window$DesktopProcessThreadVisible
String ID:
API String ID: 41763606-0
Opcode ID: 1f7e56d65b6bfa606b48ff8e85b3700ca5946ee7caf173693e9da9dbf4f3a1f5
Instruction ID: 9fd7bd12c1dc7907091bcefab4e2a5597f4cc8b0c356992682f63345f8d52f66
Opcode Fuzzy Hash: 1f7e56d65b6bfa606b48ff8e85b3700ca5946ee7caf173693e9da9dbf4f3a1f5
Instruction Fuzzy Hash: E101D632E01619ABCB10AFA9EC44ABEB7B9EF45311F0551AAE805D7300DB309D00CBA8

Function 00683480 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

#5110.MFC140U(?,00000000,00000000,00000000,00000000,F74E5D36,?,?,?,006F8B59,000000FF), ref: 006834BE
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,?,?,006F8B59,000000FF), ref: 006834C9
#5110.MFC140U(?,?,00000000,00000000,00000000,?,?,?,006F8B59,000000FF), ref: 006834E0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,006F8B59,000000FF), ref: 006834EB
#1045.MFC140U(?,00000000,00000000,00000000,?,?,?,006F8B59,000000FF), ref: 006834F8

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #5110ByteCharMultiWide$#1045
String ID:
API String ID: 193322377-0
Opcode ID: 4f5dae790e3d0350f4e395f3dc0e448a8860f745923ce6aa4231ac4ba53fa87b
Instruction ID: 598762fc3a1231c95b959833f0e834d3d330b1f3eb6cbe184d401917bfc34229
Opcode Fuzzy Hash: 4f5dae790e3d0350f4e395f3dc0e448a8860f745923ce6aa4231ac4ba53fa87b
Instruction Fuzzy Hash: DA112971644209FFE710CF84DC4AFB9BBA9EB09B65F105159FA059B2D0DBB16900CB94

Function 00689A30 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00689A5D
GetParent.USER32 ref: 00689A69
GetWindowRect.USER32(00000000), ref: 00689A70
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?,?), ref: 00689A9D
UpdateWindow.USER32 ref: 00689AA4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Window$Rect$MoveParentUpdate
String ID:
API String ID: 2365021593-0
Opcode ID: 7759f9866f423aa179660311f9b01a6aab9c70b8ff68126d1a604245d6d677f7
Instruction ID: 376215f55ffb2b3bd9445e9189c8947324ece395afdada9e8b545e6439c1f84a
Opcode Fuzzy Hash: 7759f9866f423aa179660311f9b01a6aab9c70b8ff68126d1a604245d6d677f7
Instruction Fuzzy Hash: 4C113932608309AF9704DF65DD8597FB7AAEBC9B14F00A61DF95592250EB30A940CB62

Function 006C9650 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 006C9AD4

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 006C96E1
** Resuming transfer from byte position %lld, xrefs: 006C96CE
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 006C9ABE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %lld
API String ID: 497872470-1872798829
Opcode ID: 73c09ea30b4280166d3ccf3f81caa13664d6e5ca34001d984365cfc22324f593
Instruction ID: 32f3b52a8b0df9b4f3f977c5c73e1d5c1cebacc0084aeecf76f2848820f1667b
Opcode Fuzzy Hash: 73c09ea30b4280166d3ccf3f81caa13664d6e5ca34001d984365cfc22324f593
Instruction Fuzzy Hash: 81D18A75608745AFD7609F24C849FBBB7EBFFC8700F04091DFA9993251DA32A8108B66

Function 006CE290 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006CE3E1

Strings

schannel: timed out sending data (bytes sent: %zd), xrefs: 006CE4D6
select/poll on SSL socket, errno: %d, xrefs: 006CE4BB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpy
String ID: schannel: timed out sending data (bytes sent: %zd)$select/poll on SSL socket, errno: %d
API String ID: 3510742995-3891197721
Opcode ID: 44d138bb859e0b81df39c620b23f6b142619ccc2a8acdf356c553542a275af38
Instruction ID: 8903e26dcd5209cc9951f7352515733226ecb8f5bfaa3dff8d4709169dba01a3
Opcode Fuzzy Hash: 44d138bb859e0b81df39c620b23f6b142619ccc2a8acdf356c553542a275af38
Instruction Fuzzy Hash: 5C718CB16043409FD714DF18C841B6ABBF6FF88728F148A2DF95987391DB76E9048B52

Function 006BB340 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000008,?,00000007,:%u,?,?,?,?,?,?), ref: 006BB55F
memcpy.VCRUNTIME140(00000018,?,?), ref: 006BB58F

Strings

Shuffling %i addresses, xrefs: 006BB3B7
:%u, xrefs: 006BB53D

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64memcpy
String ID: :%u$Shuffling %i addresses
API String ID: 1622878224-338667637
Opcode ID: d3a81c746df2ed14f5f8ce857bc9fb58ff015b31ca5847e71ade5201a9b6d962
Instruction ID: 4809f3a8a9fbc05d4dd791a41e6ca1188e935ab319973500b1c454675d944f94
Opcode Fuzzy Hash: d3a81c746df2ed14f5f8ce857bc9fb58ff015b31ca5847e71ade5201a9b6d962
Instruction Fuzzy Hash: 31819DB19043059FCB20DF29D884BDABBEAFF88304F04496DE98587352E775E945CB92

Function 006B9F20 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 202fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,007000C0), ref: 006B9F82

Strings

%10s %512s %u %10s %512s %u "%64[^"]" %u %u, xrefs: 006BA027
#, xrefs: 006BA17E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: fopen
String ID: #$%10s %512s %u %10s %512s %u "%64[^"]" %u %u
API String ID: 1432627528-2127723014
Opcode ID: b683900e45a1dbf957bd2150fa060db19ecab0f91ffb72a00df4bc1421006a4e
Instruction ID: 49455afbacc91c4729964105c194a956b61836d89acce4069f53d81ce809a168
Opcode Fuzzy Hash: b683900e45a1dbf957bd2150fa060db19ecab0f91ffb72a00df4bc1421006a4e
Instruction Fuzzy Hash: FB6182F2904305ABD7509BA4DC41FEB77EEAF58314F04492DF58983242E635D688C7A7

Function 006F4330 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

#111.WS2_32 ref: 006F4405
memchr.VCRUNTIME140(00000000,0000000A,00000000,?,?,?,?,?), ref: 006F446D
memchr.VCRUNTIME140(00000000,0000000A,00000000,?,?), ref: 006F44F9

Strings

response reading failed (errno: %d), xrefs: 006F440C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchr$#111
String ID: response reading failed (errno: %d)
API String ID: 4263430975-1140215186
Opcode ID: 6f366e8908b6b6e75f10d1499ebde3681f8363e5a48e66a32d7eddc6efa18f85
Instruction ID: 931d5df2d318da4bc65c42a2f26795a8f67ee5ce321f8d0056a3890c5b190a1a
Opcode Fuzzy Hash: 6f366e8908b6b6e75f10d1499ebde3681f8363e5a48e66a32d7eddc6efa18f85
Instruction Fuzzy Hash: A151D3B1904304AFD761BF64DC42BBF77EEAF86714F00006DF94996202EB7999058BA7

Function 006E52E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 162stringCOMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?,?,?,006E5941,?), ref: 006E5333
strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(00000000,?,00000000), ref: 006E5362
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,006E5941,?), ref: 006E536D

Strings

%u.%u.%u.%u, xrefs: 006E5481

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errno$strtoul
String ID: %u.%u.%u.%u
API String ID: 2478088314-1542503432
Opcode ID: 0d216436a765165ba110451b1359865601b6e94124c7c9324c5ad2be96b05d43
Instruction ID: 2b647eb21e82e825ebbcfdb25c305382f872f889b5295e11bf7e02e55563dc56
Opcode Fuzzy Hash: 0d216436a765165ba110451b1359865601b6e94124c7c9324c5ad2be96b05d43
Instruction Fuzzy Hash: 6C510771509742ABD210EF1A985167BB3DBAFC5716F44082EF48A5B6C2D334AC4987E2

Function 006BC360 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 006BC442

Strings

Hostname in DNS cache does not have needed family, zapped, xrefs: 006BC4CC
Hostname in DNS cache was stale, zapped, xrefs: 006BC475
:%u, xrefs: 006BC3BB, 006BC405

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64
String ID: :%u$Hostname in DNS cache does not have needed family, zapped$Hostname in DNS cache was stale, zapped
API String ID: 1670930206-1335658360
Opcode ID: 45559f4839984418c0028a7079ceceaee06401d0bdd9abd61a50e1fdc7a91438
Instruction ID: 66d8643732bf61471bf212de0cff17f19255c4d5c4f59dbbfe3ffdf0fa2a5b28
Opcode Fuzzy Hash: 45559f4839984418c0028a7079ceceaee06401d0bdd9abd61a50e1fdc7a91438
Instruction Fuzzy Hash: 3341E3B2944305ABC725EF24CC51FE7BBEAAF49760F04066DF88887251E771EA44C7A1

Function 006E6F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

IdnToAscii.NORMALIZ(00000000,00000000,-00000001,?,000000FF,00000000), ref: 006E6FD0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006E6FD9
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006E7003

Strings

d#, xrefs: 006E6FD9, 006E7003

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free$Ascii
String ID: d#
API String ID: 3930554191-2011854123
Opcode ID: c4516ef44796c858b29e4cb98d6898e9ae64772800775155727db735327561eb
Instruction ID: f32ffc2118f927b7b676be44869c4940b782b414654b82a3d16c87cc9db5092a
Opcode Fuzzy Hash: c4516ef44796c858b29e4cb98d6898e9ae64772800775155727db735327561eb
Instruction Fuzzy Hash: 67213B769043404BDB209F29D445BFBB3B7AFC8710F48816EE9198F352D7369805C7A1

Function 006D4BC0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 93COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,?,set timeouts for state %d; Total % lld, retry %d maxtry %d,?,00000000,?,00000000,?,00000000,?,?,00000000,?,-000001F4,?,000003E8), ref: 006D4CAD

Strings

gfff, xrefs: 006D4C3F
set timeouts for state %d; Total % lld, retry %d maxtry %d, xrefs: 006D4C9E
Connection time-out, xrefs: 006D4BEC

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64
String ID: Connection time-out$gfff$set timeouts for state %d; Total % lld, retry %d maxtry %d
API String ID: 1670930206-2826722092
Opcode ID: 1268cf2061cb8350faa9fcbd4c530fa9b22a7edd2dc8bc89f713f80c69c730ac
Instruction ID: 97da967549b79d213ab636f261e8a1d7a30a1213dc65e8aae15bc73e4b6a3901
Opcode Fuzzy Hash: 1268cf2061cb8350faa9fcbd4c530fa9b22a7edd2dc8bc89f713f80c69c730ac
Instruction Fuzzy Hash: 8421F1B1A107085BE7205F55CC41B6776AAEB80300F000A3EF545CA3C1DFB6AC088B84

Function 00683870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,00000000,?,?,0068380F,00000000,00000000,00682F0C,?,?,?,00682F0C,00000000,00000001), ref: 0068388A

Part of subcall function 006835F0: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,006838E2,00000000,00682F0C,00000000,00000000,?,?,0068380F,00000000,00000000,00682F0C), ref: 00683606

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000000,00000000,?,?,0068380F,00000000,00000000,00682F0C,?,?,?,00682F0C,00000000,00000001), ref: 006838AA

Strings

invalid string position, xrefs: 00683885, 006838A5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xout_of_range@std@@
String ID: invalid string position
API String ID: 1960685668-1799206989
Opcode ID: c5be4a7de94d4fdda01822ee54d635606c911f1a6279704200187647a49c4e42
Instruction ID: bb146aea9c10d6699b30c2dcd56e30518b4938073b46f43e67128ab52b64cfee
Opcode Fuzzy Hash: c5be4a7de94d4fdda01822ee54d635606c911f1a6279704200187647a49c4e42
Instruction Fuzzy Hash: 4221D672304224DFDB24AF5CE840B6AF7AAEB91B51F00066FF5518B381D7F1AA40C7A5

Function 006BD190 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

#16.WS2_32(?,?,?,00000000), ref: 006BD1E1
#111.WS2_32 ref: 006BD1EE

Strings

recv(len=%zu) -> %d, err=%d, xrefs: 006BD20F, 006BD259, 006BD278
Recv failure: %s, xrefs: 006BD237

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: Recv failure: %s$recv(len=%zu) -> %d, err=%d
API String ID: 568940515-2495832097
Opcode ID: fa12868d4eb6338a62d108de79a2b8cc1bd614ea1406dcced8b520d3f9afec4b
Instruction ID: 7a6cd1db370dccaa12170de334aa64227377e12cec3981fe87b1c3ee3e826b4c
Opcode Fuzzy Hash: fa12868d4eb6338a62d108de79a2b8cc1bd614ea1406dcced8b520d3f9afec4b
Instruction Fuzzy Hash: B231E7B1504384AFD731AB54CC41FEBBBE9BF4D310F100519FA4996292E775AA90CBA2

Function 006E6D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 006CA690: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,\nn,000000FF,00000000,00000000,00000000,00000000,?,006E6E5C,?,?,?), ref: 006CA6A9
Part of subcall function 006CA690: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6B9
Part of subcall function 006CA690: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,\nn,000000FF,00000000,00000000), ref: 006CA6D4
Part of subcall function 006CA690: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6DF

IdnToAscii.NORMALIZ(00000000,00000000,-00000001,?,000000FF,00000000,?), ref: 006E6D71
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006E6D7A
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006E6DA4

Strings

d#, xrefs: 006E6D7A, 006E6DA4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: free$ByteCharMultiWide$Asciimalloc
String ID: d#
API String ID: 4178543518-2011854123
Opcode ID: 308dce5505fc4bd62e64c74bd750e37da433eb218e881abba8b5dd0b68b324ed
Instruction ID: 68da8a7ddd73d02711ffb546b33f318f5a9547def84edf8f65dc94509a62b9a1
Opcode Fuzzy Hash: 308dce5505fc4bd62e64c74bd750e37da433eb218e881abba8b5dd0b68b324ed
Instruction Fuzzy Hash: 18210176A003045BD7305B69DC197FFB3E9AFC8710F88452EF9198B352DB359500C696

Function 006A1BA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59stringwindowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000100,00000100,00000000,?,Unknown error), ref: 006A1BEC
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,?), ref: 006A1C00
strchr.VCRUNTIME140(?,0000000A), ref: 006A1C1A

Strings

Unknown error, xrefs: 006A1BB4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: FormatMessagestrchrwcstombs
String ID: Unknown error
API String ID: 4171340688-83687255
Opcode ID: f4693c8aa73d7464692ca56fbf8b421c3e7409149ea9cc13257b569373a0b470
Instruction ID: 96b9c3649334c3fdce7e8a784c7306f3397d80082511017ef14595bbecbdf11f
Opcode Fuzzy Hash: f4693c8aa73d7464692ca56fbf8b421c3e7409149ea9cc13257b569373a0b470
Instruction Fuzzy Hash: 79110830288380AEE731AB248C09BEAB7DD6F47710F04091EE491CB292D7789C44C767

Function 006A7A80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32( #,00092320,?,?,00092320), ref: 006A7A93
__alldvrm.LIBCMT ref: 006A7AAD
GetTickCount.KERNEL32 ref: 006A7AF1

Strings

#, xrefs: 006A7A8E, 006A7A92

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CountCounterPerformanceQueryTick__alldvrm
String ID: #
API String ID: 20263764-7950391
Opcode ID: 1dcd5eadcd1705c9109a74d1c46f19227a0d112772e6cba48b0939e827df661f
Instruction ID: 9819fad8dada1b0ffd9f23f33e4dfd657b493740464ef241efbb349e5a11b361
Opcode Fuzzy Hash: 1dcd5eadcd1705c9109a74d1c46f19227a0d112772e6cba48b0939e827df661f
Instruction Fuzzy Hash: 1611C671604309AFC784DF68ED4162A7BE5FB88300F54C46DF508C72A1EE36E908CB5A

Function 00699580 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,F74E5D36,?,00698906,?,?,?,?,F74E5D36,?,?,?,00000000,006FA2E8), ref: 006995CC
memmove.VCRUNTIME140(zqi,?,00000000,zqi,?,?,F74E5D36,?,00698906,?,?,?,?,F74E5D36,?,?), ref: 006995FC

Strings

zqi, xrefs: 006995D2, 006995FA
vector<T> too long, xrefs: 006995C7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@memmove
String ID: vector<T> too long$zqi
API String ID: 1146228739-1064868893
Opcode ID: a73c8476d849cbd785e2d31eaae7a0bd1c4ab3964b3a591d64daf11c18db0440
Instruction ID: 20be6cc325e22662589593e86344ed9629fb20bac6906e345c609b39b70bf8cb
Opcode Fuzzy Hash: a73c8476d849cbd785e2d31eaae7a0bd1c4ab3964b3a591d64daf11c18db0440
Instruction Fuzzy Hash: 641129B2901212EFDB00CF5DD984B56FBA9FF48314F15821AE918DB794D771A820CBE0

Function 006EC5E0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 006EC1E0: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,?), ref: 006EC20E
Part of subcall function 006EC1E0: GetProcAddress.KERNEL32(00000000), ref: 006EC215

Part of subcall function 006B8F10: GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,006EC60D,security.dll,00000004,00000000,00000000,00000002,00000002,006B9166), ref: 006B8F1A

GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 006EC61F

Strings

InitSecurityInterfaceA, xrefs: 006EC619
secur32.dll, xrefs: 006EC5FA
security.dll, xrefs: 006EC5FF, 006EC607

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: 0531377613b0da3ebaea32389f13099228f013a928315a9d763a35a8da6c94c9
Instruction ID: ddacb5816b9220cfc02ddc965d55fa09d2b658c993e5a027450936b3983706c3
Opcode Fuzzy Hash: 0531377613b0da3ebaea32389f13099228f013a928315a9d763a35a8da6c94c9
Instruction Fuzzy Hash: 3FF0A7B03417019EEFA8677D4C1B7A722D657C0700F94A17C7909D62C6EF78C801C60D

Function 00691900 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

#21.WS2_32(00000000,0000FFFF,00000080,?,00000004,00000000,/h), ref: 00691933
#22.WS2_32(00000000,00000002), ref: 0069193C
#3.WS2_32(00000000), ref: 00691943

Strings

/h, xrefs: 00691910

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: /h
API String ID: 0-3618610708
Opcode ID: 3e943d417e630c8318a18b88a252154254a93d7aaf79c48e7500695c8a3177bd
Instruction ID: 4b5e46e262dc93fdfee6bcd5a5c951232c77e10792b930993375f7741afa8472
Opcode Fuzzy Hash: 3e943d417e630c8318a18b88a252154254a93d7aaf79c48e7500695c8a3177bd
Instruction Fuzzy Hash: 79F09031600108ABE7109F68DD45ABDB7FDEB46720F500369F550A72D0DBB059058795

Function 0068F330 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 34windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0068F342
SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0068F35C

Part of subcall function 00691EB0: #1511.MFC140U(00000010), ref: 00691EBA

Strings

8.134.97.62, xrefs: 0068F37C
8.134.116.215, xrefs: 0068F38C

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: MessageSend$#1511
String ID: 8.134.116.215$8.134.97.62
API String ID: 4088099771-1512378642
Opcode ID: f91fd320413e75711703139705d64a9e06f1c9567929fcdddc09103a3cb69c9d
Instruction ID: d6d816f56678bebaf91433f0db8add77ebab9490c4da248d1c62406252cca112
Opcode Fuzzy Hash: f91fd320413e75711703139705d64a9e06f1c9567929fcdddc09103a3cb69c9d
Instruction Fuzzy Hash: B0F01271290702DBEB286B28EC5AB9576E2E780741F309339E504896E0DFB85450DB9D

Function 006ED980 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,00000000,?,?,?,?,?,?,?,?,006CE1EC,?,?,?), ref: 006ED99E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,006CE1EC,?), ref: 006ED9BE

Strings

%s/%s, xrefs: 006ED98A
d#, xrefs: 006ED9BE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _strdupfree
String ID: %s/%s$d#
API String ID: 1865132094-2074973838
Opcode ID: a8e8dfd7b94b4e4c89c83342aebf4f169d8579257faf171a97a4713f58322c12
Instruction ID: e0e0893372d1d5c6140e96bb89624d67472a201df9d9d7327422a3b43bf91e76
Opcode Fuzzy Hash: a8e8dfd7b94b4e4c89c83342aebf4f169d8579257faf171a97a4713f58322c12
Instruction Fuzzy Hash: A1E02B3390122057C7102BBEBC088DF7EA59FC5762B0D0439F904C2211D729881187F2

Function 006D2AF0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

#19.WS2_32(?,?,00000003,00000000,00000408,00000000,006D21FC,?,000000FD,00000000), ref: 006D2B1D
#111.WS2_32 ref: 006D2B27

Strings

Sending data failed (%d), xrefs: 006D2B2E
SENT, xrefs: 006D2B41

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: SENT$Sending data failed (%d)
API String ID: 568940515-3459338696
Opcode ID: cff6759ff0ca5009ac208149a7c328383903d861629aaa96c6b81fe1cf19ba3c
Instruction ID: 2170fd3342b0cf81e154c6aa8182bb3ee9368526d828121a9ae986ab1e575500
Opcode Fuzzy Hash: cff6759ff0ca5009ac208149a7c328383903d861629aaa96c6b81fe1cf19ba3c
Instruction Fuzzy Hash: 8BF0B4B2609341EFC302DF94DC51E6BBBEAAF99310F04494CF29587193D3219618C7A7

Function 006E5290 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 28COMMON

Download Yara Rule

Strings

/:#?!@{}[]\$'"^`*<>=;,+&()%, xrefs: 006E52B9
eNn, xrefs: 006E5291, 006E52AB, 006E52A9
2-, xrefs: 006E52BF

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: /:#?!@{}[]\$'"^`*<>=;,+&()%$2-$eNn
API String ID: 0-1878802609
Opcode ID: fd15ae792a7802d135a89a787b4300866b10ba216100c5caee7483bdf66bad2a
Instruction ID: ec54ba01f21452ce1c29e96874082d5f4d372231dc33e9ed9b7a68618bbe1ebf
Opcode Fuzzy Hash: fd15ae792a7802d135a89a787b4300866b10ba216100c5caee7483bdf66bad2a
Instruction Fuzzy Hash: 7AE0DF71A09BA06FDF54A62CBC016DB37C69BC0325F4A4869F859DB291E320DD9086E1

Function 006C65F0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(?,0000000A,?), ref: 006C6633

Strings

Invalid status line, xrefs: 006C6828
RTSP/, xrefs: 006C66BE
Received HTTP/0.9 when not allowed, xrefs: 006C680D

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchr
String ID: Invalid status line$RTSP/$Received HTTP/0.9 when not allowed
API String ID: 3297308162-903287913
Opcode ID: b26e2e5e55151d55e30660a8875790821f06001724229828e0acf7a7f14aaa28
Instruction ID: d97d6064715597fb82275d2212ff416a01ec34644da22fe49537442890a1686c
Opcode Fuzzy Hash: b26e2e5e55151d55e30660a8875790821f06001724229828e0acf7a7f14aaa28
Instruction Fuzzy Hash: B351D8B1A083016FE701AA24DC45FFBB7DAEF56318F04056CF84492242E765ED598BBB

Function 00694D90 Relevance: 6.2, APIs: 4, Instructions: 188COMMON

Download Yara Rule

APIs

?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000005,?,?,?,006943C4,?,?,00000000,?,?,00693FBA,00000000,F74E5D36,?,?), ref: 00694FA1
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000006,?,?,?,006943C4,?,?,00000000,?,?,00693FBA,00000000,F74E5D36,?,?), ref: 00694FA9
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000004,?,?,?,006943C4,?,?,00000000,?,?,00693FBA,00000000,F74E5D36,?,?), ref: 00694FB1
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000A,?,?,?,006943C4,?,?,00000000,?,?,00693FBA,00000000,F74E5D36,?,?), ref: 00694FB9

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: W4error_type@regex_constants@1@@Xregex_error@std@@
String ID:
API String ID: 61775176-0
Opcode ID: 02903ff9d8e0813229e7fa15631c69db240f5cf76bf3519b1368c19e7d4d66dd
Instruction ID: 638c103e705cbb1c244185cfea7bdebb6a535bca53e8de00433fc11194eed256
Opcode Fuzzy Hash: 02903ff9d8e0813229e7fa15631c69db240f5cf76bf3519b1368c19e7d4d66dd
Instruction Fuzzy Hash: DA519D30600A114BDE39AB25C496FBA339F6F95715F64080DE2838BFE1CF559C878786

Function 006D17C0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,0123456789abcdef,00000000,00000000), ref: 006D1830
strchr.VCRUNTIME140 ref: 006D184A

Part of subcall function 006D1710: strchr.VCRUNTIME140(0123456789,00000001,00000000,?,00000001,?,00000000,006D170C,?,?,006BB650), ref: 006D173C

Strings

0123456789abcdef, xrefs: 006D1822, 006D1828
0123456789ABCDEF, xrefs: 006D183D, 006D1842

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 2830005266-885041942
Opcode ID: 56acfe38faa6a9ffcf1da94b2ddc72975dc0742ab9c9642e15a02288b5ac8cef
Instruction ID: a55149553994596bc4b080d16dcdcdab0aae9d56053f13dd41fe5990ebbc2fb2
Opcode Fuzzy Hash: 56acfe38faa6a9ffcf1da94b2ddc72975dc0742ab9c9642e15a02288b5ac8cef
Instruction Fuzzy Hash: 8E51C271E083459BC714CF29C4A05AEB7E6AF9A344F445A2EF4C99F301E7B0E989C752

Function 00699620 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(?,?,?,?,?,?,?,?,?), ref: 006996CE
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 006996FD
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000000,?,?,?,?,?,?,?,?), ref: 00699720
?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(00000000,?,?,?,?,?,?,?,?), ref: 00699740

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: W4error_type@regex_constants@1@@Xregex_error@std@@
String ID:
API String ID: 61775176-0
Opcode ID: dea7ac8cad8f8fdbe964d9a878a32d67cf3ed8a52692877e90edbf4840448baf
Instruction ID: c2840dace64723688244132b089bc3215cf76befd466b459ae5a40c27b38c80d
Opcode Fuzzy Hash: dea7ac8cad8f8fdbe964d9a878a32d67cf3ed8a52692877e90edbf4840448baf
Instruction Fuzzy Hash: DC41DE356042009FEF308F1CC881BBA77BFAB55354F60481EF5868BA91DA759C81CBB1

Function 006B8DA0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000003F), ref: 006B8E55

Strings

%.*s, xrefs: 006B8E65
Proxy-, xrefs: 006B8ECA, 006B8ED2
%sAuthorization: Digest %s, xrefs: 006B8ED3

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: %.*s$%sAuthorization: Digest %s$Proxy-
API String ID: 2830005266-541442569
Opcode ID: d17b099ecdf2597b48c71ce6824c24e0cb9a14f35aa87a374e9362719d652fbb
Instruction ID: 45d3724f120b56f72b8accab4cb75be246a8d84dab96fcbf12cc5d35a53e8fc2
Opcode Fuzzy Hash: d17b099ecdf2597b48c71ce6824c24e0cb9a14f35aa87a374e9362719d652fbb
Instruction Fuzzy Hash: DE4190716043459FE7009F68DC80BAB77EAEF88305F440579FA44C7252EB76E9498BA2

Function 006F7320 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 97stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,0070A858,00000002,?,?,?,00000000,006F084D,00000000,00000001,?,?), ref: 006F7375
memchr.VCRUNTIME140(?,0000002E,0000002E), ref: 006F7393
memchr.VCRUNTIME140(006F084D,0000002E,-00000001), ref: 006F73B9

Strings

<-, xrefs: 006F7375

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memchr$strncmp
String ID: <-
API String ID: 952964621-2345019309
Opcode ID: 82ba91ded864e5a1187561b6e74cf876363bbb22d213274af0a83930f5da79c3
Instruction ID: a69a6e091d070ed4a3113542f8dc1f2b066f59fa4e360801aecc5904603cac18
Opcode Fuzzy Hash: 82ba91ded864e5a1187561b6e74cf876363bbb22d213274af0a83930f5da79c3
Instruction Fuzzy Hash: D6213DA3A4834D37DB309A68AD8ABFB7BCECB81355F0404AEFE0553143D6668C5DD261

Function 006C3C50 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 76stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(8wl,0000000D,00000012,chunked,00000007), ref: 006C3C90
strchr.VCRUNTIME140(8wl,0000000A,?,?,00000012,chunked,00000007), ref: 006C3CA1
strchr.VCRUNTIME140(8wl,00000000,?,?,?,?,00000012,chunked,00000007), ref: 006C3CB1

Strings

8wl, xrefs: 006C3C53, 006C3C5C, 006C3C8F, 006C3CA0, 006C3CB0, 006C3CD2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strchr
String ID: 8wl
API String ID: 2830005266-4047744888
Opcode ID: 6878b6811dbce9e77cce5b6fa833ee7345d163e895554c5662537321fb90c2e5
Instruction ID: 6a2b8822066fee1320c9118b2c2dad9d1c87dd0409f62efdc698ebc41c676029
Opcode Fuzzy Hash: 6878b6811dbce9e77cce5b6fa833ee7345d163e895554c5662537321fb90c2e5
Instruction Fuzzy Hash: E311E72310022126DA115A586D42FFE678FDBD63A9F09442DF98477306E6129B4743AA

Function 006915E0 Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

#21.WS2_32(?,0000FFFF,00007010,00000000,00000000), ref: 006915F6
#266.MFC140U(?,?,?,?,00000001,00000000,00000000,?,0000FFFF,00007010,00000000,00000000), ref: 00691628
#265.MFC140U(00000004), ref: 00691639

Part of subcall function 00691870: #266.MFC140U(?,?,?), ref: 0069188A
Part of subcall function 00691870: #21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D0
Part of subcall function 00691870: #22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D9
Part of subcall function 00691870: #3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 006918E0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #266$#265
String ID:
API String ID: 4253771692-0
Opcode ID: ba4507d1daef0491ebc49a873ea935dfd4ffad0c29cbf2dae2fb5e3d666d769b
Instruction ID: c26970a2435a9323c0aa083a4e8d8198a2d54f751d4431c8f3fc71e42b01560c
Opcode Fuzzy Hash: ba4507d1daef0491ebc49a873ea935dfd4ffad0c29cbf2dae2fb5e3d666d769b
Instruction Fuzzy Hash: 4811E971640302BBEF201F45DC49B6A7BAAAF46720F244139F20659AD0C7B16495DB59

Function 006912E0 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

#266.MFC140U(?), ref: 006912FE

Part of subcall function 0069CC5E: #1513.MFC140U(?,?,0069B7E0,?,00000001), ref: 0069CC64

#21.WS2_32(?,0000FFFF,00000080,00000000,00000004), ref: 00691339
#22.WS2_32(?,00000002), ref: 00691342
#3.WS2_32(?), ref: 00691349

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1513#266
String ID:
API String ID: 337662018-0
Opcode ID: 5fd09b1e40f4d950301fdf105e12bb5d63eb529a6a218799ac3d8139ed59fd78
Instruction ID: 7a08c977d0e8445c3348d4cc25577eecdd3091669c6b852e79265ee8325786d0
Opcode Fuzzy Hash: 5fd09b1e40f4d950301fdf105e12bb5d63eb529a6a218799ac3d8139ed59fd78
Instruction Fuzzy Hash: 0F01D631600308BBEB205F64DD4AFBE7BBDEB49710F108119FA455A6D1D7B06904DB61

Function 00691870 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

#266.MFC140U(?,?,?), ref: 0069188A

Part of subcall function 0069CC5E: #1513.MFC140U(?,?,0069B7E0,?,00000001), ref: 0069CC64

#21.WS2_32(?,0000FFFF,00000080,?,00000004,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D0
#22.WS2_32(?,00000002,?,?,00000003,00000000,00000000,?,?,?), ref: 006918D9
#3.WS2_32(?,?,?,00000003,00000000,00000000,?,?,?), ref: 006918E0

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1513#266
String ID:
API String ID: 337662018-0
Opcode ID: 9d5c638d81fcae2ea43ed8b666d3057aa6bead2b48e2cfa9aaac4b13695005f1
Instruction ID: f4af8a10df207f74687a5c9a7584a74936a1f693242a44885d50bce18f898e38
Opcode Fuzzy Hash: 9d5c638d81fcae2ea43ed8b666d3057aa6bead2b48e2cfa9aaac4b13695005f1
Instruction Fuzzy Hash: 3A01FC31501215BFD7206F54DD06FADBBBDEF06720F104229FA51672D0DBB02A15DB99

Function 00683360 Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00683383
TranslateMessage.USER32(?), ref: 006833A1
DispatchMessageW.USER32(?), ref: 006833A7
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006833B5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: ec860e3a1f11be1acd91ac598feb3e389480c3fae97a39ebc86bd1bbf4cc184d
Instruction ID: 6a8cf397d9e34856ea9b50e3573fcbc489615b94abda3cae17a9f5dfd79ac92d
Opcode Fuzzy Hash: ec860e3a1f11be1acd91ac598feb3e389480c3fae97a39ebc86bd1bbf4cc184d
Instruction Fuzzy Hash: 0A011731B4121DA7DF10EBA5DD41FFDB7ADAB48B00F550155E600FB1D0DB64EA058B64

Function 0068F600 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068F619
#5813.MFC140U(00000000), ref: 0068F637
PostMessageA.USER32(00000000,0000276F,00000001,00000001), ref: 0068F64B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0068F65F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Message$Send$#5813Post
String ID:
API String ID: 4025728936-0
Opcode ID: 987ea735508f85fff5f73d9316047bbb74bcb4f973a115f46073eff31c3f57e9
Instruction ID: a04216bac4ffab4ebbdf3147ea9391ce77518a9c4eb396914f51f490a971ea98
Opcode Fuzzy Hash: 987ea735508f85fff5f73d9316047bbb74bcb4f973a115f46073eff31c3f57e9
Instruction Fuzzy Hash: 8BF0B432740321BBD7306B59DC85FD67BAAAB48750F015161F304EB1F0D7909840C798

Function 006BF9A5 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 278COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 006BFC9B

Strings

0123456789abcdefghijklmnopqrstuvwxyz, xrefs: 006BFA6C
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 006BFA67

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$0123456789abcdefghijklmnopqrstuvwxyz
API String ID: 1302938615-2201779707
Opcode ID: 8ac425cac513b6725ca60145743dddde22d5a5a0f404c8bbd9d147c2cc3b4d61
Instruction ID: 91767b54cecb06d93fdc52b153dd10ae0cf7adbe5aa26f6db1d7160aaaacd928
Opcode Fuzzy Hash: 8ac425cac513b6725ca60145743dddde22d5a5a0f404c8bbd9d147c2cc3b4d61
Instruction Fuzzy Hash: BEA16DB06083459BE724DF199854BEBBAE6FF84344F04093DF98986361E774D985CB82

Function 006BA5C0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 006BA5E0

Strings

includesubdomains, xrefs: 006BA6AC
max-age=, xrefs: 006BA617

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64
String ID: includesubdomains$max-age=
API String ID: 1670930206-1235841791
Opcode ID: ab220b81759de65e245d1fbf185a4e623fb2157d2d4e7495f00f81ba8bfde3b1
Instruction ID: dd059797ad06d010b34c691e91e23a1a50709314c9dc86b046335844b22457b5
Opcode Fuzzy Hash: ab220b81759de65e245d1fbf185a4e623fb2157d2d4e7495f00f81ba8bfde3b1
Instruction Fuzzy Hash: 3A6159F55083405BDA208EA8AD017EB7BE79F56360F1C0569ECD057383E616D8CAC7A3

Function 006D0340 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

SSL/TLS connection timeout, xrefs: 006D04CC
select/poll on SSL/TLS socket, errno: %d, xrefs: 006D04A6

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: SSL/TLS connection timeout$select/poll on SSL/TLS socket, errno: %d
API String ID: 0-3791222319
Opcode ID: 90a1c69359ca2db381192d55894bc90f99536343b3b211f755ed22f7a8b2b359
Instruction ID: f036262ae4c515b2e754623a928c55779382f0b8325aa9a19ebad4f0e038dfb6
Opcode Fuzzy Hash: 90a1c69359ca2db381192d55894bc90f99536343b3b211f755ed22f7a8b2b359
Instruction Fuzzy Hash: 6A414575E00341DFE7609A29AD45FAB77EAEBC1329F54092EFA4486342E221E908C765

Function 00695230 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

#1513.MFC140U(0069553D,00000000,?,?,?,0069553D,-00000010,00000000,00000000,?,?,00000000,-00000010,?,00000000,F74E5D36), ref: 0069524E
?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long,?,00000000,-00000010,?,00000000,F74E5D36,?,F74E5D36,?,00000000), ref: 0069525C

Strings

map/set<T> too long, xrefs: 00695257

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1513Xlength_error@std@@
String ID: map/set<T> too long
API String ID: 8514700-1285458680
Opcode ID: d505fcce72d4237170e205a9c6d560748c339c81a3d109849eb74ec53e43e8f8
Instruction ID: 51bc28a520c56fccf5f52aeb24088a490162d56ad718ddd55c7213d4e130fb6d
Opcode Fuzzy Hash: d505fcce72d4237170e205a9c6d560748c339c81a3d109849eb74ec53e43e8f8
Instruction Fuzzy Hash: 0261E270604A41CFCB16CF19C188A55FBE6BF49324B29C099E84E8B762D775EC82CF90

Function 006D3AA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

#2.WS2_32(?,00000030,?), ref: 006D3BCD
#111.WS2_32(?,00000100), ref: 006D3BE1

Strings

bind() failed; %s, xrefs: 006D3BEE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: bind() failed; %s
API String ID: 568940515-1141498939
Opcode ID: de40cad61a94d1f2c411b671de24d66dfef0af3129958b6385679d542dc86559
Instruction ID: b9cb000821935800be3a07cfd060c74d3f865d3a16b60d2ebb1ca52f02f53950
Opcode Fuzzy Hash: de40cad61a94d1f2c411b671de24d66dfef0af3129958b6385679d542dc86559
Instruction Fuzzy Hash: CD51C2B0A103459FD720DF28DC45BEABBE5AF05304F04452EF94A9B391E374EA44CB92

Function 006BA250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,7FFFFFFF,00000000,00000000,0000002E), ref: 006BA284
memcpy.VCRUNTIME140(?,?,?), ref: 006BA2C4

Strings

., xrefs: 006BA352

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _time64memcpy
String ID: .
API String ID: 1622878224-248832578
Opcode ID: 6c9f6d99b9f475abd12de4230047e098e5ed2c38ae153c341abd33290407087b
Instruction ID: 3f6a60cd9ca536af305d35c29240e75ba98ab8b5d0a2b745598a5dd22a67d8cb
Opcode Fuzzy Hash: 6c9f6d99b9f475abd12de4230047e098e5ed2c38ae153c341abd33290407087b
Instruction Fuzzy Hash: 824118B55043409BD721DF64C845BEBBBEAAF85300F08452DE885C3742E375D989C793

Function 006D38A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

#2.WS2_32(?,00000030,?), ref: 006D39D4
#111.WS2_32(?,00000100), ref: 006D39E8

Strings

bind() failed; %s, xrefs: 006D39F5

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #111
String ID: bind() failed; %s
API String ID: 568940515-1141498939
Opcode ID: 62cd7fd4e93d4608ea86505ffc7cd7831d95c25ed2441c9aa8ddf9b68908710a
Instruction ID: f30d0df55082d3cac9302f4f89c0f746590ceecd558da62297035326ab04e3ee
Opcode Fuzzy Hash: 62cd7fd4e93d4608ea86505ffc7cd7831d95c25ed2441c9aa8ddf9b68908710a
Instruction Fuzzy Hash: 9441C0B0A047019FD7209F29DC85BD6BBE5BF05700F04452EF59A8B392E775E944CBA2

Function 00693010 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,?,?,?,?,00693AE1,http://,00000007,F74E5D36,?), ref: 0069308D
memcpy.VCRUNTIME140(?,00000001,?,?,00000000,?,?,?,?,00693AE1,http://,00000007,F74E5D36,?), ref: 006930C0

Part of subcall function 00693100: ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,00000001,?,?,?,0069306F,?,00000001,?,?,?,?,00693AE1,http://,00000007,F74E5D36), ref: 0069311A
Part of subcall function 00693100: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(string too long,00000001,?,?,?,0069306F,?,00000001,?,?,?,?,00693AE1,http://,00000007,F74E5D36), ref: 0069313E
Part of subcall function 00693100: memcpy.VCRUNTIME140(?,?,F74E5D36,?,00000000,00000001,?,?,?,0069306F,?,00000001,?,?,?), ref: 0069317E

Strings

string too long, xrefs: 00693088

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@memcpy$Xout_of_range@std@@
String ID: string too long
API String ID: 433638341-2556327735
Opcode ID: ae47676c189c27d47a4dc6e147c06b552eaeb36868551d1fc7ed265739da5cf3
Instruction ID: 29a5fe842154cdd4844bfddfe6b586b1a643e88cda40765584af463e41dd1402
Opcode Fuzzy Hash: ae47676c189c27d47a4dc6e147c06b552eaeb36868551d1fc7ed265739da5cf3
Instruction Fuzzy Hash: E931E5323002209BDF349E5CE8849AAF7AFEF81750710452EF596CBB91CB72DA45C794

Function 006D67B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strcspn.API-MS-WIN-CRT-STRING-L1-1-0(?,() {%*]\",?,00000000,00000000,?,?,?,?,00000000), ref: 006D67D6

Strings

2-, xrefs: 006D67D6
() {%*]\", xrefs: 006D67CE

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: strcspn
String ID: () {%*]\"$2-
API String ID: 2841400061-2557649146
Opcode ID: 5a216b6f5f123c96c2d353d81d37e1705f29dc0fe5ff1a70b6009851dd1c1887
Instruction ID: bf64de9371682021284ac514d9695211d9bfead13c14da25d73f0bec0cd9e606
Opcode Fuzzy Hash: 5a216b6f5f123c96c2d353d81d37e1705f29dc0fe5ff1a70b6009851dd1c1887
Instruction Fuzzy Hash: E3213872D443042ADA106A64EC05BE6778B9F11754F48047BFDC8E3392F226E90A96E6

Function 006E6E30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 006CA690: MultiByteToWideChar.KERNEL32(0000FDE9,00000008,\nn,000000FF,00000000,00000000,00000000,00000000,?,006E6E5C,?,?,?), ref: 006CA6A9
Part of subcall function 006CA690: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6B9
Part of subcall function 006CA690: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,\nn,000000FF,00000000,00000000), ref: 006CA6D4
Part of subcall function 006CA690: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006CA6DF

IdnToUnicode.NORMALIZ(00000000,00000000,-00000001,?,000000FF,00000000,?), ref: 006E6E90
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 006E6EB7

Strings

d#, xrefs: 006E6EB7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWidefree$Unicodemalloc
String ID: d#
API String ID: 3874135925-2011854123
Opcode ID: 23a9c0a90e144092e6545d2c3370462842039161952cb5043910a2a04fcf6f63
Instruction ID: bedbf1d6c818397edd81a80e1ae3616f959d74524e2b5874ae58c3fd46e99f87
Opcode Fuzzy Hash: 23a9c0a90e144092e6545d2c3370462842039161952cb5043910a2a04fcf6f63
Instruction Fuzzy Hash: 5921F0766043405BD724DB79D8567FF73EAEFC8310F44803EE51AC7282DA359905C696

Function 006D9B00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 006D9BAD
strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(0000000A,00000000,0000000A,?,?,00000000), ref: 006D9BBB

Strings

z-, xrefs: 006D9BBB

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpystrtol
String ID: z-
API String ID: 3451350234-4291942111
Opcode ID: c0000705c62f18acda36bde023528a6cafb561fcb408d8c711f2b6916e0de6b6
Instruction ID: fc1825decb7cfed4fbb673dc7597c679ea1d1978fd5b41c0887f4377912a2217
Opcode Fuzzy Hash: c0000705c62f18acda36bde023528a6cafb561fcb408d8c711f2b6916e0de6b6
Instruction Fuzzy Hash: 4F213AB59042011ECB10DF38E4A67EBB7EBEB9A310F95884FE0858B311D6319486C726

Function 0069A330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84COMMON

Download Yara Rule

APIs

?tolower@?$ctype@D@std@@QBEDD@Z.MSVCP140(00000000,F74E5D36,alnum,00000000,00000000,?,?,00000000,?), ref: 0069A3AA
?tolower@?$ctype@D@std@@QBEDD@Z.MSVCP140(?), ref: 0069A402

Part of subcall function 00693740: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,F74E5D36,?,?,?,000000FF,?,00696405,F74E5D36,F74E5D36,?,F74E5D36,?,?), ref: 00693772
Part of subcall function 00693740: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 0069378D
Part of subcall function 00693740: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 006937B1
Part of subcall function 00693740: ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,00000000,?,00696405,F74E5D36,F74E5D36), ref: 006937D2
Part of subcall function 00693740: _CxxThrowException.VCRUNTIME140(0070DA54,0071084C), ref: 006937FF
Part of subcall function 00693740: std::_Facet_Register.LIBCPMT ref: 00693815
Part of subcall function 00693740: ??1_Lockit@std@@QAE@XZ.MSVCP140(?,00696405,F74E5D36,F74E5D36), ref: 00693820

Strings

alnum, xrefs: 0069A346

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: D@std@@$?tolower@?$ctype@Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionFacet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
String ID: alnum
API String ID: 1228821664-813864743
Opcode ID: 5ddb2a4b0f26a3c5f70a4a4cad18311aaaa26f1a51305d53d951f1dafc9d4024
Instruction ID: 459d5f0d6261afb708a974ca4ad4a8878834d374b3a8359e7b701dcb1827206c
Opcode Fuzzy Hash: 5ddb2a4b0f26a3c5f70a4a4cad18311aaaa26f1a51305d53d951f1dafc9d4024
Instruction Fuzzy Hash: C1317C74A01204DFDB14DFA4C549BAEBBFAEF45710F10856DE4269BB90DB30A904CB90

Function 006BCB40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

#3.WS2_32(?), ref: 006BCBEC

Strings

cf_socket_close(%d), xrefs: 006BCB66
destroy, xrefs: 006BCC2E

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID:
String ID: cf_socket_close(%d)$destroy
API String ID: 0-1402715136
Opcode ID: 48ffaaaaeb351af35de7b2f26076a32c63fb92bfa88ab26d448a9791a15c3a1f
Instruction ID: 7fea2df90624ce07cffe90a259b45cd895db1622cb17fc90ed3c0208265767d8
Opcode Fuzzy Hash: 48ffaaaaeb351af35de7b2f26076a32c63fb92bfa88ab26d448a9791a15c3a1f
Instruction Fuzzy Hash: 9D31AEB0600741AFD3209B29C885FE7B7AABF16324F148A4DF46D57292D770B9948BA4

Function 006CEDE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73encryptionCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006CEE41
CertCloseStore.CRYPT32(?,00000000), ref: 006CEE5B

Strings

d#, xrefs: 006CEE41

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCloseStorefree
String ID: d#
API String ID: 2727206334-2011854123
Opcode ID: 29301930fc5a4b69928e047826e5da7f34467d27fbe83106492286d0e5678bbc
Instruction ID: 779ced16d803c8129eb5c90f70fafe8ec421168f85447225f9b4dce516fa9ab5
Opcode Fuzzy Hash: 29301930fc5a4b69928e047826e5da7f34467d27fbe83106492286d0e5678bbc
Instruction Fuzzy Hash: EB2104B06007009FEB208F29D948B57B7F9BF48704F04892CE89A876A1D77AF954CB95

Function 006835F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,?,00000000,?,006838E2,00000000,00682F0C,00000000,00000000,?,?,0068380F,00000000,00000000,00682F0C), ref: 00683606

Strings

invalid string position, xrefs: 00683601

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xout_of_range@std@@
String ID: invalid string position
API String ID: 1960685668-1799206989
Opcode ID: fdae328ae6dc26843b40f5f472468a84468f6928dd4d0ac148cb1ba5f721ff7f
Instruction ID: 2fc2b3c28a5da16a76df0bca0d6425fd627aa3281091b05bc1e60edb44ff23f6
Opcode Fuzzy Hash: fdae328ae6dc26843b40f5f472468a84468f6928dd4d0ac148cb1ba5f721ff7f
Instruction Fuzzy Hash: EB1104323002609FC330AE5CE840A96FBEAEB95B11F10467FE581CB351E7B1D984C7A4

Function 006B37F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63stringCOMMON

Download Yara Rule

APIs

strtoul.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,0000000A,?,?,?,?), ref: 006B3840
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?), ref: 006B386A

Strings

Invalid zoneid: %s; %s, xrefs: 006B3886

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: _errnostrtoul
String ID: Invalid zoneid: %s; %s
API String ID: 660391088-3603716281
Opcode ID: b37f77d19ede62a98d624e11a84f15489d2e15f932d0cf06654da2597570e62b
Instruction ID: 15a7105655676b70ae84fc7e68ce7aa89da12179be3bac4004a8548489fb9352
Opcode Fuzzy Hash: b37f77d19ede62a98d624e11a84f15489d2e15f932d0cf06654da2597570e62b
Instruction Fuzzy Hash: 051172B1A04201AFDB24DF64DC46BEA77E6AF95300F04491DF645C62A2E770A984CB97

Function 006D7770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 006D77A2

Strings

%s %s, xrefs: 006D77CF
%c%03d, xrefs: 006D77B4

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: __allrem
String ID: %c%03d$%s %s
API String ID: 2933888876-883683383
Opcode ID: d8625562e786ed2f06822a45034a496be92710228eef50591560aa78edd0a385
Instruction ID: 1a32dc7acfbe5ddd56b1581b996b9ef0c491ffb0d5679bed81220c728c6bf595
Opcode Fuzzy Hash: d8625562e786ed2f06822a45034a496be92710228eef50591560aa78edd0a385
Instruction Fuzzy Hash: F001F7F3A011057FD680BB619C42FA7B75EEF55314F040054FA0992153E621F9228BE9

Function 0069ACF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,0069AA6D,?,?,?,?,?), ref: 0069AD28
memmove.VCRUNTIME140(?,?,?,?,0069AA6D,?,?,?,?,?), ref: 0069AD4E

Strings

vector<T> too long, xrefs: 0069AD23

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@memmove
String ID: vector<T> too long
API String ID: 1146228739-3788999226
Opcode ID: f99feaa254d7977de01efd1d9efe47a64942d2fd0d34d56d022bcedf840003ae
Instruction ID: 4684940f0a075bb0009cdd121f282af7819cd9c5091948b18631494e4fb0a062
Opcode Fuzzy Hash: f99feaa254d7977de01efd1d9efe47a64942d2fd0d34d56d022bcedf840003ae
Instruction Fuzzy Hash: 47014CB2901115AFDB009F6CD901AA9BBF9EF08320F11821AE818D3B50DB70AA20CBD5

Function 006BDD90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

#7.WS2_32(?,0000FFFF,00001001,00004020,?), ref: 006BDDFE
#21.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 006BDE26

Part of subcall function 006EC1E0: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo,?), ref: 006EC20E
Part of subcall function 006EC1E0: GetProcAddress.KERNEL32(00000000), ref: 006EC215

Strings

@, xrefs: 006BDD98

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: @
API String ID: 1646373207-2726393805
Opcode ID: 86eb93d82f26aa4a310f5dc4aa3fa4a672a504c1f2f2108b964e7f1478224c23
Instruction ID: 28098015760ceb274e8f04ea4f2ce45197b168fc1b2f6de5b2be33c880e2a51c
Opcode Fuzzy Hash: 86eb93d82f26aa4a310f5dc4aa3fa4a672a504c1f2f2108b964e7f1478224c23
Instruction Fuzzy Hash: 0F0175B0108301ABE7109F04DC46BE677EABF40704F404428FA849E2E1E3B5C988DB06

Function 0069AD70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

?_Xlength_error@std@@YAXPBD@Z.MSVCP140(vector<T> too long,?,?,?,?,0069AB32,F74E5D36,?,?,F74E5D36,?,?), ref: 0069ADA0
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0069AB32,F74E5D36,?,?,F74E5D36,?,?), ref: 0069ADBE

Strings

vector<T> too long, xrefs: 0069AD9B

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: Xlength_error@std@@memmove
String ID: vector<T> too long
API String ID: 1146228739-3788999226
Opcode ID: 05f655c6ca58e27ed697225b282ec31b807f563156c6564ce75939c5d4aa7b09
Instruction ID: b5e8f030a62f71a11b82acb31083ec5c559d05f89c037871d8b84ddf1504754f
Opcode Fuzzy Hash: 05f655c6ca58e27ed697225b282ec31b807f563156c6564ce75939c5d4aa7b09
Instruction Fuzzy Hash: 13F062B36002009FD7209F5DDC44B6AFBEEEF94724F14851EE599C3B90D37199008B91

Function 006D11C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29encryptionCOMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 006D11E2
CertCloseStore.CRYPT32(?,00000000), ref: 006D11FC

Strings

d#, xrefs: 006D11E2

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CertCloseStorefree
String ID: d#
API String ID: 2727206334-2011854123
Opcode ID: 91a3be9cef4d575e951b258ae6d487690e37096e2bcdc2aac04c8d6672d585e7
Instruction ID: 4cc62f70c6a5e4fa78ff791d3d45c4ebe24a064d8fb798a4879721b433eb3d95
Opcode Fuzzy Hash: 91a3be9cef4d575e951b258ae6d487690e37096e2bcdc2aac04c8d6672d585e7
Instruction Fuzzy Hash: 6DF03A70E00B10ABD730CF28EC08B8773F9AF05720F054A19E466DB390C7B5EA448BA5

Function 0069D76A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0069D7BD: memset.VCRUNTIME140(?,00000000,00000018,?,?,0069D772,?,0068116F), ref: 0069D7CA

Part of subcall function 00690BF0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00690B8F,80004005,00000060,?,?,?,?,?,?,?,?,00690BA9,?), ref: 00690BF3
Part of subcall function 00690BF0: GetLastError.KERNEL32(?,00000000,?,00690B8F,80004005,00000060,?,?,?,?,?,?,?,?,00690BA9,?), ref: 00690BFD

IsDebuggerPresent.KERNEL32(?,?,?,0068116F), ref: 0069D79D
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0068116F), ref: 0069D7AC

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0069D7A7

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 1128651283-631824599
Opcode ID: 71ab0a900f18c516caa5f691089c4e3d29bd4987a908b2f39760010f72fc031e
Instruction ID: 2efe7c49f6b7d05c2891f738ce435869e51cadb7b818c16cf1500d43a0ac012b
Opcode Fuzzy Hash: 71ab0a900f18c516caa5f691089c4e3d29bd4987a908b2f39760010f72fc031e
Instruction Fuzzy Hash: E3E092702003148FD760AF68E4153627BEABF04304F00DC2CE856C7B94EBB8E444CB91

Function 00692F70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00692F7F
??1facet@locale@std@@MAE@XZ.MSVCP140 ref: 00692F8A

Part of subcall function 0069CC5E: #1513.MFC140U(?,?,0069B7E0,?,00000001), ref: 0069CC64

Strings

d#, xrefs: 00692F7F

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: #1513??1facet@locale@std@@free
String ID: d#
API String ID: 228653464-2011854123
Opcode ID: 29fb6e54d17b6f94d89a74112588e5d5fd3fcfff944c8bce70d4d5936e2beb67
Instruction ID: 1ae99fe7609561ef82b1da852d652690074ef029b27060c69098ea509110f2d4
Opcode Fuzzy Hash: 29fb6e54d17b6f94d89a74112588e5d5fd3fcfff944c8bce70d4d5936e2beb67
Instruction Fuzzy Hash: 13E0C2712002286BCB111F44EC09BAABF99DF01765F045029FD8986341E7B6AA60E7EA

Function 006E71E0 Relevance: 5.2, APIs: 4, Instructions: 248stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,0000000D,?,?,?,?,?,006E70CE,?,?,?), ref: 006E71FE
strchr.VCRUNTIME140(?,0000000A), ref: 006E720F
memcpy.VCRUNTIME140(?,?,00000000), ref: 006E72F4
memcpy.VCRUNTIME140(00000019,?,00000000), ref: 006E7375

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memcpystrchr
String ID:
API String ID: 1636856459-0
Opcode ID: 5b419c1eb779b3d758727e785a069546e5b0dbfdfe8a3b5249ca6f91fedb7655
Instruction ID: 2e3f9482e219e5dfb95f0239aaf515f2e7a7f8f0835ceaab659c5b7f634180f1
Opcode Fuzzy Hash: 5b419c1eb779b3d758727e785a069546e5b0dbfdfe8a3b5249ca6f91fedb7655
Instruction Fuzzy Hash: D5716E72A0E3C64FDB208F6E98447EABB97EB92310F480169FD804B302D7259D4397E5

Function 00699460 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,?,?,F74E5D36,?,?,?,F74E5D36,?,?,?,00000000,006FA2E8), ref: 006994B1

Memory Dump Source

Source File: 00000000.00000002.3431778971.0000000000681000.00000020.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000000.00000002.3431760228.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431821515.00000000006FB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431835882.00000000006FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431856327.0000000000714000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000071A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3431871604.000000000072D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_680000_mTGDPqzxwu.jbxd

Yara matches

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 465eb4aef4b5ea8e14c6045d9c6fd4dca120b08879c5460eddbdd2bd2307a778
Instruction ID: b905160271bdf9d99e4b109fce00414f7882697e9247ae6854b645e0aeb59d45
Opcode Fuzzy Hash: 465eb4aef4b5ea8e14c6045d9c6fd4dca120b08879c5460eddbdd2bd2307a778
Instruction Fuzzy Hash: AF3192727111049FCB24DF6CEE819AAFBA9EB84310B19826EE949C7745D631FD14CBA0

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.
Tactics:	Lateral Movement
Data Sources:	Application Log: Application Log Content, Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mTGDPqzxwu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
mTGDPqzxwu.exe