Edit tour

Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Analysis ID:	1522188
MD5:	e3c955967b61afd68ffdf50f9d4e085a
SHA1:	76ca40cb78f2d155217464072bd29f453bce16c3
SHA256:	c3caf1714085fbbc73fecccbd68193c2ac033833cef055e8e8948f28e62b89f4
Tags:	exe
Infos:

Detection

Score:	26
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Creates HTA files

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

File is packed with WinRar

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe (PID: 2296 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe" MD5: E3C955967B61AFD68FFDF50F9D4E085A)

mshta.exe (PID: 2220 cmdline: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 06B02D5C097C7DB1F109749C45F3F505)

Xr5XVue.exe (PID: 7148 cmdline: "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe MD5: E314B40A188DE73B6A16A8197F80EE68)

conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, ParentProcessId: 2296, ParentProcessName: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ProcessId: 2220, ProcessName: mshta.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, ParentProcessId: 2296, ParentProcessName: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, ProcessCommandLine: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} , ProcessId: 2220, ProcessName: mshta.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Xr5XVue.exe, 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_63f5faab-4

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: certificate valid

Source: unknown	HTTPS traffic detected: 5.45.205.243:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.45.200.105:443 -> 192.168.2.5:49710 version: TLS 1.2

Source:	Binary string: wextract.pdb source: setup.exe
Source:	Binary string: wextract.pdbU source: setup.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source:	Binary string: C:\BuildAgent\work\4a73c29f3c4e6ac\downloader\Release\downloader.pdb source: o9iQbd0.exe.4.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_00404492 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,		0_2_00404492
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_004097ED SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,		0_2_004097ED

Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\img\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\	Jump to behavior

Source: Joe Sandbox View

IP Address: 5.45.205.243 5.45.205.243

Source: Joe Sandbox View

JA3 fingerprint: 0c9457ab6f0d6a14fc8a3d1d149547fb

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_00468EC9 _errno,recv,

4_2_00468EC9

Source: global traffic	HTTP traffic detected: GET /yandex-pack/downloader/downloader.exe HTTP/1.1User-Agent: Wget/1.19.2 (mingw32)Accept: /Accept-Encoding: gzipHost: download.yandex.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299 HTTP/1.1User-Agent: Wget/1.19.2 (mingw32)Accept: /Accept-Encoding: gzipHost: cachev2-fra-02.cdn.yandex.netConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: download.yandex.ru
Source: global traffic	DNS traffic detected: DNS query: cachev2-fra-02.cdn.yandex.net

Source: Xr5XVue.exe	String found in binary or memory: http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Xr5XVue.exe	String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: Xr5XVue.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Xr5XVue.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: o9iQbd0.exe.4.dr	String found in binary or memory: http://downloader.yandex.net/yandex-pack/YandexPackSetup.exeYandexSearch.exedownloader.yandex.netdow
Source: Xr5XVue.exe	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digest
Source: Xr5XVue.exe	String found in binary or memory: http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-ProfilelengthWARC-Truncatedappl
Source: Xr5XVue.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: Xr5XVue.exe, 00000004.00000002.2130542848.0000000000F61000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Xr5XVue.exe	String found in binary or memory: http://www.gnu.org/licenses/gpl.html
Source: Xr5XVue.exe	String found in binary or memory: http://www.metalinker.org/
Source: Xr5XVue.exe	String found in binary or memory: http://www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames
Source: mshta.exe, 00000002.00000002.3324628787.0000000003274000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://download.yF
Source: Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dr.yandex.net/strm
Source: Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dr2.yandex.net/strm
Source: gam-page.html, last-page.html, start.hta, ya-page.html	String found in binary or memory: https://openbox.su/app1/
Source: mshta.exe, 00000002.00000002.3324628787.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://openbox.su/app1/K
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, o9iQbd0.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Xr5XVue.exe	String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	String found in binary or memory: https://yandex.com0

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown	HTTPS traffic detected: 5.45.205.243:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.45.200.105:443 -> 192.168.2.5:49710 version: TLS 1.2

System Summary

Creates HTA files

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_00402011	0_2_00402011
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_0040621D	0_2_0040621D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_0040168A	0_2_0040168A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_00405D4D	0_2_00405D4D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004253D0	4_2_004253D0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0041C4B7	4_2_0041C4B7
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_005CF16C	4_2_005CF16C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_005CF100	4_2_005CF100
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0040724D	4_2_0040724D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004DF270	4_2_004DF270
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_005CE2C0	4_2_005CE2C0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0053E360	4_2_0053E360
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004E7470	4_2_004E7470
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0053F400	4_2_0053F400
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00441595	4_2_00441595
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00670670	4_2_00670670
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004D48E0	4_2_004D48E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004258F6	4_2_004258F6
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425893	4_2_00425893
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004DB8B0	4_2_004DB8B0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_005CE9E0	4_2_005CE9E0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00444991	4_2_00444991
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00447A68	4_2_00447A68
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425A72	4_2_00425A72
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0044BACC	4_2_0044BACC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425A98	4_2_00425A98
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425B43	4_2_00425B43
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425B62	4_2_00425B62
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425B09	4_2_00425B09
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425B1C	4_2_00425B1C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0052EB20	4_2_0052EB20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425BD0	4_2_00425BD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425BF2	4_2_00425BF2
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425B8C	4_2_00425B8C
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425BAE	4_2_00425BAE
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425C14	4_2_00425C14
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0042AC1D	4_2_0042AC1D
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425CD5	4_2_00425CD5
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00443CFC	4_2_00443CFC
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00467D61	4_2_00467D61
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004FAD60	4_2_004FAD60
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0065AD20	4_2_0065AD20
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004D7DD0	4_2_004D7DD0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_004CFDE0	4_2_004CFDE0
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00425D86	4_2_00425D86
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0053EE50	4_2_0053EE50
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_0044AE6F	4_2_0044AE6F

Source: setup.exe.0.dr

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 224531 bytes, 5 files, at 0x2c "dsetup.dll" "dsetup32.dll", ID 5930, number 1, 69 datablocks, 0x1503 compression

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSHTA.EXE.MUID vs SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSHTA.EXED vs SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: sus26.winEXE@6/23@2/2

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_0043F831 CertOpenSystemStoreA,GetProcAddress,CertOpenSystemStoreA,CertOpenSystemStoreA,CertOpenSystemStoreA,

4_2_0043F831

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_00672100 _get_osfhandle,GetFileType,_telli64,GetFileSizeEx,SetFilePointer,SetEndOfFile,_lseeki64,GetFileInformationByHandle,calloc,calloc,FindFirstVolumeW,FindNextVolumeW,GetVolumeInformationW,FindVolumeClose,free,GetDiskFreeSpaceExW,free,GetLastError,FindVolumeClose,free,

4_2_00672100

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_00404AB5 CLSIDFromString,CoCreateInstance,

0_2_00404AB5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_0040879E GetModuleHandleA,FindResourceA,

0_2_0040879E

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0

Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: OOO DIGITAL-START1
Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	String found in binary or memory: OOO DIGITAL-START1#0!
Source: 7z.exe	String found in binary or memory: Check charset encoding and -scs switch.*BLEDARVUANAXAIXIWOMPYTBDBA-HELPHasut0-SSCSSWSLTSCSSLPADSEMLAOSOSISFXPQRXYZW0123cannot find archivethere is no such archiveCannot use absolute pathnames for this commandReading archives from stdin is not implementedstdout mode and email mode cannot be combineddata errorIncorrect mapping dataMapViewOfFile errorCan not open mappingIncorrect volume size
Source: Xr5XVue.exe	String found in binary or memory: bind-address
Source: Xr5XVue.exe	String found in binary or memory: Try `%s --help' for more options.
Source: Xr5XVue.exe	String found in binary or memory: Try `%s --help' for more options.
Source: Xr5XVue.exe	String found in binary or memory: WARC output does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe	String found in binary or memory: Compression does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe	String found in binary or memory: Specifying both --start-pos and --continue is not recommended; --continue will be disabled.
Source: Xr5XVue.exe	String found in binary or memory: acceptaccept-regexacceptregexadjust-extensionadjustextensionappend-outputask-passwordaskpasswordauth-no-challengeauthnochallengebackgroundbackup-convertedbackupconvertedbackupsbasebind-addressbindaddressbody-databodydatabody-filebodyfileca-certificatecacertificateca-directorycadirectorycachecertificatecertificate-typecertificatetypecheck-certificatecheckcertificateclobbercompressionconfigchooseconfigconnect-timeoutconnecttimeoutcontinueconvert-file-onlyconvertfileonlyconvert-linksconvertlinkscontent-dispositioncontentdispositioncontent-on-errorcontentonerrorcookiescrl-filecrlfilecut-dirscutdirsdebugdefault-pagedefaultpagedelete-afterdeleteafterdirectoriesdirstructdirectory-prefixdirprefixdns-cachednscachedns-timeoutdnstimeoutdomainsdont-remove-listingdot-styledotstyleegd-fileegdfileexclude-directoriesexcludedirectoriesexclude-domainsexcludedomainsexecutefollow-ftpfollowftpfollow-tagsfollowtagsforce-directoriesforce-htmlforcehtmlftp-passwordftppasswordftp-userftpuserftps-clear-data-connectionftpscleardataconnectionftps-fallback-to-ftpftpsfallbacktoftpftps-implicitftpsimplicitftps-resume-sslftpsresumesslglobheaderhelphost-directoriesaddhostdirhstshsts-filehstsfilehtml-extensionhtmlifyhttp-keep-alivehttpkeepalivehttp-passwdhttppasswordhttp-passwordhttp-userhttpuserhttps-onlyhttpsonlyignore-caseignorecaseignore-lengthignorelengthignore-tagsignoretagsinclude-directoriesincludedirectoriesinet4-onlyinet4onlyinet6-onlyinet6onlyinput-fileinputinput-metalinkinputmetalinkirikeep-badhashkeepbadhashkeep-session-cookieskeepsessioncookieslevelreclevellimit-ratelimitrateload-cookiesloadcookieslocal-encodinglocalencodingrejected-logrejectedlogmax-redirectmaxredirectmetalink-indexmetalinkindexmetalink-over-httpmetalinkoverhttpmethodmirrornetrcnono-clobbernoclobberno-confignoconfigno-parentnoparentoutput-documentoutputdocumentoutput-filelogfilepage-requisitespagerequisitesparentpassive-ftppassiveftppasswordpinnedpubkeypost-datapostdatapost-filepostfileprefer-familypreferfamilypreferred-locationpreferredlocationpreserve-permissionspreservepermissionsprivate-keyprivatekeyprivate-key-typeprivatekeytypeprogressshow-progressshowprogressprotocol-directoriesprotocoldirectoriesproxyuseproxyproxy__compatproxy-passwdproxypasswordproxy-passwordproxy-userproxyuserquietquotarandom-filerandomfilerandom-waitrandomwaitread-timeoutreadtimeoutrecursiverefererregex-typeregextyperejectreject-regexrejectregexrelativerelativeonlyremote-encodingremoteencodingremove-listingremovelistingreport-speedreportspeedrestrict-file-namesrestrictfilenamesretr-symlinksretrsymlinksretry-connrefusedretryconnrefusedretry-on-http-errorretryonhttperrorsave-cookiessavecookiessave-headerssaveheaderssecure-protocolsecureprotocolserver-responseserverresponsespan-hostsspanhostsspiderstart-posstartposstrict-commentsstrictcommentstimeouttimestampingif-modified-sinceifmodifiedsincetriesunlinktrust-server-namestrustservernamesuse-askpassuseaskpassuse-server-timestampsuseservertimestampsuseruser-agentuseragentverbo
Source: Xr5XVue.exe	String found in binary or memory: dotCompression does not work with --continue or --start-pos, they will be disabled.
Source: Xr5XVue.exe	String found in binary or memory: -h, --help print this help
Source: Xr5XVue.exe	String found in binary or memory: -h, --help print this help
Source: Xr5XVue.exe	String found in binary or memory: --start-pos=OFFSET start downloading from zero-based position OFFSET
Source: Xr5XVue.exe	String found in binary or memory: --bind-address=ADDRESS bind to ADDRESS (hostname or IP) on local host
Source: Xr5XVue.exe	String found in binary or memory: WARC-IP-Address
Source: Xr5XVue.exe	String found in binary or memory: WARC-DateWARC-IP-Addresssha1:WARC-Block-DigestWARC-Payload-Digest%Y-%m-%dT%H:%M:%SZRpcrt4.dllUuidCreateUuidToStringARpcStringFreeA<urn:uuid:%s><urn:uuid:%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x>warcinfoWARC-Typeapplication/warc-fieldsContent-TypeWARC-Record-IDWARC-Filenamemingw32software: Wget/%s (%s)
Source: Xr5XVue.exe	String found in binary or memory: id-cmc-addExtensions
Source: Xr5XVue.exe	String found in binary or memory: set-addPolicy
Source: Xr5XVue.exe	String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe "C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: riched32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windowscodecsext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: icm32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Window found: window name: RichEdit

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File opened: C:\Windows\SysWOW64\riched32.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: certificate valid

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static file information: File size 2685976 > 1048576

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: setup.exe
Source:	Binary string: wextract.pdbU source: setup.exe
Source:	Binary string: d:\Projects\WinRAR\SFX\build\sfxzip32\Release\sfxzip.pdb source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Source:	Binary string: C:\BuildAgent\work\4a73c29f3c4e6ac\downloader\Release\downloader.pdb source: o9iQbd0.exe.4.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_0040CC30 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

0_2_0040CC30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

File created: C:\Users\user\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_6327046

Jump to behavior

Source: Xr5XVue.exe.0.dr

Static PE information: section name: /4

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_004E37B0 push eax; mov dword ptr [esp], ebx

4_2_004E3803

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	File created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

API coverage: 5.5 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_00404492 FindFirstFileW,GetLastError,FindNextFileW,GetLastError,FindFirstFileA,GetLastError,FindNextFileA,GetLastError,		0_2_00404492
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Code function: 0_2_004097ED SendDlgItemMessageA,DestroyIcon,EndDialog,SetDlgItemTextA,SetDlgItemTextA,SHGetFileInfoA,SendDlgItemMessageA,FindFirstFileA,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,wsprintfA,SetDlgItemTextA,FindClose,wsprintfA,SetDlgItemTextA,SendDlgItemMessageA,DosDateTimeToFileTime,FileTimeToSystemTime,GetTimeFormatA,GetDateFormatA,wsprintfA,SetDlgItemTextA,wsprintfA,SetDlgItemTextA,		0_2_004097ED

Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\img\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	File opened: C:\Users\user\AppData\Local\Temp\RarSFX0\	Jump to behavior

Source: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, 00000000.00000002.3325630626.00000000006A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ya
Source: mshta.exe, 00000002.00000002.3324628787.00000000032B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: Xr5XVue.exe, 00000004.00000002.2130409199.0000000000A2E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	API call chain: ExitProcess graph end node			graph_0-7534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	API call chain: ExitProcess graph end node			graph_0-8493

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_0040CC30 LoadLibraryA,LoadLibraryA,LoadLibraryA,#17,LoadLibraryA,GetProcAddress,FreeLibrary,SHGetMalloc,

0_2_0040CC30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_00408A5F GetProcessHeap,RtlAllocateHeap,

0_2_00408A5F

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_004011FD SetUnhandledExceptionFilter,_acmdln,malloc,strlen,malloc,memcpy,__initenv,_cexit,_amsg_exit,_initterm,exit,

4_2_004011FD

Source: C:\Windows\SysWOW64\mshta.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}			Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe "C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_005974A0 cpuid

4_2_005974A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: GetLocaleInfoA,

0_2_004091C2

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_0066F740 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

4_2_0066F740

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Code function: 4_2_00670C30 GetTimeZoneInformation,GetSystemTimeAsFileTime,

4_2_00670C30

Source: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Code function: 0_2_004050C9 lstrlenA,GlobalAlloc,GetVersionExA,MultiByteToWideChar,WideCharToMultiByte,CreateStreamOnHGlobal,

0_2_004050C9

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00461409 _errno,bind,		4_2_00461409
Source: C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	Code function: 4_2_00466CC5 _errno,listen,		4_2_00466CC5

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Mshta	NTDS	36 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Install Root Certificate	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe	8%	ReversingLabs
C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe	0%	ReversingLabs

Name	IP	Active	Malicious	Reputation
cdn.yandex.net	5.45.205.243	true	false	unknown
cachev2-fra-02.cdn.yandex.net	5.45.200.105	true	false	unknown
download.yandex.ru	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cachev2-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299	false		unknown
https://download.yandex.ru/yandex-pack/downloader/downloader.exe	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://download.yF	mshta.exe, 00000002.00000002.3324628787.0000000003274000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://dr.yandex.net/strm	Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://openbox.su/app1/K	mshta.exe, 00000002.00000002.3324628787.00000000032C6000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://www.openssl.org/docs/faq.html	Xr5XVue.exe	false	unknown
https://dr2.yandex.net/strm	Xr5XVue.exe, 00000004.00000003.2129598773.0000000000F2B000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000002.2130499484.0000000000F2D000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://yandex.com0	Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp, Xr5XVue.exe, 00000004.00000003.2129424844.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, o9iQbd0.exe.4.dr	false	unknown
http://www.gnu.org/licenses/gpl.html	Xr5XVue.exe	false	unknown
http://netpreserve.org/warc/1.0/revisit/identical-payload-digest	Xr5XVue.exe	false	unknown
http://www.metalinker.org/typedynamicoriginurn:ietf:params:xml:ns:metalinktagsidentityfilesfilenames	Xr5XVue.exe	false	unknown
http://www.metalinker.org/	Xr5XVue.exe	false	unknown
http://netpreserve.org/warc/1.0/revisit/identical-payload-digestWARC-ProfilelengthWARC-Truncatedappl	Xr5XVue.exe	false	unknown
http://bibnum.bnf.fr/WARC/WARC_ISO_28500_version1_latestdraft.pdf	Xr5XVue.exe	false	unknown
https://openbox.su/app1/	gam-page.html, last-page.html, start.hta, ya-page.html	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
5.45.200.105	cachev2-fra-02.cdn.yandex.net	Russian Federation		13238	YANDEXRU	false
5.45.205.243	cdn.yandex.net	Russian Federation		13238	YANDEXRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522188
Start date and time:	2024-09-29 14:18:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Detection:	SUS
Classification:	sus26.winEXE@6/23@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 142 Number of non-executed functions: 146
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 2220 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.45.205.243	9pPxhYpKVN.exe	Get hash	malicious	Unknown	Browse	download.yandex.ru/yandex-pack/downloader/downloader.exe
5.45.205.243	$RDBZ32V.exe	Get hash	malicious	Unknown	Browse	downloader.yandex.net/yandex-pack/11000/YandexPackSetup.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdn.yandex.net	9ytcSfQVR6.exe	Get hash	malicious	Unknown	Browse	5.45.192.142
	wHtiaQ7bcs.exe	Get hash	malicious	Unknown	Browse	149.5.241.42
	B0aVuWY5pd.exe	Get hash	malicious	Unknown	Browse	185.70.202.15
	NCkAC6yIng.exe	Get hash	malicious	Unknown	Browse	185.70.202.13
	XpafLMpvHT.exe	Get hash	malicious	Unknown	Browse	149.5.241.43
	MewexCfLwT.exe	Get hash	malicious	Unknown	Browse	185.70.202.15
	MMmchy1Kjl.exe	Get hash	malicious	Unknown	Browse	185.70.202.15
	WJu022GU7T.exe	Get hash	malicious	Unknown	Browse	149.5.241.42
	y1tgNJbpEA.exe	Get hash	malicious	Unknown	Browse	149.5.241.43
	Tmpsy49V8c.exe	Get hash	malicious	Unknown	Browse	185.70.202.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
YANDEXRU	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	87.250.250.58
	https://jbrizuelablplegal.taplink.ws/	Get hash	malicious	HTMLPhisher	Browse	87.250.251.119
	http://instagram.totalh.net/	Get hash	malicious	Unknown	Browse	87.250.250.119
	http://cl41155.tw1.ru/clients/	Get hash	malicious	Unknown	Browse	77.88.21.179
	https://uhcdenal.com/	Get hash	malicious	Unknown	Browse	87.250.251.119
	http://clck.ru/3DSS5H	Get hash	malicious	Unknown	Browse	213.180.204.232
	https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg	Get hash	malicious	Unknown	Browse	213.180.204.221
	http://bk.ru	Get hash	malicious	HTMLPhisher	Browse	77.88.21.179
	https://sucursal-virtual03.w3spaces.com/	Get hash	malicious	Unknown	Browse	77.88.21.90
	xBneIooWzQjjOOg.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158
YANDEXRU	http://www.goo.su/c1Rnox/	Get hash	malicious	Unknown	Browse	87.250.250.58
	https://jbrizuelablplegal.taplink.ws/	Get hash	malicious	HTMLPhisher	Browse	87.250.251.119
	http://instagram.totalh.net/	Get hash	malicious	Unknown	Browse	87.250.250.119
	http://cl41155.tw1.ru/clients/	Get hash	malicious	Unknown	Browse	77.88.21.179
	https://uhcdenal.com/	Get hash	malicious	Unknown	Browse	87.250.251.119
	http://clck.ru/3DSS5H	Get hash	malicious	Unknown	Browse	213.180.204.232
	https://www.google.com.ai/amp/clck.ru/3DSSCz?hghghghHGVGvbbgffGFHGJdgddghfhghfgdgdgdgfhgg?sdfsewsrewrettfg	Get hash	malicious	Unknown	Browse	213.180.204.221
	http://bk.ru	Get hash	malicious	HTMLPhisher	Browse	77.88.21.179
	https://sucursal-virtual03.w3spaces.com/	Get hash	malicious	Unknown	Browse	77.88.21.90
	xBneIooWzQjjOOg.exe	Get hash	malicious	AgentTesla	Browse	77.88.21.158

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
0c9457ab6f0d6a14fc8a3d1d149547fb	SecuriteInfo.com.Trojan.Siggen21.26224.12889.14076.exe	Get hash	malicious	Unknown	Browse	5.45.205.243 5.45.200.105
	SecuriteInfo.com.Trojan.Siggen21.26224.12889.14076.exe	Get hash	malicious	Unknown	Browse	5.45.205.243 5.45.200.105
	SecuriteInfo.com.Trojan.Siggen19.8867.11258.22969.exe	Get hash	malicious	Unknown	Browse	5.45.205.243 5.45.200.105
	SecuriteInfo.com.Trojan.Siggen19.8867.11258.22969.exe	Get hash	malicious	Unknown	Browse	5.45.205.243 5.45.200.105
	W0ICYWz3Jx.exe	Get hash	malicious	Unknown	Browse	5.45.205.243 5.45.200.105
	swarow.dll	Get hash	malicious	BumbleBee	Browse	5.45.205.243 5.45.200.105
	swarow.dll	Get hash	malicious	BumbleBee	Browse	5.45.205.243 5.45.200.105
	rustam.dll	Get hash	malicious	BumbleBee	Browse	5.45.205.243 5.45.200.105
	rustam.dll	Get hash	malicious	BumbleBee	Browse	5.45.205.243 5.45.200.105
	swarow.dll	Get hash	malicious	BumbleBee	Browse	5.45.205.243 5.45.200.105

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe	SecuriteInfo.com.Adware.Downware.20477.7420.2049.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe	SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll	SecuriteInfo.com.Adware.Downware.20477.7420.2049.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll	SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe	SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	599552
Entropy (8bit):	6.472768244081584
Encrypted:	false
SSDEEP:	12288:iIlGEaNP38Fk/Pai5LJC8NCnrNeqMO7APj5HBv:LkE2PMF/AJC8NCnrNeqP7Adhv
MD5:	AACD9B8E5E5E369C3518B86486CFC9D4
SHA1:	5DD895158C2EED2ECE1D5E0EA4C7B8BCAE32A511
SHA-256:	E876CAB250EB2B0AAB976FF9922A3945E2B4724166B0EFB64690B46FE470CD3C
SHA-512:	6E07165C3EB4FE5532F87D693E309F872925A21C08F1CBCDA3FDBDA3A803C5BAFCD4146B2DFBA5E1E0DCE13AB8B8E274AD4BEFF3FE3F9ADC2FA4C074C8088D51
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Adware.Downware.20477.7420.2049.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............q...q...q..z...q.@.....q..{...q..u...q.M.....q...p..q.@.,...q...z...q.......q...{...q...w...q.<.u...q.Rich..q.................PE..L....WG...........!.................}.............................................................................. ....... ...d....p.......................p...G...................................................... ............................text............................... ..`.rdata..............................@..@.data...p........2..................@....rsrc........p......................@..@.reloc...U...p...V..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	147968
Entropy (8bit):	6.253072345314039
Encrypted:	false
SSDEEP:	3072:IyWefGKx1iHMBBclb8BNNNTLEF+6PP2Up4YgZ:IyBkQc98BBIF9204L
MD5:	2D1C72072FEC74FB0ECA850EF8F9F93E
SHA1:	53B09AD4E564F9D392F3B781033404D92581F6D0
SHA-256:	B93149E44239DBDD5E6705C73AE14EE11285923E963E41E8D142E4171F20F4EB
SHA-512:	1D936DB9B5D85098298A05717BEA012BE696398A88177D5D0BBF7AB2BFD22BF449240B34205B64E52F1BEF34783C13DEF5F2E8D4CA0767FE8300AC5FC161CC26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Adware.Downware.20477.7420.2049.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........NDWL/.L/.L/.73&.N/.#0!.O/..3$.D/.#0 .G/.#0..N/..'u.M/.L/+../..'w.E/.z.!.p/.k.W.M/.z. .O/..),.M/.RichL/.........................PE..L.....WG............................6.............@.........................................................................@...x....................................................................................................................text...R........................... ..`.rdata...X.......Z..................@..@.data...lB...0..."..................@....rsrc................>..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3501408
Entropy (8bit):	6.5144557104886704
Encrypted:	false
SSDEEP:	98304:+FWNUq6wVUCTWmTRugpAVa7mZjJPMOBQUHodMwQjZoL6nGeWv:+FKUpwVU4WmTRugpAVa7mZjJPDKmod/n
MD5:	E314B40A188DE73B6A16A8197F80EE68
SHA1:	1123817BA6CA46873ACE186DE35D0AEE3D6075BC
SHA-256:	D6E2656521CA76AD47AD2C503C9F71B3D00820E8B05275D048F7DEA0C9C30BEB
SHA-512:	2EA6A95111F0B5EB0AAF044DAC811C1D5F0E04605D048A5B861D8BA1D15D3B02B5DDA39FD704A67320B06AE89C1C54847B6CE8DC589B5DBCE5D82B8C0CA14E3D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: SecuriteInfo.com.Application.Generic.3599906.6358.27359.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........5.P.............'...4...............'...@...........................5......O6....... ...............................5.p"...................>5.......................................5.......................5..............................text...X.'.......'.................`..`.data.........'.......'.............@.`..rdata...:....(..<....(.............@.p@.bss..........4.......................`..idata..p"....5..$....4.............@.0..CRT....4.....5.......5.............@.0..tls.... .....5.......5.............@.0./4............5.......5.............@.0B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\anim.gif

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	GIF image data, version 89a, 500 x 27
Category:	dropped
Size (bytes):	15241
Entropy (8bit):	7.747098926005111
Encrypted:	false
SSDEEP:	384:hj9U2idIHG5qlDmnFAtB50tJb3Js+/uqsviRS:hj2SsqlmFyB5+ds+/5S
MD5:	7E62AEBA4E8BD8A4D1C5C33F1961DCDB
SHA1:	DC04FD14C679059E9422ABA2E7950D95C83C7FFE
SHA-256:	BAD6F9186B0DBA551360CC446EEC00CEB73B244F635BF0D30BECF541E2C3F8CE
SHA-512:	FD037F6CB439B9BFB6D4F66ECD730DD4777B23529496CC8FDBF2E50E56813ED7AD90DD9CF72AA4F64FF6259955188E9912840B193148E66DF2193BD08D37309A
Malicious:	false
Preview:	GIF89a.......6.x..........b..P...u............).t..p..g.........t....T..>........6.......'...........}....s...v........l...._..........j...................:.. ...................................................................................................................................J..............].........................?.{..............,...............................................................D..[...........4..$...l....................M.........V.....................................................................................^..........L......................D.}...................................X..................r...............n........................................................!..NETSCAPE2.0.....!..XMP DataXMP<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="ht

C:\Users\user\AppData\Local\Temp\RarSFX0\gam-page.html

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	4981
Entropy (8bit):	5.789649011305478
Encrypted:	false
SSDEEP:	48:d3saNY9YvvL0mXIdCZHdHWAjh44PpPRzPnhBeQPcJBZ55G7JagcmA3y1ru+NiwTi:29qIYIAcWC4bzPn/bPaBgNpimggwgxk3
MD5:	A067948794DB9574F0621DFC7636082E
SHA1:	1A923819120B0E2CF16264F191096B7248F9FD0E
SHA-256:	D4B7FBA81AF4C531E4C64C07C986B6333263329E5B66DCB954675F3B3857B906
SHA-512:	216D6007F6ACEBD34E6199A04A931B3249ACD10FAF636D00A8064090998476D7886806CF927DB9932337189A2E4931C70C95A21B5932858E82E57F256AF1F233
Malicious:	false
Preview:	.<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>OpenBox - DirectX 12</title>..<style>...selPage {background: #fff;width: 100%;height: 86%;display: block;}...Logo2 {position: absolute;z-index: 99;width: 64px;height: 64px;margin-left: 503px;}...text {width: 555px;background: #fff;padding-left: 20px;padding-top: 16px;font-size: 14px;}...border {width: 372px;height: 175px;float: left;}...windo {position: absolute;z-index: 98;height: 86%;background: #eeeeee;font-size: 14px;width: 100%;padding-top: 10px;border-top: 1px solid #b6b6b6;}...license {width: 546px;padding-top: 3px;padding-bottom: 5px;padding-left: 35px;}...foter {position: absolute;z-index: 99;display: block;width: 100%;height: 14%;background: #eeeeee;border-top: 1px solid #b6b6b6;}...button {background-color: #e1e1e1;width: 18%;height: 29px;cursor: pointer;font-size: 15px;border: 1px solid #b9b9b9;outline: none;box-shadow: none;color: #000000;margin-left: 15px;float: right;}...button

C:\Users\user\AppData\Local\Temp\RarSFX0\gtea.vbs

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	837
Entropy (8bit):	5.361946331258647
Encrypted:	false
SSDEEP:	12:ky97ahl3vAGThYX/Qc3K/ycaHM7B2ISj/ceo8PkJVfFR8Zk81M2F3Y690MmfHpBR:3hav/AEK/LZHgy/lnOfH8vxjuMmvpkTG
MD5:	AE3CA246EE2FED14750C4EE3CD393F73
SHA1:	753C4434F233D28943957110F5A1CAD4BD01D780
SHA-256:	BE7E73448F59EE005A18A7EE8262C13FAE998693A2BEECA64A26E3922C2A6010
SHA-512:	09C71DE6F1796034D692DD8E13FD73B873DC057B51EC2EEA628E224568E7E142E59C258A494719ACBFC65BA1CDC3D23724B9350A68BC1298598B9FED64281AEA
Malicious:	false
Preview:	Option Explicit....Dim WshShell, RetCode, objWMIService, Running, colItems, objItem, Progress, k....Set WshShell = CreateObject("WScript.Shell")....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..k = 1..Do.. Running = False.. Set colItems = objWMIService.ExecQuery("Select * from Win32_Process").. For Each objItem in colItems.. If objItem.Name = "browser.exe" Then.. Running = True.. Exit For.. End If.. Next.. If Not Running Then.. WScript.Sleep 4175.. k = k + 1.. If k = 800 Then Exit Do ' .... 800 .... .. 5 ... = 66 ..., .. ..... .. ....... End If..Loop While Not Running....RetCode = WshShell.Run("o9iQbd0.exe --partner 42966 --distr /quiet /msicl ""YAHOMEPAGE=y YAQSEARCH=y VID=31""", 0, False)....Set WshShell = Nothing..WScript.Quit

C:\Users\user\AppData\Local\Temp\RarSFX0\gteb.vbs

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	812
Entropy (8bit):	5.29031611826752
Encrypted:	false
SSDEEP:	12:ky97ahl3vAGThYX/Qc3K/ycaHM7B2ISj/ceo8PkJVfFR8Zk81M2F3Y690MmgLHpr:3hav/AEK/LZHgy/lnOfH8vxjuMm8pkTG
MD5:	C4E879015718C781663012BE2F2F887D
SHA1:	865194450151F8B202FC9152E100FADB0EC29E1C
SHA-256:	1702E48476565B4FC6790FA5D166E3DBC4FFC45D31A321C47D129ECA2D6FC3EC
SHA-512:	A83A1BA81CEFDF8FDD4C4A7B45A4F571F5051D679E926FC48BA7AFAB88D22944089CD6CA8A7F3643B1D9744C3DCFAF142EA59318D705246614E5917B7DDD36BA
Malicious:	false
Preview:	Option Explicit....Dim WshShell, RetCode, objWMIService, Running, colItems, objItem, Progress, k....Set WshShell = CreateObject("WScript.Shell")....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..k = 1..Do.. Running = False.. Set colItems = objWMIService.ExecQuery("Select * from Win32_Process").. For Each objItem in colItems.. If objItem.Name = "browser.exe" Then.. Running = True.. Exit For.. End If.. Next.. If Not Running Then.. WScript.Sleep 4175.. k = k + 1.. If k = 800 Then Exit Do ' .... 800 .... .. 5 ... = 66 ..., .. ..... .. ....... End If..Loop While Not Running....RetCode = WshShell.Run("o9iQbd0.exe --partner 42966 --distr /quiet /msicl ""VID=31""", 0, False)....Set WshShell = Nothing..WScript.Quit

C:\Users\user\AppData\Local\Temp\RarSFX0\gtec.vbs

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	846
Entropy (8bit):	5.376679260256603
Encrypted:	false
SSDEEP:	12:ky97ahl3vAGThYX/Qc3K/ycaHM7B2ISj/ceo8PkJVfFR8Zk81M2F3Y690Mm+1Hpr:3hav/AEK/LZHgy/lnOfH8vxjuMmypkTG
MD5:	7DADC31D1FEA3B71C7CED456FE086A92
SHA1:	3D2B52BB6327A989EFD3BB5CEF8D48C40CA3C49D
SHA-256:	52502DEE343AD85F7E20FC8E1990E19F611A0AA3E48286CF97144C4B6F807DAD
SHA-512:	66AF2447B91E154188279B56017DDFB54B059C1BC0559862A4EC0DA1E96FF458D167FC5982BE34B74F706FE39B4FB8DE41966560D67BECC206C484531EFC33BA
Malicious:	false
Preview:	Option Explicit....Dim WshShell, RetCode, objWMIService, Running, colItems, objItem, Progress, k....Set WshShell = CreateObject("WScript.Shell")....Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")..k = 1..Do.. Running = False.. Set colItems = objWMIService.ExecQuery("Select * from Win32_Process").. For Each objItem in colItems.. If objItem.Name = "browser.exe" Then.. Running = True.. Exit For.. End If.. Next.. If Not Running Then.. WScript.Sleep 4175.. k = k + 1.. If k = 800 Then Exit Do ' .... 800 .... .. 5 ... = 66 ..., .. ..... .. ....... End If..Loop While Not Running....RetCode = WshShell.Run("o9iQbd0.exe --partner 42966 --distr /quiet /msicl ""YAHOMEPAGE=y YAQSEARCH=y ILIGHT=1 VID=31""", 0, False)....Set WshShell = Nothing..WScript.Quit

C:\Users\user\AppData\Local\Temp\RarSFX0\icon.ico

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	MS Windows icon resource - 7 icons, 16x16 with PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, 24x24 with PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced, 32 bits/pixel
Category:	dropped
Size (bytes):	19845
Entropy (8bit):	7.934612446295257
Encrypted:	false
SSDEEP:	384:ZX7H7GlB9+MWyLpqW1K9Go38QiVME/cyKfKahZTFbK565QfY/:Zb7u9kyLZAKME/cmaDFbSTA/
MD5:	B325F7303BD23599C800A9C709E306D7
SHA1:	EB5DA5533A14B4CFD10CEEB44EBAD9138795E598
SHA-256:	9E7F76EC0B09AB6D2614D085776F0D6245BFCD012BC310578F73BD2BC6D38CD8
SHA-512:	18937F0C4BC50FD23BB891041FB64E15DBFBF850A1A2F9337B66A7C0B6B205AE8FBC73F6C365155D12B74C7BD0469CECBA27222924D0658680B4C2CE921A0A55
Malicious:	false
Preview:	............ .....v......... .....E... .... .m.......00.... .....v...@@.... ............... ......"........ ......4...PNG........IHDR................a....IDATx.}..nSW......c._.;.(.h.QHH!A...D.VU...>M;./..7`...H ...PnJ "..0!.....e...Fm.k....O.Z.....9.....hQD._E.:.z.9w.K..G....pB......SXQ..Y\.....~........ .t.[Z)....&...k..&..jE...e(M..1(...K.y.U.Y..-..-.I...i.0m.16.+.........wy....../.....I.T...wbP.p...>..1..0.....).%..1.c.c....z...6..w".]n.n&D..-XN..r..1.+).......6y..7.x..q.T...\...`9..(.##....\|...bc.C....\|..Z.z.8....8\|..cv9Gy......gYZ)2...Sj.=.V..O...r.v#&I.....d..?....Q..B.^o..i.c...J...}z.Gen......s....w/B..D...,....a..........j...f.sx..%....n.k;.6.t.Y.r...&./Y^..l?..OUw.f^.u.....w..+..2G'RD.....z% _...........^j...j7bj[=.SiIe.d..er.......\A..b~..>....'.t9.1...:....../.-'.V..I....IEND.B`..PNG........IHDR..............w=.....IDATx....n\....U...wl......-.."..... 8..1s.o.. $$^..L@.1B.(.....\|.8.c...{.j1.i.q.`I.`.J...U........$0../"..PJ.m.~..zcy9

C:\Users\user\AppData\Local\Temp\RarSFX0\icon.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PNG image data, 128 x 128, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	1708
Entropy (8bit):	7.276947516168709
Encrypted:	false
SSDEEP:	48:vQ5Z4dsjk4eZ0Ib91TeXPqFNywL0ZyyFUIam:v/dsjkVt76XyFNyaSXFt
MD5:	8287BD736F2F5CFBAFB4A3C4DD0A2D88
SHA1:	12458D9A239F6E8335B9AA79C3EE867D111BBFE3
SHA-256:	DDE526182580315F4197E1576BD00516C2D17EFD0DEAA4BFCEDFD823B5025971
SHA-512:	DB6E6FD9B5E447CDF79577022E127F4C26F7494379CCAF3282CF72A5E5963A6E6084D9E10CFE33099114B8D8C66BBB70F66D73123A29EB922103F612AD34021B
Malicious:	false
Preview:	.PNG........IHDR.....................PLTE.........U..333+++$$$ 9.....+++'''$$$(((1$$...,,,)))/&&..$+++)))(((.''+++))).''--&+++-((+++*-((,,',,(++'+++))),))++(,,(+++,)),,(,))+)),))+))++(,,))+)),))++)++((,))+))++)+))++)++))(+))++)++)(,(+++))+)))+++)++)+++)),)++))+))+)+))+)+),)+)+(+))+)+)++)+)++)+)+)+)+(++)+)+)+)+(+)+)+)+)+)+)++)+)+)+)+)+)+),+),,),,--)..///0+01+12+23+34+35+46,57,58,69,7;,8<-9<-9=-:>.;@.<A.<B/=B.=B/=C.>D/?E/?F/?F0AG/BI0CJ0EM1FN2GO1GQ2HQ2KU3LW3MX4NY4P\5Q]4Tb5Vd6Wf6Wg7Yg7\l8]o8^o9_p9_q9_r9bt:bu9bv:cv:fz;gz;g{<h};j.<l.=m.=n.=p.>q.>u.@w.A{.B{.A..B..C..E..E..F..G..F..G..H..H..J..J..J..K..L..L....0'b...ytRNS...................... !$%'(-/134:;<DEGLNQRVWXcdfhijoqrsuvw\|}...........................................................=V.e....bKGD........VIDATx...[La..O..&..o...^..d)!!.d.....".Z...B....R...J.;3...f...y??....t.gf......_XT.6.1...`_.....X.'+'...._...fG..R..\|=jA..&.GlE...`\.j6jH.8...Q[..d....5.d..

C:\Users\user\AppData\Local\Temp\RarSFX0\icons.zip

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	50973
Entropy (8bit):	7.9867854885130996
Encrypted:	false
SSDEEP:	1536:coxB7ECE7ex2Orm00hOAXvWvWT9BbB93fAoDG:c87Q7iRrmyAXeeJ17nC
MD5:	8E19D23C6D6FE77B8DF29A016BC949A9
SHA1:	AF61E7B7D9E070C1237DD5C65B8C339FBD72DF6D
SHA-256:	EB569E329EF77A425D7EC5E5CE36D4BEB1659E10DCA76731A863DBAE52DA1EBC
SHA-512:	7DCD3C6C9BA7E1FE4D75E10802367B61B3480F6B679ADFC2884AFA2D5C4ECCAF6658522CD599F3CA7086CBAD984CDE44224BB3132643FD6E2A3713A2DC7384EB
Malicious:	false
Preview:	PK........i..V...}....>.......icons.ico..X.[....0....I....A...........EE@BQBZ.S.NE..g..`.T..7.....n.-13.o...1..!......F..3...A_;9}.'...X.a0q..}.I..S........0.......>......;\|.C..&..Z......7G.~...v]]Un?.1.tW...!....:tcp..,.f. -...3yr.g..:(>.Np.]15.....^1.........w...87fn.439{...z.e..8y..P2..TU...u.U...ih`]....a....J...xD.w....3..$.^..bU..$.T...{W......./.b<5..mG ......v[=..M..@..-e...'...&>kB..t....Z..k.h....ln.')....p.....-U\|G.J.Z..M.YU.>.Q^.w..".<...W,..h.5...6.....c?f.xaOk..!....i.q...E....F..P1]..6`X,u...G.E.$N.....;.A.&..xk.2...b.....A.+.#.+..(9x}.x?...fv.......L....#..G1.F.M.X'9...C..._......D.<.P'p....5.j..6....2i.&...!o..&._c..rU)}."-.j..T.?..p...9.'...LsF.....>4...".;a..\|.$f\|.Z&Wr#...,..p<...{......R.GL_j.......I5.=3..j....S....=..r..@.....A1.Cb-.b.T.T......Y.K.8..x....2..x..4y...{..]B......8$x.IP..t.l'q..l...`..C.B.K.....n...0....q,...L^....kS...0/....r...~.....g................=..A92.43}?..+.....8.5......x.+m...Ol..>P.z.~fs.

C:\Users\user\AppData\Local\Temp\RarSFX0\img\log-game.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PNG image data, 171 x 33, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	4108
Entropy (8bit):	7.918365556983603
Encrypted:	false
SSDEEP:	96:E3Sw+dWeu3vXLMO91ipdUTHTL/kUguslvkJEUZrW:E3SwQWemD21uMvlUA
MD5:	0FD141306E06EF59CABCE6F76D4F3D7E
SHA1:	1CB2189EBA8E7146C068B4670458EB350644EDD7
SHA-256:	F19B0E9FEFD718789D8316566AED028B13F43955071F2A4C422EA5C09FBDBEFA
SHA-512:	6FEDEAE61D50673BC4E52B2C991C0667A7E12FBAE3C57E36D75C8A4FFE590FE45F594BFB2579363B01886AFE71A94A3D5CDC47DDE2A4BCF9DFD328B9E771F04A
Malicious:	false
Preview:	.PNG........IHDR.......!.......[.....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..\|9...S.....n....$....+..y.;...\|..L..n.. @.B....0.~.A...:i.@<..^./@)...()..A\|.f..\|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T........x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z.....PIDATx..{p\.}.?..jW..,.z.-.m.ml......@...N)..<...R..4$qH..`b.%SR .fB..I..O...8....6X.1~..e.......?.\..rW.A.0......sV..s...........}....A..`.[..`.[..y.[..y...X8W.R?:..9......I$..#.aA9.h..B)}....j..I@.h..V..5...&...! ...;M.q.....G.<Y{N.i.....a.._...T. ..%.#Dq..."......:x".g=.+....a/.#@.....#...nE. ....<...\D.E.2......r8.2.....>.4.M.*g..<...........1.... ..E.mhu..FDN......5h.... .Z.j..E..A7{..k....K.....s5..k...[..@a>Y....PhQ/kW..= ....Y0j..e.P..K..j-d\..Q.gJ...#..%..q........Q..W....`..x.,....,....U..$.........Q.<..KD4..$.P....).9.].T...........

C:\Users\user\AppData\Local\Temp\RarSFX0\img\logo-offer.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PNG image data, 171 x 211, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	18280
Entropy (8bit):	7.949056459897015
Encrypted:	false
SSDEEP:	384:2JXE05D0ZMF5TNd1DBFCOZ0chJIc2Q8xQWm:G35DyC5TNnDfZ0Zc2QJd
MD5:	072679C20456E6B83EA3707A7C4E7B6F
SHA1:	EAD8FCDD16976C9220E289A1D666349D0EB4A72F
SHA-256:	8A0087C2D38FA04F54E2F8A39310EB6FBDC8849C61A55AE235D4B121052A2E6A
SHA-512:	C7EEDB48D3E2B186C49D2CA95D9B444B73BBC393BF4279EEEAA5EFF0FE5FB6754166EAB7DE01EF2FD7AC286BFC211B0D7D8F92C56048753E20D1DF46E2120963
Malicious:	false
Preview:	.PNG........IHDR.............q.t.....pHYs................OiCCPPhotoshop ICC profile..x.SgTS..=...BK...KoR.. RB....&!..J.!...Q..EE..........Q,......!.........{.k.......>........H3Q5...B..........@..$p....d!s.#...~<<+".....x.....M..0.....B.\.....t.8K....@z.B..@F....&S....`.cb..P-.`'........{..[.!..... .e.D.h;...V.E.X0..fK.9..-.0IWfH.............0Q..)..{.`.##x.....F.W<.+.....x..<.$9E.[.-q.WW..(.I.+.6a.a.@..y..2.4..............x.....6..._-..."bb....p@...t~..,/...;..m..%..h^..u..f..@.....W.p.~<<E.........J.B[a.W}.g._.W.l.~<.....$.2].G......L.....b..G.......".Ib.X..Q.q.D...2.".B.).%..d..,..>.5..j>.{.-.]c..K'.Xt......o..(...h...w..?.G.%..fI.q..^D$.T.?....D...A....,.........`6.B$..B.B.d..r`)..B(...*`/.@.4.Qh..p...U..=p..a...(....A...a!..b.X#......!.H...$ ..Q"K.5H1R.T UH..=r.9.\F..;..2....G1...Q=...C..7..F...dt1......r..=.6...h..>C.0....3.l0...B.8,..c."......V.....c.w...E..6.wB a.AHXLXN.H. .$4...7...Q.'"..K.&.....b21.XH,#..../.{.C.7$..C2'...I..T...F.nR#.,..4H.#...dk..9.,

C:\Users\user\AppData\Local\Temp\RarSFX0\img\master-logo.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PNG image data, 191 x 422, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	24154
Entropy (8bit):	7.9763836300607585
Encrypted:	false
SSDEEP:	384:Vwg33+QHoWa5vUP9oOf5/Es9mmROevxAKlW0kpmfZ9Fom9WDC/+iHYd2IP7lj5E2:1H+dW9S4BEs9lROevxipmh9OjDC2i49F
MD5:	22DA1EB67A59553F524C6099F1ACC6D6
SHA1:	BE42B06D5189FD1CB99DB84F506908732540239E
SHA-256:	6F17CF57C88B6D08344231094E10B4B1B689FA05EB26A89323FCE43ABA7322F6
SHA-512:	D4FE413FDD1DF644F1FC2AD3FB13679B7CE70C548C7EBCCB34ABE9394E853C2D83854279F93B4703558484B282E2FD576E5BF9ADCCF9A7ED5B70A462BCBBC5E9
Malicious:	false
Preview:	.PNG........IHDR.............-DU.....pHYs................6iCCPPhotoshop ICC profile..x...J.P.@...P+.qpx.((..`.-E...!...Ji.^^.~..[..w...QpP...@q...!........r...u.a.a.k.n:..\|9...S.....n....$....+..y.;...\|..L..n.. @.B....0.~.A...:i.@<..^./@)...()..A\|.f..\|0..3.}.0ut..jI:Rg.S-..eI....<.e:.dr?...&........b..n:r.jY{..3.......Xz,ZA8T........x..oazR..+....V...../..O..ZOb... cHRM..z%..............R....X..:....o.Z....\.IDATx..w...y/.;.m.kU..........c.t.fL\.....c_.77qL...g......4..c..L.`.cz. !$.^@Bmw%m...s.....3...3...<......s~O'.c.H.2......!@.PJA)-."xd.!d..C..I.!`..ql$.)....o2.:nb.O..l?..#..;'e.B.(! Y........(@)...`.C..(6..... .z.,.~).\....#..EQ......$..6T.~)...A.@).!..}...."Ii.%......d=)./......9....2.~).-B.._...@z{.4...1...,.K./....~A.@.Jr././..7.@.>...$..48.=.C.....2H.K...'..M._Jc..L...w.2h.J.Kil.....g.:].E:...w.B!h.&.Pb..9.....Y.9.....Ji...w&...yB..f..8N..m....c,.14.....ct2.F\|kf.(..<..z.5.d2HI.s..u%.jL....<.....PU5x..3..fC@(..nE.i~.v$.jh.v.gT.\Mj.Y...B.4..Z...

C:\Users\user\AppData\Local\Temp\RarSFX0\img\screen-002-min.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PNG image data, 1125 x 586, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	225104
Entropy (8bit):	7.9850008295885475
Encrypted:	false
SSDEEP:	3072:MvR5U30D4hcL5p0unLQwfJBcxDpNBbZlWaGy04p24UHVUe8ugV9yaxijlmnwvD:8LO7cdznUAGd/bHWY24CUe895xiFvD
MD5:	BAB614B92E1F655D29F6418FC9BC2651
SHA1:	AD9F36A962AFD70410C0020FE45F71F48D979E88
SHA-256:	328DA045E0E974CA57385C137D54ADA72FF0DE8D1DC3661326D6D80F3014968B
SHA-512:	B0C0504B315201BABE7B44C57547328514FF834E618728655E5E5DCF735B0B788705BA92ADA3D290557052B98A53C85C6BA8AC040A42419982DF73A06FFBFD38
Malicious:	false
Preview:	.PNG........IHDR...e...J.............gAMA......a.....sRGB.........pHYs...t...t..f.x....PLTE................................................................................... ........SQJ...........................xul......{yq...mkc...JIF+,srm&&'rog..../0223hg`VUQ........$...ec\OMF......................DDC............BOc...llkZWN~\|tfgg$(/........abca_X@@?...IG@uus.........)-5DB;MMM[ZU........N\r......""#HVk.....\|..566.#..\|yyy99:...>=;...27?...SZf]]^......$-O...86/.3;.....w...~..WX[ 9...31+MUcCFLW_l=AHQRU~}{><5..._[QIP\8<C...x...........\do...?IZr{.984FKTcjs.,&;CRn\|.$,Hcn\|...........v..\|~....gu.......%/A...nu}...........mot...Vex......3;K............$....~..1......................4......4.......9..N...2x..H.=.($....... ...Y...h....@...z....&_...........X.?..N.9.../.......b..8g-K}?.!.I.4...}....u._.};.$&.b.O./L.{].^5....H4..k.IDATx..}L.g./Z.sL.....Rk..(..n.r"..@.....Z.......`t....p..........cp.fm.8$.D..8...8g..R...Z...D7..............V....L.N..........z

C:\Users\user\AppData\Local\Temp\RarSFX0\last-page.html

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	6869
Entropy (8bit):	5.538532237704157
Encrypted:	false
SSDEEP:	96:+U7J/U1jQIkzACBF/Nuck7kryZNMGiFLkUCsbrpiigxkM:8HCBlEB7kGu2UCsbrp12kM
MD5:	1A5F5C559FAB7519D0EE43B1EA928AD2
SHA1:	6180D0CE153894D843B5CE5A25B0DD2B33328CFC
SHA-256:	D2218AE1B51426685188830C897BEDF51DAFF8DC57163374D57C8261DDC6BE19
SHA-512:	CBD7C760AD40EA92452989361019AC2FD2E4DFF530472513F02626EB2C90730DCA91C56B1C40CC772CDC972D7A5B3FF4CB6A0205E945FC4FA7480746BBE4F5EA
Malicious:	false
Preview:	.<html>..<head>....<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">......<title>OpenBox - DirectX 12</title>......<style>...selPage {background: #fff;width: 100%;height: 86%;display: block;}.....text {width: 470px;padding-left: 20px;padding-top: 16px;font-size: 14px;}.....border {/border: 1px solid #8b8b8b;/width: 372px;height: 180px;/background-color: #fff;/float: left;}.....jot li {padding-top: 5px;padding-buttom: 5px;}...jot2 li {list-style-type: none;padding-top: 5px;padding-right: 0px;padding-bottom: 5px;padding-left: 0px;width: 440px;}...jot2 {padding-left: 0px;margin-top: 5px;margin-right: 0px;margin-bottom: 5px;margin-left: 20px;}...content {height: 180px;}...jot{margin-top: 10px;}...second {font-size: 13px;padding-left: 10px;margin-top: 7px;margin-bottom: 5px;}...first {font-size: 13px;padding-left: 30px;margin-top: 5px;margin-bottom: 5px;}.....Logo2 {position: absolute;z-index: 99;width: 64px;height: 64px;margin-left: 503px;}.....windo {position: abso

C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	208544
Entropy (8bit):	6.614980777339889
Encrypted:	false
SSDEEP:	3072:IWF1Sss2XaOvu+v7QC2mCAbtoJOBW0rArwrkut57cIrDjy6Hy2BKbY64IrHLzMxI:IWF0+XaOvuyycWNrwrk6y2ZJIrrzr
MD5:	B9314504E592D42CB36534415A62B3AF
SHA1:	059D2776F68BCC4D074619A3614A163D37DF8B62
SHA-256:	C60C3A7D20B575FDEEB723E12A11C2602E73329DC413FC6D88F72E6F87E38B49
SHA-512:	E50ADB690E2F6767001031E83F40CC067C9351D466051E45A40A9E7FF49049E35609F1E70DD7BB4A4721A112479F79090DECCA6896DEAC2680E7D107E3355DAE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......G.............z,.....z......z/....8.....8.....8../....N.................."......J..........Rich...................PE..L...p.~d.................:...................P....@..........................p............@..........................................@..(................(...P..0.......p...............................@............P...............................text....8.......:.................. ..`.rdata......P.......>..............@..@.data....6..........................@....gfids..4....0......................@..@.rsrc...(....@......................@..@.reloc..0....P......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
Category:	dropped
Size (bytes):	295320
Entropy (8bit):	7.749011498049896
Encrypted:	false
SSDEEP:	6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0
MD5:	2CBD6AD183914A0C554F0739069E77D7
SHA1:	7BF35F2AFCA666078DB35CA95130BEB2E3782212
SHA-256:	2CF71D098C608C56E07F4655855A886C3102553F648DF88458DF616B26FD612F
SHA-512:	FF1AF2D2A883865F2412DDDCD68006D1907A719FE833319C833F897C93EE750BAC494C0991170DC1CF726B3F0406707DAA361D06568CD610EEB4ED1D9C0FBB10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......->..i_.i_.i_..\|.d_.i_.._..\|..h_..\|.q_..\|.h_.Richi_.........PE..L...!.};............................^Z...............................................J...............................................................^...#...........................................................................................text............................... ..`.data...............................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	3621
Entropy (8bit):	5.780862584035253
Encrypted:	false
SSDEEP:	48:WVgm7WVQHviMsE6DioJEYZWdHWAwXcTU+Zahqi4I6waG7FcOFi+lmxRevf:9IobExivdLXcTUcCqjI6wP9i+gxk3
MD5:	EA6F841C0422F623A1CD5A41F0247E81
SHA1:	D4908CFE3AF2BB07F3F03FA73EB2ABB91A4C1AF6
SHA-256:	93EF3B613EF2BC8B3224409488BDCA649758A25FAE3254519C027A545589A07C
SHA-512:	15FB353DFCE76384B3EB0701419D39BC109793E73639205CF52A9360667F633027C78ED5D6AEAECDBFDB2773E8C8BA7AF8171442800A992E2E0ACFF0CC3FD371
Malicious:	true
Preview:	.<html>..<script language=javascript>..var winWidth=596;..var winHeight=489;..window.resizeTo(winWidth, winHeight);..var winPosX=screen.width/2-winWidth/2;..var winPosY=screen.height/2.109-winHeight/2.109;..window.moveTo(winPosX, winPosY);..</script>..<head>..<hta:application..applicationName="O-DirectX12-W1"..border="dialog"..borderStyle="static"..minimizeButton="yes"..maximizeButton="no"..windowState="sunken"..caption="yes"..innerBorder="no"..selection="yes"..scroll="no"..sysMenu="yes"..contextmenu="no"..icon="icon.ico"..singleInstance="yes"..navigable="yes"../>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>OpenBox - DirectX 12</title>..<style>...selPage { background: #fff;width: 100%;height: 86%;display: block; }...Logo {width: 191px;}...text {padding-left: 210px;position: absolute;padding-top: 60px;padding-right: 20px;padding-bottom: 20px;font-size: 15px;}...foter {position: absolute;z-index: 99;background: #eeeeee;border-top: 1px solid #b6b6b6;wid

C:\Users\user\AppData\Local\Temp\RarSFX0\vid-31.txt

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Tn:T
MD5:	C16A5320FA475530D9583C34FD356EF5
SHA1:	632667547E7CD3E0466547863E1207A8C0C0C549
SHA-256:	EB1E33E8A81B697B75855AF6BFCDBCBF7CBBDE9F94962CEAEC1ED8AF21F5A50F
SHA-512:	5305F867C631E8335813A103A4942A93037C3D3B1982EAB342FB495047DCC79E13299AB65B5F4A34400F15AF384EDA2ED7144671E83996334C0669FC8377A130
Malicious:	false
Preview:	31

C:\Users\user\AppData\Local\Temp\RarSFX0\ya-page.html

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	7620
Entropy (8bit):	5.879682557619017
Encrypted:	false
SSDEEP:	96:29SIYOAFWC4bzPXgWp/9RQ3anRWFv4mDam6mBm2mECmGmpyi9gxke:maW5gWp7RWFvjxlwBGxQs2ke
MD5:	AF11A6D72D4B302C88D38DE717E2B770
SHA1:	6ABD03BCB4088C6A06467C1DE21AED77685BFC9A
SHA-256:	9A54C65A5D59DE5372601D8A82F0335C99E379EA5ABCC3102F25E857D22C0F0A
SHA-512:	F018734FD9DCEE6F5941943AE55AFF7BC9EFCE66EFE00D95168F1BEA2763C10442705F4710679C5AE64B62D10F78F9FBB418883E5D890A7025E125B8E39DC0A9
Malicious:	false
Preview:	.<html>..<head>..<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">..<title>OpenBox - DirectX 12</title>..<style>...selPage {background: #fff;width: 100%;height: 86%;display: block;}...Logo2 {position: absolute;z-index: 99;width: 64px;height: 64px;margin-left: 503px;}...text {width: 555px;background: #fff;padding-left: 20px;padding-top: 16px;font-size: 14px;}...border {width: 372px;height: 180px;float: left;}...windo {position: absolute;z-index: 98;height: 86%;background: #eeeeee;font-size: 14px;width: 100%;padding-top: 10px;border-top: 1px solid #b6b6b6;}...license {width: 546px;padding-top: 0px;padding-bottom: 15px;padding-left: 35px;}...foter {position: absolute;z-index: 99;display: block;width: 100%;height: 14%;background: #eeeeee;border-top: 1px solid #b6b6b6;}...button {background-color: #e1e1e1;width: 18%;height: 29px;cursor: pointer;font-size: 15px;border: 1px solid #b9b9b9;outline: none;box-shadow: none;color: #000000;margin-left: 15px;float: right;}...butto

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1344
Entropy (8bit):	4.929565013787063
Encrypted:	false
SSDEEP:	24:x2NGXxePnx7ovS/xPHLxePgWlIedgeRNJgjIJgfPkOc:kNqsZxPLfiQTfjc
MD5:	08D5E9F3327E308A13609731A1132614
SHA1:	457EEB6723D167AD5AE281FA8D54A7EB07E0B4B7
SHA-256:	E6B52563196567CBE26B5298D2051869C6327AC0EB97F81E215692BCE639B698
SHA-512:	3CA558763622EEDBF07A9DCE0A3279D718CDDCD2A6BA941B14F40C9117948D256CAA0BC62DFEAAA8A1272CF1E4A0ABDB945B78024BAD27EAA84E6C076D7604FB
Malicious:	false
Preview:	--2024-09-29 08:19:01-- https://download.yandex.ru/yandex-pack/downloader/downloader.exe..Resolving download.yandex.ru (download.yandex.ru)... 5.45.205.243, 5.45.205.244, 5.45.205.245, .....Connecting to download.yandex.ru (download.yandex.ru)\|5.45.205.243\|:443... connected...HTTP request sent, awaiting response... 302 Found..Location: https://cachev2-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299 [following]..--2024-09-29 08:19:03-- https://cachev2-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299..Resolving cachev2-fra-02.cdn.yandex.net (cachev2-fra-02.cdn.yandex.net)... 5.45.200.105..Connecting to cachev2-fra-02.cdn.yandex.net (cachev2-fra-02.cdn.yandex.net)\|5.45.200.105\|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 208544 (204K) [application/octet-stream]..Saving to: 'o9iQbd0.exe'.....o9iQbd0.exe 0%[ ]

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9946933298924625
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
File size:	2'685'976 bytes
MD5:	e3c955967b61afd68ffdf50f9d4e085a
SHA1:	76ca40cb78f2d155217464072bd29f453bce16c3
SHA256:	c3caf1714085fbbc73fecccbd68193c2ac033833cef055e8e8948f28e62b89f4
SHA512:	f500465c89dd3c2b9e326d4a08693c4387e8d8b2a85664609d55046c3140a085177a974ae5913fc53cd815c752dd10d83f6c9c62a874f8278cf4bf5b21bed4bc
SSDEEP:	49152:qVIZfUzAOOaeAnn3grmYl3SKB5HfzhovA/nGFDll1+KAP7bCY:mI5UzAxdQ3gr1Jf5VucQt+uY
TLSH:	1AC533176AE811B3D7C1BA706D7C7304E87E9818E7FCB405EB1106299F76216A89DB83
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}zQ.9.?U9.?U9.?U..RU1.?U..DU*.?U9.>U..?U'I.U?.?U0c.U8.?U0c.U..?U0c.U8.?U'I.U8.?U0c.U8.?URich9.?U........PE..L......J...........

File Icon


Icon Hash:	45cccc70f8cccc41

Static PE Info

General

Entrypoint:	0x40912e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4A87E807 [Sun Aug 16 11:05:43 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e731a0eb5a871c8e2bac936ab9cfdd3d

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	20/06/2023 17:36:07 20/06/2025 17:36:07
Subject Chain	E=digitalstart@mail.ru, CN=OOO DIGITAL-START, O=OOO DIGITAL-START, L=Tulun, S=Irkutsk Oblast, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Irkutsk Oblast, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1213800011622, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	A133A50531B977F623CBD8834B723F3E
Thumbprint SHA-1:	12DE85094A43566B446946E3ED71ABA2844282E9
Thumbprint SHA-256:	F93A445F360F91ED81BD07C6B241D8409063906CD121CE032818DAFD6578D686
Serial:	07302D716DA7520EA65D6C48

Entrypoint Preview

Instruction
call 00007FDE888BE183h
xor eax, eax
push eax
push eax
push eax
push eax
call 00007FDE888C0CBAh
ret
push esi
push edi
mov edi, dword ptr [esp+0Ch]
mov esi, ecx
mov ecx, edi
mov dword ptr [esi], edi
call 00007FDE888B8072h
mov dword ptr [esi+08h], eax
mov dword ptr [esi+0Ch], edx
mov eax, dword ptr [edi+00000C1Ch]
mov dword ptr [esi+10h], eax
pop edi
mov eax, esi
pop esi
retn 0004h
mov eax, ecx
mov ecx, dword ptr [eax]
mov edx, dword ptr [eax+10h]
cmp edx, dword ptr [ecx+00000C1Ch]
jne 00007FDE888BE26Fh
push 00000000h
push dword ptr [eax+0Ch]
push dword ptr [eax+08h]
call 00007FDE888B84D9h
ret
push ebp
mov ebp, esp
sub esp, 1Ch
push esi
xor esi, esi
push esi
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0040D208h]
test eax, eax
je 00007FDE888BE283h
push esi
push esi
push esi
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0040D20Ch]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0040D210h]
lea eax, dword ptr [ebp-1Ch]
push eax
call dword ptr [0040D258h]
pop esi
leave
ret
push ebp
mov ebp, esp
sub esp, 64h
push 00000064h
lea eax, dword ptr [ebp-64h]
push eax
push 0000000Fh
push 00000400h
call dword ptr [0040D14Ch]
movsx eax, byte ptr [ebp-64h]
leave
ret
push ebp
mov ebp, esp
sub esp, 34h
push ebx
xor ebx, ebx
push esi
push edi
cmp dword ptr [0040F028h], ebx
jne 00007FDE888BE27Ch
call 00007FDE888BE32Eh

Rich Headers

Programming Language:

[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[EXP] VS2008 SP1 build 30729
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xe750	0x33	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd9dc	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x79ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x28d2e8	0x2930
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xd280	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd000	0x278	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbdb7	0xbe00	14e0e667d420ec1a3ff4a7622469c762	False	0.6052631578947368	data	6.5462226527058744	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd000	0x17d5	0x1800	cfc3d62e1d5821e2defe2196840909ea	False	0.4817708333333333	data	5.384019730141905	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x19cb8	0x200	0fdd92fffc3dedd0d6504bffc2229aa1	False	0.197265625	data	1.2979945737040552	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x29000	0x10	0x200	d9f91643921952c7bc8c7ea02a29dd4f	False	0.044921875	data	0.21310128450968063	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x79ec	0x7a00	b46b582f743a69594d02fe80dc871b2e	False	0.7465099897540983	data	7.147346224646645	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_BITMAP	0x2a51c	0xbb6	Device independent bitmap graphic, 93 x 302 x 4, 2 compression, image size 2894, resolution 2835 x 2835 px/m	English	United States	0.2581721147431621
RT_ICON	0x2b0d4	0x2cf	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced			1.015299026425591
RT_ICON	0x2b3a4	0x4c4	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced			1.009016393442623
RT_ICON	0x2b868	0x66d	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced			1.0066869300911854
RT_ICON	0x2bed8	0x98b	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced			1.004502660663119
RT_ICON	0x2c864	0xa14	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced			1.004263565891473
RT_ICON	0x2d278	0x12b8	PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced			0.9995826377295493
RT_ICON	0x2e530	0x18b8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.938685208596713
RT_DIALOG	0x2fde8	0x282	data	English	United States	0.5062305295950156
RT_DIALOG	0x3006c	0x136	data	English	United States	0.6064516129032258
RT_DIALOG	0x301a4	0xe8	data	English	United States	0.6939655172413793
RT_DIALOG	0x3028c	0x12a	data	English	United States	0.587248322147651
RT_DIALOG	0x303b8	0x334	data	English	United States	0.43414634146341463
RT_DIALOG	0x306ec	0x21e	data	English	United States	0.5645756457564576
RT_STRING	0x3090c	0x22c	data	English	United States	0.420863309352518
RT_STRING	0x30b38	0x3b2	data	English	United States	0.3964059196617336
RT_STRING	0x30eec	0x212	data	English	United States	0.4339622641509434
RT_STRING	0x31100	0x27e	data	English	United States	0.4122257053291536
RT_STRING	0x31380	0x4c	data	English	United States	0.631578947368421
RT_GROUP_ICON	0x313cc	0x68	data			0.7403846153846154
RT_MANIFEST	0x31434	0x5b8	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.44193989071038253

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	SetFileAttributesW, GetFullPathNameA, MoveFileA, DeleteFileA, DeleteFileW, CreateDirectoryA, CreateDirectoryW, FindClose, FindNextFileA, FindFirstFileA, FindNextFileW, FindFirstFileW, GetTickCount, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GlobalAlloc, lstrlenA, GetModuleFileNameA, FindResourceA, GetModuleHandleA, HeapAlloc, GetProcessHeap, HeapFree, HeapReAlloc, CompareStringA, ExitProcess, SetFileAttributesA, GetNumberFormatA, lstrcmpiA, GetProcAddress, DosDateTimeToFileTime, GetDateFormatA, GetTimeFormatA, FileTimeToSystemTime, FileTimeToLocalFileTime, ExpandEnvironmentStringsA, WaitForSingleObject, SetCurrentDirectoryA, Sleep, GetTempPathA, MoveFileExA, GetModuleFileNameW, SetEnvironmentVariableA, GetCommandLineA, LocalFileTimeToFileTime, SystemTimeToFileTime, IsDBCSLeadByte, GetCPInfo, FreeLibrary, LoadLibraryA, GetCurrentDirectoryA, GetFileAttributesW, GetFileAttributesA, WriteFile, SetFileTime, GetStdHandle, ReadFile, SetLastError, CreateFileW, CreateFileA, GetFileType, SetFilePointer, CloseHandle, SetEndOfFile, GetLastError, GetLocaleInfoA
USER32.dll	OemToCharBuffA, CharLowerA, wvsprintfA, FindWindowExA, GetClassNameA, ReleaseDC, GetDC, SendMessageA, wsprintfA, SetDlgItemTextA, EndDialog, DestroyIcon, SendDlgItemMessageA, GetDlgItemTextA, DialogBoxParamA, IsWindowVisible, WaitForInputIdle, GetSysColor, PostMessageA, SetMenu, SetFocus, LoadBitmapA, CharToOemBuffA, CharToOemA, OemToCharA, MapWindowPoints, CreateWindowExA, UpdateWindow, SetWindowTextA, LoadCursorA, RegisterClassExA, SetWindowLongA, GetWindowLongA, DefWindowProcA, PeekMessageA, GetMessageA, TranslateMessage, DestroyWindow, GetClientRect, CopyRect, IsWindow, MessageBoxA, ShowWindow, GetDlgItem, LoadStringA, SetWindowPos, GetWindowTextA, GetSystemMetrics, GetWindow, CharUpperA, GetWindowRect, LoadIconA, GetParent, EnableWindow, DispatchMessageA
GDI32.dll	GetDeviceCaps, CreateCompatibleDC, GetObjectA, CreateCompatibleBitmap, SelectObject, StretchBlt, DeleteObject, DeleteDC
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA
SHELL32.dll	ShellExecuteExA, SHFileOperationA, SHGetFileInfoA, SHGetSpecialFolderLocation, SHGetMalloc, SHBrowseForFolderA, SHGetPathFromIDListA, SHChangeNotify
ole32.dll	CreateStreamOnHGlobal, OleInitialize, CoCreateInstance, OleUninitialize, CLSIDFromString
OLEAUT32.dll	VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 14:19:03.181365013 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.181420088 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:03.181550026 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.185308933 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.185324907 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:03.915730000 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:03.915817976 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.917654991 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.917665958 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:03.918000937 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:03.919110060 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:03.959441900 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:04.277251005 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:04.277400970 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:04.277755022 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:04.281090021 CEST	49707	443	192.168.2.5	5.45.205.243
Sep 29, 2024 14:19:04.281125069 CEST	443	49707	5.45.205.243	192.168.2.5
Sep 29, 2024 14:19:04.332137108 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:04.332185984 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:04.332290888 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:04.333626032 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:04.333642960 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.142306089 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.142411947 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.143887043 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.143898964 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.144320011 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.147196054 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.191402912 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.567442894 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.567465067 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.567490101 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.567563057 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.567589998 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.567676067 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.671494961 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.671523094 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.671669960 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.671689987 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.671710014 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.671761990 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.725737095 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.725764036 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.725894928 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.725913048 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.725960970 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.780508041 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.780531883 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.780694008 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.780710936 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.780818939 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.815164089 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.815207005 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.815287113 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.815296888 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.815336943 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.815337896 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.832767963 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.841720104 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.841766119 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.841808081 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.841821909 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.841866016 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.841866016 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.874455929 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.874511003 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.874552965 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.874562979 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.874572992 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.874607086 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.904558897 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.904604912 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.904675007 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.904683113 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.904697895 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.904738903 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.926418066 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.926460981 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.926526070 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.926534891 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.926557064 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.926597118 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.944030046 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.944082022 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.944158077 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.944165945 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.944201946 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.944226027 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.960299969 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.960355043 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.960438967 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.960445881 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.960522890 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.975621939 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.975691080 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.975747108 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.975758076 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.975804090 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.975812912 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.985487938 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.985542059 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.985609055 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.985615969 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.985661030 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.985661983 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.985730886 CEST	443	49710	5.45.200.105	192.168.2.5
Sep 29, 2024 14:19:05.985816956 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.989145041 CEST	49710	443	192.168.2.5	5.45.200.105
Sep 29, 2024 14:19:05.989161015 CEST	443	49710	5.45.200.105	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 14:19:02.561244011 CEST	60134	53	192.168.2.5	1.1.1.1
Sep 29, 2024 14:19:02.608131886 CEST	53	60134	1.1.1.1	192.168.2.5
Sep 29, 2024 14:19:04.293725014 CEST	51861	53	192.168.2.5	1.1.1.1
Sep 29, 2024 14:19:04.329056025 CEST	53	51861	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 14:19:02.561244011 CEST	192.168.2.5	1.1.1.1	0x6e0d	Standard query (0)	download.yandex.ru	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:04.293725014 CEST	192.168.2.5	1.1.1.1	0x4929	Standard query (0)	cachev2-fra-02.cdn.yandex.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	download.yandex.ru	cdn.yandex.net		CNAME (Canonical name)	IN (0x0001)	false
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	cdn.yandex.net		5.45.205.243	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	cdn.yandex.net		5.45.205.244	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	cdn.yandex.net		5.45.205.245	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	cdn.yandex.net		5.45.205.241	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:02.608131886 CEST	1.1.1.1	192.168.2.5	0x6e0d	No error (0)	cdn.yandex.net		5.45.205.242	A (IP address)	IN (0x0001)	false
Sep 29, 2024 14:19:04.329056025 CEST	1.1.1.1	192.168.2.5	0x4929	No error (0)	cachev2-fra-02.cdn.yandex.net		5.45.200.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

download.yandex.ru

cachev2-fra-02.cdn.yandex.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49707	5.45.205.243	443	7148	C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-29 12:19:03 UTC	176	OUT	GET /yandex-pack/downloader/downloader.exe HTTP/1.1 User-Agent: Wget/1.19.2 (mingw32) Accept: / Accept-Encoding: gzip Host: download.yandex.ru Connection: Keep-Alive
2024-09-29 12:19:04 UTC	527	IN	HTTP/1.1 302 Found Server: nginx/1.17.9 Date: Sun, 29 Sep 2024 12:19:04 GMT Content-Length: 0 Connection: close Location: https://cachev2-fra-02.cdn.yandex.net/download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299 X-Request-Id: 1727612344168658-15258422541223674988 X-Strm-Request-Id: 1727612344168658-15258422541223674988 X_h: strm-cacto-production-3.sas.yp-c.yandex.net Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache Cache-Control: no-store,no-cache,must-revalidate Pragma: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49710	5.45.200.105	443	7148	C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-29 12:19:05 UTC	214	OUT	GET /download.yandex.ru/yandex-pack/downloader/downloader.exe?lid=299 HTTP/1.1 User-Agent: Wget/1.19.2 (mingw32) Accept: / Accept-Encoding: gzip Host: cachev2-fra-02.cdn.yandex.net Connection: Keep-Alive
2024-09-29 12:19:05 UTC	907	IN	HTTP/1.1 200 OK Server: nginx Date: Sun, 29 Sep 2024 12:19:05 GMT Content-Type: application/octet-stream Content-Length: 208544 Connection: close Etag: "b9314504e592d42cb36534415a62b3af" Last-Modified: Mon, 22 Jul 2024 09:35:20 GMT X-Amz-Meta-Origin-Date-Iso8601: 2024-07-22T09:04:09.431Z X-Amz-Request-Id: 756b0a3c97fef450 Access-Control-Allow-Origin: * X-Robots-Tag: noindex, noarchive, nofollow X-Strm-Log-Split: 6 X_h: cachev2-fra-02.cdn.yandex.net X-Strm-Request-Id: b6da3bd147178737 X-Request-Id: b6da3bd147178737 Report-To: {"group": "network-errors", "max_age": 1200, "include_subdomains": true, "endpoints": [ {"url": "https://dr.yandex.net/strm", "priority": 1}, {"url": "https://dr2.yandex.net/strm", "priority": 2} ]} NEL: {"report_to": "network-errors", "max_age": 1200, "success_fraction": 0.005, "failure_fraction": 0.05, "include_subdomains": true} Accept-Ranges: bytes
2024-09-29 12:19:05 UTC	15477	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 47 87 b3 f5 03 e6 dd a6 03 e6 dd a6 03 e6 dd a6 b7 7a 2c a6 09 e6 dd a6 b7 7a 2e a6 88 e6 dd a6 b7 7a 2f a6 1a e6 dd a6 38 b8 de a7 17 e6 dd a6 38 b8 d9 a7 10 e6 dd a6 38 b8 d8 a7 2f e6 dd a6 0a 9e 4e a6 1a e6 dd a6 03 e6 dc a6 98 e6 dd a6 a9 b8 d4 a7 07 e6 dd a6 a9 b8 22 a6 02 e6 dd a6 03 e6 4a a6 02 e6 dd a6 a9 b8 df a7 02 e6 dd a6 52 69 63 68 03 e6 dd a6 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Gz,z.z/888/N"JRich
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: 05 c9 ff ff 59 6b 45 08 18 5f 03 c3 89 46 08 6b 45 f8 18 03 c3 89 46 04 89 1e 5e 5b 8b e5 5d c2 04 00 55 8b ec 53 56 57 33 d2 8b f1 51 8b 4d 08 42 e8 86 c8 ff ff 8b 4e 04 8b f8 2b 0e 51 ff 36 57 e8 95 3d 00 00 8b 0e 83 c4 10 8b 5e 04 2b d9 85 c9 74 0d 8b 56 08 6a 01 2b d1 e8 a9 c8 ff ff 59 8b 45 08 03 c7 89 46 08 8d 04 3b 89 46 04 89 3e 5f 5e 5b 5d c2 04 00 55 8b ec 8b 41 10 3b 45 08 72 04 5d c2 04 00 68 dc bb 42 00 e8 0b 2c 00 00 cc 55 8b ec 8b 55 08 85 d2 74 2c 83 79 14 08 72 04 8b 01 eb 02 8b c1 3b d0 72 1c 83 79 14 08 56 72 04 8b 31 eb 02 8b f1 8b 41 10 8d 04 46 5e 3b c2 76 04 b0 01 eb 02 32 c0 5d c2 04 00 55 8b ec 56 8b 75 08 81 fe fe ff ff 7f 77 4b 39 71 14 73 0b ff 71 10 56 e8 59 06 00 00 eb 31 80 7d 0c 00 74 17 83 fe 08 73 12 8b 41 10 3b f0 0f 42 Data Ascii: YkE_FkEF^[]USVW3QMBN+Q6W=^+tVj+YEF;F>_^[]UA;Er]hB,UUt,yr;ryVr1AF^;v2]UVuwK9qsqVY1}tsA;B
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: ff e0 f7 c7 03 00 00 00 74 13 8a 06 88 07 49 83 c6 01 83 c7 01 f7 c7 03 00 00 00 75 ed 8b d1 83 f9 20 0f 82 ae 02 00 00 c1 e9 02 f3 a5 83 e2 03 ff 24 95 b4 88 40 00 ff 24 8d c4 88 40 00 90 c4 88 40 00 cc 88 40 00 d8 88 40 00 ec 88 40 00 8b 44 24 0c 5e 5f c3 90 8a 06 88 07 8b 44 24 0c 5e 5f c3 90 8a 06 88 07 8a 46 01 88 47 01 8b 44 24 0c 5e 5f c3 8d 49 00 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 88 47 02 8b 44 24 0c 5e 5f c3 90 8d 34 31 8d 3c 39 83 f9 20 0f 82 51 01 00 00 0f ba 25 2c f0 42 00 01 0f 82 94 00 00 00 f7 c7 03 00 00 00 74 14 8b d7 83 e2 03 2b ca 8a 46 ff 88 47 ff 4e 4f 83 ea 01 75 f3 83 f9 20 0f 82 1e 01 00 00 8b d1 c1 e9 02 83 e2 03 83 ee 04 83 ef 04 fd f3 a5 fc ff 24 95 60 89 40 00 90 70 89 40 00 78 89 40 00 88 89 40 00 9c 89 40 00 8b 44 24 0c Data Ascii: tIu $@$@@@@@D$^_D$^_FGD$^_IFGFGD$^_41<9 Q%,Bt+FGNOu $`@p@x@@@D$
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: eb 02 33 c9 8b 45 0c 0f b6 84 c8 d8 5b 42 00 c1 e8 04 5d c2 08 00 8b ff 55 8b ec 8a 4d 08 8d 41 e0 3c 5a 77 0f 0f be c1 0f b6 80 18 5c 42 00 83 e0 0f eb 02 33 c0 6b c8 09 8b 45 0c 0f b6 84 01 38 5c 42 00 c1 e8 04 5d c2 08 00 8b ff 55 8b ec 8b 4d 08 8d 41 e0 66 83 f8 5a 77 0f 0f b7 c1 0f b6 88 b8 5b 42 00 83 e1 0f eb 02 33 c9 8b 45 0c 0f b6 84 c8 d8 5b 42 00 c1 e8 04 5d c2 08 00 8b ff 55 8b ec 8b 4d 08 8d 41 e0 66 83 f8 5a 77 0f 0f b7 c1 0f b6 80 18 5c 42 00 83 e0 0f eb 02 33 c0 6b c8 09 8b 45 0c 0f b6 84 01 38 5c 42 00 c1 e8 04 5d c2 08 00 8b ff 55 8b ec 56 8b 75 08 0f be 06 50 e8 92 a9 00 00 83 f8 65 eb 0c 46 0f b6 06 50 e8 a8 a7 00 00 85 c0 59 75 f1 0f be 06 50 e8 75 a9 00 00 59 83 f8 78 75 03 83 c6 02 8b 45 0c 8a 0e 8b 00 8b 80 88 00 00 00 8b 00 8a 00 Data Ascii: 3E[B]UMA<Zw\B3kE8\B]UMAfZw[B3E[B]UMAfZw\B3kE8\B]UVuPeFPYuPuYxuE
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: 4a ea ff ff 32 c0 e9 32 01 00 00 8b 06 83 e0 01 83 c8 00 74 0b 8d 41 04 89 46 64 8b 78 fc eb 03 83 cf ff 85 ff 75 2a 8b 06 83 e0 04 0b c7 74 14 ff 76 08 e8 84 88 00 00 59 83 f8 ff 74 03 ff 46 0c c6 03 00 e8 6e ed ff ff c7 00 0c 00 00 00 eb b3 83 7d 08 00 8b 46 28 89 45 f0 8b 46 2c 89 45 ec 89 5d e8 89 7d fc 74 0b 83 ff ff 74 06 8d 47 ff 89 45 fc 33 d2 33 c9 8b 45 f0 0b 45 ec 89 4d f8 89 55 f4 74 0a 3b 55 f0 75 05 3b 4d ec 74 6e ff 76 08 e8 24 88 00 00 89 45 e4 59 83 f8 ff 74 03 ff 46 0c 50 ff 75 08 8b ce e8 71 2e 00 00 84 c0 74 39 80 7e 26 00 75 17 8b 4d fc 85 c9 74 1e 8b 55 e8 8b 45 e4 88 02 42 49 89 55 e8 89 4d fc 8b 55 f4 8b 4d f8 83 c2 01 83 d1 00 eb 9a 83 ff ff 0f 84 5d ff ff ff e9 55 ff ff ff 8b 45 e4 8d 4e 08 50 e8 a3 37 00 00 8b 4d f8 8b 55 f4 8b Data Ascii: J22tAFdxu*tvYtFn}F(EF,E]}ttGE33EEMUt;Uu;Mtnv$EYtFPuq.t9~&uMtUEBIUMUM]UENP7MU
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: 10 c7 46 08 85 00 00 00 eb 07 c7 46 08 8a 00 00 00 ff 76 08 8b cf 6a 08 ff 15 14 52 42 00 ff d7 59 89 5e 08 eb 10 ff 71 04 89 59 08 8b cf ff 15 14 52 42 00 ff d7 8b 45 f8 59 89 46 04 83 c8 ff 5f 5b 8b 4d fc 33 cd 5e e8 23 30 ff ff 8b e5 5d c3 8b ff 55 8b ec 33 c0 81 7d 08 63 73 6d e0 0f 94 c0 5d c3 6a 0c 68 a8 d6 42 00 e8 4b d4 00 00 8b 75 10 85 f6 75 12 e8 d0 3a ff ff 84 c0 74 09 ff 75 08 e8 36 01 00 00 59 6a 02 e8 33 18 00 00 59 83 65 fc 00 80 3d b0 fe 42 00 00 0f 85 99 00 00 00 33 c0 40 b9 a8 fe 42 00 87 01 c7 45 fc 01 00 00 00 8b 7d 0c 85 ff 75 3c 8b 1d 24 f0 42 00 8b d3 83 e2 1f 6a 20 59 2b ca 33 c0 d3 c8 33 c3 8b 0d ac fe 42 00 3b c8 74 15 33 d9 33 c0 50 50 50 8b ca d3 cb 8b cb ff 15 14 52 42 00 ff d3 68 d4 00 43 00 eb 0a 83 ff 01 75 0b 68 e0 00 43 Data Ascii: FFvjRBY^qYRBEYF_[M3^#0]U3}csm]jhBKuu:tu6Yj3Ye=B3@BE}u<$Bj Y+33B;t33PPPRBhCuhC
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: 8b 4d 0c 8b f8 8b 49 0c f6 c1 06 75 21 e8 a5 6d ff ff c7 00 09 00 00 00 8b 45 0c 6a 10 59 83 c0 0c f0 09 08 b8 ff ff 00 00 e9 d5 00 00 00 8b 45 0c 8b 40 0c c1 e8 0c a8 01 74 0d e8 77 6d ff ff c7 00 22 00 00 00 eb d0 8b 45 0c 8b 40 0c a8 01 74 28 8b 45 0c 83 60 08 00 8b 45 0c 8b 40 0c c1 e8 03 a8 01 8b 45 0c 74 b2 8b 48 04 89 08 8b 45 0c 6a fe 59 83 c0 0c f0 21 08 8b 45 0c 53 56 6a 02 5b 83 c0 0c f0 09 18 8b 45 0c 6a f7 59 83 c0 0c f0 21 08 8b 45 0c 83 60 08 00 8b 45 0c 8b 40 0c a9 c0 04 00 00 75 31 8b 75 0c 6a 01 e8 35 bb ff ff 59 3b f0 74 0e 8b 75 0c 53 e8 27 bb ff ff 59 3b f0 75 0b 57 e8 bc 37 00 00 59 85 c0 75 09 ff 75 0c e8 26 51 00 00 59 ff 75 0c 8b 75 08 56 e8 ed 00 00 00 59 59 84 c0 75 13 8b 45 0c 6a 10 59 83 c0 0c f0 09 08 b8 ff ff 00 00 eb 03 0f Data Ascii: MIu!mEjYE@twm"E@t(E`E@EtHEjY!ESVj[EjY!E`E@u1uj5Y;tuS'Y;uW7Yuu&QYuuVYYuEjY
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: ff ff 00 00 10 00 89 b5 8c fa ff ff 3b de 0f 85 00 02 00 00 33 c9 8b 84 0d 90 fa ff ff 3b 84 0d 30 fe ff ff 0f 85 ea 01 00 00 83 c1 04 83 f9 08 75 e4 8b 85 b4 f8 ff ff 33 d2 83 c0 02 8b f0 83 e0 1f 6a 20 59 2b c8 89 85 a4 f8 ff ff 33 c0 c1 ee 05 40 89 b5 b0 f8 ff ff 89 8d 90 f8 ff ff e8 37 53 00 00 83 a5 9c f8 ff ff 00 48 0f bd cf 89 85 a8 f8 ff ff f7 d0 89 85 8c f8 ff ff 74 03 41 eb 02 33 c9 6a 20 58 2b c1 8d 56 02 39 85 a4 f8 ff ff 89 95 ac f8 ff ff 0f 97 c0 83 fa 73 88 85 bb f8 ff ff 0f 97 c1 83 fa 73 75 08 84 c0 74 04 b0 01 eb 02 32 c0 84 c9 0f 85 ef 00 00 00 84 c0 0f 85 e7 00 00 00 6a 72 59 3b d1 72 08 8b d1 89 8d ac f8 ff ff 8b ca 89 8d a0 f8 ff ff 83 fa ff 0f 84 96 00 00 00 8b f2 8d 85 30 fe ff ff 8b 95 b0 f8 ff ff 2b f2 8d 04 b0 89 85 b4 f8 ff ff Data Ascii: ;3;0u3j Y+3@7SHtA3j X+V9ssut2jrY;r0+
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc d9 c0 d9 fc dc e1 d9 c9 d9 e0 d9 f0 d9 e8 de c1 d9 fd dd d9 c3 8b 54 24 04 81 e2 00 03 00 00 83 ca 7f 66 89 54 24 06 d9 6c 24 06 c3 a9 00 00 08 00 74 06 b8 00 00 00 00 c3 dc 05 c0 a0 42 00 b8 00 00 00 00 c3 8b 42 04 25 00 00 f0 7f 3d 00 00 f0 7f 74 03 dd 02 c3 8b 42 04 83 ec 0a 0d 00 00 ff 7f 89 44 24 06 8b 42 04 8b 0a 0f a4 c8 0b c1 e1 0b 89 44 24 04 89 0c 24 db 2c 24 83 c4 0a a9 00 00 00 00 8b 42 04 c3 8b 44 24 08 25 00 00 f0 7f 3d 00 00 f0 7f 74 01 c3 8b 44 24 08 c3 66 81 3c 24 7f 02 74 03 d9 2c 24 5a c3 66 8b 04 24 66 3d 7f 02 74 1e 66 83 e0 20 74 15 9b df e0 66 83 e0 20 74 0c b8 08 00 00 00 e8 d9 00 00 00 5a c3 d9 2c 24 5a c3 83 ec 08 dd 14 24 8b 44 24 04 83 c4 08 25 00 00 f0 7f eb 14 83 ec 08 dd 14 24 8b 44 24 04 83 Data Ascii: T$fT$l$tBB%=tBD$BD$$,$BD$%=tD$f<$t,$Zf$f=tf tf tZ,$Z$D$%$D$
2024-09-29 12:19:05 UTC	16384	IN	Data Raw: 8b 4a e8 33 c8 e8 66 30 fe ff b8 ec d1 42 00 e9 94 58 fe ff 8b 54 24 08 8d 42 0c 8b 4a bc 33 c8 e8 4b 30 fe ff b8 18 d2 42 00 e9 79 58 fe ff 8b 54 24 08 8d 42 0c 8b 4a ec 33 c8 e8 30 30 fe ff b8 e0 d4 42 00 e9 5e 58 fe ff cc 6a 00 6a 01 b9 28 f9 42 00 e8 ee f7 fd ff c3 cc 68 08 f0 42 00 ff 15 68 51 42 00 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: J3f0BXT$BJ3K0ByXT$BJ300B^Xjj(BhBhQB

Target ID:	0
Start time:	08:19:00
Start date:	29/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe"
Imagebase:	0x400000
File size:	2'685'976 bytes
MD5 hash:	E3C955967B61AFD68FFDF50F9D4E085A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	08:19:01
Start date:	29/09/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Imagebase:	0xcb0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	08:19:01
Start date:	29/09/2024
Path:	C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe" -O o9iQbd0.exe https://download.yandex.ru/yandex-pack/downloader/downloader.exe
Imagebase:	0x400000
File size:	3'501'408 bytes
MD5 hash:	E314B40A188DE73B6A16A8197F80EE68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	08:19:01
Start date:	29/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.3%
Total number of Nodes:	1688
Total number of Limit Nodes:	31

Executed Functions

Function 0040CC30 Relevance: 21.0, APIs: 7, Strings: 5, Instructions: 41
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(riched32.dll,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,?,?,?,0040BC45), ref: 0040CC4B
LoadLibraryA.KERNEL32(riched20.dll,?,0040BC45), ref: 0040CC54
#17.COMCTL32(?,0040BC45), ref: 0040CC59
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,0040BC45), ref: 0040CC72
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0040CC80
FreeLibrary.KERNEL32(00000000,?,0040BC45), ref: 0040CC91
SHGetMalloc.SHELL32(00428CB4), ref: 0040CC9C

Strings

riched20.dll, xrefs: 0040CC4D
riched32.dll, xrefs: 0040CC46
COMCTL32.DLL, xrefs: 0040CC5F
InitCommonControlsEx, xrefs: 0040CC7A
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040CC35

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Library$Load$AddressFreeMallocProc
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$COMCTL32.DLL$InitCommonControlsEx$riched20.dll$riched32.dll
API String ID: 253899923-253133091
Opcode ID: 5a91941a0addb607f5fcc8110f23b5a7d799d54039f373a3bebda7828aad3d5f
Instruction ID: 40b2a487f0d0e0410aa7aa7d932e37ff4c66b6169e0ba79eb739e80cc2a3369a
Opcode Fuzzy Hash: 5a91941a0addb607f5fcc8110f23b5a7d799d54039f373a3bebda7828aad3d5f
Instruction Fuzzy Hash: C4F08172E00304ABD3106FE5DD09B6ABAA8EF90B15F11813EE045B3290DFB895088B68

Function 00402011 Relevance: 16.8, APIs: 2, Strings: 7, Instructions: 1009COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 004024ED
__allrem.LIBCMT ref: 0040256D

Part of subcall function 004089E6: LoadStringA.USER32(00409150,-0042171C,00000200,00000000), ref: 00408A35
Part of subcall function 004089E6: LoadStringA.USER32(00409150,-0042171C,00000200,00000000), ref: 00408A47

Part of subcall function 00409BFF: GetLastError.KERNEL32(00424098,?,0040187A,00000000,00000000,00000076,?,00000000,00402F22,00000017,00000000,00000000,004033B2,?), ref: 00409C1E
Part of subcall function 00409BFF: wvsprintfA.USER32(?,?,84@), ref: 00409C34
Part of subcall function 00409BFF: SetLastError.KERNEL32(00000000,?,0040187A,00000000,00000000,00000076,?,00000000,00402F22,00000017,00000000,00000000,004033B2,?), ref: 00409C52

Part of subcall function 00408A78: GetProcessHeap.KERNEL32(00000000,00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A86
Part of subcall function 00408A78: RtlFreeHeap.NTDLL(00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A8D

Part of subcall function 0040C7AA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,00000000,?,?,00403106,?,?,01000000,?), ref: 0040C7C4

Part of subcall function 004038FD: CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,?,000000A0,00000400), ref: 004039A3
Part of subcall function 004038FD: SetFileTime.KERNELBASE(00000000,?,?,?), ref: 00403A0E

Strings

ya-page.html, xrefs: 004028BC, 004028C1, 004028EE, 004029C0, 00402B03, 00402BB1, 00402BDB
ya-page.html, xrefs: 00402090, 004021C3, 004021D3, 004021F9, 0040225F, 004022AE, 004022F1, 00402394, 00402786, 004027FB, 00402825, 0040284C, 0040285B, 0040286C, 00402872, 0040288A, 0040288B, 004028BB, 004028E7, 0040293A, 00402965, 00402A44, 00402A4A, 00402A94, 00402ABD, 00402AD6, 00402AE3, 00402AF9, 00402B62, 00402B69
zip, xrefs: 00402489
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 00402402
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040235F, 0040239D, 004023F0, 0040248E, 0040249B, 00402519, 00402591, 0040268D, 00402747, 0040278F, 00402B10, 00402BBE, 00402D2E, 00402DAE
3, xrefs: 00402325
z01, xrefs: 004023EB

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileHeapLastLoadString__allrem$ByteCharCreateFreeMultiProcessTimeWidewvsprintf
String ID: 3$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$ya-page.html$ya-page.html$z01$zip
API String ID: 3030403831-3764212960
Opcode ID: a288cc43e52d33bfa1aab8eaf8196ec0822421c08c9c09e4e6d59b43c35a172e
Instruction ID: 80dd58e2a7b30b1c2b97e499b99d795e6e0012d48562e64806d4ea0cc67e6acf
Opcode Fuzzy Hash: a288cc43e52d33bfa1aab8eaf8196ec0822421c08c9c09e4e6d59b43c35a172e
Instruction Fuzzy Hash: 8D82A170608341ABD730DB659E49B2B77E4AB84704F54083FF984B22D2DBBC9846CB5E

Function 00404492 Relevance: 12.2, APIs: 8, Instructions: 249
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

FindFirstFileW.KERNELBASE(?,?,00000000,?,01000000,?,?,00000000), ref: 004044F7
GetLastError.KERNEL32 ref: 00404504
FindNextFileW.KERNEL32(?,?,00000000,?,01000000,?,?,00000000), ref: 00404527
GetLastError.KERNEL32 ref: 00404534

Part of subcall function 0040C7AA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,00000000,?,?,00403106,?,?,01000000,?), ref: 0040C7C4

FindFirstFileA.KERNEL32(?,?,00000002,?,01000000,?,?,00000000), ref: 004046B2
GetLastError.KERNEL32 ref: 004046BF
FindNextFileA.KERNEL32(?,?,00000002,?,01000000,?,?,00000000), ref: 004046E4
GetLastError.KERNEL32 ref: 004046F1

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLast$FirstNext$ByteCharMultiVersionWide
String ID:
API String ID: 3067395930-0
Opcode ID: f27d4cb0a927c155c8f22fa7272525b34f707b169e3375ec0edd0061d46a9ae6
Instruction ID: e97bb144311f20fdbc8aa469a7062481502839e879d3f6c58a1f7c72b00e072c
Opcode Fuzzy Hash: f27d4cb0a927c155c8f22fa7272525b34f707b169e3375ec0edd0061d46a9ae6
Instruction Fuzzy Hash: 26A11AB5900258DBDB20DF74CC81BDA77E8AF45304F104A6BE65AF3291DB38AA85CF54

Function 00408A5F Relevance: 3.0, APIs: 2, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,0040900F,?,?,0040159F), ref: 00408A67
RtlAllocateHeap.NTDLL(00000000,?,0040900F,?,?,0040159F), ref: 00408A6E

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 9e4d253b0ce5362a1981724ce4722cb9db70110a1f633c449c30fe5922a103a7
Instruction ID: 874871f01d306ea12a689bd2b79c727d8db13f7b45d536dc5076a0c78b13f2b9
Opcode Fuzzy Hash: 9e4d253b0ce5362a1981724ce4722cb9db70110a1f633c449c30fe5922a103a7
Instruction Fuzzy Hash: 35C09272854208FBDA002BF1ED0DF8ABF2CEB19766F008021F70D95164CA7290699BBD

Function 0040B47B Relevance: 95.0, APIs: 44, Strings: 10, Instructions: 543
windowsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDlgItemTextA.USER32(?,00000065,?), ref: 0040B4F0
GetDlgItemTextA.USER32(?,00000065,?,00000400), ref: 0040B534
EndDialog.USER32(?,00000001), ref: 0040B557
GetDlgItem.USER32(?,00000067), ref: 0040B57C
SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 0040B59C
SendMessageA.USER32(?,000000C2,00000000,0040D69E), ref: 0040B5AC
SetFocus.USER32(?), ref: 0040B5B1
GetLastError.KERNEL32(?,00000000,00000000), ref: 0040B5D2
SetCurrentDirectoryA.KERNELBASE(?,?,00000000,00000000), ref: 0040B5E9
GetLastError.KERNEL32(?), ref: 0040B5FA
GetTickCount.KERNEL32 ref: 0040B61B
wsprintfA.USER32 ref: 0040B62E
GetLastError.KERNEL32(?,00000000,00000001), ref: 0040B660
GetModuleFileNameA.KERNEL32(00000000,?,00000400,?), ref: 0040B6B3
wsprintfA.USER32 ref: 0040B6D6
ShellExecuteExA.SHELL32 ref: 0040B71A
WaitForInputIdle.USER32(?,00002710), ref: 0040B72C
Sleep.KERNEL32(000001F4), ref: 0040B737
wsprintfA.USER32 ref: 0040B765
MessageBoxA.USER32(?,?,00000000,0000007E), ref: 0040B78B
EndDialog.USER32(?,00000000), ref: 0040B799
SetDlgItemTextA.USER32(?,00000001,00000000), ref: 0040B865
MessageBoxA.USER32(?,00000000,-00000080,00000000), ref: 0040B89B
SendMessageA.USER32(?,00000080,00000001,000E02F3), ref: 0040B8C4
SendDlgItemMessageA.USER32(?,00000069,00000172,00000000,06050E1C), ref: 0040B8DD
GetDlgItem.USER32(?,00000067), ref: 0040B8EC
GetWindowRect.USER32(?,?), ref: 0040B8FC
MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0040B90A
SetMenu.USER32(?,00000000), ref: 0040B91A
CreateWindowExA.USER32(00000000,RichEdit,0040D69E,50A10844,?,?,?,?,?,00000067,00000000), ref: 0040B94C
SetMenu.USER32(?,00000067), ref: 0040B95E
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000203), ref: 0040B972
DestroyWindow.USER32(?), ref: 0040B97B
SendMessageA.USER32(?,00000031,00000000,00000000), ref: 0040B989
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 0040B998
SendMessageA.USER32(?,00000435,00000000,00400000), ref: 0040B9AA
GetCurrentDirectoryA.KERNEL32(00000400,?), ref: 0040B9BC
GetDlgItem.USER32(?,00000065), ref: 0040B9C5
SetWindowTextA.USER32(?,004237FA), ref: 0040B9E5
DialogBoxParamA.USER32(LICENSEDLG,00000000,0040B382,00000000,?), ref: 0040BAF2
EnableWindow.USER32(?,00000000), ref: 0040BB27
SendMessageA.USER32(?,00000111,00000001,00000000), ref: 0040BB64
SetDlgItemTextA.USER32(?,00000001,00000000), ref: 0040BB84

Part of subcall function 0040A886: lstrcmpiA.KERNEL32(?,?), ref: 0040A91F

PostMessageA.USER32(?,00000111,00000001,00000000), ref: 0040BB6C

Part of subcall function 004055BD: OleInitialize.OLE32(00000000), ref: 004055D0
Part of subcall function 004055BD: #17.COMCTL32 ref: 004055D6
Part of subcall function 004055BD: ShowWindow.USER32(?,00000000,?,?), ref: 004055EF
Part of subcall function 004055BD: GetWindowRect.USER32(?,?), ref: 00405608
Part of subcall function 004055BD: GetParent.USER32(?), ref: 0040561D
Part of subcall function 004055BD: MapWindowPoints.USER32(00000000,00000000), ref: 00405622
Part of subcall function 004055BD: DestroyWindow.USER32(?), ref: 00405630
Part of subcall function 004055BD: GetParent.USER32(?), ref: 0040563E
Part of subcall function 004055BD: CreateWindowExA.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00405666
Part of subcall function 004055BD: ShowWindow.USER32(00000000,00000005), ref: 00405676
Part of subcall function 004055BD: UpdateWindow.USER32(?), ref: 0040567B

Part of subcall function 00408A78: GetProcessHeap.KERNEL32(00000000,00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A86
Part of subcall function 00408A78: RtlFreeHeap.NTDLL(00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A8D

Strings

"%s"%s, xrefs: 0040B75F
__tmp_rar_sfx_access_check_%u, xrefs: 0040B628
-el -s2 "-d%s" "-p%s" "-sp%s", xrefs: 0040B6D0
STARTDLG, xrefs: 0040B492
RichEdit, xrefs: 0040B946
LICENSEDLG, xrefs: 0040BAE7
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040B7EC, 0040B9FD
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040B7F1, 0040BA02
<, xrefs: 0040B6F5
@, xrefs: 0040B6FC

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Message$ItemSend$Text$DialogErrorLastwsprintf$CreateCurrentDestroyDirectoryHeapMenuParentPointsRectShow$CountEnableExecuteFileFocusFreeIdleInitializeInputModuleNameParamPostProcessShellSleepTickUpdateWaitlstrcmpi
String ID: "%s"%s$-el -s2 "-d%s" "-p%s" "-sp%s"$<$@$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$LICENSEDLG$RichEdit$STARTDLG$__tmp_rar_sfx_access_check_%u
API String ID: 3722753439-1474653501
Opcode ID: 4d0a8d296b642de40719cfbe7829b209be868cd5fdda321e9883d8b65464c8fd
Instruction ID: e6494916b842a05db7fff26a60cc9694ef77a765034e1d69f81cd0cd456eefe0
Opcode Fuzzy Hash: 4d0a8d296b642de40719cfbe7829b209be868cd5fdda321e9883d8b65464c8fd
Instruction Fuzzy Hash: 4112A3B1A00205BFDB21AFA19D85EAE377CEB44345F40803BF605B61A1CB7D4A46CB6D

Function 0040A886 Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 379
windowfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00409F89: ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00001000,?,00000000,?,0040A8C1,00000000,?,?,?,?,?,?,0040BAA4,?), ref: 0040A031

lstrcmpiA.KERNEL32(?,?), ref: 0040A91F
GetCurrentDirectoryA.KERNEL32(00000400,?,?,0040BAA4,?,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,00424080,0042408C,?), ref: 0040A961
SetFileAttributesA.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,0040BAA4,?,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe), ref: 0040A9EB
SHFileOperationA.SHELL32(?,?,00000000), ref: 0040AAA2
GetFileAttributesA.KERNEL32(?), ref: 0040AAAF
DeleteFileA.KERNEL32(?), ref: 0040AABD
SetWindowTextA.USER32(?,?), ref: 0040ABF5
GetDlgItem.USER32(?,00000065), ref: 0040ACA1
SetWindowTextA.USER32(00000000,00000000), ref: 0040ACB1
SendMessageA.USER32(00000000,00000143,00000000,%s.%d.tmp), ref: 0040ACC0
SendMessageA.USER32(00000000,00000143,00000000,00000000), ref: 0040ACEA

Strings

", xrefs: 0040AC17
ProgramFilesDir, xrefs: 0040AD38
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040AD13
%s.%d.tmp, xrefs: 0040A9DD, 0040AAE0, 0040AC8A, 0040ACB7, 0040ACCD
<br>, xrefs: 0040AB6B
0'B, xrefs: 0040A8E0

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesMessageSendTextWindow$CurrentDeleteDirectoryEnvironmentExpandItemOperationStringslstrcmpi
String ID: "$%s.%d.tmp$0'B$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 297094968-3110843699
Opcode ID: ad9881eb60ecf4e40f5eb87bf9aaf5069529f978e967c2332dadf0200d52760a
Instruction ID: e532cde6a54c0812a4c2896cd8f0b0094d9095bfe9d2bede31cbc51e4878631f
Opcode Fuzzy Hash: ad9881eb60ecf4e40f5eb87bf9aaf5069529f978e967c2332dadf0200d52760a
Instruction Fuzzy Hash: 1CE14FB1901218AAEB21EBA0CE45FDE77BCAF44304F5444B7A605B21D1DB38AF49CB59

Function 0040BB93 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 120
comwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OleInitialize.OLE32(00000000), ref: 0040BB9F

Part of subcall function 0040C9EA: GetCPInfo.KERNEL32(00000000,?,?,00000000,?,?,0040CAA4,?,00409079), ref: 0040C9FB
Part of subcall function 0040C9EA: IsDBCSLeadByte.KERNEL32(00000000,?,00000000), ref: 0040CA0F

GetCommandLineA.KERNEL32 ref: 0040BBAF
SetEnvironmentVariableA.KERNELBASE(sfxcmd,00000000,00000000), ref: 0040BBCD
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,00000400), ref: 0040BBDB
SetEnvironmentVariableA.KERNEL32(sfxname,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe), ref: 0040BBE7
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,00000400), ref: 0040BBFD
GetModuleHandleA.KERNEL32(00000000), ref: 0040BC0E
LoadIconA.USER32(00000000,00000064), ref: 0040BC1F
LoadBitmapA.USER32(00000065), ref: 0040BC32
DialogBoxParamA.USER32(00000000,STARTDLG,00000000,0040B47B,00000000), ref: 0040BC91
DeleteObject.GDI32(00423748), ref: 0040BCFD
DeleteObject.GDI32(06050E1C), ref: 0040BD09
OleUninitialize.OLE32(?), ref: 0040BD43
ExitProcess.KERNEL32 ref: 0040BD4F

Strings

sfxcmd, xrefs: 0040BBC8
STARTDLG, xrefs: 0040BC83
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040BBD4, 0040BBD9, 0040BBE1, 0040BC45
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040BBF7, 0040BC07
sfxname, xrefs: 0040BBE2

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Module$DeleteEnvironmentFileLoadNameObjectVariable$BitmapByteCommandDialogExitHandleIconInfoInitializeLeadLineParamProcessUninitialize
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$STARTDLG$sfxcmd$sfxname
API String ID: 2002691505-26728688
Opcode ID: 25de2e379bb4a2dac78b8de149dd17325aa5a6461b003803d4565ea70dcf20c6
Instruction ID: 602dd282836062a9e95ed226bde597151c23db5c86117f4610ebf4301bc9e256
Opcode Fuzzy Hash: 25de2e379bb4a2dac78b8de149dd17325aa5a6461b003803d4565ea70dcf20c6
Instruction Fuzzy Hash: 014183B0A00305ABDB20BFB19D8596A7AB8EF44704B50403FF605B22E1DF7C59468B6D

Function 0040969C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(00000067,00000000), ref: 004096AD
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,004097E5), ref: 004096DA
SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 004096E6
SendMessageA.USER32(00000000,000000C2,00000000,0040D69E), ref: 004096F5
SendMessageA.USER32(?,000000B1,05F5E100,05F5E100), ref: 00409709
SendMessageA.USER32(?,0000043A,00000000,?), ref: 00409720
SendMessageA.USER32(?,00000444,00000001,0000003C), ref: 0040975B
SendMessageA.USER32(?,000000C2,00000000,004097E5), ref: 0040976A
SendMessageA.USER32(?,000000B1,05F5E100,05F5E100), ref: 00409772
SendMessageA.USER32(?,00000444,00000001,0000003C), ref: 00409796
SendMessageA.USER32(?,000000C2,00000000,0040D6D4), ref: 004097A7

Part of subcall function 00404D05: DestroyWindow.USER32(?,75A73EB0,004096D7), ref: 00404D10

Strings

<, xrefs: 00409719

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$DestroyItemShow
String ID: <
API String ID: 2996232536-4251816714
Opcode ID: d2ed91d05ed92170f47cc865000474b81b48a96e1b26d4ecd22111942a845a3b
Instruction ID: 1cfedca269036db5144a91bc2ba3ad1b1fc9f4ba96cb8ef93fbf643324b13451
Opcode Fuzzy Hash: d2ed91d05ed92170f47cc865000474b81b48a96e1b26d4ecd22111942a845a3b
Instruction Fuzzy Hash: 0331B171E00208FAEB219BA1EC46FAEBF78EB85754F10412AF201BA1E1C7B55D04DF58

Function 004087FD Relevance: 18.2, APIs: 12, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowRect.USER32(?,?), ref: 0040882C
GetClientRect.USER32(?,?), ref: 00408835
SetWindowPos.USER32(?,00000000,00000000,00000000,00000110,?,00000206,?,?,00000000), ref: 00408884
GetWindowTextA.USER32(?,?,00000400), ref: 0040889F
SetWindowTextA.USER32(?,?), ref: 004088C4
GetSystemMetrics.USER32(00000008), ref: 004088CC
GetWindow.USER32(?,00000005), ref: 004088D9
GetWindowTextA.USER32(00000000,?,00000400), ref: 0040890A
SetWindowTextA.USER32(00000000,00000000), ref: 00408938
GetWindowRect.USER32(00000000,?), ref: 0040894B
SetWindowPos.USER32(00000000,00000000,00000110,00000200,00000110,00000200,00000204,?,?,00000000), ref: 004089A4
GetWindow.USER32(00000000,00000002), ref: 004089AF

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Text$Rect$ClientMetricsSystem
String ID:
API String ID: 3650388129-0
Opcode ID: faca216a1dcb33224c703451065d3c60774ac75acd78e2cc14356325e53d913a
Instruction ID: 3c0fa240956a75fafcd93903c7412f44bd8a6b4282d5e5c37f1dc69354168fbe
Opcode Fuzzy Hash: faca216a1dcb33224c703451065d3c60774ac75acd78e2cc14356325e53d913a
Instruction Fuzzy Hash: 55510DB2900209AFDB05DFA8CE49BEEBBB9FB48300F00406AFA15F6190D7759A55CB55

Function 0040A66D Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176
sleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteExA.SHELL32(?,?,00000000,?,?,00000000,0000003C), ref: 0040A7AE
ShellExecuteExA.SHELL32(?), ref: 0040A7C7
IsWindowVisible.USER32(0001044C), ref: 0040A7F6
ShowWindow.USER32(00000000), ref: 0040A807
WaitForInputIdle.USER32(?,000007D0), ref: 0040A815
CloseHandle.KERNEL32(?,?), ref: 0040A826
Sleep.KERNEL32(-000003E9), ref: 0040A86A
ShowWindow.USER32(00000001), ref: 0040A87D

Strings

.inf, xrefs: 0040A727
.exe, xrefs: 0040A77E, 0040A831

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$ExecuteShellShow$CloseHandleIdleInputSleepVisibleWait
String ID: .exe$.inf
API String ID: 1160896117-3750412487
Opcode ID: 2ab9f337a5b6e8a1668299270ab8c08760d5ae03d587617850bf50579065b8bc
Instruction ID: 68701d704771509ae696e04923340ccdf5c263dbf73e4ebe15a6ca16498e9c3a
Opcode Fuzzy Hash: 2ab9f337a5b6e8a1668299270ab8c08760d5ae03d587617850bf50579065b8bc
Instruction Fuzzy Hash: 2651C771C043887EDF21ABB0DC44A9E7FB9AB11304F18847BE081B72D2D73D8956971A

Function 00409452 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 56
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

GetModuleHandleA.KERNEL32(shlwapi.dll), ref: 0040947D
GetProcAddress.KERNEL32(00000000,SHAutoComplete), ref: 0040948D
GetClassNameA.USER32(?,?,00000050), ref: 004094B7
lstrcmpiA.KERNEL32(?,EDIT), ref: 004094CC
FindWindowExA.USER32(?,00000000,EDIT,00000000), ref: 004094DC
SHAutoComplete.SHLWAPI(?,00000010), ref: 004094EC

Strings

shlwapi.dll, xrefs: 00409478
@Ut`, xrefs: 00409466, 00409493, 00409498, 004094EC
EDIT, xrefs: 004094C2, 004094C7, 004094D8
SHAutoComplete, xrefs: 00409487

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressAutoClassCompleteFindHandleModuleNameProcVersionWindowlstrcmpi
String ID: @Ut`$EDIT$SHAutoComplete$shlwapi.dll
API String ID: 1963989359-433668771
Opcode ID: a8aca2b51ebe74a8744aeef060c9871b4e30c1f74efe8451fe561da48a0306e0
Instruction ID: a61fc90452b2747a4dece4e1903550f335c03aa5f2dfc347bd0213304e817644
Opcode Fuzzy Hash: a8aca2b51ebe74a8744aeef060c9871b4e30c1f74efe8451fe561da48a0306e0
Instruction Fuzzy Hash: CE11A971705201A7E7205FA59C49B6F7B6C6B41755F04803EF908F22D2DE78E8079A6D

Function 00401A97 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 257
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00401B2D
SetEndOfFile.KERNELBASE(00000000,00000000,00001DC4,00000000,00000800,00000000,000000A0,00000000,ya-page.html,ya-page.html,?,00402BF3,ya-page.html,00000000,?,?), ref: 00401B8D
SetEndOfFile.KERNEL32(00000000), ref: 00401E0E

Strings

ya-page.html, xrefs: 00401AA0, 00401BE9, 00401DBE
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>OpenBox - DirectX 12</title><style>.selPage {background: #fff;width: 100%;height: 86%;display: block;}.Logo2 {position: absolute;z-index: 99;width: 64px;heig, xrefs: 00401C2C, 00401CEC, 00401D0A
ya-page.html, xrefs: 00401A9F, 00401AE0, 00401AE5, 00401AF4, 00401C1B, 00401D4B, 00401E2B
2, xrefs: 00401D5B
C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 00401AF5, 00401BF6, 00401D2F, 00401D50, 00401DD1

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: 2$C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe$ya-page.html$ya-page.html$<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>OpenBox - DirectX 12</title><style>.selPage {background: #fff;width: 100%;height: 86%;display: block;}.Logo2 {position: absolute;z-index: 99;width: 64px;heig
API String ID: 3274179905-1110260606
Opcode ID: dfd71b1c035072518b4429ee5a6eb897a38ce6e25368e1dccc68a3928d57d3cc
Instruction ID: 790f21c7648a6a54d6e08746217e848a9b8a4c4992f2efa155b466baa9dd1123
Opcode Fuzzy Hash: dfd71b1c035072518b4429ee5a6eb897a38ce6e25368e1dccc68a3928d57d3cc
Instruction Fuzzy Hash: F791D270704240ABE731EF61AC45B2A3BA4EB91358F94063FF441722F2D77C988ACA1D

Function 0040AEA6 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000400,?), ref: 0040AEBC
GetFileAttributesA.KERNELBASE(?), ref: 0040AF02
SetDlgItemTextA.USER32(?,00000065,?), ref: 0040AF15
MessageBoxA.USER32(?,00000000,00000000,00000024), ref: 0040AFE1
EndDialog.USER32(?,00000001), ref: 0040B003

Strings

@, xrefs: 0040AF59
%s%s%d, xrefs: 0040AED4, 0040AEF4

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesDialogFileItemMessagePathTempText
String ID: %s%s%d$@
API String ID: 2503492625-3206671281
Opcode ID: 56f6d99ac6cd2b41f4ef18d96aa85cd5b31b88cf4e8533409da801ee134c92ff
Instruction ID: 210e8b69b2827a3e9138e461dd506d73e93fb64149f1f853348d1e255540e3a0
Opcode Fuzzy Hash: 56f6d99ac6cd2b41f4ef18d96aa85cd5b31b88cf4e8533409da801ee134c92ff
Instruction Fuzzy Hash: 1B4161B190125DAAEF21EBA0DD48FDA77BCAB04304F4041F7E518A2181DB7CDB89CB59

Function 0040B07B Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00408AC3: OemToCharBuffA.USER32(00000000,00000000,00000001), ref: 00408AD1
Part of subcall function 00408AC3: CharUpperA.USER32(00000000,?,?,00409EB3,?,00000000,00000000,75934B60,00000000,00000000), ref: 00408ADC
Part of subcall function 00408AC3: CharToOemBuffA.USER32(00000000,00000000,00000001), ref: 00408AEF

SHChangeNotify.SHELL32(00001000,00000001,00000000,00000000), ref: 0040B302

Strings

", xrefs: 0040B0E2
/, xrefs: 0040B154
/, xrefs: 0040B170
.lnk, xrefs: 0040B26A, 0040B279
, xrefs: 0040B14F

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Buff$ChangeNotifyUpper
String ID: $"$.lnk$/$/
API String ID: 3722132714-4221205064
Opcode ID: 6619a6f9d5a9f45fbb99335d61d0f439ce373efd95a9af5d5494a63e3791d3a8
Instruction ID: bd0797479db99a0ca917e3c754409d51eb667b884bde05fde9435a7c3dada4da
Opcode Fuzzy Hash: 6619a6f9d5a9f45fbb99335d61d0f439ce373efd95a9af5d5494a63e3791d3a8
Instruction Fuzzy Hash: 41716172815258A9DF21DBA0CD45FDAB7BC9B44344F0445FBA144F61C2DB3CAB88CBA9

Function 00408382 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000400,?,0000005C,004240A4,?,004089DB,?,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,0040BC50,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe), ref: 004083AE

Part of subcall function 00402F5D: SetFilePointer.KERNELBASE(00020000,00000000,00000000,00000001,?,?,?,?,00409150,?,?,00403438,?,?), ref: 00402F74
Part of subcall function 00402F5D: GetLastError.KERNEL32(?,00409150,?,?,00403438,?,?), ref: 00402F81

Strings

*messages***, xrefs: 00408469
@, xrefs: 004084DC
a, xrefs: 00408484

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$ErrorLastModuleNamePointer
String ID: *messages***$@$a
API String ID: 1624790276-2848287086
Opcode ID: e1b871ba8ffeaec35f3805fdb173917e8423bdf63b956cc2860dc9c6f8c03166
Instruction ID: ee81cbbac638f01f9b8209de7353cbacdcb51723e5205a1c7d40c46315c3d538
Opcode Fuzzy Hash: e1b871ba8ffeaec35f3805fdb173917e8423bdf63b956cc2860dc9c6f8c03166
Instruction Fuzzy Hash: F1610371A00244EEEB319B24CE85F9F3BA89F55304F1081BFE5C5B62D2DE788A45CB19

Function 00409183 Relevance: 6.0, APIs: 4, Instructions: 29
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(00409150,00000000,00000000,00000000,00000000), ref: 00409194
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004091A5
TranslateMessage.USER32(?), ref: 004091AF
DispatchMessageA.USER32(?), ref: 004091B9

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$DispatchPeekTranslate
String ID:
API String ID: 4217535847-0
Opcode ID: afaf3087cb666496c5163fc92712ff53c9da7392d7584f1ff17fad6e648aa3b7
Instruction ID: bbee532699f8ad28efd2de4a7c9c002f9528d582780755867b06f4146c1423a8
Opcode Fuzzy Hash: afaf3087cb666496c5163fc92712ff53c9da7392d7584f1ff17fad6e648aa3b7
Instruction Fuzzy Hash: 15E0ED72C0212AA7CB106BE19D4CCDB7F6CEE452557004565B515E2015E638D109C7F4

Function 00407672 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 0040774E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00407854

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 00407677, 00407944

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
API String ID: 1992179935-155749501
Opcode ID: b502c1565fc35334906623c52601b483b236646a181e7f3573ad700c15608a10
Instruction ID: 65aa1f6507e59cbd8b3e8bfdfcbf3e2e5ed747c4d97ae4fcb689316f97527a5c
Opcode Fuzzy Hash: b502c1565fc35334906623c52601b483b236646a181e7f3573ad700c15608a10
Instruction Fuzzy Hash: E5A160B1B08204AFD720DF65DC81A267BE5BB84384F50453FF545A32A2D738A986CF5E

Function 00403687 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000002,08000000,00000000,00000000,?,ya-page.html,?,004043AE,?,?,0040D2C4,00000000), ref: 004036F7
CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,08000000,00000000,00000000,?,ya-page.html,?,004043AE,?,?,0040D2C4,00000000), ref: 0040370E

Part of subcall function 00408A5F: GetProcessHeap.KERNEL32(00000000,?,?,0040900F,?,?,0040159F), ref: 00408A67
Part of subcall function 00408A5F: RtlAllocateHeap.NTDLL(00000000,?,0040900F,?,?,0040159F), ref: 00408A6E

Strings

ya-page.html, xrefs: 0040368D

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFileHeap$AllocateProcess
String ID: ya-page.html
API String ID: 309167171-1422493052
Opcode ID: e72a5ce6ee02279a866871135493fa24c5545f729771c8a93d98c3862982ed34
Instruction ID: c4024580770db4df0eaf3e470a6b6a0a6e29912d06a97666d708c465047953e1
Opcode Fuzzy Hash: e72a5ce6ee02279a866871135493fa24c5545f729771c8a93d98c3862982ed34
Instruction Fuzzy Hash: 921136B25041057FEB209F649C49FAB3F9CDB00359F15043AF906A72D1CA788D109779

Function 004038FD Relevance: 4.6, APIs: 3, Instructions: 115filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

CreateFileW.KERNELBASE(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,?,?,?,000000A0,00000400), ref: 004039A3
SetFileTime.KERNELBASE(00000000,?,?,?), ref: 00403A0E
CloseHandle.KERNELBASE(00000000), ref: 00403A15

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateHandleTimeVersion
String ID:
API String ID: 2096772557-0
Opcode ID: dde4e9d746702b92719c994da3b68826e47346583927db2c2dae50f0528f9765
Instruction ID: f207c6610f53771ba2ce6f0a31f2e346213553a76b78c95586d98d8d8bf296a9
Opcode Fuzzy Hash: dde4e9d746702b92719c994da3b68826e47346583927db2c2dae50f0528f9765
Instruction Fuzzy Hash: 4A419C71904289BECF11DFA5C886EEE7F7CAF05305F04406AF581AB2C1D6788A49CB68

Function 00403005 Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,-00000001,00000000,00000000,?,00000000,?,?,004083F8,?,00000000,00000001), ref: 00403076
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,-00000001,00000000,00000000,?,00000000,?,?,004083F8,?,00000000,00000001), ref: 0040308C

Part of subcall function 0040C7AA: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,?,00000000,00000000,00000000,?,?,00403106,?,?,01000000,?), ref: 0040C7C4

GetLastError.KERNEL32(?,00000000,?,?,004083F8,?,00000000,00000001,00000000,00000000,?,?,?,0000005C,004240A4), ref: 00403099

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile$ByteCharErrorLastMultiWide
String ID:
API String ID: 158210224-0
Opcode ID: af10931bdbb176d30935f34151671f269cbe9b40b507738c884e5c0bb04d891b
Instruction ID: ebbf1adf7b90decd23ad8bf1878d161f662b80f0a5bc9b47ec4b1aebb82d9056
Opcode Fuzzy Hash: af10931bdbb176d30935f34151671f269cbe9b40b507738c884e5c0bb04d891b
Instruction Fuzzy Hash: C031E371401289AFDB318F60C944ADB3FADEB01355F14853EF45167281C7798F58EBA4

Function 004031DB Relevance: 4.5, APIs: 3, Instructions: 49fileCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6,?,00424098,?,?,00403495,000000FF,?,00000000,?,00000000), ref: 004031F8
ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,?,00424098,?,?,00403495,000000FF,?,00000000,?,00000000), ref: 00403210
GetLastError.KERNEL32(?,00403495,000000FF,?,00000000,?,00000000), ref: 0040323D

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileHandleLastRead
String ID:
API String ID: 1699850967-0
Opcode ID: 88a5197ecc10e1213c5bbc6eb8161a0fc5e7389ca732e6fe9824e13263fb5573
Instruction ID: d97fb1be74091e8e0dfbcb1d20818462f773b3f525731a4401b7db928910f3a3
Opcode Fuzzy Hash: 88a5197ecc10e1213c5bbc6eb8161a0fc5e7389ca732e6fe9824e13263fb5573
Instruction Fuzzy Hash: BA018031900114BBCF20AF56C9048AEBF6DAB45372B00817BF829A92D0D739DB54DF5A

Function 00403738 Relevance: 4.5, APIs: 3, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

CreateDirectoryW.KERNEL32(00000400,00000000,00000000,?,00403854,00000400,00000002,00000001,00000000,00000000,00000400,00000000), ref: 00403755
CreateDirectoryA.KERNELBASE(00000000,00000000,00000000,?,00403854,00000400,00000002,00000001,00000000,00000000,00000400,00000000), ref: 00403762
GetLastError.KERNEL32(?,00403854,00000400,00000002,00000001,00000000,00000000,00000400,00000000), ref: 00403782

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectory$ErrorLastVersion
String ID:
API String ID: 4238167203-0
Opcode ID: bab4a4a95524de5edf0a9529830d3beffe0f6de94d6a2c7dde51d56a6abf06e3
Instruction ID: cd1252257da40e281d0c892e3724dfebaa738d948abf9cd30508313064fbef4d
Opcode Fuzzy Hash: bab4a4a95524de5edf0a9529830d3beffe0f6de94d6a2c7dde51d56a6abf06e3
Instruction Fuzzy Hash: 11F0AFF150024476DB352F658C09B5B3F5CAB02747F148837F806B61E1C7788A81D29D

Function 0040A060 Relevance: 4.5, APIs: 3, Instructions: 27synchronizationwindowCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A,00000000,75FD5780,?,?,0040BD43,?), ref: 0040A073
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 0040A088
WaitForSingleObject.KERNEL32(?,0000000A,?,?,0040BD43,?), ref: 0040A093

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ObjectSingleWait$MessagePeek
String ID:
API String ID: 1965964400-0
Opcode ID: a64f1a15171521071f4b72d5140481421728f92988c813ae16cbaac56395b02e
Instruction ID: 0743c94296e6c6f76c3eebb8396b936a7481fd78c5cef0164505e376630f9a64
Opcode Fuzzy Hash: a64f1a15171521071f4b72d5140481421728f92988c813ae16cbaac56395b02e
Instruction Fuzzy Hash: 22E04F32F4031876EA216A98DC4AFCB7A6D9795B00F144033B705BA0E1D6F4A49687AA

Function 004032CE Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73timeCOMMON

Download Yara Rule

APIs

SetFileTime.KERNELBASE(?,00000000,?,?,00000002,ya-page.html,00000000,00000000,00000000,?,00080000,?,00000000,00000001), ref: 0040336E

Strings

ya-page.html, xrefs: 004032EC

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileTime
String ID: ya-page.html
API String ID: 1425588814-1422493052
Opcode ID: 7ffa1a22639acc01bb27118cdbdfae9e7e311b997b7d604a8ca1faf10e60fb5f
Instruction ID: 0b118d8c4d20204d34d794ba84b1bf36ac431eb3243a1d5b35bdfc5cd5ad5a51
Opcode Fuzzy Hash: 7ffa1a22639acc01bb27118cdbdfae9e7e311b997b7d604a8ca1faf10e60fb5f
Instruction Fuzzy Hash: 47219531504189EECF15DFB8C8819FE7FA85B15341B08817BE856EB1C1EA38DB44D729

Function 004048C7 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00000000,000000FF,?,?,?), ref: 004048FC

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 004048CA

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseFind
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
API String ID: 1863332320-155749501
Opcode ID: fca0ead96407fe8075e0cf041a11b76e83536c3ca67a5ceff3ad34bbcd832bad
Instruction ID: 8a12143cdef05c1c7e4d69814bc8b47a818622de5212b61bf2305d30c0ee3ac1
Opcode Fuzzy Hash: fca0ead96407fe8075e0cf041a11b76e83536c3ca67a5ceff3ad34bbcd832bad
Instruction Fuzzy Hash: B4F0B436004288B6CF116FB58C05BDB7F54AF02334F148A1AF9BD262E2C6755195EB65

Function 0040A49F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

wvsprintfA.USER32(?,?,00000033), ref: 0040A4B6

Part of subcall function 0040969C: GetDlgItem.USER32(00000067,00000000), ref: 004096AD
Part of subcall function 0040969C: ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,?,?,?,?,?,?,004097E5), ref: 004096DA
Part of subcall function 0040969C: SendMessageA.USER32(00000000,000000B1,00000000,000000FF), ref: 004096E6
Part of subcall function 0040969C: SendMessageA.USER32(00000000,000000C2,00000000,0040D69E), ref: 004096F5
Part of subcall function 0040969C: SendMessageA.USER32(?,000000B1,05F5E100,05F5E100), ref: 00409709
Part of subcall function 0040969C: SendMessageA.USER32(?,0000043A,00000000,?), ref: 00409720
Part of subcall function 0040969C: SendMessageA.USER32(?,00000444,00000001,0000003C), ref: 0040975B
Part of subcall function 0040969C: SendMessageA.USER32(?,000000C2,00000000,004097E5), ref: 0040976A
Part of subcall function 0040969C: SendMessageA.USER32(?,000000B1,05F5E100,05F5E100), ref: 00409772
Part of subcall function 0040969C: SendMessageA.USER32(?,00000444,00000001,0000003C), ref: 00409796
Part of subcall function 0040969C: SendMessageA.USER32(?,000000C2,00000000,0040D6D4), ref: 004097A7

Strings

ya-page.html, xrefs: 0040A49F

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$ItemShowWindowwvsprintf
String ID: ya-page.html
API String ID: 3976247692-1422493052
Opcode ID: 39e8e7601f42f12eb563b086270f8b184365c8c846bf8294fe2826315c7ea1fa
Instruction ID: 00fb64793b2c812fe07c046961ad1a35c9ba54b287911efe8264966e17a3b797
Opcode Fuzzy Hash: 39e8e7601f42f12eb563b086270f8b184365c8c846bf8294fe2826315c7ea1fa
Instruction Fuzzy Hash: C7D09EB540010D6BDF10EB90DD45FA9776CAB0430CF440465BB14E5091D674DA5A8B69

Function 0040311A Relevance: 3.1, APIs: 2, Instructions: 73fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000002,00000000,00000000,00000001,?,00000000), ref: 0040315B
CreateFileA.KERNELBASE(00000000,C0000000,00000001,00000000,00000002,00000000,00000000,00000001,?,00000000), ref: 00403173

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a8bf52f74f291430304b61347a647f37332e05485a901d418b79aa43fbc1e418
Instruction ID: f26c9e973fe8a1a94615afeb92aafe1d0eca067d2bae859e5aa40708e95315dd
Opcode Fuzzy Hash: a8bf52f74f291430304b61347a647f37332e05485a901d418b79aa43fbc1e418
Instruction Fuzzy Hash: 6821F671000349BFDB209F748C84FAB7AACAB04305F04893FF596AB1C1C7789E5597A8

Function 0040325A Relevance: 3.0, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,000000FF,?,?,?,00000000,?,?,0040340A,?,?,?,?,0040850B,000000FF), ref: 004032AD
GetLastError.KERNEL32(0040340A,?,?,?,?,0040850B,000000FF,?,00000000,00000000,?,00000000,00000001,00000000,00000000,?), ref: 004032B9

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 4c62d04d34de322403b164957e347d2a5a02f16adae733e083c85ab0e063d424
Instruction ID: 8482b3cca0055b85e18c8a0ac0c3c46c03365b449785198e7e425a99c4c8998a
Opcode Fuzzy Hash: 4c62d04d34de322403b164957e347d2a5a02f16adae733e083c85ab0e063d424
Instruction Fuzzy Hash: 09019E31410215EBCF109F58D8086AE7B6CBB02726F14437FE824B62D0C7789A95DA98

Function 00402F5D Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00020000,00000000,00000000,00000001,?,?,?,?,00409150,?,?,00403438,?,?), ref: 00402F74
GetLastError.KERNEL32(?,00409150,?,?,00403438,?,?), ref: 00402F81

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: be283c988be8f6fb0ce076a53a1bd0dbc50cdd071f3aa7e768c3b8afc3c3d1e7
Instruction ID: 621faf9fcb299c4ec65833a3be0d4699690608b331a720da51217413aca78cf1
Opcode Fuzzy Hash: be283c988be8f6fb0ce076a53a1bd0dbc50cdd071f3aa7e768c3b8afc3c3d1e7
Instruction Fuzzy Hash: 68F0F672B002107FE72456698E0EB9E76ADCBC07A4F14423AB511F22D0DAF89D40926D

Function 00403525 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

GetFileAttributesW.KERNEL32(?,00402AC3,ya-page.html,00420A84,ya-page.html,00000000,?,?,00000000,ya-page.html,ya-page.html,ya-page.html,ya-page.html,?,ya-page.html,00000000), ref: 0040353D
GetFileAttributesA.KERNELBASE(?,00402AC3,ya-page.html,00420A84,ya-page.html,00000000,?,?,00000000,ya-page.html,ya-page.html,ya-page.html,ya-page.html,?,ya-page.html,00000000), ref: 00403549

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile$Version
String ID:
API String ID: 3849939888-0
Opcode ID: 961f062c825d6c9ad15bd14a059cfa6ed80eb732ea30975ada6b6294ce339c6d
Instruction ID: cc54d4ceb277eac2792532d156fd3e7eab2a29589f2a61389633fa725e88c4a9
Opcode Fuzzy Hash: 961f062c825d6c9ad15bd14a059cfa6ed80eb732ea30975ada6b6294ce339c6d
Instruction Fuzzy Hash: 42D0C2741001106BC6181F308D4952F3AA85F45B55B15493AA012F61F0FB38CA80E629

Function 004035D7 Relevance: 3.0, APIs: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

SetFileAttributesW.KERNEL32(00000000,00000400,0040377E,00000000,00000400,00000000,?,00403854,00000400,00000002,00000001,00000000), ref: 004035F3
SetFileAttributesA.KERNELBASE(00000000,00000400,0040377E,00000000,00000400,00000000,?,00403854,00000400,00000002,00000001,00000000), ref: 00403603

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile$Version
String ID:
API String ID: 3849939888-0
Opcode ID: 3c9490751f9aa692b43cae3b87f54cfe17fa8b83dc49bbc6ac9cad4fea6d8b75
Instruction ID: c10135f9f6f8482c6ff9de241fdf629d0664201622af6aef7c99d90df5f07037
Opcode Fuzzy Hash: 3c9490751f9aa692b43cae3b87f54cfe17fa8b83dc49bbc6ac9cad4fea6d8b75
Instruction Fuzzy Hash: 91E0EC70508201FEDB111F61CE45A1B7FADAF40351F05883AB585A11F1DB39C951E61A

Function 00403655 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

DeleteFileW.KERNEL32(?,00402F5B,-00000017,00000418,00000000,004033AB,?,?,?,00401837,?,00424098,004018B8,00000002,?,00402F9F), ref: 0040366D
DeleteFileA.KERNELBASE(00000000,00402F5B,-00000017,00000418,00000000,004033AB,?,?,?,00401837,?,00424098,004018B8,00000002,?,00402F9F), ref: 00403679

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DeleteFile$Version
String ID:
API String ID: 3886669992-0
Opcode ID: f00a620a06b31a8d554556f86b053ca07d667832fa265912218e6944bea97885
Instruction ID: 3b1235e188b4fecbaad99a6eb259a1f92905023f64da7879ccf6d159b5a5da1f
Opcode Fuzzy Hash: f00a620a06b31a8d554556f86b053ca07d667832fa265912218e6944bea97885
Instruction Fuzzy Hash: 2DD01730600201B6D6202F318A08F1B7AAC6F0234AF45887AA906E62E4EB3DC995E619

Function 004035AA Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 004069F0: GetVersionExA.KERNEL32(?), ref: 00406A14

GetFileAttributesW.KERNEL32(000000A0,00403959,?,?,000000A0,00000400), ref: 004035C2
GetFileAttributesA.KERNELBASE(00000400,00403959,?,?,000000A0,00000400), ref: 004035CE

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile$Version
String ID:
API String ID: 3849939888-0
Opcode ID: 86af4e26e3443b3d1fb2edd1d75133b0cd6dbdd31cad5123012d4efa4410501e
Instruction ID: 7c069dd6841c2fbe2b24bed3de2b5f6c7c3aebb61fb9b548087ffe310ca97bdf
Opcode Fuzzy Hash: 86af4e26e3443b3d1fb2edd1d75133b0cd6dbdd31cad5123012d4efa4410501e
Instruction Fuzzy Hash: 94D05E70520201BACA105F61CE099177FECAB40B06B068436A001F51F1DF38CA40D62A

Function 00408A78 Relevance: 3.0, APIs: 2, Instructions: 11memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A86
RtlFreeHeap.NTDLL(00000000,?,0040BF56,00000000,00000000,00401571,?,00000000,00401657), ref: 00408A8D

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 4b965ebc6f3007ed98476dc1a34515f2f32a2cf3477594961decf9cee8b4f876
Instruction ID: a69156a5714b5ed64581fe4d1ff4c4454b911fe3be31deeab2f0e1ea067e17c7
Opcode Fuzzy Hash: 4b965ebc6f3007ed98476dc1a34515f2f32a2cf3477594961decf9cee8b4f876
Instruction Fuzzy Hash: 44C01231404208EBDB005BD4E90CB957A68A704305F408031B70C545A0C6744154CA68

Function 0040176E Relevance: 3.0, APIs: 2, Instructions: 8COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 0040177C
KiUserCallbackDispatcher.NTDLL(00000000), ref: 00401783

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherItemUser
String ID:
API String ID: 4250310104-0
Opcode ID: 8c475cce1b49c80f717a381c24c42c7f76a63ee5cdab3e819b4335c1b6b8bb45
Instruction ID: 189c9e826543f5475fcf031bfc7ca5163a40211e3e4d4646e11576dcbd2e1a9c
Opcode Fuzzy Hash: 8c475cce1b49c80f717a381c24c42c7f76a63ee5cdab3e819b4335c1b6b8bb45
Instruction Fuzzy Hash: FFC04C76808240BFCB016BE1AE08C2FBFA9AB98321F00C85DF1A990024C735C414EB15

Function 00409F89 Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

ExpandEnvironmentStringsA.KERNELBASE(00000000,?,00001000,?,00000000,?,0040A8C1,00000000,?,?,?,?,?,?,0040BAA4,?), ref: 0040A031

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 1d776ba661262157005108bf3189f16b3a1d364e5a921b55746a6244af760944
Instruction ID: 3b75960a99977025eef47e0d0ef2c6327a4cdb7878e5a9b6acdd1e45141c4e82
Opcode Fuzzy Hash: 1d776ba661262157005108bf3189f16b3a1d364e5a921b55746a6244af760944
Instruction Fuzzy Hash: BD31A7351042CEDFCB128E58C480AEB3BA4AF16344B044077F985EB392C339DD95C76A

Function 0040837B Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000400,?,0000005C,004240A4,?,004089DB,?,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,0040BC50,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe), ref: 004083AE

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 297951219909d283c8e0493189c97bff9c253311c24c220aa8e2a427cd76bfd7
Instruction ID: 2c17aa090bac423a36c81e224beabcf8e14dbe8590a885a876d69ca3c3a39f2a
Opcode Fuzzy Hash: 297951219909d283c8e0493189c97bff9c253311c24c220aa8e2a427cd76bfd7
Instruction Fuzzy Hash: 64017176500204E5EF20AB61DE46FDB777C9F50744F0041BEBA85B60C1DAB89A49CAA8

Function 00408AFC Relevance: 1.5, APIs: 1, Instructions: 43fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,40000000,00000001,00000000,00000002,08000000,00000000), ref: 00408B4B

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 55b95f86380a71234201eb493696debaa6cf9c0a7378202440496f87df6e8a5e
Instruction ID: 8f44e3b2519bf4aed55b040dd87cc615e69ea971b40be2eeb733e3817faeb5e9
Opcode Fuzzy Hash: 55b95f86380a71234201eb493696debaa6cf9c0a7378202440496f87df6e8a5e
Instruction Fuzzy Hash: EF012170A40208BFDB14DF64D985BADBBB1EB05311F2080AAF995EB2D1C674AB41DF08

Function 0040B032 Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,00000000), ref: 0040B04B

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: e6abbd2c69c2498883a618b95845aa2fa68efd718059b75887c68eb41e0a02c0
Instruction ID: 2e6f010f2aa66c735c6dd8d789d3d29af80346808616cd9c3561aa594f8e7b9e
Opcode Fuzzy Hash: e6abbd2c69c2498883a618b95845aa2fa68efd718059b75887c68eb41e0a02c0
Instruction Fuzzy Hash: DCF0377290010DAADB11DF60DC40ADB77A8EB04319F0080B7E919E6191DB74CB99CB99

Function 00408BED Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00408C09

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 8eb145980de5dfbf9c1601719b9a0cb118d2da9b0921019d45f8f18b24f89fdf
Instruction ID: 15462d07efcad52f13e430d49a2d82f51cb65c113c95511546f31ae43e82392a
Opcode Fuzzy Hash: 8eb145980de5dfbf9c1601719b9a0cb118d2da9b0921019d45f8f18b24f89fdf
Instruction Fuzzy Hash: 76F01C75D0020DFFDB00DF94D544B9EBBF8EB18314F008465E851AA290C7749A58DF51

Function 00408BAA Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00408BC6

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fe46fa547ab66e6c84667d1ba9fc6cc43a26cbc1f32aa7a1f99cfeb6a2e3b0bd
Instruction ID: ec1a145b56f262cb1d504e24ff2e465bb0343d3be6ef529da89be42bb198565c
Opcode Fuzzy Hash: fe46fa547ab66e6c84667d1ba9fc6cc43a26cbc1f32aa7a1f99cfeb6a2e3b0bd
Instruction Fuzzy Hash: C3F0F2B590020DFFCB00DF94CA85B9EBBB9FB18304F108066B851AA290C774AA19DF51

Function 00408C30 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,?,00000000,?,?,?,00409D4B,00000000,00000000,00000002,00008000,?,00000000,?,0040D71C,?), ref: 00408C41

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ebd97ba896a91c82026dd7218fd07a1cddb2ac9771e46cc77dad052757bb931d
Instruction ID: 238847d84854112dcf927b5e1fb3e581298e29784674f07722f397358053ec65
Opcode Fuzzy Hash: ebd97ba896a91c82026dd7218fd07a1cddb2ac9771e46cc77dad052757bb931d
Instruction Fuzzy Hash: 8FD09E3A511208FFCF11DFA4CD05E8EBBB5EB05760F108665B921AB1E0D6719A10DB54

Function 00408C57 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000001,?,?,00409D51,00000000,00000000,00000000,00000002,00008000,?,00000000,?,0040D71C), ref: 00408C66

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b910ca9b58e415e0483fa90e358b07836260a2bca3e27586fbaca0058981619d
Instruction ID: de39520d9b412b1551756af76527d90be092fd73287dc3dd87c7b4cc629030f4
Opcode Fuzzy Hash: b910ca9b58e415e0483fa90e358b07836260a2bca3e27586fbaca0058981619d
Instruction Fuzzy Hash: B3D0C970640208BFDB00CB94DD46F89BBA5AB05744F104065B604AB290D6B1AA009B94

Function 0040BDC4 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000400,00001001,00000033,000000FF,?,?,0040282C,004258D0,ya-page.html,00000000,004258D0,00000000,004205BC,00000000,00000003,00000000), ref: 0040BDDE

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: cb99025cad4ef06dae0155907f382c892ca128e9b46435639123d319c6b637f8
Instruction ID: 06e684b1484b4b435cbc2260346b85c7e7423e09f31fb79ff44072ebd8b7ef0e
Opcode Fuzzy Hash: cb99025cad4ef06dae0155907f382c892ca128e9b46435639123d319c6b637f8
Instruction Fuzzy Hash: 2DC00236148745BFDE025F809D09D1ABBA2EB98716F00C809B39454060C7728065AB16

Function 00409BD9 Relevance: 1.5, APIs: 1, Instructions: 10windowCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(00000068,00000402,00000000,?,00000033), ref: 00409BF6

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemMessageSend
String ID:
API String ID: 3015471070-0
Opcode ID: 2300c5eabf336862cff72199354f85596b6357724a769cd78d97ed8f2155a273
Instruction ID: 9f1db68636c907afd69080988e8095375c3fed245d9b1fc05636d19bcf59f41e
Opcode Fuzzy Hash: 2300c5eabf336862cff72199354f85596b6357724a769cd78d97ed8f2155a273
Instruction Fuzzy Hash: 68C080701403007FDB125F00DD06F167665FB40701F10C9287350340F1C7B30825D708

Function 0040912E Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Module$EnvironmentFileLoadNameVariable$BitmapCommandDeleteDialogHandleIconInitializeLineObjectParam
String ID:
API String ID: 376930393-0
Opcode ID: 7d94e7bcd816fb2caf8a202f2491b4eafc195a22dedd36280315d73f248914ec
Instruction ID: 0fab015d5cc09046d8c0b018f6c0f306927c1e26c407acc019314e01f0f25e0c
Opcode Fuzzy Hash: 7d94e7bcd816fb2caf8a202f2491b4eafc195a22dedd36280315d73f248914ec
Instruction Fuzzy Hash: 93A002D45141003DF9C171B20C0AE3B209CD5412087C0087A3C04E5487DD3CEC40117C

Function 00406A41 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

CharUpperA.USER32(?,00406AB0,00000000,?,00000000,00000000,?,?,00406D01,00000000,00000000,?,__rar_,00000000,00000006,?), ref: 00406A4E

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharUpper
String ID:
API String ID: 9403516-0
Opcode ID: 36d9582e391a7b169da90b8670f0b3679454f109d9cac4d4313aca544b5b5192
Instruction ID: 68f4501d2770310b3adee048ab760fd0d789c79889ed28d6e79b771074185475
Opcode Fuzzy Hash: 36d9582e391a7b169da90b8670f0b3679454f109d9cac4d4313aca544b5b5192
Instruction Fuzzy Hash: 9BB092A09082D129EB02F361861872BBED49BA2305F06C89AF0C9A0091C278C458DB29

Function 00402EAF Relevance: 1.3, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,00000000,00000000,004033B2,?,?,?,00401837,?,00424098,004018B8,00000002,?,00402F9F,?), ref: 00402ED0

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 99f4512754d56fb71ee4e54f604aefb4d90c204e8b750cf2088513e878863a12
Instruction ID: 66f89242a10f0ef0e9794aad02c0059161495a2ea60dd606aa4d1ec9f998c065
Opcode Fuzzy Hash: 99f4512754d56fb71ee4e54f604aefb4d90c204e8b750cf2088513e878863a12
Instruction Fuzzy Hash: 1201D4304416018ED7309A34D74C7A3B3E4E726322F144A3BD5E6A26D0C3F8A88EAB58

Function 00408B77 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,?,?,00409D7B,?,00000000,00000001,00008000,00000000,00000000,-FFFF8000,00000000,00000000,00000000,00000000,00000002), ref: 00408B8B

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: cf6b5449e04981574f94b3d250bcf7de03a075bd7df71e3d0a04e3587adc9ad1
Instruction ID: 75cddef4f60534730d4415bfd9d585623a734d9e946874878867f7a54898517d
Opcode Fuzzy Hash: cf6b5449e04981574f94b3d250bcf7de03a075bd7df71e3d0a04e3587adc9ad1
Instruction Fuzzy Hash: B2E0EC7065010DEFCB00DF75CA0996D7BB4AB22369F10423AB915EA1E0DE78DA449B49

Non-executed Functions

Function 004097ED Relevance: 49.3, APIs: 25, Strings: 3, Instructions: 265timewindowfileCOMMON

Download Yara Rule

APIs

SendDlgItemMessageA.USER32(?,00000066,00000171,00000000,00000000), ref: 00409867
DestroyIcon.USER32(00000000), ref: 00409872
EndDialog.USER32(?,00000005), ref: 0040987A
SetDlgItemTextA.USER32(?,00000065,?), ref: 004098C2
SHGetFileInfoA.SHELL32(?,00000000,?,00000160,00000100), ref: 004098DD
SendDlgItemMessageA.USER32(?,00000066,00000170,?,00000000), ref: 004098F4
FindFirstFileA.KERNEL32(?,?), ref: 00409908
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00409925
FileTimeToSystemTime.KERNEL32(?,?), ref: 00409933
GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00409947
GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 0040995A
wsprintfA.USER32 ref: 00409985
SetDlgItemTextA.USER32(?,0000006A,?), ref: 00409996
FindClose.KERNEL32(?), ref: 0040999B
wsprintfA.USER32 ref: 004099D8
SetDlgItemTextA.USER32(?,00000068,?), ref: 004099E9
SendDlgItemMessageA.USER32(?,00000067,00000170,?,00000000), ref: 004099FD
DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00409A17
FileTimeToSystemTime.KERNEL32(?,?), ref: 00409A25
GetTimeFormatA.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00409A3A
GetDateFormatA.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00409A4F
wsprintfA.USER32 ref: 00409A74
SetDlgItemTextA.USER32(?,0000006B,?), ref: 00409A85
wsprintfA.USER32 ref: 00409AC9
SetDlgItemTextA.USER32(?,00000069,?), ref: 00409ADA

Strings

%s %s %s, xrefs: 0040997F, 00409A6E
%s %s, xrefs: 004099D2, 00409AC3
REPLACEFILEDLG, xrefs: 00409802

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Time$Item$File$Text$Formatwsprintf$DateMessageSend$FindSystem$CloseDestroyDialogFirstIconInfoLocal
String ID: %s %s$%s %s %s$REPLACEFILEDLG
API String ID: 1296638866-1840816070
Opcode ID: 368cabe2378c700bece5c16eae3625b51fed413dafd5d5eac11ae66a17fec9d2
Instruction ID: 2cd12b30774dc937117188f6e86c86919f213cecabe2238188cd9feaf6cdea38
Opcode Fuzzy Hash: 368cabe2378c700bece5c16eae3625b51fed413dafd5d5eac11ae66a17fec9d2
Instruction Fuzzy Hash: 9D914FB294010DBBEB21AFE0CD45FEB37ACEB04744F004076B605F61D1DA789E498B68

Function 004050C9 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 157memorystringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?), ref: 0040510B
GlobalAlloc.KERNEL32(00000040,-00000100), ref: 0040511F
GetVersionExA.KERNEL32(?), ref: 0040513A
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,-00000100,00000000,00000000,?,?,<html>,00000006,00000000,<html>), ref: 00405202
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,?,000000FF,00000003,-00000100,00000000,00000000), ref: 00405220
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,00000000,?,?,<html>,00000006,00000000,<html>), ref: 00405254

Strings

about:blank, xrefs: 004050ED
<head><meta http-equiv="content-type" content="text/html; charset=, xrefs: 00405168
<html>, xrefs: 00405158, 0040519E
</html>, xrefs: 004051CD
utf-8"></head>, xrefs: 00405179

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AllocCreateStreamVersionlstrlen
String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$about:blank$utf-8"></head>
API String ID: 918982468-1117646011
Opcode ID: a3208fb9bfabf9e9ee198b6b6d48032044c7b9f0c5de058316cad559f5e80f60
Instruction ID: b0df79cbbcafecc5d1d3fe2439321bd46533520a5d54157ae409ba36862a632a
Opcode Fuzzy Hash: a3208fb9bfabf9e9ee198b6b6d48032044c7b9f0c5de058316cad559f5e80f60
Instruction Fuzzy Hash: 5751C371900788AEDB219FB48C44DAF3BA9EF06704F14417EF965A62D2C638D805CF29

Function 0040879E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000,004240A4), ref: 004087AD
FindResourceA.KERNEL32(00000000,RTL,00000005), ref: 004087BC

Strings

LTR, xrefs: 004087CC, 004087D1, 004087DB
RTL, xrefs: 004087B5, 004087BA, 004087E3

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FindHandleModuleResource
String ID: LTR$RTL
API String ID: 3537982541-719208805
Opcode ID: 5cf9133b96cdb5e751eebdb6f14a221c694bd113946158c6320ebb948c4b38f8
Instruction ID: 97b953d20493639f8d756745a358aa298b0a5738bb8163ef9c32eb1628be1a44
Opcode Fuzzy Hash: 5cf9133b96cdb5e751eebdb6f14a221c694bd113946158c6320ebb948c4b38f8
Instruction Fuzzy Hash: 05F0E961A402146AD71067B59D09FAB3A1CDB41704F04057EB749F31C5CFB9D94AC7AD

Function 00404AB5 Relevance: 3.1, APIs: 2, Instructions: 59comCOMMON

Download Yara Rule

APIs

CLSIDFromString.OLE32(?,?), ref: 00404AC6
CoCreateInstance.OLE32(?,00000000,00000005,0040D98C,?), ref: 00404ADD

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateFromInstanceString
String ID:
API String ID: 432265043-0
Opcode ID: d19104ebca548e3a4e23326e591f4332876ca990d32e9b9a57e645437a086fae
Instruction ID: 7394c687b9ab7a9ec171c3789a840e8af17843061d96c5c926664323b13b0674
Opcode Fuzzy Hash: d19104ebca548e3a4e23326e591f4332876ca990d32e9b9a57e645437a086fae
Instruction Fuzzy Hash: 1A114FB5600204FFCB10DFA5C848E9A7BB8EF89715B200469F945EB290DB75ED46CBA0

Function 004091C2 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000400,0000000F,?,00000064), ref: 004091D5

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9b8d12d91d7a5c04c61474bce4898f75dfc33585eaff928901da7e17592fbf48
Instruction ID: dc0e9f2bea77d387bf1c7fd8ba2b91bd23300cdd34a12593aea106de39e6c475
Opcode Fuzzy Hash: 9b8d12d91d7a5c04c61474bce4898f75dfc33585eaff928901da7e17592fbf48
Instruction Fuzzy Hash: 88C08C60A4434D2EE610E7E05E07F6EBAFC4700B0AF000021BB05BF0C1D5B0DA0A8696

Function 0040621D Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c6ef4726d1ca9335a4b4f802c9871927e27ec4a2e3032671f39348f488034e
Instruction ID: 60278eddc61cbb796610d08b14828801d9e98cc5dc8ea292e3dc49246b676d6e
Opcode Fuzzy Hash: d1c6ef4726d1ca9335a4b4f802c9871927e27ec4a2e3032671f39348f488034e
Instruction Fuzzy Hash: F4E10571A00219ABDB24DF94DC8466E76B1AB01324F26027BD827B72E1D37C49A7DF4D

Function 00405D4D Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d62bd8809aecbded89597a4069a6ef0d10a7564c3bb6a7eb00a1a5ad7911520
Instruction ID: a134ac672da8825195ae82180d73fc4adc7593fe0b7618fedeb8c4994a89564a
Opcode Fuzzy Hash: 9d62bd8809aecbded89597a4069a6ef0d10a7564c3bb6a7eb00a1a5ad7911520
Instruction Fuzzy Hash: 34E15931600649CFDB18DF68C980AAE7BA1FF89344F11857AED56A7390D735E885CF84

Function 0040168A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5247107952cd3e3df5016bb80305d4f2df4f5cbd325335a8729d6fa6dedb5fca
Instruction ID: 13bc688672f0039179c7fcc53b0786394b47e316986cc60408bc98c0177477ce
Opcode Fuzzy Hash: 5247107952cd3e3df5016bb80305d4f2df4f5cbd325335a8729d6fa6dedb5fca
Instruction Fuzzy Hash: 7C21C9318340714BC264EA2ADD4462B33D3D7C2302F5D497AD784A76AAC23DF5169779

Function 004055BD Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004055D0
#17.COMCTL32 ref: 004055D6
ShowWindow.USER32(?,00000000,?,?), ref: 004055EF
GetWindowRect.USER32(?,?), ref: 00405608
GetParent.USER32(?), ref: 0040561D
MapWindowPoints.USER32(00000000,00000000), ref: 00405622
DestroyWindow.USER32(?), ref: 00405630
GetParent.USER32(?), ref: 0040563E
CreateWindowExA.USER32(00000000,RarHtmlClassName,00000000,40000000,?,?,?,?,00000000), ref: 00405666
ShowWindow.USER32(00000000,00000005), ref: 00405676
UpdateWindow.USER32(?), ref: 0040567B
DestroyWindow.USER32(?), ref: 0040569E
ShowWindow.USER32(?,00000005), ref: 004056AC
SetWindowTextA.USER32(?,00000000), ref: 004056FB

Strings

RarHtmlClassName, xrefs: 00405660

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Show$DestroyParent$CreateInitializePointsRectTextUpdate
String ID: RarHtmlClassName
API String ID: 2853670363-1658105358
Opcode ID: 17d39edd45265ab84dc0476f0d2ae35fd2cff382de378c590d713691094954cd
Instruction ID: 4dfbfdda96dff529e62f8a79261a68c819df0797669c019bdfecddb02dd620f6
Opcode Fuzzy Hash: 17d39edd45265ab84dc0476f0d2ae35fd2cff382de378c590d713691094954cd
Instruction Fuzzy Hash: 2541AF70A00604BFDB21AFA5DD49F6F7BA9EF44704F00452EF955B22A1CB39ED048E68

Function 00409532 Relevance: 19.6, APIs: 13, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0040953E
CreateCompatibleDC.GDI32(00000000), ref: 0040954E
CreateCompatibleDC.GDI32(?), ref: 00409555
GetObjectA.GDI32(?,00000018,?), ref: 00409563
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 00409585
SelectObject.GDI32(00000000,?), ref: 00409598
SelectObject.GDI32(?,00000000), ref: 004095A3
StretchBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004095C1
SelectObject.GDI32(00000000,?), ref: 004095CB
SelectObject.GDI32(?,?), ref: 004095D3
DeleteDC.GDI32(00000000), ref: 004095DC
DeleteDC.GDI32(?), ref: 004095E1
ReleaseDC.USER32(00000000,?), ref: 004095E7

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$BitmapReleaseStretch
String ID:
API String ID: 3950507155-0
Opcode ID: d83b7360ee04117ac1b528f11ec80559780e506d935eb9e65f2f62ad471a194d
Instruction ID: 2689064bbdca2239bb9988a8b37c2e4a78949efbfd3dab3b95c9ab04797621b4
Opcode Fuzzy Hash: d83b7360ee04117ac1b528f11ec80559780e506d935eb9e65f2f62ad471a194d
Instruction Fuzzy Hash: D4217376C00218FBCF119FE5DD48C9EBFB9FB48364B104466F918A6120C7359A65EFA4

Function 0040A3AC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32(?,00000005), ref: 0040A3C8
GetClassNameA.USER32(00000000,?,00000400), ref: 0040A401

Part of subcall function 0040BDA3: CompareStringA.KERNEL32(00000400,00001001,0040A418,000000FF,?,000000FF,0040A418,?,STATIC), ref: 0040BDB9

GetWindowLongA.USER32(00000000,000000F0), ref: 0040A41F
SendMessageA.USER32(00000000,00000173,00000000,00000000), ref: 0040A436
GetObjectA.GDI32(00000000,00000018,?), ref: 0040A445

Part of subcall function 0040963A: GetDC.USER32(00000000), ref: 00409646
Part of subcall function 0040963A: GetDeviceCaps.GDI32(00000000,0000005A), ref: 00409655
Part of subcall function 0040963A: ReleaseDC.USER32(00000000,00000000), ref: 00409663

Part of subcall function 004095F7: GetDC.USER32(00000000), ref: 00409603
Part of subcall function 004095F7: GetDeviceCaps.GDI32(00000000,00000058), ref: 00409612
Part of subcall function 004095F7: ReleaseDC.USER32(00000000,00000000), ref: 00409620

Part of subcall function 00409532: GetDC.USER32(00000000), ref: 0040953E
Part of subcall function 00409532: CreateCompatibleDC.GDI32(00000000), ref: 0040954E
Part of subcall function 00409532: CreateCompatibleDC.GDI32(?), ref: 00409555
Part of subcall function 00409532: GetObjectA.GDI32(?,00000018,?), ref: 00409563
Part of subcall function 00409532: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 00409585
Part of subcall function 00409532: SelectObject.GDI32(00000000,?), ref: 00409598
Part of subcall function 00409532: SelectObject.GDI32(?,00000000), ref: 004095A3
Part of subcall function 00409532: StretchBlt.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,00CC0020), ref: 004095C1
Part of subcall function 00409532: SelectObject.GDI32(00000000,?), ref: 004095CB
Part of subcall function 00409532: SelectObject.GDI32(?,?), ref: 004095D3
Part of subcall function 00409532: DeleteDC.GDI32(00000000), ref: 004095DC
Part of subcall function 00409532: DeleteDC.GDI32(?), ref: 004095E1
Part of subcall function 00409532: ReleaseDC.USER32(00000000,?), ref: 004095E7

SendMessageA.USER32(00000000,00000172,00000000,00000000), ref: 0040A46C
DeleteObject.GDI32(00000000), ref: 0040A477
GetWindow.USER32(00000000,00000002), ref: 0040A480

Strings

STATIC, xrefs: 0040A407

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$Select$CompatibleCreateDeleteReleaseWindow$CapsDeviceMessageSend$BitmapClassCompareLongNameStretchString
String ID: STATIC
API String ID: 1367540300-1882779555
Opcode ID: fdc27fe7626693b025d062835a8ad42b090aed04de6fe4f0cb52fbba01bed054
Instruction ID: 90747e43eef975b1ef8f2a06123fd816479804d3f12fbf91bfac505df9b18d4e
Opcode Fuzzy Hash: fdc27fe7626693b025d062835a8ad42b090aed04de6fe4f0cb52fbba01bed054
Instruction Fuzzy Hash: A42123329403047BDB12ABA4DC8AFBF7778AF45705F008036FA05B61C1CB789D568AAD

Function 0040B382 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000080,00000001,000E02F3), ref: 0040B3E3
SendDlgItemMessageA.USER32(?,00000066,00000172,00000000,06050E1C), ref: 0040B3F8
GetDlgItem.USER32(?,00000065), ref: 0040B407
SendMessageA.USER32(00000000,00000435,00000000,00010000), ref: 0040B41C
GetSysColor.USER32(0000000F), ref: 0040B420
SendMessageA.USER32(00000000,00000443,00000000,00000000), ref: 0040B42F
EndDialog.USER32(?,00000001), ref: 0040B46C

Strings

LICENSEDLG, xrefs: 0040B38E

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Item$ColorDialog
String ID: LICENSEDLG
API String ID: 1567230415-2177901306
Opcode ID: 18ba7daf24b0f60f3670f9ff4b2e36e5b043ecb788506ceb9dc9f2db9d4766c4
Instruction ID: 53b56dc1ae4cdf5a37f30b4a018add1efa5a99e370e4494e87736e16fdd8d5c4
Opcode Fuzzy Hash: 18ba7daf24b0f60f3670f9ff4b2e36e5b043ecb788506ceb9dc9f2db9d4766c4
Instruction Fuzzy Hash: EC21B371340205BBEA216FA09D85F7B366DEB48B50F504036FB00B91E1CBB99D519BAD

Function 00404F1C Relevance: 12.1, APIs: 8, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404F2E
GetTickCount.KERNEL32 ref: 00404F33
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00404F62
TranslateMessage.USER32(?), ref: 00404F70
DispatchMessageA.USER32(?), ref: 00404F7A
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F87
GetTickCount.KERNEL32 ref: 00404F8D
VariantInit.OLEAUT32(?), ref: 00404F9A

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$CountTick$DispatchInitPeekTranslateVariant
String ID:
API String ID: 4242828014-0
Opcode ID: ce7f697eae858985e074176cd85e5998923cf01d77bd7059184eb1bd7df5c033
Instruction ID: 9ead429ac9f12c2d6e7e18ed3d96fc4075c96c96a3d2a370c375a777f6eeea27
Opcode Fuzzy Hash: ce7f697eae858985e074176cd85e5998923cf01d77bd7059184eb1bd7df5c033
Instruction Fuzzy Hash: 1A21F9B1D00209AFDB00EBE4D98CD9EBBBCEF48355F108866B605EB250D6749A45CB60

Function 0040A500 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 66COMMON

Download Yara Rule

APIs

DialogBoxParamA.USER32(RENAMEDLG,00409AE9,?,?,00000000), ref: 0040A57E

Strings

RENAMEDLG, xrefs: 0040A573
ya-page.html, xrefs: 0040A500
REPLACEFILEDLG, xrefs: 0040A54C

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DialogParam
String ID: RENAMEDLG$REPLACEFILEDLG$ya-page.html
API String ID: 665744214-2543800263
Opcode ID: d22f67cf0eccbce8fe844416c923a4954bdc51a3872815b6067d974ca026a17e
Instruction ID: 3998d42a0657ff46a4165e1f59e4b2ef33b672e01ded065cc7c81dafb0c22691
Opcode Fuzzy Hash: d22f67cf0eccbce8fe844416c923a4954bdc51a3872815b6067d974ca026a17e
Instruction Fuzzy Hash: 9A2139B4214389FECF218F14EC01B523BA0FB45B51F448472E904AA2E1C37D9A66DB6A

Function 00404D66 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00404D7D
GetTickCount.KERNEL32 ref: 00404D98
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00404DAC
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404DBD
TranslateMessage.USER32(?), ref: 00404DC7
DispatchMessageA.USER32(?), ref: 00404DD1

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$CountTick$DispatchPeekTranslate
String ID:
API String ID: 3906477200-0
Opcode ID: 355ad66bcd185ed0683bd5be14dd71d8262a807b52ca2c5befd4d8300a9e0c3a
Instruction ID: 98622dc8d5726893005e033153a9124b41a8af399fb3e9dc447dabcc560afb25
Opcode Fuzzy Hash: 355ad66bcd185ed0683bd5be14dd71d8262a807b52ca2c5befd4d8300a9e0c3a
Instruction Fuzzy Hash: 7C2107B5A00209AFDB00DFE5D988DAEBBBCEF88319B1444AAE501E7250D734DD45CB64

Function 00409AE9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00409B28
SendDlgItemMessageA.USER32(?,00000066,0000000D,00000050,?), ref: 00409B3D
SetDlgItemTextA.USER32(?,00000065,?), ref: 00409B57
SetDlgItemTextA.USER32(?,00000066,?), ref: 00409B5D

Strings

RENAMEDLG, xrefs: 00409AF9

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Item$Text$DialogMessageSend
String ID: RENAMEDLG
API String ID: 1109518134-3299779563
Opcode ID: 6e2899ca4cac3cc24f67df2f93fa6cc09470fa0abd8febf76d90f6f8d215923a
Instruction ID: d7bb06c2e9f53518b0c44163b23661684f6f6be34bb52d1ecc6a3b040d7549b5
Opcode Fuzzy Hash: 6e2899ca4cac3cc24f67df2f93fa6cc09470fa0abd8febf76d90f6f8d215923a
Instruction Fuzzy Hash: 6D0184726402587ADB305FA6AC49FAB7F7CFB45770F000426B605BA1D2C979A810D6B8

Function 004054D8 Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

SetWindowLongA.USER32(?,000000EB,?), ref: 004054FB
GetWindowLongA.USER32(?,000000EB), ref: 00405506
GetWindowLongA.USER32(?,000000EB), ref: 00405522
GetWindowLongA.USER32(?,000000EB), ref: 00405534
DefWindowProcA.USER32(?,?,?,?,?), ref: 0040554A

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Long$Proc
String ID:
API String ID: 3468714886-0
Opcode ID: ae50b28cdb3c45490eb0201267ea7d12dbb0562ddd8befe6d78ebf3c60ac522f
Instruction ID: 5befd8c353175417034b054f16956efe95a52a3910a3ba4e9b6fdd0606bb9232
Opcode Fuzzy Hash: ae50b28cdb3c45490eb0201267ea7d12dbb0562ddd8befe6d78ebf3c60ac522f
Instruction Fuzzy Hash: BC01843550882577CF042FA85D18CBF3B5AEE8A324B50463AF513B22E5CA389A119E6D

Function 004012EB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SHGetMalloc.SHELL32(?), ref: 004012F8
SHBrowseForFolderA.SHELL32(?,?), ref: 00401333

Strings

A, xrefs: 0040132C

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: BrowseFolderMalloc
String ID: A
API String ID: 3812826013-3554254475
Opcode ID: 31c41954e464ea8f36933d2fd890b593abe260fe4963732b6db781e1316aa49d
Instruction ID: c07431a8fdccfcb09c40a1c8fd7a026c1d6160c88d93ce7f416c5748d4766fd6
Opcode Fuzzy Hash: 31c41954e464ea8f36933d2fd890b593abe260fe4963732b6db781e1316aa49d
Instruction Fuzzy Hash: 6D011772D00219ABDB00CFA4D949BEF7BF8BF49311F104565E805E7250DB38DA058BA4

Function 0040A2A5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000000,00000000,00020006,00000000,?,?,00422730,?,00000000), ref: 0040A2ED
RegSetValueExA.ADVAPI32(?,?,00000000,00000001,?,00000001,?), ref: 0040A312
RegCloseKey.ADVAPI32(?), ref: 0040A31B

Strings

Software\WinRAR SFX, xrefs: 0040A2E3

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateValue
String ID: Software\WinRAR SFX
API String ID: 1818849710-754673328
Opcode ID: 140a66476dbc5c3609a6cfb1f32657b0f88eced4c7360654378db9e082538fa5
Instruction ID: 50db57340244aff708c96372dc14b21709ded8bcbdf4b2ab95babac9991c61da
Opcode Fuzzy Hash: 140a66476dbc5c3609a6cfb1f32657b0f88eced4c7360654378db9e082538fa5
Instruction Fuzzy Hash: 790181B1900218FEEF209BD0DE81EEB7B2CEB0434CF500076BA45B20A1D7755E5A9778

Function 00409B69 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000001), ref: 00409BA6
GetDlgItemTextA.USER32(?,00000065,00423748,00000080), ref: 00409BBB
SetDlgItemTextA.USER32(?,00000066,?), ref: 00409BCB

Strings

GETPASSWORD1, xrefs: 00409B74

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemText$Dialog
String ID: GETPASSWORD1
API String ID: 1770891597-3292211884
Opcode ID: 29bd22b970e79d3ce02add4ee7f25b3153798e02fad62c7d94743aa9a71f71ab
Instruction ID: 4459c1cc3da49acf5754bbb768d9eb509da326780ca2402c1c064f5d6b2b846d
Opcode Fuzzy Hash: 29bd22b970e79d3ce02add4ee7f25b3153798e02fad62c7d94743aa9a71f71ab
Instruction Fuzzy Hash: DEF0C231284219BAEB212F94AD06FEB3674FF04761F004422F601B90D1D6BEBD10976D

Function 0040A326 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,Software\WinRAR SFX,00000000,00000001,0000000C,?,00000022), ref: 0040A359
RegQueryValueExA.ADVAPI32(0000000C,?,00000000,00000000,?,?), ref: 0040A386
RegCloseKey.ADVAPI32(0000000C), ref: 0040A3A2

Strings

Software\WinRAR SFX, xrefs: 0040A34F

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\WinRAR SFX
API String ID: 3677997916-754673328
Opcode ID: dc33241564bbc0f6e3559bc288e356941d31d220efe287f4ee3b0b5dd2a07c5f
Instruction ID: 348379781705168262105f19cddc2eb37d0364b5317624143072abc8b8b1301a
Opcode Fuzzy Hash: dc33241564bbc0f6e3559bc288e356941d31d220efe287f4ee3b0b5dd2a07c5f
Instruction Fuzzy Hash: 7B011A75900218BADF11DB90DD45FDE7BBCEB04348F1041B6BA04B2090D7789B5A9B99

Function 00405556 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32(00000000,00007F00), ref: 0040558D
RegisterClassExA.USER32(00000030), ref: 004055AE

Strings

0, xrefs: 0040556C
RarHtmlClassName, xrefs: 004055A4

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$RarHtmlClassName
API String ID: 1693014935-3342523147
Opcode ID: 010a648192bcce36bee8effdea3a2d5caaaabf17c659dbe5ddbae759b47cf6cc
Instruction ID: 586680fbf4ca238fa2fde50e5c1e2f1c39d62c57558c5a96ba43bd0c9b0511b1
Opcode Fuzzy Hash: 010a648192bcce36bee8effdea3a2d5caaaabf17c659dbe5ddbae759b47cf6cc
Instruction Fuzzy Hash: E4F0C4B1D00219ABDB019FDAD944AEEFBF8FF99315F10806BE510B7250C7B816058FA8

Function 00409BFF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00424098,?,0040187A,00000000,00000000,00000076,?,00000000,00402F22,00000017,00000000,00000000,004033B2,?), ref: 00409C1E
wvsprintfA.USER32(?,?,84@), ref: 00409C34

Part of subcall function 004097B0: wvsprintfA.USER32(?,?,?), ref: 004097D1

SetLastError.KERNEL32(00000000,?,0040187A,00000000,00000000,00000076,?,00000000,00402F22,00000017,00000000,00000000,004033B2,?), ref: 00409C52

Strings

84@, xrefs: 00409C26, 00409C29

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastwvsprintf
String ID: 84@
API String ID: 2157943386-416276317
Opcode ID: 099d9fcfdfd0abb558066334728ce0564fc7f4266850570df45829d0b6ae13cc
Instruction ID: 5ad1827fabc9a2481898a3fb1758f903ddd74db165321497a9a6725a78f664e2
Opcode Fuzzy Hash: 099d9fcfdfd0abb558066334728ce0564fc7f4266850570df45829d0b6ae13cc
Instruction Fuzzy Hash: BDF08276804259EBDB12AF94DC04BEA33ACEB05355F4400B6F900B6295DB78DE88CB9C

Function 004095F7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00409603
GetDeviceCaps.GDI32(00000000,00000058), ref: 00409612
ReleaseDC.USER32(00000000,00000000), ref: 00409620

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 00409600

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsDeviceRelease
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
API String ID: 127614599-155749501
Opcode ID: 1a1ebba51d98459a22b853aa640b42f81edd3dfff86fa16ea8e33b6d1adb7b35
Instruction ID: dc34b730860ec105271f22cc56a71c82c41f894b9059c57f30de03ec1e384494
Opcode Fuzzy Hash: 1a1ebba51d98459a22b853aa640b42f81edd3dfff86fa16ea8e33b6d1adb7b35
Instruction Fuzzy Hash: 90E04F76E42710EBD2245B50ED1DF5BBF54EB19712F40003EF605AA1D4CB769806CB9C

Function 00409313 Relevance: 6.1, APIs: 4, Instructions: 96comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00409320
CoCreateInstance.OLE32(0040D9CC,00000000,00000001,0040D91C,?), ref: 00409337
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004093DB
OleUninitialize.OLE32 ref: 0040940B

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharCreateInitializeInstanceMultiUninitializeWide
String ID:
API String ID: 2968213145-0
Opcode ID: e3d30a5dc041db76ae0ffe594783bd22d1a51641a5756bedbbdc59179d40c081
Instruction ID: 9968d1dce90ce409cd03d185e590d58b435a4268f2979d2d6bbbf321111772d5
Opcode Fuzzy Hash: e3d30a5dc041db76ae0ffe594783bd22d1a51641a5756bedbbdc59179d40c081
Instruction Fuzzy Hash: 9131D7B5A00209EFDF00DFA0C988EAA7B79AF88304F1444A9F905EB291C775DE55DF64

Function 00404024 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

Strings

ya-page.html, xrefs: 00404178
ya-page.html, xrefs: 004040E0, 004040E5, 00404121, 00404122, 0040412B, 0040413A, 00404149, 00404177

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: ya-page.html$ya-page.html
API String ID: 0-3785280954
Opcode ID: a55ff3d4b88d9528ac417d13ac00c67db43c38f3a10a660d839860c85ccbeb77
Instruction ID: 42a8a48695ce9647df0486e4a66efce0a820137707f4b6972cc230aab0cd0772
Opcode Fuzzy Hash: a55ff3d4b88d9528ac417d13ac00c67db43c38f3a10a660d839860c85ccbeb77
Instruction Fuzzy Hash: 7241F7B1604110AFC720EB28DC89E673BE8AB95348F44453FF640F72D2D73C98868A9D

Function 0040165B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(0001044C), ref: 0040A5FB
DialogBoxParamA.USER32(GETPASSWORD1,0001044C,00409B69,?,?), ref: 0040A623

Strings

GETPASSWORD1, xrefs: 0040A618

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DialogParamVisibleWindow
String ID: GETPASSWORD1
API String ID: 3157717868-3292211884
Opcode ID: e3ca5bf099fcb78085ab7cfa6dc35946d6707158ce17ab433fbdd83721c44345
Instruction ID: b92803b1d29aa7e565dd06d43062644e98e25ac5081392048c50ae78eddeab10
Opcode Fuzzy Hash: e3ca5bf099fcb78085ab7cfa6dc35946d6707158ce17ab433fbdd83721c44345
Instruction Fuzzy Hash: F30125B26403957BCF308F60AC01A537AB4BB00711B58443AF8C0332D0D67E68A1979E

Function 0040CCA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,0040BCC1), ref: 0040CCB9
FreeLibrary.KERNEL32(?,00000000,C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe,0040BCC1), ref: 0040CCC3

Strings

C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe, xrefs: 0040CCA8

Memory Dump Source

Source File: 00000000.00000002.3324911196.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3324829250.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3324975000.000000000040D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.000000000040F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325083284.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3325224800.000000000042A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: C:\Users\user\Desktop\SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe
API String ID: 3664257935-155749501
Opcode ID: c960052bc573e9d22d0eccc5bbfc13a804a57d14caca9005fd91cdeaa639b38c
Instruction ID: 704669044e8851c13d82bdc28e6d9538e25662768ad7cea90585f79a98261614
Opcode Fuzzy Hash: c960052bc573e9d22d0eccc5bbfc13a804a57d14caca9005fd91cdeaa639b38c
Instruction Fuzzy Hash: BEE01232B055209BC720AF69ED84D4BF3EC9FD571030A056BE809F7350CB74EC428AA8

Analysis Process: mshta.exePID: 2220, Parent PID: 2296COMMON

Executed Functions

Function 06BD0FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3329216015.0000000006BD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6bd0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction ID: d3fadd55c5fd5dd6de8cce5ebc8c0ee4aa768219fa5b4737226a32ce9e565413
Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
Instruction Fuzzy Hash:

Analysis Process: Xr5XVue.exePID: 7148, Parent PID: 2220COMMON

Execution Graph

Execution Coverage:	4.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	84

Executed Functions

Function 004253D0 Relevance: 104.3, APIs: 45, Strings: 14, Instructions: 1097COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 004253D7
exit.MSVCRT ref: 00425496

Part of subcall function 0047D344: ferror.MSVCRT ref: 0047D350
Part of subcall function 0047D344: fputs.MSVCRT ref: 0047D366

exit.MSVCRT ref: 004254B9
exit.MSVCRT ref: 004254F3
free.MSVCRT ref: 004254FE
exit.MSVCRT ref: 00425536
free.MSVCRT ref: 00425541
exit.MSVCRT ref: 0042556C
exit.MSVCRT ref: 004255A1
exit.MSVCRT ref: 004255D6
exit.MSVCRT ref: 004255F2
exit.MSVCRT ref: 00425616
exit.MSVCRT ref: 0042563E
exit.MSVCRT ref: 00425666
exit.MSVCRT ref: 0042568E
exit.MSVCRT ref: 0042569A
exit.MSVCRT ref: 0042579B

Strings

8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839, 00426869, 0042686E, 00426890
s, xrefs: 00426FEE
=<j, xrefs: 00425949, 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425951, 00425DC5
,=j, xrefs: 00426573
>Lj, xrefs: 0042569F, 004256AF
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit$free$ferrorfputs
String ID: ,=j$8$8Pj$=<j$>Lj$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$`F:v$R$Uj$s$e
API String ID: 983530446-765883185
Opcode ID: 50697fd4cd2db638f64f7e0ebeeda54edeb645cc6318f9b0b873f03cdedbfe86
Instruction ID: eaf85c739d9e76ae82a660a242de8c978cac2729e79e1cec6857fb70612b78a7
Opcode Fuzzy Hash: 50697fd4cd2db638f64f7e0ebeeda54edeb645cc6318f9b0b873f03cdedbfe86
Instruction Fuzzy Hash: 85A258706043508FDB40EF65E8417AABBF1EF45349F85885EE4C8AB352DBBC9841CB5A

Function 00425CD5 Relevance: 70.9, APIs: 24, Strings: 16, Instructions: 885COMMON

Download Yara Rule

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
noclobber, xrefs: 00425D6F
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
noparent, xrefs: 00425D68
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
!Nj, xrefs: 00425D58
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: !Nj$8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$noclobber$noparent$R$Uj$s$e
API String ID: 0-3546124017
Opcode ID: 74045fb9b780ecf6025611efa76f26c58cf73cde54ba2279338cecbd0657bf72
Instruction ID: 50084f1a93d7d78ce774408522d0a82746cb4447fab56503e9ea60b21ac7752a
Opcode Fuzzy Hash: 74045fb9b780ecf6025611efa76f26c58cf73cde54ba2279338cecbd0657bf72
Instruction Fuzzy Hash: D88258706043508BDB50EF25E8407AA7BE1EF46349F85C85EE4C4AB362CBBDD841CB5A

Function 00425B62 Relevance: 69.1, APIs: 25, Strings: 14, Instructions: 878COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
#Nj, xrefs: 00425C54
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: #Nj$8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-3860630875
Opcode ID: 2eb076f7cc238af49990b28957db0cf6a962b8a3e624e32b7323dc583be65332
Instruction ID: 5ccd1b95994ffb7a792bb568a1e349549d9ffdac54a46c675c9e0c6f39ab7644
Opcode Fuzzy Hash: 2eb076f7cc238af49990b28957db0cf6a962b8a3e624e32b7323dc583be65332
Instruction Fuzzy Hash: 558258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBD9845CB5A

Function 00425BF2 Relevance: 69.1, APIs: 24, Strings: 15, Instructions: 847COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
noclobber, xrefs: 00425C03
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
!Nj, xrefs: 00425BFB
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: !Nj$8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$noclobber$R$Uj$s$e
API String ID: 2483651598-2739010732
Opcode ID: 0e7829838e323e7803e853a9ff601b2753126c34a5e41d2b24e59c5e26fe740b
Instruction ID: 287ccbf726af5d45b232ad3dd880b998ed50be22871c3e156b27e4e6f6803728
Opcode Fuzzy Hash: 0e7829838e323e7803e853a9ff601b2753126c34a5e41d2b24e59c5e26fe740b
Instruction Fuzzy Hash: DD8258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBD9845CB5A

Function 00425C14 Relevance: 69.1, APIs: 24, Strings: 15, Instructions: 847COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
noparent, xrefs: 00425C25
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
!Nj, xrefs: 00425C1D
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: !Nj$8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$noparent$R$Uj$s$e
API String ID: 2483651598-2819477804
Opcode ID: bdda34dbb05908cd585c00d97ac015b8bb24284f4665d06693c1d34acc3b833c
Instruction ID: a761e7ab7a6f0465a3e3b648583a611f6bf216ab54a44888726ee20e274c78e5
Opcode Fuzzy Hash: bdda34dbb05908cd585c00d97ac015b8bb24284f4665d06693c1d34acc3b833c
Instruction Fuzzy Hash: 808258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C4AB362CBBD9845CB5A

Function 004258F6 Relevance: 67.4, APIs: 25, Strings: 13, Instructions: 871COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 0042593A

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425949, 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425951, 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 43988dbdfe86059932bd213646845e49548bbf870a217520385dd07543860cf8
Instruction ID: 09a9c7134b9545a266d320cdc6b856c7190884937db3edad94c106028d17e079
Opcode Fuzzy Hash: 43988dbdfe86059932bd213646845e49548bbf870a217520385dd07543860cf8
Instruction Fuzzy Hash: 918258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBD9845CB5A

Function 00425A98 Relevance: 67.4, APIs: 24, Strings: 14, Instructions: 863COMMON

Download Yara Rule

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
!Nj, xrefs: 00425AE9
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: !Nj$8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 0-305022974
Opcode ID: c220d4ee3edb7048c36354b52561c1ae6e7db3dc221031badbda6667b52c5b3e
Instruction ID: 70a1dd63d1771d3cd731d3d4687c68ee1f5150e231b1c391fd5c9ec5291b5600
Opcode Fuzzy Hash: c220d4ee3edb7048c36354b52561c1ae6e7db3dc221031badbda6667b52c5b3e
Instruction Fuzzy Hash: 618258706043508BDB50EF65E8407AA7BE1EF45349F85C85EE4C8AB362CBBCD841CB5A

Function 00425BD0 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 847COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 983f9dd11acafecf096993413a0bb10ee877e143aca09392ee28f6dfddd1260e
Instruction ID: 4ab6fd25f8a201803674d13650d5cea1fcdba6ef86bc00ec0c6f6dd853061b8b
Opcode Fuzzy Hash: 983f9dd11acafecf096993413a0bb10ee877e143aca09392ee28f6dfddd1260e
Instruction Fuzzy Hash: 968258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C4AB362CBBD9845CB5A

Function 00425B8C Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 847COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: fb838156d170eabdb44ab39dd96119f94b76f86f0f239e4cc355d458f6f02c8f
Instruction ID: 0b112f1e3810fa7cadd7584954196f1ef8f4e721ed259961ab39af6c00bcace5
Opcode Fuzzy Hash: fb838156d170eabdb44ab39dd96119f94b76f86f0f239e4cc355d458f6f02c8f
Instruction Fuzzy Hash: B98258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBD9845CB5A

Function 00425BAE Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 847COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 32e6df2c4eaf9a5c8f1b37f6a842e616f6138506bdf898888d339b4744197de5
Instruction ID: 6d007290206fcedf3f974215cb9ca707257664fac86ec87bcde167ce2ae4a2e4
Opcode Fuzzy Hash: 32e6df2c4eaf9a5c8f1b37f6a842e616f6138506bdf898888d339b4744197de5
Instruction Fuzzy Hash: 078258706043508FDB50EF25E8407AA7BE1EF45349F85C85EE4C4AB362CBBD9845CB5A

Function 00425893 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 845COMMON

Download Yara Rule

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit$getenvmemsetstrcmp
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 4250974075-4121705587
Opcode ID: d5efb2a289d39d9350c4895acc28564641c98b967596d25c65a87605bb26dc85
Instruction ID: bfbbf686e7545f8145c7db32114282eeafea9b1d0026d5e510e5b17b6c086393
Opcode Fuzzy Hash: d5efb2a289d39d9350c4895acc28564641c98b967596d25c65a87605bb26dc85
Instruction Fuzzy Hash: 1A8258706043508BDB50EF25E8407AA7BE1EF46349F85C85EE4C4AB362CBBDD845CB5A

Function 00425A72 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 841COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36
exit.MSVCRT ref: 00425F78
exit.MSVCRT ref: 00425FBA
exit.MSVCRT ref: 00426021
exit.MSVCRT ref: 004260C6
exit.MSVCRT ref: 00426150
exit.MSVCRT ref: 0042628E
exit.MSVCRT ref: 00426355

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 8454291ca32d2b00dd9a20ceee28f7506f6f7aa6ec25f65da5a873cafbabc9b7
Instruction ID: fdf06a1f6e2be65c7af2a53d6ce648d151fe47e065eca330c63e053297ab48a5
Opcode Fuzzy Hash: 8454291ca32d2b00dd9a20ceee28f7506f6f7aa6ec25f65da5a873cafbabc9b7
Instruction Fuzzy Hash: 9D8258706043508BDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBDD845CB5A

Function 00425B43 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 840COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36

Part of subcall function 00421EF3: exit.MSVCRT ref: 00421F44
Part of subcall function 00421EF3: free.MSVCRT ref: 00421F4F
Part of subcall function 00421EF3: free.MSVCRT ref: 00421F61

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitfree
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 1835919795-4121705587
Opcode ID: f569b891052168be9fb8332c5beb8edaa6ec77255c385da4210e8eb11cac7882
Instruction ID: 91b80298f7371817943931f08f49b16ee1be19faecf22dfa47b2909541a2cd9b
Opcode Fuzzy Hash: f569b891052168be9fb8332c5beb8edaa6ec77255c385da4210e8eb11cac7882
Instruction Fuzzy Hash: 878268706043508BDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBDD845CB5A

Function 00425B1C Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 840COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36
exit.MSVCRT ref: 00425F78
exit.MSVCRT ref: 00425FBA
exit.MSVCRT ref: 00426021
exit.MSVCRT ref: 004260C6
exit.MSVCRT ref: 00426150
exit.MSVCRT ref: 0042628E
exit.MSVCRT ref: 00426355

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 07b02c9ac1dc6bd25a432bb751baf3c4bbb933647d15bdab4b1068c5763f859d
Instruction ID: bf4ed79aad59f785f558324042b2edbc94e9699397dd2be5e1b06ba6cc60ebf1
Opcode Fuzzy Hash: 07b02c9ac1dc6bd25a432bb751baf3c4bbb933647d15bdab4b1068c5763f859d
Instruction Fuzzy Hash: F28257706043508BDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBDD845CB5A

Function 00425D86 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 838COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36
exit.MSVCRT ref: 00425F78
exit.MSVCRT ref: 00425FBA
exit.MSVCRT ref: 00426021
exit.MSVCRT ref: 004260C6
exit.MSVCRT ref: 00426150
exit.MSVCRT ref: 0042628E
exit.MSVCRT ref: 00426355

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 9d0174fd8c4b2c9525540fbbd8e816c45e0b12993ad3ac96f3151b8de0688c8c
Instruction ID: 95a4de8aa58588885c3cf0aeacfe9be02c5420a0b07a7375c9f828384219f1c5
Opcode Fuzzy Hash: 9d0174fd8c4b2c9525540fbbd8e816c45e0b12993ad3ac96f3151b8de0688c8c
Instruction Fuzzy Hash: 7F8258706043508BDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBDD845CB5A

Function 00425B09 Relevance: 65.6, APIs: 24, Strings: 13, Instructions: 837COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00425F36
exit.MSVCRT ref: 00425F78
exit.MSVCRT ref: 00425FBA
exit.MSVCRT ref: 00426021
exit.MSVCRT ref: 004260C6
exit.MSVCRT ref: 00426150
exit.MSVCRT ref: 0042628E
exit.MSVCRT ref: 00426355

Strings

XWj, xrefs: 00426FF7
8, xrefs: 00426D25
Both --no-clobber and --convert-links were specified, only --convert-links will be used., xrefs: 00425E1D
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
=<j, xrefs: 00425DBD
R, xrefs: 00426F0F
A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:, xrefs: 00425DC5
8Pj, xrefs: 00426038
XWj, xrefs: 00425DCD
e, xrefs: 00426EE6
Uj, xrefs: 0042693A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: 8$8Pj$=<j$@Fu$A:Ea:bKB:ckdP:D:X:e:xFhEI:46i:l:mn:O:o:pY:qQ:rR:LSHT:Nt:U:vVw:$Both --no-clobber and --convert-links were specified, only --convert-links will be used.$XWj$XWj$`F:v$R$Uj$s$e
API String ID: 2483651598-4121705587
Opcode ID: 1ec74227dcda7711d1a9dddb4865ac587e4b97a172488f3cbb977bcca7167f79
Instruction ID: 188231b1f5788a78f8b0e87c82a2ae18f67df7ade42ad866b82f0f0bbe494f53
Opcode Fuzzy Hash: 1ec74227dcda7711d1a9dddb4865ac587e4b97a172488f3cbb977bcca7167f79
Instruction Fuzzy Hash: 278258706043508BDB50EF25E8407AA7BE1EF45349F85C85EE4C8AB362CBBDD845CB5A

Function 0041C4B7 Relevance: 61.9, APIs: 20, Strings: 14, Instructions: 2422stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041C63D

Part of subcall function 00405BEE: strlen.MSVCRT ref: 00405C01
Part of subcall function 00405BEE: strcpy.MSVCRT ref: 00405C50

Part of subcall function 00417078: free.MSVCRT ref: 0041709B

Part of subcall function 004171B0: strchr.MSVCRT ref: 004171C4
Part of subcall function 004171B0: memcpy.MSVCRT ref: 0041723E

free.MSVCRT ref: 0041CD35
time.MSVCRT ref: 0041CD70
free.MSVCRT ref: 0041CE34
free.MSVCRT ref: 0041CE85
memcpy.MSVCRT ref: 0041D14D

Part of subcall function 004055FC: time.MSVCRT ref: 00405609
Part of subcall function 004055FC: strlen.MSVCRT ref: 00405619
Part of subcall function 004055FC: strcpy.MSVCRT ref: 00405668
Part of subcall function 004055FC: strrchr.MSVCRT ref: 00405773

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

free.MSVCRT ref: 0041D288
free.MSVCRT ref: 0041D3AF
free.MSVCRT ref: 0041D59B
free.MSVCRT ref: 0041D5C1
free.MSVCRT ref: 0041D5D6
strchr.MSVCRT ref: 0041D852
free.MSVCRT ref: 0041D8D3
fclose.MSVCRT ref: 0041CADC

Part of subcall function 00419089: free.MSVCRT ref: 004190CE
Part of subcall function 00419089: memset.MSVCRT ref: 004190F4

Part of subcall function 00402C9B: free.MSVCRT ref: 00402D2B

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

Proxy, xrefs: 0041CB05
false, xrefs: 0041D792, 0041D7EA
ignored, xrefs: 0041E742
`F:v, xrefs: 0041EC2E
#, xrefs: 0041E89B
., xrefs: 0041E173
true, xrefs: 0041D78B, 0041D7E3
[following], xrefs: 0041DD57
unspecified, xrefs: 0041DD7D, 0041E749
#, xrefs: 0041DE59
#, xrefs: 0041D3BB
#, xrefs: 0041EAA5
HTTP, xrefs: 0041CB0C
c, xrefs: 0041CE1F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen$memcpystrchrstrcpytime$fclosememsetstrrchr
String ID: [following]$#$#$#$#$.$HTTP$Proxy$`F:v$c$false$ignored$true$unspecified
API String ID: 2612153770-42555389
Opcode ID: f74aa882846484268ed53c1cdca7a07fdc7e3a43d000ce34980933213ebff977
Instruction ID: a2eb3ef9208f9efa22f1865fd0fe99ffb446e39562b9a40eb83c86957f8f9a72
Opcode Fuzzy Hash: f74aa882846484268ed53c1cdca7a07fdc7e3a43d000ce34980933213ebff977
Instruction Fuzzy Hash: 614316B4A043488FCB10DF69C9847DEBBF1BF49304F10899AE899AB351D3789981CF56

Function 004011FD Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 157
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00401285
malloc.MSVCRT ref: 00401339
strlen.MSVCRT ref: 00401359
malloc.MSVCRT ref: 00401364
memcpy.MSVCRT ref: 00401380
_cexit.MSVCRT ref: 004013EE
_amsg_exit.MSVCRT ref: 0040142A
_initterm.MSVCRT ref: 0040144C

Strings

[&, xrefs: 004013A0
r&, xrefs: 00401279
|&, xrefs: 0040129F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled_amsg_exit_cexit_inittermmemcpystrlen
String ID: [&$r&$|&
API String ID: 2574462208-2878343020
Opcode ID: ed578bdb480cc311f77da22850f2fe22eb7945d20703ba5584c3be5d5269d204
Instruction ID: 50c0881524fdb69a46c22aeaa8bbfc4e3e9115ed8bfbba8d6b94334e01a07d4e
Opcode Fuzzy Hash: ed578bdb480cc311f77da22850f2fe22eb7945d20703ba5584c3be5d5269d204
Instruction Fuzzy Hash: B65138B49043008FD790AF68E9813AA7BF1FB45305F44843ED989AB3B2D77D9844CB4A

Function 0043F831 Relevance: 1.5, APIs: 1, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CertOpenSystemStoreA.CRYPT32 ref: 0043F884

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: CertOpenStoreSystem
String ID:
API String ID: 4293387918-0
Opcode ID: b402aaa50ce190a6c99d3d37fd5c7e2dc981649117f72b52044d55a151b2ef25
Instruction ID: 4d466bb2319b6e579c871f2267e1586c8195d24fd2308686dff6990ee7ffb06b
Opcode Fuzzy Hash: b402aaa50ce190a6c99d3d37fd5c7e2dc981649117f72b52044d55a151b2ef25
Instruction Fuzzy Hash: 9AF01D70A00301DBC718FF7DD98164637E4AB48749F41A539E844D7360E778D9888BAA

Function 0042621E Relevance: 46.1, APIs: 18, Strings: 8, Instructions: 575
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

exit.MSVCRT ref: 0042628E
exit.MSVCRT ref: 00426355
exit.MSVCRT ref: 0042639D
exit.MSVCRT ref: 004263D0
exit.MSVCRT ref: 00426418
exit.MSVCRT ref: 00426445
exit.MSVCRT ref: 00426484
exit.MSVCRT ref: 004264BA
free.MSVCRT ref: 0042655D

Strings

8, xrefs: 00426D25
XWj, xrefs: 00426FF7
@Fu, xrefs: 004265AB, 004265B4, 004265C8, 004265D2, 004265E0
`F:v, xrefs: 00426839
s, xrefs: 00426FEE
e, xrefs: 00426EE6
Uj, xrefs: 0042693A
R, xrefs: 00426F0F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit$free
String ID: 8$@Fu$XWj$`F:v$R$Uj$s$e
API String ID: 1509854097-890522916
Opcode ID: 1a7d32b82dc41dbdf47be3c4a5263812b1062f983925f846d73f45cee298b6e4
Instruction ID: 86128c84b6a6301a850a87bbb96bc2046bd3a9b9e24af5c5971cc7cb1d06ddf8
Opcode Fuzzy Hash: 1a7d32b82dc41dbdf47be3c4a5263812b1062f983925f846d73f45cee298b6e4
Instruction Fuzzy Hash: 994236706043108BDB50EF65E88179ABBE1EF45349F85C85DE488AB352DBBCD841CB5A

Function 0042C79E Relevance: 23.5, APIs: 11, Strings: 2, Instructions: 713stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0042C8FC
strlen.MSVCRT ref: 0042C9B8
strlen.MSVCRT ref: 0042CBA1
free.MSVCRT ref: 0042CBCA
strlen.MSVCRT ref: 0042CAF5

Part of subcall function 0047D4C9: ferror.MSVCRT ref: 0047D4D5
Part of subcall function 0047D4C9: fwrite.MSVCRT ref: 0047D4F9

strtol.MSVCRT ref: 0042CB30
free.MSVCRT ref: 0042CB46
free.MSVCRT ref: 0042D1A2
free.MSVCRT ref: 0042D245

Strings

/, xrefs: 0042C8D7
8, xrefs: 0042C8C7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen$ferrorfwritestrtol
String ID: /$8
API String ID: 1157984370-364544503
Opcode ID: 7378f553dc583aebfe3b40eb529954ce463475829aa0a47ca28134428cf16a17
Instruction ID: 9905ee9e163896404219eace85484dfa719a2146e6a31bc7573304c2093db135
Opcode Fuzzy Hash: 7378f553dc583aebfe3b40eb529954ce463475829aa0a47ca28134428cf16a17
Instruction Fuzzy Hash: 6272F470E00329DBDB20DFA9E88479DBBF1BF48314F50856AE898A7390D7789985CF05

Function 00426A65 Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 00426C1F
free.MSVCRT ref: 00426C37

Strings

8, xrefs: 00426D25
XWj, xrefs: 00426FF7
s, xrefs: 00426FEE
e, xrefs: 00426EE6
R, xrefs: 00426F0F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: 8$XWj$R$s$e
API String ID: 1294909896-1997389215
Opcode ID: 73d227d54efdcb5b1ff2dcca430196e2d60db19b3e9a690bb2fb0965c52940f2
Instruction ID: 5a9b0b19a21206e99b3f72d2b5e1d64c1f985ebb14a81466567074eae4f5b02a
Opcode Fuzzy Hash: 73d227d54efdcb5b1ff2dcca430196e2d60db19b3e9a690bb2fb0965c52940f2
Instruction Fuzzy Hash: 46E11A74A047108FDB50EF65E88179ABBF1FF49304F85885EE488A7311DBB99885CF4A

Function 004269EF Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0042FC92: strchr.MSVCRT ref: 0042FCBE
Part of subcall function 0042FC92: free.MSVCRT ref: 0042FD26

free.MSVCRT ref: 00426A3C

Part of subcall function 0043B899: free.MSVCRT ref: 0043B8AD
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8C4
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8DC
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8F1

time.MSVCRT ref: 00426F23

Part of subcall function 0042E07D: free.MSVCRT ref: 0042E15C

Strings

8, xrefs: 00426D25
XWj, xrefs: 00426FF7
OVj, xrefs: 00426A1F
s, xrefs: 00426FEE
e, xrefs: 00426EE6
R, xrefs: 00426F0F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strchrtime
String ID: 8$OVj$XWj$R$s$e
API String ID: 3825303048-391996190
Opcode ID: e47f8577d7101ca6e49969ae4e9fda311abbb9038d34b6a419c04f08b8b48dd8
Instruction ID: 4bdc3fd723bd35aa116c51f05fe1364621b74aae86b32c22054a12b0e69fdb17
Opcode Fuzzy Hash: e47f8577d7101ca6e49969ae4e9fda311abbb9038d34b6a419c04f08b8b48dd8
Instruction Fuzzy Hash: 96A11774A047158FDB50EF25E88169ABBF1FF49304F81C85EE488A7311DBB99885CF4A

Function 0041734D Relevance: 17.7, APIs: 14, Instructions: 231
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 00417363
strlen.MSVCRT ref: 00417373
strlen.MSVCRT ref: 004173AE
strlen.MSVCRT ref: 004173BE
strlen.MSVCRT ref: 004173FF
memcpy.MSVCRT ref: 0041741D
strlen.MSVCRT ref: 0041743D
memcpy.MSVCRT ref: 0041745C
memcpy.MSVCRT ref: 00417489
strlen.MSVCRT ref: 004174BD
memcpy.MSVCRT ref: 004174DB
strlen.MSVCRT ref: 00417507
memcpy.MSVCRT ref: 00417526
free.MSVCRT ref: 00417633

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$memcpy$free
String ID:
API String ID: 749734937-0
Opcode ID: b32a3bf4bfc4870d45fb74b80ff61508bdc1460ab216cd73aa15073acbe492c5
Instruction ID: 79dbbf5fa9ae02b723d4d30afbea053788e8b7b1d50dd24c229c6e2782c1b77b
Opcode Fuzzy Hash: b32a3bf4bfc4870d45fb74b80ff61508bdc1460ab216cd73aa15073acbe492c5
Instruction Fuzzy Hash: 84B19EB4E04609AFCB40DFA8C485A9DBBF1FF48314F15C859E898AB311E378A944CF56

Function 0042D89D Relevance: 16.7, APIs: 9, Strings: 2, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.MSVCRT ref: 0042D8DD
free.MSVCRT ref: 0042D8EF

Part of subcall function 0043B899: free.MSVCRT ref: 0043B8AD
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8C4
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8DC
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8F1

free.MSVCRT ref: 0042D945
free.MSVCRT ref: 0042DB07
free.MSVCRT ref: 0042DB3C

Part of subcall function 0043023D: free.MSVCRT ref: 00430256
Part of subcall function 0043023D: free.MSVCRT ref: 0043026E
Part of subcall function 0043023D: free.MSVCRT ref: 00430285
Part of subcall function 0043023D: free.MSVCRT ref: 0043029C
Part of subcall function 0043023D: free.MSVCRT ref: 004302B4
Part of subcall function 0043023D: free.MSVCRT ref: 004302CC
Part of subcall function 0043023D: free.MSVCRT ref: 004302E4
Part of subcall function 0043023D: free.MSVCRT ref: 004302FC
Part of subcall function 0043023D: free.MSVCRT ref: 00430314
Part of subcall function 0043023D: free.MSVCRT ref: 0043032C
Part of subcall function 0043023D: free.MSVCRT ref: 00430341

Strings

), xrefs: 0042D928
0, xrefs: 0042DADE

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: )$0
API String ID: 1294909896-535590263
Opcode ID: fe488163996673be135351baf3fc68c618209ac8fe68856adf5f1f6a06ea1da8
Instruction ID: 862285783a962f45e2c5f4bf1dc5e5f9f25dd8d455fb14d0804f7b3437606c76
Opcode Fuzzy Hash: fe488163996673be135351baf3fc68c618209ac8fe68856adf5f1f6a06ea1da8
Instruction Fuzzy Hash: 88A195B4E043599FDB40EFA9D08579EBBF0AF08304F45885EE888AB351D7789885CF56

Function 0054BDC0 Relevance: 16.6, APIs: 11, Instructions: 117
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

strlen.MSVCRT ref: 0054BDCF
MultiByteToWideChar.KERNEL32 ref: 0054BE04
MultiByteToWideChar.KERNEL32 ref: 0054BE4E
strlen.MSVCRT ref: 0054BE6A
MultiByteToWideChar.KERNEL32 ref: 0054BE96
_wfopen.MSVCRT ref: 0054BEA9
_errno.MSVCRT ref: 0054BEB9
_errno.MSVCRT ref: 0054BEC0
fopen.MSVCRT ref: 0054BED1
fopen.MSVCRT ref: 0054BF11

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ByteCharMultiWide$_errnofopenstrlen$_wfopen
String ID:
API String ID: 3461520518-0
Opcode ID: 275a2c7ecdec79219aada254a0907888565657743c9cb52870c2fe22b07bed98
Instruction ID: 38b2b7b6da2ec73aa722b8c2587b30fa8d6f78ef96be0e7a32f6a6363b7bb566
Opcode Fuzzy Hash: 275a2c7ecdec79219aada254a0907888565657743c9cb52870c2fe22b07bed98
Instruction Fuzzy Hash: 1E41F3B09083059FE700EF69D98529EBBF4FF84714F00C92EE99897240D778D958CB96

Function 00426D3A Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

time.MSVCRT ref: 00426F23
free.MSVCRT ref: 00426F71
free.MSVCRT ref: 00426F89
exit.MSVCRT ref: 00427060

Strings

XWj, xrefs: 00426FF7
s, xrefs: 00426FEE
e, xrefs: 00426EE6
R, xrefs: 00426F0F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$exittime
String ID: XWj$R$s$e
API String ID: 2327188956-2831100210
Opcode ID: c0c4c882d2b4437bae5b8591a15bda57697e8e3fa46ead01aa725bcdf076431f
Instruction ID: e3224db08ec068d2c97d7c066e8258c4dcc9a79a20290058fe33d81adda7d449
Opcode Fuzzy Hash: c0c4c882d2b4437bae5b8591a15bda57697e8e3fa46ead01aa725bcdf076431f
Instruction Fuzzy Hash: C6916A74A04714CFDB40EF65E48069ABBF1FF49308F51885EE488A7312DBB99884CF0A

Function 00421835 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 132
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00421855
getenv.MSVCRT ref: 00421861
exit.MSVCRT ref: 004218DF
exit.MSVCRT ref: 00421957
strcmp.MSVCRT ref: 0042197C
exit.MSVCRT ref: 00421A0B
free.MSVCRT ref: 00421A16

Strings

@6j, xrefs: 004219A8

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit$freegetenvmemsetstrcmp
String ID: @6j
API String ID: 2316467743-2879409633
Opcode ID: 0c08f4214b20baed03230fc34161df495ff80cdeac6b68a6959e1e03693e15be
Instruction ID: 3248f881c551947c21f6dd63d13bbf1119deca145cd0f561b0fdcdb7e6985f29
Opcode Fuzzy Hash: 0c08f4214b20baed03230fc34161df495ff80cdeac6b68a6959e1e03693e15be
Instruction Fuzzy Hash: DE5129B0A0531A9FCB00EFA4C5452EEFBF2AF55304F45886DE4C8AB312E7389944DB56

Function 00419F22 Relevance: 10.9, APIs: 7, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41d86614df0d35bfe67e29a002b0e6fd9c3c576a655602e17f7e786c84c5615
Instruction ID: 808072c06ef70044cfe723c26c6aae70f9e1a5c46350caa80fa86ae7215b2da0
Opcode Fuzzy Hash: d41d86614df0d35bfe67e29a002b0e6fd9c3c576a655602e17f7e786c84c5615
Instruction Fuzzy Hash: F822F4B4909308DFCB00EFA9C08469EBBF1AF49314F11885EE898AB351D779D885DF56

Function 0041E11C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0041E17E
free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

., xrefs: 0041E173
", xrefs: 0041E313

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strrchr
String ID: "$.
API String ID: 274422233-3921061877
Opcode ID: a77223877e1fb2817aef3ad722b323f08f8f1b1bcb50b45d9bb84de42cdf7f7c
Instruction ID: ef6e76cabf1cb4016e6f3718b405b77d4fae76a798a86b11a3fb4da175df8c93
Opcode Fuzzy Hash: a77223877e1fb2817aef3ad722b323f08f8f1b1bcb50b45d9bb84de42cdf7f7c
Instruction Fuzzy Hash: AB51A2B8A043498FCB10EF69C984B9EBBF1BF49314F11499AE8589B351D738DD80CB16

Function 0041E125 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0041E17E
free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

., xrefs: 0041E173
", xrefs: 0041E313

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strrchr
String ID: "$.
API String ID: 274422233-3921061877
Opcode ID: ea76f4e53d2d4a5d1bcade641160f171a98bc873afefab0174d7bf4a8261a747
Instruction ID: c16188e50795d23b001826d3561bf5da6994c05f4d9c9cc00c8f619bf5c8707c
Opcode Fuzzy Hash: ea76f4e53d2d4a5d1bcade641160f171a98bc873afefab0174d7bf4a8261a747
Instruction Fuzzy Hash: 6451B2B8A043498FCB10EF69C984B9EBBF1BF49314F11499AE8599B351D738DD80CB16

Function 0041E12E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0041E17E
free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

., xrefs: 0041E173
", xrefs: 0041E313

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strrchr
String ID: "$.
API String ID: 274422233-3921061877
Opcode ID: 5df61849ce4f0f16a41505c2873c44e5ea51da8e695b819c9476985536bcc7f1
Instruction ID: b340bb9326995705ef740733356b50f47bf59f2315722873c9ffd5b355f3137f
Opcode Fuzzy Hash: 5df61849ce4f0f16a41505c2873c44e5ea51da8e695b819c9476985536bcc7f1
Instruction Fuzzy Hash: F451B2B8A043498FCB10EF69C984B9EBBF1BF49314F11499AE8589B351D738DD84CB16

Function 0041E137 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 0041E17E
free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

., xrefs: 0041E173
", xrefs: 0041E313

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strrchr
String ID: "$.
API String ID: 274422233-3921061877
Opcode ID: ef0e4a82d16e19fe93269afa24d0a7e0888c8fead389b1fd02818a1f6e63eb3b
Instruction ID: 45eb2d3cebc1999a0807d9782dffaa879d5fe24969202ffdadbafde1384fc73c
Opcode Fuzzy Hash: ef0e4a82d16e19fe93269afa24d0a7e0888c8fead389b1fd02818a1f6e63eb3b
Instruction Fuzzy Hash: 6F51B2B8A043498FCB10EF69C984B9EBBF1BF49314F11499AE8589B351D738DD80CB16

Function 004012E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00401339
strlen.MSVCRT ref: 00401359
malloc.MSVCRT ref: 00401364
memcpy.MSVCRT ref: 00401380
_cexit.MSVCRT ref: 004013EE

Strings

[&, xrefs: 004013A0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: malloc$_cexitmemcpystrlen
String ID: [&
API String ID: 701060287-3271595223
Opcode ID: aeb69ca1cb686830ec74dfba737b7d52bbc258aae849b950b97e445a881a7e29
Instruction ID: 965c3d292cbff97388150151c545c7a908f9f77cb4e3548335915cb6c1eb0e9f
Opcode Fuzzy Hash: aeb69ca1cb686830ec74dfba737b7d52bbc258aae849b950b97e445a881a7e29
Instruction Fuzzy Hash: DB3108B99007008FD760DF68E58065AB7F1FB85310F05843ED948A7362E739A845CF59

Function 0041977D Relevance: 9.5, APIs: 2, Strings: 4, Instructions: 480
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00417078: free.MSVCRT ref: 0041709B

strchr.MSVCRT ref: 00419C0C
strlen.MSVCRT ref: 00419D3B

Strings

, xrefs: 00419898
j, xrefs: 004198B8
:, xrefs: 00419C01
Thu, 01 Jan 1970 00:00:00 GMT, xrefs: 004198D1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrchrstrlen
String ID: $:$Thu, 01 Jan 1970 00:00:00 GMT$j
API String ID: 1913134129-4165282386
Opcode ID: e873dad4b49a565b372f5e2d0ea3ec106194eca045ed6557181ed330444d5a2c
Instruction ID: 097db0f84014798812c83fa85dddf91717b471fdfade40e66580a72709d19211
Opcode Fuzzy Hash: e873dad4b49a565b372f5e2d0ea3ec106194eca045ed6557181ed330444d5a2c
Instruction Fuzzy Hash: 7A22E0B46093059FDB00EF69D584A9ABBF1BF49344F15881EE8889B361D778EC84CF46

Function 0041EE13 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

time.MSVCRT ref: 0041EF84
free.MSVCRT ref: 0041F062
free.MSVCRT ref: 0041FF96

Strings

=, xrefs: 0041F223

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$time
String ID: =
API String ID: 3693300059-2322244508
Opcode ID: 620d097b1c9ea0e39160d960c1ec1b0304843c5eb76f4ef63a14d2d0d373fe80
Instruction ID: 0a8e64a59e763a9ce6429c94df9d8a589197a0bc5ff596ea875e4037381337eb
Opcode Fuzzy Hash: 620d097b1c9ea0e39160d960c1ec1b0304843c5eb76f4ef63a14d2d0d373fe80
Instruction Fuzzy Hash: DCC1FA74A043489FCB50DF69C4407DEBBF1AF0A304F04849AE898AB352D779D986CF5A

Function 004F39A0 Relevance: 7.6, APIs: 1, Strings: 4, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,00000000,?,?,?,005754F3), ref: 004F3AB3

Strings

d, xrefs: 004F3AF0
b, xrefs: 004F3B10
A, xrefs: 004F3AE8
`, xrefs: 004F3A19

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID: A$`$b$d
API String ID: 3510742995-2771120670
Opcode ID: 497120e677dea6e6dea1beffe9b69278fb1ca67cff807daaf74c707520e4089b
Instruction ID: aef0e62bf40d3a5c934b54a8e3b3f9b7348d10a4fb89c1de7016fccd1a5de335
Opcode Fuzzy Hash: 497120e677dea6e6dea1beffe9b69278fb1ca67cff807daaf74c707520e4089b
Instruction Fuzzy Hash: C1418FB1A087498FD3109F15C18572BBBE2EF95345F20C81EDACA4B351D3B9E985CB46

Function 00413DD4 Relevance: 7.6, APIs: 5, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00460B09: calloc.MSVCRT ref: 00460B43

Part of subcall function 00411BA2: memset.MSVCRT ref: 00411C94

free.MSVCRT ref: 00413EAE
fclose.MSVCRT ref: 00413EC6

Part of subcall function 0041387F: free.MSVCRT ref: 004139A9

_fileno.MSVCRT ref: 00413ED3
fclose.MSVCRT ref: 00413EFA
free.MSVCRT ref: 00413F12

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$fclose$_filenocallocmemset
String ID:
API String ID: 3449806882-0
Opcode ID: 15e9becd5e46de83467f95fa9ddf09e7ef5359ba3cd663d5132cba1a15197062
Instruction ID: f0e79def0d53250ed262c60bc357264f9804f3a32227b7e46b5d2f497c822c56
Opcode Fuzzy Hash: 15e9becd5e46de83467f95fa9ddf09e7ef5359ba3cd663d5132cba1a15197062
Instruction Fuzzy Hash: F84182B49057049FCB40EFA5C18969EFBF0AF44309F01885EE898AB351D7789A85CB46

Function 0047D4C9 Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

ferror.MSVCRT ref: 0047D4D5
fwrite.MSVCRT ref: 0047D4F9
fwrite.MSVCRT ref: 0047D52F
ferror.MSVCRT ref: 0047D553
_fileno.MSVCRT ref: 0047D562

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfwrite$_fileno
String ID:
API String ID: 3592838841-0
Opcode ID: d8a6108e16a8e68ff5a2a4556ee9fbfb05c248eed037320316f599e93a08bbe8
Instruction ID: f54c4a89a6f91f0cd43f628b621eee4eefa336d910b88ed4659e1127a814c1a0
Opcode Fuzzy Hash: d8a6108e16a8e68ff5a2a4556ee9fbfb05c248eed037320316f599e93a08bbe8
Instruction Fuzzy Hash: 3221A6B4914715EFCB50EF78D985A9EBBF0AF48304F008D29E898D7310E778D9508B56

Function 0047D344 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

ferror.MSVCRT ref: 0047D350
fputs.MSVCRT ref: 0047D366
fputs.MSVCRT ref: 0047D38E
ferror.MSVCRT ref: 0047D3B0
_fileno.MSVCRT ref: 0047D3BF

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfputs$_fileno
String ID:
API String ID: 310648706-0
Opcode ID: 7c58974ccf9d783a330a5cf04a87b04508ebfa75091d7fa345e4e6e2a7ba6abf
Instruction ID: b3f142affa705196af26a418d433a645ceaa96a3feccb72d9e89d320e1d0934f
Opcode Fuzzy Hash: 7c58974ccf9d783a330a5cf04a87b04508ebfa75091d7fa345e4e6e2a7ba6abf
Instruction Fuzzy Hash: 812193709142049BCB40EF78D98969DBBF0EF04310F008D6AE9A9DB351E778E9458B86

Function 004193FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 189stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0041941C
fclose.MSVCRT ref: 0041946F
strlen.MSVCRT ref: 004194A0

Part of subcall function 0047D4C9: ferror.MSVCRT ref: 0047D4D5
Part of subcall function 0047D4C9: fwrite.MSVCRT ref: 0047D4F9

Strings

6, xrefs: 00419450

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$fcloseferrorfwrite
String ID: 6
API String ID: 60933242-498629140
Opcode ID: 1496fcc939fc4c85bc027832da91bf7e5a354d0238d166d15008d50e6eba9e09
Instruction ID: 41490ea08d38f5c031c65a4a0e1b96f2f5238db138098914d4a954de67eb5931
Opcode Fuzzy Hash: 1496fcc939fc4c85bc027832da91bf7e5a354d0238d166d15008d50e6eba9e09
Instruction Fuzzy Hash: 1391BE74A082089FCB44CF69C494A9EBBF1BF48354F14892AE898EB351D339ED85CF55

Function 00412D87 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00412E57
free.MSVCRT ref: 00412E9F
memset.MSVCRT ref: 00412EC1

Strings

, xrefs: 00412EAB

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-3916222277
Opcode ID: c95099f1b1ba6e802d3e0e982dced5e6ba0788d1ff89921ceb082aea28af9b33
Instruction ID: 166d69ca5f3f16b8fad2fb634196107f0005583bfd63ec33eb2758ed592b3820
Opcode Fuzzy Hash: c95099f1b1ba6e802d3e0e982dced5e6ba0788d1ff89921ceb082aea28af9b33
Instruction Fuzzy Hash: 78B1F770A083489FDB10EFA4D5857DEBBF1BF09345F00885AE894EB341D3B89985DB0A

Function 0042C621 Relevance: 6.1, APIs: 4, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c7ba596437187c94d6268acc1911a50dbb34eaca0964d1a5b91be920a0ecbf
Instruction ID: cf7e16e0554f92252ad1b8a70143a527ef91d3dc4a30c83dbc81827b2e2aa2a8
Opcode Fuzzy Hash: a7c7ba596437187c94d6268acc1911a50dbb34eaca0964d1a5b91be920a0ecbf
Instruction Fuzzy Hash: 4851E3B46042069FCB10DF28D484B9E7BE1AF88354F54C52AF8098B391D379E881CF96

Function 0041DB0C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: 978434c4c49930387b52edbf89f155e1d6cdf4a21255d9b389c9e506a96bc254
Instruction ID: a0d4243d262b47d471b74db286fe56e8889208a22803b9b8f03a010c74fc011a
Opcode Fuzzy Hash: 978434c4c49930387b52edbf89f155e1d6cdf4a21255d9b389c9e506a96bc254
Instruction Fuzzy Hash: 6F4136B49052498FDB10EF64C884BDEBBF0BF05304F11499AE8A49B352D378D985CF89

Function 0041DA5F Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: 9723ccd9cdee488990608615eb4d5838bdbddb6377fcee2c30cb596651fba2bf
Instruction ID: e410c56f6590e62ab90ae5a39fd0e8de74edec7df31a91afd7966630aba616d1
Opcode Fuzzy Hash: 9723ccd9cdee488990608615eb4d5838bdbddb6377fcee2c30cb596651fba2bf
Instruction Fuzzy Hash: A24115B4A042498FDB10EF64C884BDEBBF0BF05304F11499AE8649B352D378D985CF99

Function 0041DA32 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: ffb9b38d2cc040dd394aaaf56b61d18c6f4037d3e4f321e65aa71301f4bed40b
Instruction ID: 785210258a9d37480deb3a86f9126cc30d9074fd5be2df1ee8de5db8cd704001
Opcode Fuzzy Hash: ffb9b38d2cc040dd394aaaf56b61d18c6f4037d3e4f321e65aa71301f4bed40b
Instruction Fuzzy Hash: 024114B4A042498FDB10EF64C884BDEBBF0BF05304F11899AE8649B352D378D985CF99

Function 0041DAE6 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: b3daa94482c57a7a2589ca59f8c387141f6c0f0f27d68a98c2ea13de8983dab7
Instruction ID: 57915c63eaa9b8c0ca951baae56b3f79d8f9ef5f3fe95050119084277df2f5ad
Opcode Fuzzy Hash: b3daa94482c57a7a2589ca59f8c387141f6c0f0f27d68a98c2ea13de8983dab7
Instruction Fuzzy Hash: 2D4115B4A042498FDB10EF64C884BDEBBF0BF05304F11499AE8649B392D378D985DF95

Function 0041DA8C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: a3c2fa572bc3bf9351fac8711145b6a22fbe8d6f8aa9d98ce36347097f80d6bb
Instruction ID: 5ac31a97a5ed70ab5cbef0135f7a92194b53beb600d23fea9fe8f0a869715d13
Opcode Fuzzy Hash: a3c2fa572bc3bf9351fac8711145b6a22fbe8d6f8aa9d98ce36347097f80d6bb
Instruction Fuzzy Hash: B84114B4A042498FDB10EF64C888BDEBBF0BF05304F11499AE8649B352D378D985CF99

Function 0041DAB9 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: #
API String ID: 1294909896-1885708031
Opcode ID: 5b846f7cd01a69ce3ac63edc554a45ddd86485903fbd4ee1448e0b1e1855ca8b
Instruction ID: 393f6fbe86eb3052d1150eee4edd620d502d5f1d79251ab8ab4f07f415afa825
Opcode Fuzzy Hash: 5b846f7cd01a69ce3ac63edc554a45ddd86485903fbd4ee1448e0b1e1855ca8b
Instruction Fuzzy Hash: 194115B4A042498FDB10EF64C884BDEBBF0BF05304F11499AE8A49B352D378D985DF99

Function 0041DB58 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 79stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 0041DBDD
free.MSVCRT ref: 0041EC57
free.MSVCRT ref: 0041EC69
free.MSVCRT ref: 0041EC7E

Strings

#, xrefs: 0041DCE9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strchr
String ID: #
API String ID: 2369460792-1885708031
Opcode ID: 3414fd8933293d5b8d56627fe1e30dae5b0ffbc70b9b2ab37d5f0c3d687e1ae6
Instruction ID: fc894027f21602762751c51404fea94026679a2a31089601ea60a9137592f78b
Opcode Fuzzy Hash: 3414fd8933293d5b8d56627fe1e30dae5b0ffbc70b9b2ab37d5f0c3d687e1ae6
Instruction Fuzzy Hash: 3231F3B4A042498FDB10EF64C884BDEBBF0BF05314F11499AE864AB392D378D985CF95

Function 0043F01B Relevance: 6.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0043F029
free.MSVCRT ref: 0043F040
strlen.MSVCRT ref: 0043F055

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

SetConsoleTitleA.KERNELBASE ref: 0043F0B0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$ConsoleTitle
String ID:
API String ID: 1994177765-0
Opcode ID: 715eb3f84be509a2fcfde9d7eced7b9bf160d2ef9c52872fb052417eb36322c3
Instruction ID: 2f602f612cc5dcb17bf36531ddd28f8a568aee71e474dc415e782fe3a2ce588a
Opcode Fuzzy Hash: 715eb3f84be509a2fcfde9d7eced7b9bf160d2ef9c52872fb052417eb36322c3
Instruction Fuzzy Hash: 6901C8B49047009BC740FF78E8856497BF0FB48359F01892CE498A7375E7B898848B4A

Function 0043F8F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 248COMMON

Download Yara Rule

Strings

0, xrefs: 0043F961
!, xrefs: 0043FD15

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: _strdup
String ID: !$0
API String ID: 1169197092-301933775
Opcode ID: 79a52b6e4f34db024e4c6e05b39ccc2a276c99eb97d15e5d5ff391509746279a
Instruction ID: a97783de4948e808963add2b9b8a9abf3a019dea89433ed59dd298d3474c37d7
Opcode Fuzzy Hash: 79a52b6e4f34db024e4c6e05b39ccc2a276c99eb97d15e5d5ff391509746279a
Instruction Fuzzy Hash: 7BB1B6B49093059FD740EFA5D58579EBBF0FB48309F10982EE884A7361D7BC9884CB5A

Function 0043F39C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 0043F43F
CloseHandle.KERNELBASE ref: 0043F518

Strings

N(A, xrefs: 0043F3A2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID: N(A
API String ID: 3032276028-3653478004
Opcode ID: ec526c603de0b0b10e0024b37cf8df1287289b8a841516e3ed8ee141f38516f8
Instruction ID: 631b2ffcea90623892d965e4f6b82528291757fb6156b80df46224b602b1eb86
Opcode Fuzzy Hash: ec526c603de0b0b10e0024b37cf8df1287289b8a841516e3ed8ee141f38516f8
Instruction Fuzzy Hash: 224108B4904259DFDB40EFA8E9406AEBBF0FF48304F00942AE894E7351E7789945CF56

Function 0042D25D Relevance: 5.2, APIs: 4, Instructions: 164COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0042D2B7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 801cc7c671341da9f68db69cc4637cddc346a3bb823fdedf0cad0dec95c28f3d
Instruction ID: 28db09580a94379e77249def635cd5996f72259a314eeb98d7cf7f30adc93cd3
Opcode Fuzzy Hash: 801cc7c671341da9f68db69cc4637cddc346a3bb823fdedf0cad0dec95c28f3d
Instruction Fuzzy Hash: 857190B4E0421ADFDF40DFA8D5847AEB7F0BF48304F50896AE854A7351D378AA40CB66

Function 005400F0 Relevance: 5.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00540157
malloc.MSVCRT ref: 0054019D
free.MSVCRT ref: 005401D3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freemallocmemcpy
String ID:
API String ID: 3056473165-0
Opcode ID: e5ec8185e0ddb8ed4c4c3f98b6164e58c42435811ab1d4489655ecd469324852
Instruction ID: 10e4e68930de5d37dd9f93d49253b5c4b3ec9597af1e54e3a791a7f4ae55e52b
Opcode Fuzzy Hash: e5ec8185e0ddb8ed4c4c3f98b6164e58c42435811ab1d4489655ecd469324852
Instruction Fuzzy Hash: 0D418071A087158BC710AF6AE88415EFFE5FFC4754F24A93EEA8887351D6718840CB82

Function 004019A8 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004019B1
free.MSVCRT ref: 004019FF

Part of subcall function 00401570: abort.MSVCRT ref: 00401650

Part of subcall function 0047CD45: WSASocketA.WS2_32 ref: 0047CD88

Strings

), xrefs: 00401ADD

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$Socketabort
String ID: )
API String ID: 1951475325-2427484129
Opcode ID: 47875c9e49db872d097af2beac85b8ab2a4a18329d0e9fc9c45670de49320ff4
Instruction ID: 5b1bc68b90c6b26f7c28ce40ca56dd23dbb7e68ff23e3cb575841447d016275c
Opcode Fuzzy Hash: 47875c9e49db872d097af2beac85b8ab2a4a18329d0e9fc9c45670de49320ff4
Instruction Fuzzy Hash: 8E71A6B49083059FDB50EFA5C4857AEBBF1EF48304F10886EE898A7351E778D9458F1A

Function 0047CF40 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 126stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0047CFCA
strcpy.MSVCRT ref: 0047D00B

Strings

/, xrefs: 0047D081

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strcpystrlen
String ID: /
API String ID: 2543315000-2043925204
Opcode ID: a3b17050d1f158781d9add6fd88b0b898e1ff1bdd6c7f8b4b8e1e936783b695a
Instruction ID: ef246b47ee778193be47cea3fe124f909e76eb280f3e4781451f6bb9bbd0dbc9
Opcode Fuzzy Hash: a3b17050d1f158781d9add6fd88b0b898e1ff1bdd6c7f8b4b8e1e936783b695a
Instruction Fuzzy Hash: C6517B30D04289CACF24DFA8D8953EEBBF1EF45304F04956BD4699B380C379898ACB45

Function 0043AE20 Relevance: 4.6, APIs: 3, Instructions: 125COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0043AE6A
CoInitializeEx.COMBASE ref: 0043AE9D

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ConsoleInitializeWindow
String ID:
API String ID: 3649267127-0
Opcode ID: f6f6232bc1c7fe2cdb30d62d726dad77c52301c1740cddb9bed7a33d9f0e6cbf
Instruction ID: 8d280c15701826048ab65ea85b58ecb918681cff13f09564d54c7fb0260c2724
Opcode Fuzzy Hash: f6f6232bc1c7fe2cdb30d62d726dad77c52301c1740cddb9bed7a33d9f0e6cbf
Instruction Fuzzy Hash: 7C511B74605300DFE714DF68D98478ABBF4EB48319F10C519E5649B3B0E7B89984EF8A

Function 00464696 Relevance: 4.6, APIs: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 004646AA
strlen.MSVCRT ref: 004646C0

Part of subcall function 00468A51: strcmp.MSVCRT ref: 00468A8C

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strcmp$strlen
String ID:
API String ID: 982114912-0
Opcode ID: 13fa9c9e605a36617a72e788f1147402baeed7aa7496a1dd21c4337cf82b006f
Instruction ID: 082e9b9c434e19273e75ba9a1ec8f7dc47641338265906865c71cbe26f4c8f1b
Opcode Fuzzy Hash: 13fa9c9e605a36617a72e788f1147402baeed7aa7496a1dd21c4337cf82b006f
Instruction Fuzzy Hash: C441CC74904209DFCB00EF68C4857ADBBF1EF45315F00886AE954DB350E778D981DB96

Function 0043F281 Relevance: 4.5, APIs: 3, Instructions: 49networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0043F2AB
exit.MSVCRT ref: 0043F2E2
exit.MSVCRT ref: 0043F323

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit$Startup
String ID:
API String ID: 3290106138-0
Opcode ID: 35c906f8250cf9bf4b3bb54227b665c69b0c9c208ce901add356cc7b19cf7847
Instruction ID: ba5bf66eb07a604192a5a88e9c68f9ca633e385c5d616674ea4bbda6c7e28e68
Opcode Fuzzy Hash: 35c906f8250cf9bf4b3bb54227b665c69b0c9c208ce901add356cc7b19cf7847
Instruction Fuzzy Hash: 64113474904305DFDB40BF68D9412ADBBF1EF89309F80D82DE4889B351D7B89885CB4A

Function 004270AE Relevance: 3.9, APIs: 3, Instructions: 183stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0042721B

Part of subcall function 004213D9: getenv.MSVCRT ref: 004213EF
Part of subcall function 004213D9: free.MSVCRT ref: 00421436

strlen.MSVCRT ref: 004270FD
free.MSVCRT ref: 0042715E

Part of subcall function 0047CF40: strlen.MSVCRT ref: 0047CFCA

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$getenvstrcmp
String ID:
API String ID: 2448397153-0
Opcode ID: afe61a2ce3640a36f12c00694347dcf7a4d2190420514f87bc4dca361c57cb21
Instruction ID: 0743a0cb2b298ba9ae7ea8ab5c6fde8c6ef70db0f93a9feed584ed7be7c44891
Opcode Fuzzy Hash: afe61a2ce3640a36f12c00694347dcf7a4d2190420514f87bc4dca361c57cb21
Instruction Fuzzy Hash: C471F474A08219DFDB00DFA9E484AAABBF4FF09304F54889AE855DB350D378D941CF69

Function 0041A719 Relevance: 3.9, APIs: 3, Instructions: 179COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041A7DF
free.MSVCRT ref: 0041A853
free.MSVCRT ref: 0041A925

Part of subcall function 00418CC2: free.MSVCRT ref: 00418EB2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d0db221c8ffc9b81a0e7f67f5ac5466e610c7987db6fdcd065fe83b5071c2100
Instruction ID: aa6813a580a65116210c012cab052189b34e958acc99939f23a3fc6519a6496f
Opcode Fuzzy Hash: d0db221c8ffc9b81a0e7f67f5ac5466e610c7987db6fdcd065fe83b5071c2100
Instruction Fuzzy Hash: A77117B4A152449FCB40DF68C190AEABBF0EF09314F05C85AECA49B352D739D985CF56

Function 0041AF0E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

Part of subcall function 00430350: strlen.MSVCRT ref: 0043035D

Part of subcall function 0042E742: strlen.MSVCRT ref: 0042E74F
Part of subcall function 0042E742: rename.MSVCRT ref: 0042E922

_fdopen.MSVCRT ref: 0041B05E

Strings

`F:v, xrefs: 0041AF14, 0041B12C

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$_fdopenrename
String ID: `F:v
API String ID: 516826447-4072330013
Opcode ID: cf2555b4fb802af3a0f6a9a606caf1c3687af937c5ce50fdfb8a4a2aa3d48bc6
Instruction ID: 7589cfd2ef86fa9d69714036b616c42fb2a6c61bc901604dfb789caebdacf73e
Opcode Fuzzy Hash: cf2555b4fb802af3a0f6a9a606caf1c3687af937c5ce50fdfb8a4a2aa3d48bc6
Instruction Fuzzy Hash: 4271C6746143409FDB40EF29C480A9A7BE0FF49354F01885AF998CB321E779DC85CB9A

Function 004023DD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 00402400

Strings

@, xrefs: 004023DD

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID: @
API String ID: 2483651598-2766056989
Opcode ID: f19004df49279bc7550a0b8a3df8d7c6affa8de33b375ad2a8e6c0e3c9394521
Instruction ID: 555673a0d254e813efa1906ebc93e1e8a8f3f05757b78d1321a0da667d21a47a
Opcode Fuzzy Hash: f19004df49279bc7550a0b8a3df8d7c6affa8de33b375ad2a8e6c0e3c9394521
Instruction Fuzzy Hash: F041BE70904229CBCB20DF15DA897DEB7F0EF48304F5084AAE848A6290D3799F95CF95

Function 0041F0F5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 0041F1F4

Part of subcall function 0047CF40: strlen.MSVCRT ref: 0047CFCA

Strings

=, xrefs: 0041F223

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlentime
String ID: =
API String ID: 3241370836-2322244508
Opcode ID: 964740f4c99686a495eb6d299b7b2da4ae752580c7eee0f4ccc352cfc92988c6
Instruction ID: 70e797156160c8e2c65590d8a2d8c8daf6884810d145fd9066f645a9ee06cd75
Opcode Fuzzy Hash: 964740f4c99686a495eb6d299b7b2da4ae752580c7eee0f4ccc352cfc92988c6
Instruction Fuzzy Hash: F63192B4904259DFDB50DF68C98079AB7F1AB49304F1089AAE898A7311E7389D89CF45

Function 0043F0B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

SetConsoleTitleA.KERNELBASE ref: 0043F15C

Strings

d, xrefs: 0043F110

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ConsoleTitle
String ID: d
API String ID: 3358957663-2564639436
Opcode ID: 470ca4840c38c49093014c53db79bdbc5eeb08288b7867b20db8ae8acb14da7d
Instruction ID: 63bd806f4766f10f573de8ab512822fe66ff0c499071e59b7ab288b2cf3a0d65
Opcode Fuzzy Hash: 470ca4840c38c49093014c53db79bdbc5eeb08288b7867b20db8ae8acb14da7d
Instruction Fuzzy Hash: C621BB78E04208DACF00AF95E9446DEBBF4FF4D705F00A46AE864A6264E3389D45CF69

Function 0041F0D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 0041F1F4

Strings

=, xrefs: 0041F223

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: time
String ID: =
API String ID: 1872009285-2322244508
Opcode ID: 14d9f3d69f090f1a17790957a2742d18f06f40b48bcf7fb76afe35d3863600da
Instruction ID: 8eec7af03fa72e39f5361f43c7037e95f263fa78abe1c5ac9c2e473e214ffc5a
Opcode Fuzzy Hash: 14d9f3d69f090f1a17790957a2742d18f06f40b48bcf7fb76afe35d3863600da
Instruction Fuzzy Hash: E92180B4A04249DFCB50DF68C88069ABBF1FB49304F11896AE898E7310E738DD85CF56

Function 0043F5F7 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,?,?,00402552), ref: 0043F6B6

Strings

4', xrefs: 0043F66A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: abort
String ID: 4'
API String ID: 4206212132-1610175587
Opcode ID: 911f266f9143c72e0447eac51af53391e465a35c68cd5edcef9d4594cc415073
Instruction ID: ca16a917f653f69a80e104804aaa2e7a0348c03309473b54e2363fbf34c7c971
Opcode Fuzzy Hash: 911f266f9143c72e0447eac51af53391e465a35c68cd5edcef9d4594cc415073
Instruction Fuzzy Hash: CE11D7B0804305DBDB54EFB9D94639EBBF0AB44309F00982AD09597361D7BC9A49CF5A

Function 00440184 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 167COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00440209

Part of subcall function 00460B09: calloc.MSVCRT ref: 00460B43

Strings

7, xrefs: 004401ED

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: callocfree
String ID: 7
API String ID: 306872129-1790921346
Opcode ID: 5d247ad5574d2652f3986449516e2a27e64f1fa262da87ac1319bc533339b0f2
Instruction ID: 2e2598d4d15525469d61ed0a8057c319054c3a9d5767f11e4922e6e8e6e4726a
Opcode Fuzzy Hash: 5d247ad5574d2652f3986449516e2a27e64f1fa262da87ac1319bc533339b0f2
Instruction Fuzzy Hash: EA71E6B49083059FEB10EFA5C4856AEBBF0EF09304F00986AE99497341D778D951CF5A

Function 005A56D0 Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 005A5770

Strings

{, xrefs: 005A5794

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID: {
API String ID: 3510742995-366298937
Opcode ID: 8593c2dc27c60c5dfcabeac99fc87ecb64a0006f14ed6540b60574d0d53536b6
Instruction ID: 52c66950c6ccec48e599880332683762f6543f338f764ca9a99d3c4491c18395
Opcode Fuzzy Hash: 8593c2dc27c60c5dfcabeac99fc87ecb64a0006f14ed6540b60574d0d53536b6
Instruction Fuzzy Hash: C34126746087029FD3109F69C08461EFBE0FF8A758F24C92DE9899B351E778C845CB92

Function 00423EF3 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00423F95
exit.MSVCRT ref: 00423FE4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitmemset
String ID:
API String ID: 2099101326-0
Opcode ID: 9d11301d8d0457d865ad5a0a43a07fbcbe6ae79590103d2611f4a8ea91e5833e
Instruction ID: 41ae15fc92de30a2dab86ce7de09d4c6dc46d61175eb8e1fc1848420f1f01db8
Opcode Fuzzy Hash: 9d11301d8d0457d865ad5a0a43a07fbcbe6ae79590103d2611f4a8ea91e5833e
Instruction Fuzzy Hash: 18213870A04258DFCB00EFA8E880ADDBBF0EF49305F41889AE948D7321C77D9A85CB15

Function 00423F54 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00423F95
exit.MSVCRT ref: 00423FE4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitmemset
String ID:
API String ID: 2099101326-0
Opcode ID: ed75e973074cdef3beb622bfe2423ff84917c583f9f467357b2aaf3e8c7d9430
Instruction ID: 3ef781411e9eb80c620050ac242bfa0557689184d141cb07de7dffad3e62f522
Opcode Fuzzy Hash: ed75e973074cdef3beb622bfe2423ff84917c583f9f467357b2aaf3e8c7d9430
Instruction Fuzzy Hash: 71112570A04258CFCB00DFA4E440ADEBBF4EF49305F51989AE588E7311D27D9A45CB1A

Function 00423F46 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00423F95
exit.MSVCRT ref: 00423FE4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitmemset
String ID:
API String ID: 2099101326-0
Opcode ID: d8c4aec8a603dbeca3b416f111519c739c41335eee2eee593aea778c535aa209
Instruction ID: ccdf3e9afb81024ebc7595c239ac2f2a92eff6d53d61fcb8c42d16acb8a84207
Opcode Fuzzy Hash: d8c4aec8a603dbeca3b416f111519c739c41335eee2eee593aea778c535aa209
Instruction Fuzzy Hash: 18111570A042589ECB00DFA4E440ADEBBF0EF49305F51889AE488E7311C27D9A45CB2A

Function 00423F6F Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00423F95
exit.MSVCRT ref: 00423FE4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitmemset
String ID:
API String ID: 2099101326-0
Opcode ID: 600320caa1e9103d0db4132fde1cafc95bf4c6b47e46888636e1ba82281d108d
Instruction ID: ed3cc8e07aa7325973fa8dbab8a072d0588bf1a75424b4137fad0591a98ac6d8
Opcode Fuzzy Hash: 600320caa1e9103d0db4132fde1cafc95bf4c6b47e46888636e1ba82281d108d
Instruction Fuzzy Hash: CE11E570A04218DFDB00DFA8E480ADEBBF4EF49305F51885AE488E7351D77D9A44CB26

Function 00423F38 Relevance: 3.0, APIs: 2, Instructions: 43COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00423F95
exit.MSVCRT ref: 00423FE4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitmemset
String ID:
API String ID: 2099101326-0
Opcode ID: ec83d1c357471287911a55739f13455890432768a7bf02ae1a45322970a65433
Instruction ID: 4ac567a2d8191226b80cc39fea47c300b508cd27c7aefe1b6f0b6c31ec6e91a8
Opcode Fuzzy Hash: ec83d1c357471287911a55739f13455890432768a7bf02ae1a45322970a65433
Instruction Fuzzy Hash: 5611E570A04218DFDB00DFA8E580ADEBBF4EF49305F51885AE488E7311D77C9A44CB1A

Function 00424896 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00424928

Strings

;j, xrefs: 0042490E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: ;j
API String ID: 1294909896-1977938914
Opcode ID: ad409d82c504765ab01c8389b7fabd896787edae2e84b6573de13c37c85f4b8c
Instruction ID: 1f27e88fa889f734d7828730a967bb973907e3299c71c90dba63bd16e4046c3a
Opcode Fuzzy Hash: ad409d82c504765ab01c8389b7fabd896787edae2e84b6573de13c37c85f4b8c
Instruction Fuzzy Hash: 2F0157B4A08314AFCB50EFA6E40139EBBF0EF45305F80885EA494A7301D7BC9980CF0A

Function 0047CD45 Relevance: 3.0, APIs: 2, Instructions: 30networkCOMMON

Download Yara Rule

APIs

WSASocketA.WS2_32 ref: 0047CD88
_open_osfhandle.MSVCRT ref: 0047CDB5

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: Socket_open_osfhandle
String ID:
API String ID: 2711568458-0
Opcode ID: 4e8f23924f10283bdc33ec1ef7bc4c70bd5dbc860a21ee0b48c98884fea07405
Instruction ID: 9953b17059341df9d053e2a1fd5358db5be358a1a020380fa032044eb7135807
Opcode Fuzzy Hash: 4e8f23924f10283bdc33ec1ef7bc4c70bd5dbc860a21ee0b48c98884fea07405
Instruction Fuzzy Hash: 76F0B6B05043049FCB40EF69D48569EBBF0BB44318F00CA1DE9A897390D7B999448F96

Function 0043467F Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00434692
_utime.MSVCRT ref: 004346A7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: _utimetime
String ID:
API String ID: 2365392533-0
Opcode ID: 5d7b8e0e51d40e907e0c0ef6eca9a611386bd34c2ab41a737e0b0de17b86c666
Instruction ID: 3d67df263d2003d0eb0fd2ed5d194bb3cbd82581c6bc4154f53429d51ba7083d
Opcode Fuzzy Hash: 5d7b8e0e51d40e907e0c0ef6eca9a611386bd34c2ab41a737e0b0de17b86c666
Instruction Fuzzy Hash: 33F092B49043049FCB40EFA9D48169DBBF0AF49354F01991EE8A9D7391D77899809F46

Function 00428A28 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00428AFA
free.MSVCRT ref: 00428B0F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1a1ef44b58ce5155f59f007b431e5b7c724047e294409035cc663f2025063bb0
Instruction ID: be9f1a485516f7723145d8fd51c122b4ee4804a0062790a37a97143ab2b29634
Opcode Fuzzy Hash: 1a1ef44b58ce5155f59f007b431e5b7c724047e294409035cc663f2025063bb0
Instruction Fuzzy Hash: 5F31D1B8A01208AFCB44EF99D484A5DBBF1FF48314F55849AEC549B312DB78E940CF55

Function 0042156B Relevance: 2.5, APIs: 2, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 0042144C: getenv.MSVCRT ref: 00421459
Part of subcall function 0042144C: exit.MSVCRT ref: 004214CA

free.MSVCRT ref: 004215DF
free.MSVCRT ref: 004215F1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$exitgetenv
String ID:
API String ID: 775086512-0
Opcode ID: 3ef97d3ec32bd3dbb1181ce44b909ee2e43835db7ec2e0d324c69bdb11b47f8f
Instruction ID: 68ffc5274a1bfae9c889fb61ba61b14076a662a9578c0e379acd83caab325263
Opcode Fuzzy Hash: 3ef97d3ec32bd3dbb1181ce44b909ee2e43835db7ec2e0d324c69bdb11b47f8f
Instruction Fuzzy Hash: 4D11F7B0D04228AFCB00EFA5D44939EBBF0AF54308F40889AE4A5AB351D3799A84CF55

Function 0044007B Relevance: 2.5, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004400AE
free.MSVCRT ref: 004400C3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 91310159e71ccbf5a56bbe3123e289c33a0625fe3579f224f16f9b26aa63a248
Instruction ID: 14c0435220f77f5d26195cbd89c5a62e6a8faf6bde1fa3b9da596c105c73ac4b
Opcode Fuzzy Hash: 91310159e71ccbf5a56bbe3123e289c33a0625fe3579f224f16f9b26aa63a248
Instruction Fuzzy Hash: 4F1172B4904309AFDB40EFA9C485A9EBBF0EF49344F018859E998AB311E778E9408F55

Function 004214E3 Relevance: 2.5, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 004213D9: getenv.MSVCRT ref: 004213EF
Part of subcall function 004213D9: free.MSVCRT ref: 00421436

free.MSVCRT ref: 0042151A
free.MSVCRT ref: 00421553

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$getenv
String ID:
API String ID: 942515318-0
Opcode ID: 518c54a789697a5c6b4831e54babfa33ed932a3633049fddc5fc828749e89317
Instruction ID: c0bd9c489619de216a66150b8a8ca0707502c7fb59418c44fbc18873d13140e5
Opcode Fuzzy Hash: 518c54a789697a5c6b4831e54babfa33ed932a3633049fddc5fc828749e89317
Instruction Fuzzy Hash: D301C8B0E04228ABDB40EFA5D4453AEB7F0BF54348F40885EE495A7350D37899848F86

Function 00461869 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 004618B0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: connect
String ID:
API String ID: 1959786783-0
Opcode ID: 04f03a6811c614121f33b76f869edaf1089a20586fa265b9c81c4feedc987e02
Instruction ID: 6e8d309fab39bf9baebf067e29b8b09d0b026cedcf54d4b5de631c28274fd827
Opcode Fuzzy Hash: 04f03a6811c614121f33b76f869edaf1089a20586fa265b9c81c4feedc987e02
Instruction Fuzzy Hash: BF01C474904215DFCB00FFB9D88559DBBF0BB44325F008A2AE465D72A0E7789940DF56

Function 0041284E Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 00412886

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: getaddrinfo
String ID:
API String ID: 300660673-0
Opcode ID: cbb95dcc5888576af45be5941620f59cd4ee6ba8284f3416f2a602a45be379a8
Instruction ID: fe544205b4f2411dffe926bc1f1767dffefaf07eb8a3451ed645b5bca9df3f44
Opcode Fuzzy Hash: cbb95dcc5888576af45be5941620f59cd4ee6ba8284f3416f2a602a45be379a8
Instruction Fuzzy Hash: 6BF04D78E04208AFCB04DF69D58488AFBF4FB88354B01C4AAE96897321D330EA40CF51

Function 0047AA5D Relevance: 1.5, APIs: 1, Instructions: 25networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0047AA34: GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,0047AA6E), ref: 0047AA4C

WSAEnumNetworkEvents.WS2_32 ref: 0047AA9A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ConsoleEnumEventsModeNetwork
String ID:
API String ID: 583204498-0
Opcode ID: 862b3bffad0a1818dcd20fa8192cdd618566d059ca948438e88f8f7323121268
Instruction ID: 9044311f2f7148dd6453d4ad627516b68afe01fcf58160d024c78015fee40a20
Opcode Fuzzy Hash: 862b3bffad0a1818dcd20fa8192cdd618566d059ca948438e88f8f7323121268
Instruction Fuzzy Hash: EEF01C749052069BDB00EF68D68169DBBE5AB80348F10842AF444D7250F638D995CB86

Function 00439C03 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetConsoleScreenBufferInfo.KERNELBASE ref: 00439C29

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: BufferConsoleInfoScreen
String ID:
API String ID: 3437242342-0
Opcode ID: dfcd4c2100ae190027de928b43d96c00dbc831342f7b3fc49fdb3aa3b18c8279
Instruction ID: 91b8f57e9f5d2d2d8f998abc68752e66a25a490a3fb34714e5a7239af27c0417
Opcode Fuzzy Hash: dfcd4c2100ae190027de928b43d96c00dbc831342f7b3fc49fdb3aa3b18c8279
Instruction Fuzzy Hash: 88E04F74504305C7CB10BB78E94125DB7F0AB44204F508625A860D73A4E2789C0ACB56

Function 0047AA34 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNELBASE(?,?,?,?,?,?,?,?,?,0047AA6E), ref: 0047AA4C

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ConsoleMode
String ID:
API String ID: 4145635619-0
Opcode ID: 80480ece5c09b5b35940650d0ba9ae42ad8eb97845d2f4cd483cd80533cce654
Instruction ID: 2b7fe6eb735d98fff3a59e19e7a640a738f7f3286625aafbe770bda874728109
Opcode Fuzzy Hash: 80480ece5c09b5b35940650d0ba9ae42ad8eb97845d2f4cd483cd80533cce654
Instruction Fuzzy Hash: 72D0C734505305DBD700EF79DD8265977F8EB44245F008435AC54D3250F674E9559756

Function 0046467C Relevance: 1.5, APIs: 1, Instructions: 10fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0046468F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fopen
String ID:
API String ID: 1432627528-0
Opcode ID: f678540ac207d7a4ece132411da7f97e21d93bdf7e1e93c913f34b2c1c87ecf8
Instruction ID: 750549a0b97c8e0f9a2ff1375084a205b6d34a6627c55bcb84dda5a6eed577fa
Opcode Fuzzy Hash: f678540ac207d7a4ece132411da7f97e21d93bdf7e1e93c913f34b2c1c87ecf8
Instruction Fuzzy Hash: 44C00274504708ABCB40FF69C546449BBE4AA44654F40885DAD8897341E670E9418B86

Function 00423D0C Relevance: 1.4, APIs: 1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fflush$ferror
String ID:
API String ID: 2552446576-0
Opcode ID: c6a553a7cc52543f409f4ea739795cf71f01be604600bc47326b2f67ea8b52c6
Instruction ID: b2591332b61e99e1f98b8d45c8656f49debbebd2144fa89ce6cf02cd3d106414
Opcode Fuzzy Hash: c6a553a7cc52543f409f4ea739795cf71f01be604600bc47326b2f67ea8b52c6
Instruction Fuzzy Hash: D6419E78A047199FCB00DFA9C080AAEBBF0BF48715F51885AE898DB311D338EA41DF55

Function 00540010 Relevance: 1.3, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 005400B1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eee766dfc27c4a1ef9eaf450829c6c0ba7474cfec757f85b2aa26daea8bd08f8
Instruction ID: cb7556e4f15a1fc05d43627bab0bcd56265c1bcd7336d14593879f634045cb83
Opcode Fuzzy Hash: eee766dfc27c4a1ef9eaf450829c6c0ba7474cfec757f85b2aa26daea8bd08f8
Instruction Fuzzy Hash: CD11B7726093408BE7109A1CE88935BBBD3BFE031CFB95969DA4D473D6E275C8409752

Function 00402C9B Relevance: 1.3, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00402D2B

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e67394bb7136c0bf6bc4f7055df30ff5de0000bc6388ff562c88e7ebc2cddba5
Instruction ID: f77e7718b88f293aa5d98531dd08ea47ce6418b669dd63fff0d49620fea51c9c
Opcode Fuzzy Hash: e67394bb7136c0bf6bc4f7055df30ff5de0000bc6388ff562c88e7ebc2cddba5
Instruction Fuzzy Hash: 1821A774A04604EFCB04DF65D58875ABBF0AF48344F01C56AE8549B3A1D378D981DF55

Function 0043E9BA Relevance: 1.3, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

Part of subcall function 0043AE20: GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0043AE6A

free.MSVCRT ref: 0043E9D4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ConsoleWindowfree
String ID:
API String ID: 2737378773-0
Opcode ID: 976e63d70306c5dadfcd165419d18ee9a74ef74d77386df5177f0ef06ccc518c
Instruction ID: 0336be1f7356ff0d79f244d22c4d80e4556c4336f768efb9b66c983b7dccd9a1
Opcode Fuzzy Hash: 976e63d70306c5dadfcd165419d18ee9a74ef74d77386df5177f0ef06ccc518c
Instruction Fuzzy Hash: 13D0A7700043448BC740BF7AEC4310937F4DB01325F40560C91E4973E1CAB8A840C78B

Non-executed Functions

Function 00672100 Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 207fileCOMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00672143
GetFileType.KERNEL32 ref: 00672156
_telli64.MSVCRT ref: 00672172
GetFileSizeEx.KERNEL32 ref: 006721A5
SetFilePointer.KERNEL32 ref: 006721EF
SetEndOfFile.KERNEL32 ref: 00672204
_lseeki64.MSVCRT ref: 00672237
GetFileInformationByHandle.KERNEL32 ref: 00672265
calloc.MSVCRT ref: 00672285
calloc.MSVCRT ref: 0067229B
FindFirstVolumeW.KERNEL32 ref: 006722BD
GetVolumeInformationW.KERNEL32 ref: 00672327
FindVolumeClose.KERNEL32 ref: 0067233D
free.MSVCRT ref: 00672349
GetDiskFreeSpaceExW.KERNEL32 ref: 00672369
free.MSVCRT ref: 00672377
GetLastError.KERNEL32 ref: 006723CB

Strings

2, xrefs: 006722D0
2, xrefs: 006722B2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: File$Volume$FindInformationcallocfree$CloseDiskErrorFirstFreeHandleLastPointerSizeSpaceType_get_osfhandle_lseeki64_telli64
String ID: 2$2
API String ID: 3491859926-3784399050
Opcode ID: 86e5fae8627af5e8a306d80b44b5c768520eaa0ba1cad4685c439971ffccf29d
Instruction ID: e11d20acf2a5183567f5fcbfb6e7d6543dfeec1a941fb9961cadc3d56bde5363
Opcode Fuzzy Hash: 86e5fae8627af5e8a306d80b44b5c768520eaa0ba1cad4685c439971ffccf29d
Instruction Fuzzy Hash: 02810670408701CFD710AF68D58866EBBE2FF84324F108E2DE5E987295D7789889CB83

Function 00441595 Relevance: 12.4, APIs: 5, Strings: 3, Instructions: 356stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004415BD
strchr.MSVCRT ref: 004415D9
strlen.MSVCRT ref: 0044160B
memcpy.MSVCRT ref: 004419D3
memcpy.MSVCRT ref: 004419FA

Strings

/, xrefs: 004415CB
@, xrefs: 0044197F
@, xrefs: 0044163C

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpystrchr$strlen
String ID: /$@$@
API String ID: 2338772939-1565350487
Opcode ID: d20841fb2bbffe94549e7b95efb91ec315a4e599ec4a1c4134dd13e21622419b
Instruction ID: 0d9ca5671754a069293aa5ff3ab7d486c4f8fd78523594d72e6f04efee76844e
Opcode Fuzzy Hash: d20841fb2bbffe94549e7b95efb91ec315a4e599ec4a1c4134dd13e21622419b
Instruction Fuzzy Hash: 0B02CD71A056588FDB24CF59C490BDEFBF1BF89304F14859AE488AB311D3799A89CF81

Function 005974A0 Relevance: 7.6, Strings: 6, Instructions: 129COMMON

Download Yara Rule

Strings

ntel, xrefs: 005974E4
ineI, xrefs: 005974D9
enti, xrefs: 005974FC
Genu, xrefs: 005974CE
cAMD, xrefs: 00597507
Auth, xrefs: 005974F1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: Auth$Genu$cAMD$enti$ineI$ntel
API String ID: 0-1714976780
Opcode ID: 30a1b6f0e564be8d07df84ea30504acaa5bb7ec169232fbda98bf8fdb4b6cb7d
Instruction ID: 2685c04cd2fecdc048f2b0e3633d37600022f7f5650d4f90598ca53bfae1c144
Opcode Fuzzy Hash: 30a1b6f0e564be8d07df84ea30504acaa5bb7ec169232fbda98bf8fdb4b6cb7d
Instruction Fuzzy Hash: 4A31F877A2851A0FFF789838C84537D2583B398730F2BC73AD526D36D5E868CD804290

Function 0066F740 Relevance: 7.6, APIs: 5, Instructions: 54timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0066F779
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014F2), ref: 0066F78A
GetCurrentThreadId.KERNEL32 ref: 0066F792
GetTickCount.KERNEL32 ref: 0066F79A
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,004014F2), ref: 0066F7A9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c62728d26c022010a62770c8fc6165ed0a3ba27ebc33263508e086cfa9066be3
Instruction ID: c27c242b26b68e4ffad7a9d5dc56758dc6c6347fab7913c62806c74d53dd10b5
Opcode Fuzzy Hash: c62728d26c022010a62770c8fc6165ed0a3ba27ebc33263508e086cfa9066be3
Instruction Fuzzy Hash: 451186B19043018FD710DFB8F98C58BBBE5FB88265F05593AE944C7310DB799858CB92

Function 00461409 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a3103032de7e2352077393b6e3334fe343c76da73142f3e2e67ed39b2239b8f
Instruction ID: fb179fe5324dcf8bee08c07a30dd2e097147edd60c0494fa5ab4f73d3a251d21
Opcode Fuzzy Hash: 6a3103032de7e2352077393b6e3334fe343c76da73142f3e2e67ed39b2239b8f
Instruction Fuzzy Hash: D7F07970904255DFCB00EFB9D88569DB7F0AB45325F008A2AE464D7290E77899458F46

Function 00671570 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 135windowCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0067158F
GetModuleFileNameW.KERNEL32 ref: 006715D1
_snwprintf.MSVCRT ref: 0067160C
MessageBoxW.USER32 ref: 00671639

Strings

,Xt, xrefs: 00671660
0Xt, xrefs: 006715F5
<unknown>, xrefs: 00671670, 00671680, 006716E3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: FileMessageModuleName_snwprintfmalloc
String ID: ,Xt$0Xt$<unknown>
API String ID: 2604804178-526161930
Opcode ID: 076e91add005132565814656afe83f3b8992f1542d45c73906098b2bd8da7c03
Instruction ID: c9a68154edb48fe931e2cecf07ff18f203033ff61f2b007db6eab5fe9c8c37ea
Opcode Fuzzy Hash: 076e91add005132565814656afe83f3b8992f1542d45c73906098b2bd8da7c03
Instruction Fuzzy Hash: 31514EB14083008BD754AF29D4852AEBBF6EF86340F15CC2EE8C89B351D7799845CB97

Function 005544E0 Relevance: 25.8, APIs: 3, Strings: 14, Instructions: 287stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00553D40: strlen.MSVCRT ref: 00553E03

strcmp.MSVCRT ref: 00554548
strlen.MSVCRT ref: 00554599
strlen.MSVCRT ref: 00554794

Strings

CMS, xrefs: 00554875
ENCRYPTED PRIVATE KEY, xrefs: 0055456E
NEW CERTIFICATE REQUEST, xrefs: 00554675
TRUSTED CERTIFICATE, xrefs: 005546B2, 00554841
PARAMETERS, xrefs: 00554772
PKCS7, xrefs: 005546D3, 0055485A
PRIVATE KEY, xrefs: 00554589, 005545AE
X509 CERTIFICATE, xrefs: 00554644
CERTIFICATE REQUEST, xrefs: 00554685
ANY PRIVATE KEY, xrefs: 00554555
CERTIFICATE, xrefs: 0055465C, 0055469A
PKCS #7 SIGNED DATA, xrefs: 005546C7
X9.42 DH PARAMETERS, xrefs: 00554616
DH PARAMETERS, xrefs: 00554626

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$strcmp
String ID: ANY PRIVATE KEY$CERTIFICATE$CERTIFICATE REQUEST$CMS$DH PARAMETERS$ENCRYPTED PRIVATE KEY$NEW CERTIFICATE REQUEST$PARAMETERS$PKCS #7 SIGNED DATA$PKCS7$PRIVATE KEY$TRUSTED CERTIFICATE$X509 CERTIFICATE$X9.42 DH PARAMETERS
API String ID: 551667898-1119032718
Opcode ID: 6972bd79973dfb1c2e280fb5d24a5e7d7921eb58974e791f513cf3bc7803c8f8
Instruction ID: 4a3f08ba6de2eb80041b6fce867e9dce58b9b2388e15697e267f98f615c17ed6
Opcode Fuzzy Hash: 6972bd79973dfb1c2e280fb5d24a5e7d7921eb58974e791f513cf3bc7803c8f8
Instruction Fuzzy Hash: 1DB14A719083459BE7209F18C1A476ABFE5FB85359F05883EE9C88B381E735DC898F52

Function 0043C04A Relevance: 22.8, APIs: 13, Strings: 2, Instructions: 338stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0043C123
free.MSVCRT ref: 0043C26C

Part of subcall function 0043D828: free.MSVCRT ref: 0043D89E

Part of subcall function 0043DBF6: free.MSVCRT ref: 0043DCD7

free.MSVCRT ref: 0043C31A
free.MSVCRT ref: 0043C332
free.MSVCRT ref: 0043C3BB
free.MSVCRT ref: 0043C3D3
free.MSVCRT ref: 0043C54B
free.MSVCRT ref: 0043C563
free.MSVCRT ref: 0043C57B
free.MSVCRT ref: 0043C5D1
free.MSVCRT ref: 0043C5E6
free.MSVCRT ref: 0043C5FB
free.MSVCRT ref: 0043C610

Strings

`F:v, xrefs: 0043C62F
8, xrefs: 0043C3A0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strcmp
String ID: 8$`F:v
API String ID: 507678545-3193217446
Opcode ID: 013dfff32339beb900c8ba9d51fbccca020c0964dbb7936797957f2880128658
Instruction ID: fe5edda2907f9931c179bac942bf96f8dd8401e3f8fbcb7f9e5a605ede422f0b
Opcode Fuzzy Hash: 013dfff32339beb900c8ba9d51fbccca020c0964dbb7936797957f2880128658
Instruction Fuzzy Hash: 4802A2B4905318DFDB50EF69C884B9EBBF0BF49304F00989AE488AB351D7789984DF56

Function 0064E300 Relevance: 22.8, APIs: 15, Instructions: 255COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 0064E31F
malloc.MSVCRT ref: 0064E351
free.MSVCRT ref: 0064E3D3
free.MSVCRT ref: 0064E3E5
free.MSVCRT ref: 0064E3ED

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 6cead0102cc2dc017502c4b18627807d9a87f12d5b43944c9b3e5485dfa3dbdf
Instruction ID: cc1499a460c89fd9141748a16a4299318cd147f187f84dafe40e152d871ee3a1
Opcode Fuzzy Hash: 6cead0102cc2dc017502c4b18627807d9a87f12d5b43944c9b3e5485dfa3dbdf
Instruction Fuzzy Hash: E5A17FB05087008FEB559F69D48436ABBE2BF40318F15895DE8998F396E37AC885CF42

Function 004313CD Relevance: 21.4, APIs: 13, Strings: 1, Instructions: 381stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00431406

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

Strings

/, xrefs: 00431766

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen
String ID: /
API String ID: 39653677-2043925204
Opcode ID: b97d917b2a0545725f3d9626497b094b745e22d6fd71353216b8d82aaa1a47c5
Instruction ID: 90723c190dd04189e7767452cee89386b0490e0f60eebe6090065e2ed06e0fc6
Opcode Fuzzy Hash: b97d917b2a0545725f3d9626497b094b745e22d6fd71353216b8d82aaa1a47c5
Instruction Fuzzy Hash: F802B074E04208AFCB50DFACC4856ADBBF1AF4D304F18D46AE898EB351D7349982CB45

Function 0040E6CF Relevance: 20.5, APIs: 16, Instructions: 471stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E6EB

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040E70D
free.MSVCRT ref: 0040E73F
free.MSVCRT ref: 0040E75B

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$memsetstrcpystrncmpstrpbrk
String ID:
API String ID: 37117747-0
Opcode ID: f94bc97323b07e77de00f267c964e9945cd113ea80c3b1a245980b6f08c3d736
Instruction ID: 0014d1c6a1d50267bbede2b768f527c96f54e1ed55d0cdb2cf3e5a6e494b6b30
Opcode Fuzzy Hash: f94bc97323b07e77de00f267c964e9945cd113ea80c3b1a245980b6f08c3d736
Instruction Fuzzy Hash: AB123974D042499FDB00DFA9C4457EEBBF1EF49304F0488AAE8A4BB351D2389946DF55

Function 004FB240 Relevance: 20.2, APIs: 16, Instructions: 158COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 004FB319
memcmp.MSVCRT ref: 004FB339
memcmp.MSVCRT ref: 004FB359
memcmp.MSVCRT ref: 004FB379
memcmp.MSVCRT ref: 004FB399
memcmp.MSVCRT ref: 004FB3B9
memcmp.MSVCRT ref: 004FB3D9
memcmp.MSVCRT ref: 004FB3F9
memcmp.MSVCRT ref: 004FB419
memcmp.MSVCRT ref: 004FB439

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: fc616eecc711f4611f5d73e97f7e91b3cda04fb457d559786e9534050b823ad6
Instruction ID: 5ec318f01c39bf023f743f5ebe8a2a61f0c0613920a98613a238662a0907fb7e
Opcode Fuzzy Hash: fc616eecc711f4611f5d73e97f7e91b3cda04fb457d559786e9534050b823ad6
Instruction Fuzzy Hash: 52612BB14083859AD7405F29CA8523BBFE1AF46340F48C89EE9D89B393E739C444DB67

Function 004F7260 Relevance: 18.2, APIs: 12, Instructions: 155filestringCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32 ref: 004F7276
GetFileType.KERNEL32(00000000), ref: 004F7286
strlen.MSVCRT ref: 004F7298
MultiByteToWideChar.KERNEL32 ref: 004F72D7
_vsnprintf.MSVCRT ref: 004F7490
WriteFile.KERNEL32 ref: 004F74B7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: File$ByteCharHandleMultiTypeWideWrite_vsnprintfstrlen
String ID:
API String ID: 4278424647-0
Opcode ID: 51d873587c00f295d4dfa6d697c86f84267dc5cc2e339a879f5611b35f47d2ee
Instruction ID: 30d01f631253808c8137bc642cc08e542cb2a94ba0a54c25a934c6300ee974c1
Opcode Fuzzy Hash: 51d873587c00f295d4dfa6d697c86f84267dc5cc2e339a879f5611b35f47d2ee
Instruction Fuzzy Hash: 0C518FB1908309DFD7109F25D4483AEBBF4FF44315F01895EEA9887210E37C9549CB9A

Function 004115EC Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 360COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 004116F3
free.MSVCRT ref: 00411705
free.MSVCRT ref: 00411B16

Part of subcall function 00464696: strcmp.MSVCRT ref: 004646AA
Part of subcall function 00464696: strlen.MSVCRT ref: 004646C0

Strings

(nil), xrefs: 00411A97
`F:v, xrefs: 004115F2, 00411651, 00411B34

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strcmpstrlen
String ID: (nil)$`F:v
API String ID: 3516724208-1863269726
Opcode ID: 25a54c04ce616f4c4000b2c33d8198a8c91d3796778b72f020de0bdf021bb150
Instruction ID: bfc610280fdf34fa50f73d47b01f4bfe577fc2ae1658f644b7095c00d2da9eb6
Opcode Fuzzy Hash: 25a54c04ce616f4c4000b2c33d8198a8c91d3796778b72f020de0bdf021bb150
Instruction Fuzzy Hash: 49025FB4A083059FCB40EFA9C584A9EBBF1FF49314F01885AE8989B311D778D981CF56

Function 00671290 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00671330

Strings

-, xrefs: 006713E6
.j@, xrefs: 006713C0, 006714B0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: _errno
String ID: -$.j@
API String ID: 2918714741-188648854
Opcode ID: e7316502e919c20ca7ae42973582db9e02c82138ed0003a4b65582f9e7ed537f
Instruction ID: 5994e571b7c1f56168389c7bd7029fe10631b227635c5948c1f16abb7c80d8b1
Opcode Fuzzy Hash: e7316502e919c20ca7ae42973582db9e02c82138ed0003a4b65582f9e7ed537f
Instruction Fuzzy Hash: 9A7183716083018BD710DE6CC88026FB7E7AFD6364F14C92EE8998F355E674D9468B86

Function 0041B7CD Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0041B815
strcmp.MSVCRT ref: 0041B86E
tmpfile.MSVCRT ref: 0041B88B
free.MSVCRT ref: 0041B933
fclose.MSVCRT ref: 0041BB2D
free.MSVCRT ref: 0041C061
free.MSVCRT ref: 0041C076
free.MSVCRT ref: 0041C08E

Strings

@Fu, xrefs: 0041B8AA
`F:v, xrefs: 0041B87B, 0041B890, 0041B895, 0041BB25, 0041BB53

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strcmp$fclosetmpfile
String ID: @Fu$`F:v
API String ID: 976011942-3610526832
Opcode ID: 11e257bfcc90bbde27cddfa0f8b327e5883e499c6f53b7367c7ee8b1deacaa93
Instruction ID: c253f9c00d6ced01a334a89390fdb5db9ba99e4ff214c60abbab61f46f0c052c
Opcode Fuzzy Hash: 11e257bfcc90bbde27cddfa0f8b327e5883e499c6f53b7367c7ee8b1deacaa93
Instruction Fuzzy Hash: E371A4B49083189FDB50EF69C48479EBBF1FF49314F00896AE498AB301D7789985CF46

Function 004273C0 Relevance: 16.8, APIs: 11, Instructions: 299COMMON

Download Yara Rule

APIs

Part of subcall function 00464696: strcmp.MSVCRT ref: 004646AA
Part of subcall function 00464696: strlen.MSVCRT ref: 004646C0

free.MSVCRT ref: 00427848
fclose.MSVCRT ref: 0042785A
free.MSVCRT ref: 00427877

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$fclosestrcmpstrlen
String ID:
API String ID: 586208616-0
Opcode ID: a3a9a90a2d42b19007e4a01ab320c99f7d3a8a47ae5db2e037dc4a28d30b05e4
Instruction ID: 8e99783a2cd416de6b5ffd270e4f0798565d41a6a5cc59492ab3bbf9e4f60bda
Opcode Fuzzy Hash: a3a9a90a2d42b19007e4a01ab320c99f7d3a8a47ae5db2e037dc4a28d30b05e4
Instruction Fuzzy Hash: D5D1D474E093199FCB00EFA5D5846AEBBF1EF49304F50889AE894AB301D7389945CF5A

Function 0046D2BC Relevance: 16.4, APIs: 13, Instructions: 159COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0046D302
free.MSVCRT ref: 0046D334
free.MSVCRT ref: 0046D35D
free.MSVCRT ref: 0046D386
free.MSVCRT ref: 0046D3A8
free.MSVCRT ref: 0046D3B6
free.MSVCRT ref: 0046D3C4
free.MSVCRT ref: 0046D3D1
free.MSVCRT ref: 0046D43D

Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C4F7
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C505
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C526
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C534
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C542
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C550
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C55E
Part of subcall function 0046C4E8: free.MSVCRT ref: 0046C569

free.MSVCRT ref: 0046D45B
free.MSVCRT ref: 0046D476
free.MSVCRT ref: 0046D487
free.MSVCRT ref: 0046D492

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f97815f575312837291d4d89f94a0b10ad0e5091acf78eaea71466a7a2f63e4b
Instruction ID: b8c1781d1df6221ed01d0ba25963ce43ad6073cd0041e35e37b203bf8fb1de60
Opcode Fuzzy Hash: f97815f575312837291d4d89f94a0b10ad0e5091acf78eaea71466a7a2f63e4b
Instruction Fuzzy Hash: 2D6172B8B046059FCB44DF68C88599DBBF1FF48360B158559E888DB321E738EE81CB95

Function 00425220 Relevance: 15.1, APIs: 9, Strings: 1, Instructions: 92stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

free.MSVCRT ref: 00425252
strtok.MSVCRT ref: 0042527D
free.MSVCRT ref: 0042535C

Strings

, xrefs: 0042529A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlenstrtok
String ID:
API String ID: 1922117322-3916222277
Opcode ID: 189d681d9a1f0a0e0de138fc11690c5ed5e2f96416003b7f4947c5d75f51db0a
Instruction ID: 19f148e38a21c679215d9c7d5a07e1e149e6eb00c1ee24aa1821b52552891c7b
Opcode Fuzzy Hash: 189d681d9a1f0a0e0de138fc11690c5ed5e2f96416003b7f4947c5d75f51db0a
Instruction Fuzzy Hash: A241E8B4A0571A9FCB40EFA5C54536EBBF0EF04354F50891DE498E7381E77899408FA6

Function 00552320 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 112stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00552342
memcpy.MSVCRT ref: 0055235C

Strings

m, xrefs: 005523C3
Enter PEM pass phrase:, xrefs: 00552490
d, xrefs: 005523CB
@, xrefs: 005523B3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpystrlen
String ID: @$Enter PEM pass phrase:$d$m
API String ID: 3412268980-724452614
Opcode ID: 49d2f8e069be4af491053696d9a9fb5aa128ced40aff11be3bc53e236985ce10
Instruction ID: b1b7b1f3b2db44c8de18c2c77fcdcc90030ff6d5ef7cb1340f3f4c5b580fd265
Opcode Fuzzy Hash: 49d2f8e069be4af491053696d9a9fb5aa128ced40aff11be3bc53e236985ce10
Instruction Fuzzy Hash: 6D4159B19083419AD7109F29C49532FBBE1BF86355F158D2EED9847351E3B988489B83

Function 00420056 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 68stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00420075
strlen.MSVCRT ref: 00420089
memcpy.MSVCRT ref: 004200BB
setlocale.MSVCRT ref: 004200D8
memset.MSVCRT ref: 004200FF
setlocale.MSVCRT ref: 0042016A

Strings

$, xrefs: 004200E6
P"j, xrefs: 004200C9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: setlocale$memcpymemsetstrlen
String ID: $$P"j
API String ID: 707871278-3143280230
Opcode ID: 156a3cde93b3c382b0f8012dc3f4a10f20186d0cbe9345dfe3c1e591ba9a7d57
Instruction ID: 9527cf1737d775d830efbc2b3aec26a1ecea64137194c14ec2bf70bae5b9f628
Opcode Fuzzy Hash: 156a3cde93b3c382b0f8012dc3f4a10f20186d0cbe9345dfe3c1e591ba9a7d57
Instruction Fuzzy Hash: 1831E5B0D05319DADB50EFA4D4453EEBBF0EF05304F50885EA598A7341D7798A84CF96

Function 004406CA Relevance: 13.9, APIs: 6, Strings: 3, Instructions: 414COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0044081C
free.MSVCRT ref: 0044082E
free.MSVCRT ref: 004408C1

Strings

U, xrefs: 00440970
WARNING, xrefs: 004406F9
ERROR, xrefs: 004406F2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: ERROR$U$WARNING
API String ID: 1294909896-34697698
Opcode ID: af08b106176ca7fe440a5e21722397424f2d07eaaeaf0f2274c748e28c78785c
Instruction ID: 7ff3ec3107bcddb30cfcf9e01b1a1ce613d680e562bf26a4df3967762a15542d
Opcode Fuzzy Hash: af08b106176ca7fe440a5e21722397424f2d07eaaeaf0f2274c748e28c78785c
Instruction Fuzzy Hash: FC12C2B4908344DFDB40EFA9C18579EBBF0AF49304F10885EE598AB341E7B89985CF56

Function 0042E07D Relevance: 13.9, APIs: 6, Strings: 3, Instructions: 357COMMON

Download Yara Rule

APIs

Part of subcall function 0043B900: free.MSVCRT ref: 0043B984

Part of subcall function 0043B9B9: free.MSVCRT ref: 0043BA30

free.MSVCRT ref: 0042E15C

Part of subcall function 0043B899: free.MSVCRT ref: 0043B8AD
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8C4
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8DC
Part of subcall function 0043B899: free.MSVCRT ref: 0043B8F1

free.MSVCRT ref: 0042E2AA

Part of subcall function 0042F58C: free.MSVCRT ref: 0042FC71

Part of subcall function 0042FC92: strchr.MSVCRT ref: 0042FCBE
Part of subcall function 0042FC92: free.MSVCRT ref: 0042FD26

Strings

>Lj, xrefs: 0042E080
+, xrefs: 0042E330
@Fu, xrefs: 0042E0B2, 0042E0CE, 0042E214

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strchr
String ID: +$>Lj$@Fu
API String ID: 2369460792-290703121
Opcode ID: e096800c95d31eedce3631e34b8f774c648173852984441191d056bfb12dbcad
Instruction ID: 638d48195d4d1042f5866e2a3f79bbc363470a744489b3ee950d1df8c1ba19be
Opcode Fuzzy Hash: e096800c95d31eedce3631e34b8f774c648173852984441191d056bfb12dbcad
Instruction Fuzzy Hash: AC02A0B4A04319DFCB40DFA9D485AAEBBF0FF08304F54885AE894AB351D7789885CF56

Function 0043023D Relevance: 13.8, APIs: 11, Instructions: 72COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00430256
free.MSVCRT ref: 0043026E
free.MSVCRT ref: 00430285
free.MSVCRT ref: 0043029C
free.MSVCRT ref: 004302B4
free.MSVCRT ref: 004302CC
free.MSVCRT ref: 004302E4
free.MSVCRT ref: 004302FC
free.MSVCRT ref: 00430314
free.MSVCRT ref: 0043032C
free.MSVCRT ref: 00430341

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4caa5a744f2b5da4675b49a9d180e2a0257546a76145eba216af86feae5cb3b4
Instruction ID: 7c81cb4bff09717c4ec47376b4b500732c9dcb95bc3a687a1475744ed7d67d09
Opcode Fuzzy Hash: 4caa5a744f2b5da4675b49a9d180e2a0257546a76145eba216af86feae5cb3b4
Instruction Fuzzy Hash: 7B310FB8604704AFDB40EF68C595B597BF1AF083A4F028958F9889F362D774E984CF85

Function 004447A4 Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,0043E78A), ref: 004447F2
memcpy.MSVCRT(?,?,?,?,?,?,?,?,0043E78A), ref: 00444873
memcpy.MSVCRT ref: 004448AE
memcpy.MSVCRT ref: 00444930
memcpy.MSVCRT ref: 0044497C

Strings

?, xrefs: 00444901
@, xrefs: 0044495E
@, xrefs: 004448CA
@, xrefs: 0044494E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID: ?$@$@$@
API String ID: 3510742995-3749118003
Opcode ID: 240a03f2e73e50a3bc4d71c8d6420ca9d7269ec5b8cdcf7acccf73cba3da0dbe
Instruction ID: 48927bdac2aea96809282bbfa22beb013f182a5a80408a93d571bd85edbc1660
Opcode Fuzzy Hash: 240a03f2e73e50a3bc4d71c8d6420ca9d7269ec5b8cdcf7acccf73cba3da0dbe
Instruction Fuzzy Hash: 11718BB4A0434A9FDB44DF29C480A9EB7F1FF88350F11C82AE8689B315E334E951DB95

Function 0044787B Relevance: 13.7, APIs: 5, Strings: 4, Instructions: 155COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,0044781A), ref: 004478C9
memcpy.MSVCRT(?,?,?,?,?,?,?,?,0044781A), ref: 0044794A
memcpy.MSVCRT ref: 00447985
memcpy.MSVCRT ref: 00447A07
memcpy.MSVCRT ref: 00447A53

Strings

@, xrefs: 00447A25
@, xrefs: 004479A1
@, xrefs: 00447A35
?, xrefs: 004479D8

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID: ?$@$@$@
API String ID: 3510742995-3749118003
Opcode ID: 6f835ff52076eeb5e88f2670f7070f3f4b7f9d963d6b242084ee5cb59db08774
Instruction ID: a7e17e53b2947ce6c2c009aec710c79b9e0de8c2099fa056b63d042f32b68165
Opcode Fuzzy Hash: 6f835ff52076eeb5e88f2670f7070f3f4b7f9d963d6b242084ee5cb59db08774
Instruction Fuzzy Hash: E1716BB4A0430A9FDB40DF29C58099EB7F1BF88354F11C91AE8689B355E334EA51CF55

Function 0040F4A7 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F4CA
free.MSVCRT ref: 0040F4FC
free.MSVCRT ref: 0040F518

Strings

), xrefs: 0040F633

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID: )
API String ID: 4034866347-2427484129
Opcode ID: 61b06fbd557c210522d7dcf842db3646c53ec597b60216f83c829658361b716b
Instruction ID: 1afeed9333593b3bc0a946aa65ca6fdd142fa13c109370ba9576ea69722d66ed
Opcode Fuzzy Hash: 61b06fbd557c210522d7dcf842db3646c53ec597b60216f83c829658361b716b
Instruction Fuzzy Hash: 3261B2B4908309EFDB10AFA4C59576EBBF4EF04304F01883AE894AB751D3789949DF46

Function 004060E7 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 410COMMON

Download Yara Rule

APIs

Part of subcall function 00464696: strcmp.MSVCRT ref: 004646AA
Part of subcall function 00464696: strlen.MSVCRT ref: 004646C0

time.MSVCRT ref: 00406161
free.MSVCRT ref: 004065FC
fclose.MSVCRT ref: 0040660E

Strings

TRUE, xrefs: 00406440, 00406493

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fclosefreestrcmpstrlentime
String ID: TRUE
API String ID: 1079940273-3412697401
Opcode ID: fc1ed8d8516f3b46875e5c3a46cc3780228396d00201c81ba9d56d1b40e6c16a
Instruction ID: bb85a04d865bee957ce1c8443554495e03ebc8486c4266b804ddccd5e4694c39
Opcode Fuzzy Hash: fc1ed8d8516f3b46875e5c3a46cc3780228396d00201c81ba9d56d1b40e6c16a
Instruction Fuzzy Hash: C502D278E042489FCB10DFA8C4806ADBBF1FF49300F1594AAE8A5BB395D3389946CF55

Function 0040D7E9 Relevance: 12.6, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0040D7F5
free.MSVCRT ref: 0040D81A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2c8e37fbe091660acce8de1a51b17556276ab255c97750600f4706245974c23f
Instruction ID: 06ea58b8dc2c3c88dee26cb5669b2d5d1b216d74b3a79f9728f2c86fe9991542
Opcode Fuzzy Hash: 2c8e37fbe091660acce8de1a51b17556276ab255c97750600f4706245974c23f
Instruction Fuzzy Hash: 3A61B3B4E046498FCB40EFA8C4857AEBBF1AF09314F14982AE494B7341D3389985DF56

Function 00433184 Relevance: 12.6, APIs: 10, Instructions: 141stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00433262
free.MSVCRT ref: 00433294
memcpy.MSVCRT ref: 004332E7
free.MSVCRT ref: 00433310
free.MSVCRT ref: 00433325
free.MSVCRT ref: 00433337
free.MSVCRT ref: 00433349

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$memcpystrlen
String ID:
API String ID: 4283329877-0
Opcode ID: f6750cc027a2ecfc1d8f12171c85d6fb274bcffb19ed3228425bab6eb4b244d5
Instruction ID: 6e074893b99c1cfe19778936aacebb6c747d7f9e5e8f0a112cb58292449dd5b6
Opcode Fuzzy Hash: f6750cc027a2ecfc1d8f12171c85d6fb274bcffb19ed3228425bab6eb4b244d5
Instruction Fuzzy Hash: 356192B4D042099FDF40EFA4C585AAEBBF1BF48304F10881EE498A7350D7389A44CF66

Function 004163D9 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 282COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00416641

Strings

%j, xrefs: 00416712
,, xrefs: 0041673E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: %j$,
API String ID: 1294909896-651064510
Opcode ID: a62ef1ff29dc70d58f9f0b570248292dbdd4d693aa1cb52d636d1e9e3fa17b47
Instruction ID: 198a848cdb6ecb7146f8c8fc2081f59bd5fbddfdbd430fac15054397b1a77135
Opcode Fuzzy Hash: a62ef1ff29dc70d58f9f0b570248292dbdd4d693aa1cb52d636d1e9e3fa17b47
Instruction Fuzzy Hash: D0C107B49043098FDB00EFA8C5856EEBBF1AF49314F15885AE894A7351D338D985CF5A

Function 0040B471 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 222stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040B4AC
free.MSVCRT ref: 0040B66B

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

strrchr.MSVCRT ref: 0040B6A5
free.MSVCRT ref: 0040B790
free.MSVCRT ref: 0040B7A2

Strings

0, xrefs: 0040B496
/, xrefs: 0040B69A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$memsetstrlenstrrchr
String ID: /$0
API String ID: 297553965-459344325
Opcode ID: c419734dc1c209ef706ee13f3d5c453ea4768c175c8593b56d401004d918506b
Instruction ID: b609da9d348bcba5f69dcfab7cfdf196af27421d66ef1e93a50959b8d63b81bb
Opcode Fuzzy Hash: c419734dc1c209ef706ee13f3d5c453ea4768c175c8593b56d401004d918506b
Instruction Fuzzy Hash: 35A1CAB49043489FDB10DFA4C58479EBBF0FF08314F10896AE894AB391D7799945CF9A

Function 0043B172 Relevance: 12.3, APIs: 7, Strings: 1, Instructions: 252stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00485C82: calloc.MSVCRT ref: 00485C97

strlen.MSVCRT ref: 0043B212
free.MSVCRT ref: 0043B2CD
strchr.MSVCRT ref: 0043B300
strchr.MSVCRT ref: 0043B319

Strings

@, xrefs: 0043B490

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strchr$callocfreestrlen
String ID: @
API String ID: 2959767064-2766056989
Opcode ID: e487ca07b9dfe8fa3582cb0d0b618ad5e5c2dfe811d4c1830d54712b601fb7f0
Instruction ID: 6a232c5d5a348f8c251e27b42b9fbd3835432909f8d46895373d1e4dfa6a032d
Opcode Fuzzy Hash: e487ca07b9dfe8fa3582cb0d0b618ad5e5c2dfe811d4c1830d54712b601fb7f0
Instruction Fuzzy Hash: A4C1A5B4A047099FCB40EFA9C48569EBBF0FF49314F10981AE998E7311D778D9418FA6

Function 00423802 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 206stringCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 004238CD
strlen.MSVCRT ref: 00423935
memcpy.MSVCRT ref: 00423987

Strings

--2024-09-29 08:19:01-- https://download.yandex.ru/yandex-pack/downloader/downloader.exe, xrefs: 00423874, 00423910

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy$strlen
String ID: --2024-09-29 08:19:01-- https://download.yandex.ru/yandex-pack/downloader/downloader.exe
API String ID: 2619041689-910687100
Opcode ID: 36e4789794223990330ea9afd43b4dd3c5e14053157386ae6e5d8bbc812ac773
Instruction ID: 8a8f6c9882a57c9e822982492c0930df49664c80b5deabac5757226cc2ca8d72
Opcode Fuzzy Hash: 36e4789794223990330ea9afd43b4dd3c5e14053157386ae6e5d8bbc812ac773
Instruction Fuzzy Hash: 03A1A674A042099FCB04DF98D584BAEBBF2FF88300F64C569E898E7315D638E945CB56

Function 0054D740 Relevance: 10.8, APIs: 2, Strings: 5, Instructions: 340COMMON

Download Yara Rule

Strings

1p, xrefs: 0054DC76
e, xrefs: 0054DC7E
f, xrefs: 0054DC86
91p, xrefs: 0054D9B0
1p, xrefs: 0054D8FF

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: 1p$ 1p$91p$e$f
API String ID: 0-2068057407
Opcode ID: 1fdb430ef66be8ae684dfaa15ffcf793ad68bfe6aecf06cd3f3451648c3866c9
Instruction ID: 6d9402e2085885d05260b9cb1a27ad75f6a2d1315bd9ae614e8f3d940d904761
Opcode Fuzzy Hash: 1fdb430ef66be8ae684dfaa15ffcf793ad68bfe6aecf06cd3f3451648c3866c9
Instruction Fuzzy Hash: 54E1F3716087468FD760DF29C5847AABBF1FF84708F15892DE8C88B241EB75D848DB62

Function 0040A0C4 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 316COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00409ECF
free.MSVCRT ref: 00409F88
free.MSVCRT ref: 0040A0D5
fclose.MSVCRT ref: 0040A53E

Part of subcall function 00402C9B: free.MSVCRT ref: 00402D2B

Strings

, xrefs: 00409F0E
6, xrefs: 0040A045

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$fclosetime
String ID: $6
API String ID: 4167560123-3514963568
Opcode ID: 7e7bfa48ccde9fd500fb8c8610d791134c281afbe1d1a860a6707186847f6eca
Instruction ID: 972a9bfeb9e2a5e133db9d44855d61ebda691811e7db289571dbcce9cb273f3f
Opcode Fuzzy Hash: 7e7bfa48ccde9fd500fb8c8610d791134c281afbe1d1a860a6707186847f6eca
Instruction Fuzzy Hash: 10E1B1B4A042098FDB10CF68D585A9EBBF0BF48314F14856AE858EB391D738ED51CF66

Function 0046F756 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 222COMMON

Download Yara Rule

Strings

_, xrefs: 0046FC18
\, xrefs: 0046F802
_, xrefs: 0046F895
_, xrefs: 0046F8DA

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: \$_$_$_
API String ID: 0-501989280
Opcode ID: a047b3ee5501014dc5af9ab1e8f3a21cdf7f67721899804a66bbd2737fea26a9
Instruction ID: 5efeba2ec4ca6653dc158f9a6d3a1f2e90c7e062e5e76076c3d2dd09736e9e6a
Opcode Fuzzy Hash: a047b3ee5501014dc5af9ab1e8f3a21cdf7f67721899804a66bbd2737fea26a9
Instruction Fuzzy Hash: F7913C356082859FDB01DF68D585AA9BFE1EF05314F08C0A5E898CF3A2E379E945DB06

Function 0040661C Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 211COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 0040664C

Part of subcall function 0047D344: ferror.MSVCRT ref: 0047D350
Part of subcall function 0047D344: fputs.MSVCRT ref: 0047D366

Part of subcall function 0047D344: fputs.MSVCRT ref: 0047D38E
Part of subcall function 0047D344: ferror.MSVCRT ref: 0047D3B0
Part of subcall function 0047D344: _fileno.MSVCRT ref: 0047D3BF

ferror.MSVCRT ref: 0040686E
fclose.MSVCRT ref: 004068B7

Strings

TRUE, xrefs: 004067D4, 004067FA
FALSE, xrefs: 004067DB, 004067F3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferror$fputs$_filenofclosetime
String ID: FALSE$TRUE
API String ID: 3022861296-1412513891
Opcode ID: 5549e82b0af02d0df410d59ce9cccef5e3006147b1a74e67b4726c55265324e4
Instruction ID: e602d591a7cb9c1141c899a8990940b4c41c6187481caa83e09169cf2307568b
Opcode Fuzzy Hash: 5549e82b0af02d0df410d59ce9cccef5e3006147b1a74e67b4726c55265324e4
Instruction Fuzzy Hash: AF91C8B49043049FCB00EFA9C5856ADBBF0EF48304F01986EE899AB351D778D951CF5A

Function 004167A2 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 177stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416815
strspn.MSVCRT ref: 00416863
strcspn.MSVCRT ref: 00416891
free.MSVCRT ref: 00416939

Strings

,, xrefs: 00416982
5j, xrefs: 00416886

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrcspnstrlenstrspn
String ID: ,$5j
API String ID: 2191726307-2557168326
Opcode ID: dc021d42e120f4128b86647dfb1494817512cb20fe110e6b08af025241767994
Instruction ID: 0cae1977953cc37efd5a6b075cf41ec35192b50681be2b1e82787fee461a7847
Opcode Fuzzy Hash: dc021d42e120f4128b86647dfb1494817512cb20fe110e6b08af025241767994
Instruction Fuzzy Hash: 6D81E6B4E042499FDB00DFA8C584AEEFBF1AF49304F19845AE898E7311D338D985CB65

Function 004055FC Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170stringCOMMON

Download Yara Rule

APIs

time.MSVCRT ref: 00405609
strlen.MSVCRT ref: 00405619
strcpy.MSVCRT ref: 00405668
strrchr.MSVCRT ref: 00405773

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

Strings

P, xrefs: 004056BA
/, xrefs: 00405765

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$strcpystrrchrtime
String ID: /$P
API String ID: 1007391074-1456695453
Opcode ID: dba572191d2155ff4f378bcf9dcbbd0d7cf8ad463f5a01ecc936a17eef82bad0
Instruction ID: 401a1ce7d23f91005bd9d76ef5d6ec32c055be2567508cecadd5d7eac09c841e
Opcode Fuzzy Hash: dba572191d2155ff4f378bcf9dcbbd0d7cf8ad463f5a01ecc936a17eef82bad0
Instruction Fuzzy Hash: 0A71B6B4908605CFDB00EF68C585AAEBBF0FF48304F15886AE899AB351D378D841DF56

Function 00421602 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00421811
fclose.MSVCRT ref: 00421823

Strings

4j, xrefs: 0042175F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fclosefree
String ID: 4j
API String ID: 271167838-4068273965
Opcode ID: 4b0ffd59eba6519c13a84d7658c047b9889508a5a730a60941407779210c7b22
Instruction ID: 9897a63151fe53fbe6c78d6f7a9ff78ff1e434bc9bb41b9ecfca278b390a57c0
Opcode Fuzzy Hash: 4b0ffd59eba6519c13a84d7658c047b9889508a5a730a60941407779210c7b22
Instruction Fuzzy Hash: 2161B1B4A083199FCB04EF65D48469EBBF1FF89304F10881EE489A7310D7799945CF9A

Function 00403800 Relevance: 10.6, APIs: 7, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strpbrk.MSVCRT ref: 00403897
strlen.MSVCRT ref: 004038B4
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004033A9), ref: 004038DD
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004033A9), ref: 004038F2
strlen.MSVCRT ref: 0040390A
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004033A9), ref: 00403949
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004033A9), ref: 00403973

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpystrcpystrlen$strpbrk
String ID:
API String ID: 4170637506-0
Opcode ID: 87b04866c798240f4da44f6fc269bbc31bd30759982df5f8a96aafc7919197f9
Instruction ID: e1558638dfe16f4e417b7753d8e73b0ee4bb84088810475f4b40b8ed33750368
Opcode Fuzzy Hash: 87b04866c798240f4da44f6fc269bbc31bd30759982df5f8a96aafc7919197f9
Instruction Fuzzy Hash: 64510BB5E042099FCB40DFA8C4816AEBBF5EF49314F14C46AE898E7341D378DA46CB56

Function 004F7110 Relevance: 10.6, APIs: 7, Instructions: 96libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 004F7138
GetProcAddress.KERNEL32 ref: 004F7152
GetProcessWindowStation.USER32 ref: 004F7170
GetUserObjectInformationW.USER32 ref: 004F71A8
GetLastError.KERNEL32 ref: 004F71B5
GetUserObjectInformationW.USER32 ref: 004F7207
wcsstr.MSVCRT ref: 004F722E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindowwcsstr
String ID:
API String ID: 459917433-0
Opcode ID: c01001ac9d2b8a9e032b881a0097ccc29465dab91242815c4922b218d069662d
Instruction ID: 0c281ff6b6c40e4f93192565fbd2894e5386cff893fbb610b9f689901830949e
Opcode Fuzzy Hash: c01001ac9d2b8a9e032b881a0097ccc29465dab91242815c4922b218d069662d
Instruction Fuzzy Hash: D73179B09087098BD7109F79D9442AFBBE4EF80321F01866EE5A89A391D77CD8058B56

Function 0040E4BF Relevance: 10.2, APIs: 8, Instructions: 156stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040E4DB

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040E4FD
free.MSVCRT ref: 0040E52F
free.MSVCRT ref: 0040E54B

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$memsetstrcpystrncmpstrpbrk
String ID:
API String ID: 37117747-0
Opcode ID: 2af70df6942f8788a593a368755bad845996662767a20b9178a7961ac7af4e86
Instruction ID: 2e47be19448ca4c968f290e43e3f60f21134e4efa9415be890fde95abd191071
Opcode Fuzzy Hash: 2af70df6942f8788a593a368755bad845996662767a20b9178a7961ac7af4e86
Instruction Fuzzy Hash: 6261F2749042499FDB00DFA9C8856EEBBF1FF09304F04886AE894BB351D33899469F66

Function 00430054 Relevance: 10.1, APIs: 8, Instructions: 107stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00430063
strlen.MSVCRT ref: 004300C6
strlen.MSVCRT ref: 004300D4
memcpy.MSVCRT ref: 0043010D
memcpy.MSVCRT ref: 00430138
free.MSVCRT ref: 00430163
free.MSVCRT ref: 00430180
free.MSVCRT ref: 00430194

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen$memcpy
String ID:
API String ID: 491682182-0
Opcode ID: b931de36020922378c27375d85442b29c7381fe2cf126589495eff6b9ef096ad
Instruction ID: 8955db4824fd8d3cb312aa3885bcaeca3ae9d8a5d808701241b759697dbe9945
Opcode Fuzzy Hash: b931de36020922378c27375d85442b29c7381fe2cf126589495eff6b9ef096ad
Instruction Fuzzy Hash: DB5174B4A043199FCB40EFA8C485A9EBBF1FF08344F118959E898EB311D338E9408F95

Function 0040F715 Relevance: 10.1, APIs: 8, Instructions: 83stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F738
free.MSVCRT ref: 0040F76A
free.MSVCRT ref: 0040F786

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-0
Opcode ID: d18120c08be0f9edcda4baa2adbaa2ca32ddc8b94e70566835fb90f427263eec
Instruction ID: 47f235587e79a0ee7022f1b76d0ab16432360907cb33263497a4779bcc273ff3
Opcode Fuzzy Hash: d18120c08be0f9edcda4baa2adbaa2ca32ddc8b94e70566835fb90f427263eec
Instruction Fuzzy Hash: 9D3190B4D04208DFCB50EFA9C0856AEBBF1EF04314F01886EE898AB351D7789944CF86

Function 0046C4E8 Relevance: 10.0, APIs: 8, Instructions: 44COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0046C4F7
free.MSVCRT ref: 0046C505
free.MSVCRT ref: 0046C526
free.MSVCRT ref: 0046C534
free.MSVCRT ref: 0046C542
free.MSVCRT ref: 0046C550
free.MSVCRT ref: 0046C55E
free.MSVCRT ref: 0046C569

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 11a32b751f7b711a22f4e843d3f9655cee8c835f5b044fae3b5d88573dea134c
Instruction ID: 79b343fa198cb3a6a45578b82c60c9f0d0cbb209d05a6c9ddafb91beb76a9d6b
Opcode Fuzzy Hash: 11a32b751f7b711a22f4e843d3f9655cee8c835f5b044fae3b5d88573dea134c
Instruction Fuzzy Hash: 0911DBB8604714AFCB80EF68C5858597BF1AF483A4B468959FDCC9B322D634ED80CF85

Function 00530590 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 338COMMON

Download Yara Rule

Strings

A, xrefs: 00530AD7
{, xrefs: 00530ADF
n, xrefs: 00530AB4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: A$n${
API String ID: 0-4170650037
Opcode ID: a215ee608bfef13f648dd838ee081dd9d05afcdb71f82ef181080700f729eded
Instruction ID: f105480d26ae962938350a3ff80c1bafbb430d6b4e9da468cfd6eef8a7b1b912
Opcode Fuzzy Hash: a215ee608bfef13f648dd838ee081dd9d05afcdb71f82ef181080700f729eded
Instruction Fuzzy Hash: C6E118B1508706DFD710AF24C59932ABFE1FF84344F15992DE8888B396D7B9D885CB82

Function 00575100 Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 293stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 005751AF
memcpy.MSVCRT ref: 0057529B
strncpy.MSVCRT ref: 0057554E

Strings

|, xrefs: 0057548F
6, xrefs: 00575512
t, xrefs: 005754B1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpystrlenstrncpy
String ID: 6$t$|
API String ID: 1911853469-1018207855
Opcode ID: ae76b100560bf55d1ec8d686b43ac6811d3b2861cedc6b3ce1d6fdef9d48c153
Instruction ID: 8afd1a5220f480ab81b62c83d67227c0ee5448f4237c86fe040c205c4b49387d
Opcode Fuzzy Hash: ae76b100560bf55d1ec8d686b43ac6811d3b2861cedc6b3ce1d6fdef9d48c153
Instruction Fuzzy Hash: 5CC149706097418FE720DF68D484B5ABFE1BF85348F148D2DE9898B351E7B9D884DB42

Function 0049F100 Relevance: 9.3, APIs: 4, Strings: 2, Instructions: 267COMMON

Download Yara Rule

APIs

Part of subcall function 0056DAA0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,00000000,004A1E49), ref: 0056DAD1

memcpy.MSVCRT ref: 0049F241
memcpy.MSVCRT ref: 0049F2B5
memcpy.MSVCRT ref: 0049F317
memcpy.MSVCRT ref: 0049F37F

Strings

`, xrefs: 0049F55D
_, xrefs: 0049F531

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy$CountCriticalInitializeSectionSpin
String ID: _$`
API String ID: 3739010516-620441697
Opcode ID: f1133e2869732f5a8c05db6e225f4e16c0f0e0d793ae8601dc8aab90c2af4fc5
Instruction ID: 4f4b51b3628ef54e42d1a33edf42a3e6571d23a0cff40326e6d21249acf5de89
Opcode Fuzzy Hash: f1133e2869732f5a8c05db6e225f4e16c0f0e0d793ae8601dc8aab90c2af4fc5
Instruction Fuzzy Hash: B5C1C2B4605B069FD714DF29C48479BBBE1BF84344F10893EE89987341EB74E948CB96

Function 005526C0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 196stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00552917
memcpy.MSVCRT ref: 00552940

Strings

@, xrefs: 005528A0
Enter PEM pass phrase:, xrefs: 005529D0
j, xrefs: 005528EF
h, xrefs: 005528E7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpystrlen
String ID: @$Enter PEM pass phrase:$h$j
API String ID: 3412268980-3159370177
Opcode ID: 54ddc2d6fa2f89616b31800bbe7e512b5423ec217dc88811637a1f06089d5d32
Instruction ID: 2ce265c4d2c2f1d97df05363e99a5cad275e0d07224369a3bb7775619d8fa68a
Opcode Fuzzy Hash: 54ddc2d6fa2f89616b31800bbe7e512b5423ec217dc88811637a1f06089d5d32
Instruction Fuzzy Hash: 6F81D0B56083029FD310DF29C49465BBBE1FFC9358F10C92EE99887341E779D9498B92

Function 0040E0A5 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

L, xrefs: 0040E10F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memset
String ID: L
API String ID: 2221118986-2909332022
Opcode ID: cddd001e8aa6e2ec3bba35f20826b2b60b747586b5d277dc1f75ebb1d4eaf7d9
Instruction ID: df508a19e85e6f7f782c9481f9f4bbedb9cc0d4b61847bba94947295f4265650
Opcode Fuzzy Hash: cddd001e8aa6e2ec3bba35f20826b2b60b747586b5d277dc1f75ebb1d4eaf7d9
Instruction Fuzzy Hash: D941B6B4D08708AFCB40EFA9D08569DBBF4EF04304F00886EE895EB391D7789944CB86

Function 0042D70A Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

free.MSVCRT ref: 0042D765
free.MSVCRT ref: 0042D826
free.MSVCRT ref: 0042D838
free.MSVCRT ref: 0042D84A

Strings

), xrefs: 0042D883
@Fu, xrefs: 0042D798

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen
String ID: )$@Fu
API String ID: 667451143-3547685617
Opcode ID: e816c8e2d8d99c4e3e050ae07db4b5ce2b0b7282b44452c9a970119e7d770a49
Instruction ID: 2ef89e4adb19e9252a3655accf94c25a5b5aee6206234cf1e9497561130d2326
Opcode Fuzzy Hash: e816c8e2d8d99c4e3e050ae07db4b5ce2b0b7282b44452c9a970119e7d770a49
Instruction Fuzzy Hash: 395173B4D043199FDB40EFA9D48879EBBF0BF08314F41881AE894AB351D7B89985CF85

Function 0040782A Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 342COMMON

Download Yara Rule

APIs

Part of subcall function 0040F4A7: strlen.MSVCRT ref: 0040F4CA
Part of subcall function 0040F4A7: free.MSVCRT ref: 0040F4FC

abort.MSVCRT(?,8B0001C5), ref: 004078E6
free.MSVCRT ref: 00407A8B

Part of subcall function 00402C9B: free.MSVCRT ref: 00402D2B

abort.MSVCRT(?,8B0001C5), ref: 00407AB0
abort.MSVCRT(?,?,?,?,?,?,?,?,8B0001C5), ref: 00407C36

Strings

done., xrefs: 00407AC2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: abortfree$strlen
String ID: done.
API String ID: 4207420737-1207068090
Opcode ID: 635aa5a2e4a2429cd93a11482ef7ab6267f68ccc97e01065b90a21ab135d1b96
Instruction ID: 4cce97db24fd9dd51d7937567d12b05986a11c0a9f3ce39455b1da4c658747c0
Opcode Fuzzy Hash: 635aa5a2e4a2429cd93a11482ef7ab6267f68ccc97e01065b90a21ab135d1b96
Instruction Fuzzy Hash: 3CE1E9B06082158FDB10EF68C54569E7BF1FF49308F11896AE498AB392D778ED41CF1A

Function 004F60C0 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 340stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 004F617F
strncmp.MSVCRT ref: 004F61B5

Part of subcall function 0054BFB0: strlen.MSVCRT ref: 0054BFC1
Part of subcall function 0054BFB0: memcpy.MSVCRT ref: 0054BFF2

strlen.MSVCRT ref: 004F6503

Strings

q, xrefs: 004F651F
u, xrefs: 004F65FE

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$memcpystrncmpstrrchr
String ID: q$u
API String ID: 246011797-2079702880
Opcode ID: ac5676017a8d9340915280c991d6019f574a791dda7b665a6fe0c084c176f694
Instruction ID: 9d25d7ee33a1fb88d58c14d1f0dd0b7d5fec63233c6860e18a26ee21eebd6422
Opcode Fuzzy Hash: ac5676017a8d9340915280c991d6019f574a791dda7b665a6fe0c084c176f694
Instruction Fuzzy Hash: C2E1D4B450870AAFD710AF25C58822FBFE5BF84744F118C2EE6988B351DBB8D845DB46

Function 0040E2FF Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 62stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040E35F
free.MSVCRT ref: 0040E3C8
free.MSVCRT ref: 0040E3DA

Strings

,5w@, xrefs: 0040E321
,, xrefs: 0040E38B
5w@, xrefs: 0040E377, 0040E39B

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID: ,$,5w@$5w@
API String ID: 4034866347-1760719336
Opcode ID: 7a6fa4902a13f0fdeb05aebd0dbd13059ca62602e94ff052c61ee8758588a723
Instruction ID: 2dd1634f92e4fabab67fa16f99effe0eed8adeae9359cf8bdf71c5e548c86982
Opcode Fuzzy Hash: 7a6fa4902a13f0fdeb05aebd0dbd13059ca62602e94ff052c61ee8758588a723
Instruction Fuzzy Hash: 5B2162B49043199FDB40EFA5C5497AEBBF0BF08304F01882DE894B7340D77899598F96

Function 006716E0 Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 59stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 006716FA
malloc.MSVCRT ref: 00671706
strlen.MSVCRT ref: 00671710
malloc.MSVCRT ref: 0067171C
free.MSVCRT ref: 0067177C

Strings

<unknown>, xrefs: 00671670, 00671680, 006716E3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: mallocstrlen$free
String ID: <unknown>
API String ID: 2585366504-1574992787
Opcode ID: 4b3badec502726448eb36ee53d057b963de23915ce37d69777494a77973ad49c
Instruction ID: 8ec1017c5590017715a9d2c75d5b74a2f11899caf38e476215ca29931ce195a1
Opcode Fuzzy Hash: 4b3badec502726448eb36ee53d057b963de23915ce37d69777494a77973ad49c
Instruction Fuzzy Hash: 811160755083508BC754AF39D88256ABBF2EF86350F15CC6EE8C88B312E7369445CB56

Function 004841FC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 244stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00484225
memcmp.MSVCRT ref: 0048425B
_getpid.MSVCRT ref: 004842CC

Strings

>, xrefs: 004844E5
?j, xrefs: 00484250

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: _getpidmemcmpstrlen
String ID: >$?j
API String ID: 1697227860-1718540790
Opcode ID: 4c75086d572b92109e139489d53cd7589ff6a2ccfe097eebd94f7f5b3ccb892d
Instruction ID: 932e5f66f61ef84db0ba40bced8f3a088072318b5855a435148ace3bfeec6795
Opcode Fuzzy Hash: 4c75086d572b92109e139489d53cd7589ff6a2ccfe097eebd94f7f5b3ccb892d
Instruction Fuzzy Hash: 00C1DFB4905308DFCB40DFA8D884A9EBBF1BF89304F00C92AE4989B365D77899418F56

Function 00418599 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183stringCOMMON

Download Yara Rule

APIs

strtol.MSVCRT ref: 00418647
free.MSVCRT ref: 0041865D
free.MSVCRT ref: 00418694

Strings

EOF received, xrefs: 00418777

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strtol
String ID: EOF received
API String ID: 555484265-733935692
Opcode ID: 58d3479d5bc34e0d13c3ebcf1f9934766fe26d5d178310e9fb4e5a9418d7d68c
Instruction ID: 68375598295c7c9f2158309a2dfe56382f912d47cfcdb0d15ee97c2cbafa811f
Opcode Fuzzy Hash: 58d3479d5bc34e0d13c3ebcf1f9934766fe26d5d178310e9fb4e5a9418d7d68c
Instruction Fuzzy Hash: 2F81DB74D042199FEB10EFA5C8497EEBBF1AF44304F10886ED898A7341D7789A81CF5A

Function 00432194 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 004321F0
fread.MSVCRT ref: 004322AB

Strings

s, xrefs: 00432325
l, xrefs: 00432329

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fflushfread
String ID: l$s
API String ID: 3351130099-2254973558
Opcode ID: 2d6b1b3a8d17a30b3d846707a68638323eb0f90d6eed5e93929e4956be74bf86
Instruction ID: dbac5385818ea423b8456a6f6b6dca3264b3951da7f98bda1bc0e3289b312c8f
Opcode Fuzzy Hash: 2d6b1b3a8d17a30b3d846707a68638323eb0f90d6eed5e93929e4956be74bf86
Instruction Fuzzy Hash: A98106B4908748CFDB00DFA8D88479EBBF1BB99305F04C91DE488A7351D7B99984CB5A

Function 0046007E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 0046009F
memset.MSVCRT ref: 0046014F
free.MSVCRT ref: 00460219

Strings

Du, xrefs: 0046010E
'o9iQbd0.exe', xrefs: 0046020A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: abortfreememset
String ID: Du$'o9iQbd0.exe'
API String ID: 2552529481-251729588
Opcode ID: 394ae5f5fabaef1e25d300fca73bcce877e1f2b3ffd9597fa3c1a219e10e00a8
Instruction ID: 72afdb1365d53b85751a192fcd88c8d61dc441a81e11f18ceb40af4b5056f9d9
Opcode Fuzzy Hash: 394ae5f5fabaef1e25d300fca73bcce877e1f2b3ffd9597fa3c1a219e10e00a8
Instruction Fuzzy Hash: DD815FB4A0420A9FCB40DF69D580A9EBBF1FF49344F00895AE858DB321E334EA55CF56

Function 00433390 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

Part of subcall function 00464696: strcmp.MSVCRT ref: 004646AA
Part of subcall function 00464696: strlen.MSVCRT ref: 004646C0

free.MSVCRT ref: 0043353E
fclose.MSVCRT ref: 00433550

Strings

Loaded %d records from CDX., xrefs: 0043351C
>Lj, xrefs: 00433393
Loaded %d record from CDX., xrefs: 00433515

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fclosefreestrcmpstrlen
String ID: >Lj$Loaded %d record from CDX.$Loaded %d records from CDX.
API String ID: 2977352491-581019807
Opcode ID: e50e39e6b24841f7d6f98a476901fb13a53b0c0fee1b8132ba808fe580185adb
Instruction ID: 107feef6a852187122471daed45f16a680b82fc808d10106e8bd3a84683860ed
Opcode Fuzzy Hash: e50e39e6b24841f7d6f98a476901fb13a53b0c0fee1b8132ba808fe580185adb
Instruction Fuzzy Hash: 5951F9B0C04309DBCB00EFA9D48559EBBF0BF49325F509A1EE4A4A7390D3789A85CF56

Function 00424073 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 0042412E
_fileno.MSVCRT ref: 0042415E
_isatty.MSVCRT ref: 00424166

Strings

;j, xrefs: 004240C5
@F:v, xrefs: 004240A4, 004240A9, 00424147, 0042414C

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: _fileno_isattyexit
String ID: ;j$@F:v
API String ID: 1309095928-2959357134
Opcode ID: 636c8ca8ba3e52cd66cb30b68e55eddbaa4f53e0fcd6c6a7e75793a89ca0fef7
Instruction ID: 378e6f7ce305c8f01cd0e9bbe73630facab59748370742f5dbb9561ba4c7e8fb
Opcode Fuzzy Hash: 636c8ca8ba3e52cd66cb30b68e55eddbaa4f53e0fcd6c6a7e75793a89ca0fef7
Instruction Fuzzy Hash: 7F312A74604704DFC700EF28E9807997BF1EB56346F80C89AE588CB361D7B99881CF5A

Function 0043A746 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0043A7A5
strrchr.MSVCRT ref: 0043A7BC
free.MSVCRT ref: 0043A7F1
perror.MSVCRT ref: 0043A817

Part of subcall function 004342E2: memcpy.MSVCRT ref: 00434327

Strings

/, xrefs: 0043A7AE

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freememcpyperrorstrcmpstrrchr
String ID: /
API String ID: 974839352-2043925204
Opcode ID: 2e994438edc2b12a3b4ae7ab36f2bcd25206b724045477054b8a828b17dd2d2b
Instruction ID: c0efe29a73835cbee70a05ce1ede8ea4a53349d14f7937cf6a81b9f442ea7dc2
Opcode Fuzzy Hash: 2e994438edc2b12a3b4ae7ab36f2bcd25206b724045477054b8a828b17dd2d2b
Instruction Fuzzy Hash: E721D2749042059FDB00EFA8C484BAEBBF1EF49344F14989AE894AB351D378D981CF5B

Function 0048B4A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0048C500: malloc.MSVCRT ref: 0048C50B

fread.MSVCRT ref: 0048B4EF
feof.MSVCRT ref: 0048B4FD
ferror.MSVCRT ref: 0048B509
feof.MSVCRT ref: 0048B549

Strings

>Lj, xrefs: 0048B4A3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: feof$ferrorfreadmalloc
String ID: >Lj
API String ID: 2139885029-538941895
Opcode ID: 2675621022986000acddf6a6651f4929679bdaf9a8c302746db8300982746356
Instruction ID: 4202a0e9b4fb267cb371157b9110590e551b291480603d6faded4c656714eacc
Opcode Fuzzy Hash: 2675621022986000acddf6a6651f4929679bdaf9a8c302746db8300982746356
Instruction Fuzzy Hash: C021C9B0509705AED7507F76D5C562FBBE4EF40798F058C2EE5888B212E778C4448BDA

Function 00419289 Relevance: 8.8, APIs: 7, Instructions: 54COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00419298
free.MSVCRT ref: 004192B0
free.MSVCRT ref: 004192C8
free.MSVCRT ref: 004192E0
free.MSVCRT ref: 004192F8
free.MSVCRT ref: 00419310
free.MSVCRT ref: 00419328

Part of subcall function 0048AF40: free.MSVCRT ref: 0048AF5B
Part of subcall function 0048AF40: free.MSVCRT ref: 0048AF6A
Part of subcall function 0048AF40: free.MSVCRT ref: 0048AF97
Part of subcall function 0048AF40: free.MSVCRT ref: 0048AFA6
Part of subcall function 0048AF40: free.MSVCRT ref: 0048AFB5

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 637b2b9256c5a6f04a97e6bba0d10958ce23c919564bdf524328ab01f46182a0
Instruction ID: 6bf1c635eda13776ca614da713491dd5117c3cd194956a1b6fbdbaefb41a0ff4
Opcode Fuzzy Hash: 637b2b9256c5a6f04a97e6bba0d10958ce23c919564bdf524328ab01f46182a0
Instruction Fuzzy Hash: FB2105B8614704AFDB40EF68C585A597BF0BF083A4F028958FD889F362D775E9848F85

Function 004345F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004664F0: localtime.MSVCRT(?,?,?,?,?,?,?,?,?,00434609), ref: 004664FC

abort.MSVCRT ref: 00434612
strftime.MSVCRT ref: 00434634
abort.MSVCRT(?,?,?,?,?,?,?,?,?,0043467D), ref: 0043463D

Strings

2024-09-29 08:19:05, xrefs: 0043462D, 00434642
, xrefs: 00434625

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: abort$localtimestrftime
String ID: $2024-09-29 08:19:05
API String ID: 4060286791-3440902801
Opcode ID: 5e299bee61fa91567d50ae28a07b1833922bc6829eee337b994e52f7b8846c0d
Instruction ID: f9ce77136c946b7489fb427f51de89a8d6276bdf7e2af721c016dd62e31d681a
Opcode Fuzzy Hash: 5e299bee61fa91567d50ae28a07b1833922bc6829eee337b994e52f7b8846c0d
Instruction Fuzzy Hash: A7F0AC749043049ADB40FF69C04668DB7F8AF85348F01C86DE89897301E678D5848F56

Function 00417855 Relevance: 7.6, APIs: 5, Instructions: 136COMMON

Download Yara Rule

APIs

fread.MSVCRT ref: 004178DF
fclose.MSVCRT ref: 0041794D
fclose.MSVCRT ref: 00417995
feof.MSVCRT ref: 004179B8
fclose.MSVCRT ref: 004179E7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fclose$feoffread
String ID:
API String ID: 3575824699-0
Opcode ID: 0d5f716946cd4ee70f908a41e3c62a58535ce5de67a9682ebd7268ebbfffa2fc
Instruction ID: 74d0ddec3937304b6f0bd249209546b70ccf3784dbf876eabd1ba711ebe34ce0
Opcode Fuzzy Hash: 0d5f716946cd4ee70f908a41e3c62a58535ce5de67a9682ebd7268ebbfffa2fc
Instruction Fuzzy Hash: 71512FB0E082099FDB00DFA9C5856EEBBF1FF48314F20891AE494A7340D7789980CF66

Function 004324D9 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

fread.MSVCRT ref: 0043252D
ferror.MSVCRT ref: 00432571
free.MSVCRT ref: 00432584
feof.MSVCRT ref: 004325A0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: feofferrorfreadfree
String ID:
API String ID: 1625292482-0
Opcode ID: 57704f382de84700739404eb2ac0a9f69512d0e1094fa5c8ddcc60c2623ec8ad
Instruction ID: b3b76494cb22a1512182e747b18feefd2f2322fece4e4c33f4dee8a591b739dc
Opcode Fuzzy Hash: 57704f382de84700739404eb2ac0a9f69512d0e1094fa5c8ddcc60c2623ec8ad
Instruction Fuzzy Hash: 9451D174E046099BDB00DFA8C5847EEBBF1BF48314F10856AE458A7340D778AA84CF99

Function 004133F6 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strchr.MSVCRT ref: 004134CD
strchr.MSVCRT ref: 004134FA
free.MSVCRT ref: 0041353D
free.MSVCRT ref: 00413551

Strings

., xrefs: 004134EF

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrchr
String ID: .
API String ID: 3117412158-248832578
Opcode ID: bd8d72a44c2a58d56af29ce67850cde53ca6309379f9f47c5ff8a37cfaaf988e
Instruction ID: b3a7e1307010b17e98d72a08e1497f618844301e9b20bc568741e4cc7050604a
Opcode Fuzzy Hash: bd8d72a44c2a58d56af29ce67850cde53ca6309379f9f47c5ff8a37cfaaf988e
Instruction Fuzzy Hash: 3D5185B4A0060ADFDB00DFA8C585BAEBBF1FF49304F108459E554AB354D378AA85CFA5

Function 00480098 Relevance: 7.6, APIs: 5, Instructions: 101stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004800A4
memcpy.MSVCRT ref: 00480141
free.MSVCRT ref: 004801A0
free.MSVCRT ref: 004801BF
_unlink.MSVCRT ref: 004801D0

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$_unlinkmemcpystrlen
String ID:
API String ID: 622704575-0
Opcode ID: 5668909cdf17ac24ecf8ca4404784558dfde9f7dd0f7871fed2f1495a297a691
Instruction ID: cbe53c475af017e8e8676599a374aa13e9cb81624a34ab4f9e088f742daaa9e1
Opcode Fuzzy Hash: 5668909cdf17ac24ecf8ca4404784558dfde9f7dd0f7871fed2f1495a297a691
Instruction Fuzzy Hash: C7413C74914609DFCB40EFA8C8887AEBBF1AF09314F04895AE854AB350D3799A89CF55

Function 0040F84B Relevance: 7.6, APIs: 6, Instructions: 95stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F86D
free.MSVCRT ref: 0040F89F
free.MSVCRT ref: 0040F8CB

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-0
Opcode ID: 770b9ffc85ac3ba3acda6f44466006ed730831e5e1b4e300d318011ac75a284c
Instruction ID: 7abae07c37b933f45e555c917f5dbd6ccf78dc78032c4f636d506b4a31f342b4
Opcode Fuzzy Hash: 770b9ffc85ac3ba3acda6f44466006ed730831e5e1b4e300d318011ac75a284c
Instruction Fuzzy Hash: 1C41A2B4904309DFDB40EFA8C4957AEBBF0EF04304F018869E998AB391D7799945CF96

Function 00443492 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 004434EF
ferror.MSVCRT ref: 00443512
free.MSVCRT ref: 00443521

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: dbea59ea604e3e4d43c6cdd0a98158e641551b07428e0954faaaf6a4c1b5c08c
Instruction ID: 6b8c97a0c59b67f77728cbca95a11bdca06b76aab3831e0ce8c9517d9f5a85e9
Opcode Fuzzy Hash: dbea59ea604e3e4d43c6cdd0a98158e641551b07428e0954faaaf6a4c1b5c08c
Instruction Fuzzy Hash: 8931B9B4904309AFDB40EFA5C4856AEBBF0BF44755F01882EE89997340D778DA84CF46

Function 0044B5FB Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 0044B65E
ferror.MSVCRT ref: 0044B681
free.MSVCRT ref: 0044B690

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: 17608483d2bb84f3ca788853a59ab57ad8ef80258d5f337e7777108a80cab41e
Instruction ID: 89c9c861119ab1aeb4ac0468ac9ef43b595bcf6abd8af302a1bde6114df41c84
Opcode Fuzzy Hash: 17608483d2bb84f3ca788853a59ab57ad8ef80258d5f337e7777108a80cab41e
Instruction Fuzzy Hash: 783185B4908709DBEB40EF65C4847AEB7F4EF48304F01886AE89897341E778D9858F96

Function 004475A3 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 00447606
ferror.MSVCRT ref: 00447629
free.MSVCRT ref: 00447638

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: 9fc8d3d9829d7891c3e937a4d498c5e4daf8e67d39506a1d35379690804d350f
Instruction ID: 89627da46152ff55fea6ed79a2b88537cfed459153cd40d330b41d845661dddd
Opcode Fuzzy Hash: 9fc8d3d9829d7891c3e937a4d498c5e4daf8e67d39506a1d35379690804d350f
Instruction Fuzzy Hash: 7331C8B4908709DBEB40EF69C4847AEBBF5BF44354F01886EE898A7341D7389985CF46

Function 00444638 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 0044469B
ferror.MSVCRT ref: 004446BE
free.MSVCRT ref: 004446CD

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: 16a2dd953733763580db543b7f3e67b02027cff8caed754fa83dbfc39abcade0
Instruction ID: 751ec2d2c25b7f20dce7288945cebc4d45aef790d9cd8925519ad7b1ad32a3d0
Opcode Fuzzy Hash: 16a2dd953733763580db543b7f3e67b02027cff8caed754fa83dbfc39abcade0
Instruction Fuzzy Hash: 0C31D7B49087099BEB40EFA4C4457AEB7F0FF85304F01886EE898A7341D7789985CF46

Function 004476C5 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 00447728
ferror.MSVCRT ref: 0044774B
free.MSVCRT ref: 0044775A

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: a1c90d395d8d177f73aa126620af914b8d5ed9f6e757c8a438fc2a1bcb05113f
Instruction ID: 83ef2d0f02f39554e4963e2426ed250b92d7bf4208c6dd63daa4ccba2b1804a0
Opcode Fuzzy Hash: a1c90d395d8d177f73aa126620af914b8d5ed9f6e757c8a438fc2a1bcb05113f
Instruction Fuzzy Hash: 9F31C7B4909708DBEB40EFA8C4847AEB7F4BF44304F00886EE498A7341E7789985CF46

Function 0044B71D Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 00466E40: malloc.MSVCRT ref: 00466E4C

fread.MSVCRT ref: 0044B780
ferror.MSVCRT ref: 0044B7A3
free.MSVCRT ref: 0044B7B2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfreadfreemalloc
String ID:
API String ID: 2213037399-0
Opcode ID: 4ee0aa95e5fee7228a8b7cd9ed278d7b8e1f86cf0cc41cd561f5b2eabeae5f69
Instruction ID: 5c3fbbc48fd9d2facf3daa0749eaf46c98c7ac6201958495a0c385c2f2b7d06d
Opcode Fuzzy Hash: 4ee0aa95e5fee7228a8b7cd9ed278d7b8e1f86cf0cc41cd561f5b2eabeae5f69
Instruction Fuzzy Hash: C83174B4908709DBEB40EF65C4857AEB7F4FF44304F00886AE89897341E778D9858F86

Function 004335B4 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

exit.MSVCRT ref: 0043360F
exit.MSVCRT ref: 00433642
exit.MSVCRT ref: 0043367E
exit.MSVCRT ref: 004336C8
exit.MSVCRT ref: 004336FD

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exit
String ID:
API String ID: 2483651598-0
Opcode ID: 7f96208a35e1248891029813ac31be7fa2c190da685e5582e368e68713d8cca7
Instruction ID: 8a8073d4acae41a1499a12db6730b2570545f8c6ca56fb86fdec91b1cadcc59f
Opcode Fuzzy Hash: 7f96208a35e1248891029813ac31be7fa2c190da685e5582e368e68713d8cca7
Instruction Fuzzy Hash: 7131EAB05083448FD750BFA595023AABBE1AF0530AF41994EE4C49B392C7FE8584CB5A

Function 0040F053 Relevance: 7.6, APIs: 6, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F075
free.MSVCRT ref: 0040F0A7
free.MSVCRT ref: 0040F0C3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-0
Opcode ID: 969020391e904adff096306e8f472016aa938987f053c96df48453ce22c69789
Instruction ID: 2a263fb33e182c132b425f924d2e5ca61d55926580bda60aa7b14938efa6d3ca
Opcode Fuzzy Hash: 969020391e904adff096306e8f472016aa938987f053c96df48453ce22c69789
Instruction Fuzzy Hash: D33194B4D04209DFCB50EFA8C4857AEBBF1EF04314F01887AE994AB351D7789985CB96

Function 0040F23B Relevance: 7.6, APIs: 6, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F25D
free.MSVCRT ref: 0040F28F
free.MSVCRT ref: 0040F2AB

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-0
Opcode ID: 0dccf4c214a7bb8277d0f090a81ea7470aa41b0d5a926b668da0a487d0780f73
Instruction ID: 7b4265167e80660bb387846f5e20aa4e2049e692021a2f488d4a3a7082e68a18
Opcode Fuzzy Hash: 0dccf4c214a7bb8277d0f090a81ea7470aa41b0d5a926b668da0a487d0780f73
Instruction Fuzzy Hash: E23184B4D042099FDB50EFA8C0857AEBBF1EF04314F40887EE994AB351D77899858F96

Function 0064F230 Relevance: 7.6, APIs: 6, Instructions: 65stringCOMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0064F253
strlen.MSVCRT ref: 0064F280
strlen.MSVCRT ref: 0064F28A
malloc.MSVCRT ref: 0064F296
strlen.MSVCRT ref: 0064F2A7
strlen.MSVCRT ref: 0064F2B1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen$freemalloc
String ID:
API String ID: 1282205974-0
Opcode ID: f9b191c3a967ca56cb6c30f1530dc430a65cf2d3cde2ee9ba47de722decc8a61
Instruction ID: b74e56cb4b203936ad4f1c0a1203dd0adaad5ba684d850e3ed90c64b275ed15f
Opcode Fuzzy Hash: f9b191c3a967ca56cb6c30f1530dc430a65cf2d3cde2ee9ba47de722decc8a61
Instruction Fuzzy Hash: DF21A1758047108FC7A0AF69D48515EBBF5EF81320F054A2DEDA897356E37189458B83

Function 0047A42C Relevance: 7.6, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0047A4A0
free.MSVCRT ref: 0047A4BB
free.MSVCRT ref: 0047A4C9
free.MSVCRT ref: 0047A4D4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: df04787e92bf3977fbe0efff50491df031d7ce347e890ac1cfafaa0837b2f201
Instruction ID: 7f6fc7d3adb9a3684fd4b6487d09d3935042150ea652d51cbb1c90cb519ec3ed
Opcode Fuzzy Hash: df04787e92bf3977fbe0efff50491df031d7ce347e890ac1cfafaa0837b2f201
Instruction Fuzzy Hash: FF3164B4A00609DFCB40DFA8C485AAEB7F1FF48350F158859E958AB321D374ED40CB66

Function 0047D280 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

ferror.MSVCRT ref: 0047D28C
fputc.MSVCRT ref: 0047D2A2
fputc.MSVCRT ref: 0047D2CA
ferror.MSVCRT ref: 0047D2EC
_fileno.MSVCRT ref: 0047D2FB

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: ferrorfputc$_fileno
String ID:
API String ID: 3192151539-0
Opcode ID: 917c0744ca44729ff76d4dda15370c0f733d866578801d78067e17bcb6b38e2e
Instruction ID: 7963ca36a7d4390cba080d0245cf4829c175a0bade3588fd5cd594e580de2ded
Opcode Fuzzy Hash: 917c0744ca44729ff76d4dda15370c0f733d866578801d78067e17bcb6b38e2e
Instruction Fuzzy Hash: BC21A4749142059FCB40FFB9D98569DBBF0EF04310F40C92AE9A8DB351EB78D9458B4A

Function 0040A740 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 472COMMON

Download Yara Rule

APIs

Part of subcall function 00460B8C: strlen.MSVCRT ref: 00460B98

Part of subcall function 004301FE: free.MSVCRT ref: 0043020D

_chmod.MSVCRT ref: 0040ABBB
free.MSVCRT ref: 0040AC9A
free.MSVCRT ref: 0040ACCA

Part of subcall function 0047CF40: strlen.MSVCRT ref: 0047CFCA

Strings

6, xrefs: 0040ACF4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen$_chmod
String ID: 6
API String ID: 1218483711-498629140
Opcode ID: 73cd18548b771be89cb25db49d0b2903f3b321935a56ba6fa66e82c43128ad59
Instruction ID: d44139442b8aa3c41563eaf1e94316c804439dcb778418d46c7a7a7ec5f6281a
Opcode Fuzzy Hash: 73cd18548b771be89cb25db49d0b2903f3b321935a56ba6fa66e82c43128ad59
Instruction Fuzzy Hash: 3422F8B4A043458FDB10DF68D584A9ABBF1BF48304F15852AF898EB391D778D851CF2A

Function 0048B5A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23fileCOMMON

Download Yara Rule

APIs

fopen.MSVCRT ref: 0048B5B4

Part of subcall function 0048B4A0: feof.MSVCRT ref: 0048B549

fclose.MSVCRT ref: 0048B5D9

Strings

>Lj, xrefs: 0048B5A1
-Ll, xrefs: 0048B5A9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fclosefeoffopen
String ID: -Ll$>Lj
API String ID: 1582107633-3880824773
Opcode ID: ac3b157f25fdfdde00b6e444298acf8f68fdd626a3a674ab5b078a653ea76d15
Instruction ID: 77e95241bdf958cb3b1f9dc4b0ed71d1778fb7ee86fc69f708b906cde105611b
Opcode Fuzzy Hash: ac3b157f25fdfdde00b6e444298acf8f68fdd626a3a674ab5b078a653ea76d15
Instruction Fuzzy Hash: 35E01AB09097144BC750BF28958641FBAE4EF48B58F064D6EF8C89B306D678CC408BD2

Function 00466666 Relevance: 6.5, APIs: 5, Instructions: 202stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00466672
strlen.MSVCRT ref: 00466680
strchr.MSVCRT ref: 00466783
free.MSVCRT ref: 004667DF
free.MSVCRT ref: 00466800

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strchr
String ID:
API String ID: 2161346236-0
Opcode ID: a5ca42b07b0b332eb1bda6367aa7a222a4ad064eca75f36c013bb39282fc6abd
Instruction ID: 881ee802812e07cdcae6acc596adc3cc4d8b47ad92f8e32ab071326a37d6f872
Opcode Fuzzy Hash: a5ca42b07b0b332eb1bda6367aa7a222a4ad064eca75f36c013bb39282fc6abd
Instruction Fuzzy Hash: 07811674A04248CFCB10EF68C8847AEB7F1EF49314F12856BE464DB361E7789981DB5A

Function 0043A39C Relevance: 6.4, APIs: 5, Instructions: 175COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 0043A48F
memcpy.MSVCRT ref: 0043A4C7
memcpy.MSVCRT ref: 0043A51C
memcpy.MSVCRT ref: 0043A562
memcpy.MSVCRT ref: 0043A5A2

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5d3bbc39cddabb0cd8f415be2921467b09b5696671d1690e52f7636433b88e64
Instruction ID: 76ab6be8e3b995398ddc18ca7b35c780efb9cbb3b60b6dda6742eb0cc1f0b698
Opcode Fuzzy Hash: 5d3bbc39cddabb0cd8f415be2921467b09b5696671d1690e52f7636433b88e64
Instruction Fuzzy Hash: 74817DB4A0420A9FCB44DF58C5819AEBBF1FF88304F10981AF858EB350E734EA55CB56

Function 004040EA Relevance: 6.4, APIs: 5, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 0040415C
free.MSVCRT ref: 004041B1
free.MSVCRT ref: 004041C3
free.MSVCRT ref: 0040424C
free.MSVCRT ref: 0040425E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strcmp
String ID:
API String ID: 507678545-0
Opcode ID: 02afefc0a4dead14cab2b7d234294687f19ccfed5358a5a2f722d3aa55c16f9d
Instruction ID: 0314209b880bfa7965aefab8bf48d9330b8014cbfd65c81e8e1eb9470fbd4801
Opcode Fuzzy Hash: 02afefc0a4dead14cab2b7d234294687f19ccfed5358a5a2f722d3aa55c16f9d
Instruction Fuzzy Hash: 8E5195B4A047059FCB40EFA5D48569EBBF0EF88354F01C82EE9989B351E778D9818F46

Function 00531710 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

e, xrefs: 00531C0D
d, xrefs: 00531C05

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: d$e
API String ID: 0-2091896479
Opcode ID: 1738e669481e992b97892dc1dd00ebd1602f8afda7b910a3160274d552a9fcc6
Instruction ID: 8705651d6c4c4153acc9892bfdee204b33a1c85f0be5924aae9a5b3b7cf3fe81
Opcode Fuzzy Hash: 1738e669481e992b97892dc1dd00ebd1602f8afda7b910a3160274d552a9fcc6
Instruction Fuzzy Hash: B7E168716087458FD710DF68C09466AFFE0FF88358F08896EE8898B342E3B5D945CB96

Function 0040F14C Relevance: 6.3, APIs: 5, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040F189
free.MSVCRT ref: 0040F1BB
free.MSVCRT ref: 0040F1D4

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-0
Opcode ID: 5b9318574c05414045dcac178074bcc64c32adfc121d44a8e832eaa00b1ff210
Instruction ID: 61909c09539d82ab4d277844b135435545862b271f4ef5ba74da7ed50397a5f0
Opcode Fuzzy Hash: 5b9318574c05414045dcac178074bcc64c32adfc121d44a8e832eaa00b1ff210
Instruction Fuzzy Hash: 593185B4D04309DFCB50EFA8C4856AEBBF1EF08314F00886EE998A7341D77899458F96

Function 004CF0C0 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 004CF1D2

Strings

SECLEVEL=, xrefs: 004CF424
DEFAULT, xrefs: 004CF0C1
STRENGTH, xrefs: 004CF481

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strncmp
String ID: DEFAULT$SECLEVEL=$STRENGTH
API String ID: 1114863663-1671674613
Opcode ID: 32ea227b58dda6ba90265086afc670bac1354ff2cff5b4a2c30016aa7cf1b71c
Instruction ID: 17a5e4dc33fad8a1a0d9940f9703340b7d33bad675b234aaf070e37d5d0979c7
Opcode Fuzzy Hash: 32ea227b58dda6ba90265086afc670bac1354ff2cff5b4a2c30016aa7cf1b71c
Instruction Fuzzy Hash: F3C18D785083459FD7A4CF58C084B6BBBE3BB85304F58892EE8958B351D77DDC4A8B0A

Function 00525350 Relevance: 6.3, APIs: 1, Strings: 3, Instructions: 257COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 00525506

Strings

!, xrefs: 00525573
n, xrefs: 005256F1
A, xrefs: 005256E9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy
String ID: !$A$n
API String ID: 3510742995-1063879630
Opcode ID: bf48037dac0f04f895ff68b0127cf50889267ee0accfb42769105e8647f8a8ba
Instruction ID: ca227b7be8ac40626a1b427dd8b444a87e7fcf52428d572dd118c6758efface6
Opcode Fuzzy Hash: bf48037dac0f04f895ff68b0127cf50889267ee0accfb42769105e8647f8a8ba
Instruction Fuzzy Hash: 92A13AB0608B118FDB10EF25E48572ABFE1FF86314F44896DE8888B395E775D845CB92

Function 0046B810 Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

realloc.MSVCRT ref: 0046B874
memcpy.MSVCRT ref: 0046B8EB
memcpy.MSVCRT ref: 0046B9E9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memcpy$realloc
String ID:
API String ID: 3498169086-0
Opcode ID: 3dd5fd27aa0475244140fe7c2abc5db9d387265cba294067eef4e9a411db6628
Instruction ID: 25e4e0f0af3c0f02c5e5f4498a772d6cbd84119475b07d9e7cbdbf9b9d21fc16
Opcode Fuzzy Hash: 3dd5fd27aa0475244140fe7c2abc5db9d387265cba294067eef4e9a411db6628
Instruction Fuzzy Hash: 0AC19E78A00609DFCB04CF59C585AAABBF1FF58350F15C569E959DB321E338EA81CB81

Function 0060B460 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

n, xrefs: 0060B710
t, xrefs: 0060B728
P, xrefs: 0060B6B9

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: P$n$t
API String ID: 0-900248086
Opcode ID: 321a567dbbd36d83e07ca71f30b9cfaed11306467cb1d004a8b857edfdb6aa2a
Instruction ID: 101434c1dc54e0bb650a1eeabd85f089cd828d83739bdb63fc1052460786ad2c
Opcode Fuzzy Hash: 321a567dbbd36d83e07ca71f30b9cfaed11306467cb1d004a8b857edfdb6aa2a
Instruction Fuzzy Hash: 9C6103B05183059FD724AF24D48839FBBE1BF84358F118D2DE4D887391E7B99489CB52

Function 0043537A Relevance: 6.1, APIs: 4, Instructions: 148COMMON

Download Yara Rule

APIs

_fileno.MSVCRT ref: 0043539F
_read.MSVCRT ref: 00435463
free.MSVCRT ref: 0043551E
free.MSVCRT ref: 00435532

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$_fileno_read
String ID:
API String ID: 2544081419-0
Opcode ID: 5826e7909c431e709536cae9bc098acd7e58b675f3512d59643295725b3b7dc2
Instruction ID: c80407ab8e3d9d67e625f67603bdd3b745ff4088f2e6a87b829444f17b038d69
Opcode Fuzzy Hash: 5826e7909c431e709536cae9bc098acd7e58b675f3512d59643295725b3b7dc2
Instruction Fuzzy Hash: F951A5B4E046098FCB04DFA8C485BAEBBF1AF48314F158459E994EB351E778E881CB95

Function 0040D4FF Relevance: 6.1, APIs: 4, Instructions: 132stringCOMMON

Download Yara Rule

APIs

strpbrk.MSVCRT ref: 0040D51E
strlen.MSVCRT ref: 0040D53D
strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
strncmp.MSVCRT ref: 0040D682

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strcpystrlenstrncmpstrpbrk
String ID:
API String ID: 1641922644-0
Opcode ID: 26dff9fd53af1bdf8f76a88192bab8515dce6f7f54f493afcc77f3692746a484
Instruction ID: 4c09633717028b7603d32d667b1a08b2ced639035c6cad10bff597db142cb581
Opcode Fuzzy Hash: 26dff9fd53af1bdf8f76a88192bab8515dce6f7f54f493afcc77f3692746a484
Instruction Fuzzy Hash: A551B3B49083059FDB00EFA9C1516AEBBF1EF48304F14882EE898AB341D778D945DF56

Function 00402126 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040215A
memset.MSVCRT ref: 004021D5
abort.MSVCRT ref: 004022A7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memset$abort
String ID:
API String ID: 555401181-0
Opcode ID: 342784479f6f7dfef88689ee002c99257524d8c24325fefd012827274886a023
Instruction ID: 4742ae14d3f4bf0e512eadfeee0d567255e0c34e9d00a8df9cacda78cb028b19
Opcode Fuzzy Hash: 342784479f6f7dfef88689ee002c99257524d8c24325fefd012827274886a023
Instruction Fuzzy Hash: D941D5B89043059FDB50DF68C5846AABBF0FF48310F10C9AAE858AB391D778D981CF56

Function 004D8170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 95stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004D8217
strlen.MSVCRT ref: 004D827F

Strings

PRIVATE KEY, xrefs: 004D8171

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen
String ID: PRIVATE KEY
API String ID: 39653677-3918793146
Opcode ID: 6850bde1f3366bf81d08e39fe5ed23b1ea34227714df3f4863de142fc5d2792d
Instruction ID: dea473fb9499e73b70c7f5b885891c30eec5e01c0a0aebf8a838b66770893a2b
Opcode Fuzzy Hash: 6850bde1f3366bf81d08e39fe5ed23b1ea34227714df3f4863de142fc5d2792d
Instruction Fuzzy Hash: 2D316C75A087068FCB10AF69D8D426FBBE4FB89750F00482FE998C7301EB79D8458B56

Function 0041F4FB Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 0041F63B
free.MSVCRT ref: 0041FF96

Strings

-, xrefs: 0041F647
GI, xrefs: 0041F5A7

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free
String ID: -$GI
API String ID: 1294909896-3764463600
Opcode ID: 7a949826d61e7ccc000a20883232404de1c032ec69143a67d381d830ff2acf9e
Instruction ID: be910e61166184c1282237cafe1a5b6e165960512543fe0e86bd6e7daa6b4a26
Opcode Fuzzy Hash: 7a949826d61e7ccc000a20883232404de1c032ec69143a67d381d830ff2acf9e
Instruction Fuzzy Hash: DC41E974A042049FDB10EF65D4857DEBBF1BF09304F04886AE889AB351C77DD886CB5A

Function 00420174 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00420181
strlen.MSVCRT ref: 0042018E

Strings

VUUU, xrefs: 004201F5
R"j, xrefs: 004201DC

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strlen
String ID: R"j$VUUU
API String ID: 39653677-4025554640
Opcode ID: 1acc5504e87c000de7eee4ffabeccfc953b12c3228e3fd04139b68576bc925e5
Instruction ID: e2afc70438765ff70df85d60a5c0854ccb82b65826decb45b4e2884144c2b199
Opcode Fuzzy Hash: 1acc5504e87c000de7eee4ffabeccfc953b12c3228e3fd04139b68576bc925e5
Instruction Fuzzy Hash: D8313EB1A046099FDB04EF69C58278EBBF5EF88304F10C929F898DB341E674DA458B42

Function 0040E225 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040E26A
free.MSVCRT ref: 0040E2DC
free.MSVCRT ref: 0040E2EE

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

Strings

, xrefs: 0040E2CC

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID:
API String ID: 4034866347-3916222277
Opcode ID: 1a0f70a3d0b64e1ad74b9d68cea7199c0ea77c6b1c13aecd8bb1d0f8f0f26de7
Instruction ID: 080edf03632529b28ce316c5157b73fb6662ff82e7c0830075f84125d9eaa242
Opcode Fuzzy Hash: 1a0f70a3d0b64e1ad74b9d68cea7199c0ea77c6b1c13aecd8bb1d0f8f0f26de7
Instruction Fuzzy Hash: 5E2180B4D083099FDB40EFA5C5497AEBBF4BF04314F00886DE594A7380D3B896488F96

Function 0040E3EB Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 58stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040D4FF: strpbrk.MSVCRT ref: 0040D51E
Part of subcall function 0040D4FF: strlen.MSVCRT ref: 0040D53D
Part of subcall function 0040D4FF: strcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040E4F4), ref: 0040D587
Part of subcall function 0040D4FF: strncmp.MSVCRT ref: 0040D682

strlen.MSVCRT ref: 0040E433
free.MSVCRT ref: 0040E49C
free.MSVCRT ref: 0040E4AE

Strings

,, xrefs: 0040E45F

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freestrlen$strcpystrncmpstrpbrk
String ID: ,
API String ID: 4034866347-3772416878
Opcode ID: 4875fc27bffa9390a5751e94cb77b6040db72ccef224c934ad1a07695df381ca
Instruction ID: c1f315b4d1e8afb9ded99d055467b76c5d2de8ed173a437f71661900fdb02ef4
Opcode Fuzzy Hash: 4875fc27bffa9390a5751e94cb77b6040db72ccef224c934ad1a07695df381ca
Instruction Fuzzy Hash: B92192B4D0420ADFDB00EFA5C1457AEBBF1AF04314F108869E594B7341D7789A48CF96

Function 0066F5A0 Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 0066F5C5
__dllonexit.MSVCRT ref: 0066F603
_unlock.MSVCRT ref: 0066F633
_onexit.MSVCRT ref: 0066F647

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: __dllonexit_lock_onexit_unlock
String ID:
API String ID: 209411981-0
Opcode ID: 448557ca1dd2cfbdcf81c72d8946961dc32e4e1a9dcf9ceb0da74e856e2e7ca5
Instruction ID: 0dcb538493313c8bad2047058ded7d9807b082d6a3c56fb47ff16a121c433578
Opcode Fuzzy Hash: 448557ca1dd2cfbdcf81c72d8946961dc32e4e1a9dcf9ceb0da74e856e2e7ca5
Instruction Fuzzy Hash: 5D11AFB09193008BC780EFB8D48555EBBE1FF48351F409D2EE4C8D7351EA7898848B86

Function 0044333C Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0044335B
memset.MSVCRT ref: 00443376
memset.MSVCRT ref: 00443394

Strings

0, xrefs: 00443348

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memset
String ID: 0
API String ID: 2221118986-4108050209
Opcode ID: 9a3371fbc08bb2320efb9a66f5217fea2f71186ba9fe69faf010ab64a9acaf70
Instruction ID: 1a6843beecda9b036c12b300968ae350e07218c98cfa1b2940006f4a612fee06
Opcode Fuzzy Hash: 9a3371fbc08bb2320efb9a66f5217fea2f71186ba9fe69faf010ab64a9acaf70
Instruction Fuzzy Hash: 4CF062B0509304ABE700AF68C09974EBBF0AF41388F41CD4CE4889B351D7B9D9889B86

Function 0040A141 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

time.MSVCRT ref: 0040A157
free.MSVCRT ref: 0040A2ED

Strings

%s (%s) - written to stdout %s[%s], xrefs: 0040A244

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: freetime
String ID: %s (%s) - written to stdout %s[%s]
API String ID: 1332385498-177992797
Opcode ID: 50049f2b49a54382c1086fef41ad933bd30cf25daa2895565f14c4227653d992
Instruction ID: cd992a3e185eacfc30e0a8746f43b83936ba128a81b1190ff053f77791a6c81f
Opcode Fuzzy Hash: 50049f2b49a54382c1086fef41ad933bd30cf25daa2895565f14c4227653d992
Instruction Fuzzy Hash: CC6126B49083449FCB50DFA8D180B9EBBF0EF49314F10896EE894AB392D379D855CB56

Function 004241EF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

fflush.MSVCRT ref: 00424374
fflush.MSVCRT ref: 0042437F

Strings

--2024-09-29 08:19:01-- https://download.yandex.ru/yandex-pack/downloader/downloader.exe, xrefs: 00424258

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: fflush
String ID: --2024-09-29 08:19:01-- https://download.yandex.ru/yandex-pack/downloader/downloader.exe
API String ID: 497872470-910687100
Opcode ID: b891c21f041fe2174c5df9b604720f97a14e7162263b629953abb1609b50ffb8
Instruction ID: 811616238678588f616a86844f97d056cfd5f6635670f06d074cc7c86fc7556e
Opcode Fuzzy Hash: b891c21f041fe2174c5df9b604720f97a14e7162263b629953abb1609b50ffb8
Instruction Fuzzy Hash: A1412474F002158BCB00DFA9E8857AEB7F2EB88300F98C66AD844D7355E678DA45CB95

Function 004211AE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004211CB
getenv.MSVCRT ref: 00421237

Strings

@Fu, xrefs: 0042133D

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: getenvmemset
String ID: @Fu
API String ID: 2427648170-160905698
Opcode ID: 164325a2fb92b9150e8f14da321161fb5e3fbf1df651d95c20aebb15549ce4de
Instruction ID: 7a99202e98306228c4b82602ea91bc0a6e1667b51096a519d677f62a00898e17
Opcode Fuzzy Hash: 164325a2fb92b9150e8f14da321161fb5e3fbf1df651d95c20aebb15549ce4de
Instruction Fuzzy Hash: C0411670419384CBE3919F68E8593C63EE1E31535EF54C688D4912A3E2CBFF21488B5B

Function 004114C2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

9, xrefs: 00411579

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID:
String ID: 9
API String ID: 0-2366072709
Opcode ID: 2c4d8f56a7095f208754471cc3d8d4dff81a768f27379315d91e3435a4c8f075
Instruction ID: 412300ee3f83be9774a59ccb955bc4eef5c7af9eb8d8db249e088e34fd80266d
Opcode Fuzzy Hash: 2c4d8f56a7095f208754471cc3d8d4dff81a768f27379315d91e3435a4c8f075
Instruction Fuzzy Hash: 9F31A274909304ABCB10AFA9C09569DBBF1EF45304F01882EE58A9B351D7B8D9C59F8A

Function 005CB0F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 005CB187

Strings

ENV, xrefs: 005CB140

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: getenv
String ID: ENV
API String ID: 498649692-1709310067
Opcode ID: 964fc39699854814b12d10ecebe3f66be287b98df8c55680362671c3e44cfd44
Instruction ID: 79fa6a54415a39d9eb2d4a6c160f0485138a8e8fa9d56c54a012500992b59bb8
Opcode Fuzzy Hash: 964fc39699854814b12d10ecebe3f66be287b98df8c55680362671c3e44cfd44
Instruction Fuzzy Hash: 7111E471A083058FE710DF69D595A2ABBF4FB84790F08082DEA8887200E731DD44CBA2

Function 0042144C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

getenv.MSVCRT ref: 00421459
exit.MSVCRT ref: 004214CA

Strings

D4j, xrefs: 004214B3

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: exitgetenv
String ID: D4j
API String ID: 3838239448-2661255103
Opcode ID: bb3b07b06fc19e56a2a810309206d09ae93f9ce11f083a043cbb3f40febba6b2
Instruction ID: b08d63f4bff3b6f2c626c0a079d026ebc0a138e7dd3a85ae493b041b55f70fc3
Opcode Fuzzy Hash: bb3b07b06fc19e56a2a810309206d09ae93f9ce11f083a043cbb3f40febba6b2
Instruction Fuzzy Hash: BC11B3B49043189FCB00EFA5D0456AEFBF1EF49304F80C86EA899A7351D7789941CF5A

Function 00484626 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 00484658

Strings

EH, xrefs: 0048466B
EH, xrefs: 0048465D

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: abort
String ID: EH$EH
API String ID: 4206212132-1143124007
Opcode ID: 67719b3dabf38655a7a3fd5264408ad8d4603e7bd08c643ff3b4d1ee609edb2e
Instruction ID: 774e43e9fc1f0ca275cf251fc0ce1fe880004b86ccbf7194f62e25e3bbcfcea8
Opcode Fuzzy Hash: 67719b3dabf38655a7a3fd5264408ad8d4603e7bd08c643ff3b4d1ee609edb2e
Instruction Fuzzy Hash: C0F0DA7490420AAB8B00FF69C08545EBBF4AA96308F51CC1BE979E7340E37CD9459F4A

Function 00435296 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 004352AA
strchr.MSVCRT ref: 004352C7

Strings

/, xrefs: 004352BC

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: strchrstrrchr
String ID: /
API String ID: 3976189772-2043925204
Opcode ID: 4213c0de15f9e4cb033179699396065e0a5aee4ad635f512dcef2d2c41a1efe7
Instruction ID: d36c20ec37d871ea10197bbd8d626ab7eb2babad295817790a31e7f9482c9c3d
Opcode Fuzzy Hash: 4213c0de15f9e4cb033179699396065e0a5aee4ad635f512dcef2d2c41a1efe7
Instruction Fuzzy Hash: 9DE0ED70904708ABDB04AFA9C58939EB7F8AF08344F009868A4A5D7381E678D941CF46

Function 0046D7C9 Relevance: 5.2, APIs: 4, Instructions: 242stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0046D840
calloc.MSVCRT ref: 0046D8D6
strcmp.MSVCRT ref: 0046D971

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: callocmemsetstrcmp
String ID:
API String ID: 515720262-0
Opcode ID: f6e82c6615333a988c97fe6d5083ae64f1d918c9b3896d98f1e11dc6902ce298
Instruction ID: 0f11a368acdaad632c1ac94120a56225603180055a15731b18995a5d29140032
Opcode Fuzzy Hash: f6e82c6615333a988c97fe6d5083ae64f1d918c9b3896d98f1e11dc6902ce298
Instruction Fuzzy Hash: 1AA14A70E042498FDB10DF58C484BAEBBF1EF09354F148566E8A8AB351E339DD85CB96

Function 004410CB Relevance: 5.2, APIs: 4, Instructions: 154stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 004410DB
memset.MSVCRT ref: 00441210
strlen.MSVCRT ref: 00441234
memset.MSVCRT ref: 004412D1

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: memsetstrlen
String ID:
API String ID: 841943882-0
Opcode ID: 5fb7e855fa65b02f7f62f6cb986c457631bc30fab7aaef14718a49387229d470
Instruction ID: 87af1275d6617d1b1d43465a42f61a8ce342100c32c3aa2ee436d7f5caa94b52
Opcode Fuzzy Hash: 5fb7e855fa65b02f7f62f6cb986c457631bc30fab7aaef14718a49387229d470
Instruction Fuzzy Hash: CA71A374904249DFDB00EF68C485A9EBBF1FF49304F10896AE498A7351E7749A88CF56

Function 0040A5A2 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

Part of subcall function 00434D0E: strrchr.MSVCRT ref: 00434D23

free.MSVCRT ref: 0040A5C1
free.MSVCRT ref: 0040A60F
free.MSVCRT ref: 0040A669
free.MSVCRT ref: 0040A71E

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strrchr
String ID:
API String ID: 274422233-0
Opcode ID: 2bc4ce756a987293b4bdd4645ed79a6bc270aa514e8f8d11ce71549ef8c4474e
Instruction ID: d84a44be9d128ede88ef400b6ecd9853d4472d724eb76920e06b3b612a42a497
Opcode Fuzzy Hash: 2bc4ce756a987293b4bdd4645ed79a6bc270aa514e8f8d11ce71549ef8c4474e
Instruction Fuzzy Hash: F25185B49047058FCB40EF68C58566EBBF0FF48304F11892DE898AB351D778D950CB66

Function 0040F334 Relevance: 5.1, APIs: 4, Instructions: 103stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 0040F3A0
free.MSVCRT ref: 0040F3D2
free.MSVCRT ref: 0040F3EE
free.MSVCRT ref: 0040F456

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$strlen
String ID:
API String ID: 667451143-0
Opcode ID: bb7733415e9dddd495705376d1e2e24074763acb2ca9debf8bdf5502b9cde1dd
Instruction ID: 3ba40ede93f5896a3ef65ad6a5734a4f8dc87a7ce60f4c15af8a1eea008e3fe8
Opcode Fuzzy Hash: bb7733415e9dddd495705376d1e2e24074763acb2ca9debf8bdf5502b9cde1dd
Instruction Fuzzy Hash: 1241D5B4D042499EDB20DFA8C4457AEBBF0AF19314F048479E894B7781D3789989CF66

Function 004272D8 Relevance: 5.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

free.MSVCRT ref: 00427306
free.MSVCRT ref: 0042731D
free.MSVCRT ref: 00427335
memset.MSVCRT ref: 00427380

Memory Dump Source

Source File: 00000004.00000002.2129919081.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2129894893.0000000000400000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130091293.000000000067E000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130111034.0000000000680000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130132423.0000000000681000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130153464.0000000000687000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130174402.000000000068A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.000000000068B000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130187801.00000000006E2000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130265528.0000000000751000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000004.00000002.2130281737.000000000075A000.00000008.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_Xr5XVue.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 11696d5e6eae9ba1bab53ef73d143f883507d9df223ae1f02666ff48eef4f121
Instruction ID: 145e6a165ab6334dfbf9447ae0f117794e94c639310b598d9b089a8edc3033f0
Opcode Fuzzy Hash: 11696d5e6eae9ba1bab53ef73d143f883507d9df223ae1f02666ff48eef4f121
Instruction Fuzzy Hash: C6212F78A04608EFCB40DF99C484A9DBBF0FF48354F01C89AE858AB361D374A940DF45

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Temp\RarSFX0\7z.dll

C:\Users\user\AppData\Local\Temp\RarSFX0\7z.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\Xr5XVue.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\anim.gif

C:\Users\user\AppData\Local\Temp\RarSFX0\gam-page.html

C:\Users\user\AppData\Local\Temp\RarSFX0\gtea.vbs

C:\Users\user\AppData\Local\Temp\RarSFX0\gteb.vbs

C:\Users\user\AppData\Local\Temp\RarSFX0\gtec.vbs

C:\Users\user\AppData\Local\Temp\RarSFX0\icon.ico

C:\Users\user\AppData\Local\Temp\RarSFX0\icon.png

C:\Users\user\AppData\Local\Temp\RarSFX0\icons.zip

C:\Users\user\AppData\Local\Temp\RarSFX0\img\log-game.png

C:\Users\user\AppData\Local\Temp\RarSFX0\img\logo-offer.png

C:\Users\user\AppData\Local\Temp\RarSFX0\img\master-logo.png

C:\Users\user\AppData\Local\Temp\RarSFX0\img\screen-002-min.png

C:\Users\user\AppData\Local\Temp\RarSFX0\last-page.html

C:\Users\user\AppData\Local\Temp\RarSFX0\o9iQbd0.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\setup.exe

C:\Users\user\AppData\Local\Temp\RarSFX0\start.hta

Windows Analysis Report
SecuriteInfo.com.Adware.Downware.20477.12113.8703.exe

Function 0040CC30 Relevance: 21.0, APIs: 7, Strings: 5, Instructions: 41
libraryloaderCOMMON

Function 00404492 Relevance: 12.2, APIs: 8, Instructions: 249
fileCOMMON

Function 0040B47B Relevance: 95.0, APIs: 44, Strings: 10, Instructions: 543
windowsleepCOMMON

Function 0040A886 Relevance: 42.4, APIs: 18, Strings: 6, Instructions: 379
windowfilestringCOMMON

Function 0040BB93 Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 120
comwindowCOMMON

Function 0040969C Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 94
windowCOMMON

Function 004087FD Relevance: 18.2, APIs: 12, Instructions: 165
COMMON

Function 0040A66D Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176
sleepwindowCOMMON

Function 00409452 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 56
librarystringloaderCOMMON

Function 00401A97 Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 257
fileCOMMON