Edit tour

Windows Analysis Report
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Overview

General Information

Sample name:	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Analysis ID:	1525119
MD5:	07dd73909e1a74b92498058afc918ede
SHA1:	2f3f9ab4f17ccd2dfe0c4aada522b00c580c454d
SHA256:	40122c3fc307277bbcb516dce390f74f27e2f798cb351a692f820ba7d3ffd735
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

PE file has a writeable .text section

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe (PID: 6320 cmdline: "C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe" MD5: 07DD73909E1A74B92498058AFC918EDE)

cmd.exe (PID: 6520 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

explorer.exe (PID: 2536 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://5.188.87.43/29087f1d398f0eec.php", "Botnet": "meowsterioland29"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\bvhk	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\bvhk	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: cmd.exe PID: 6520	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: explorer.exe PID: 2536	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.cmd.exe.5bd00c8.8.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.cmd.exe.5bd00c8.8.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Proxy Execution Via Explorer.exe

Source: Process started

Author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative: Data: Command: C:\Windows\SysWOW64\explorer.exe, CommandLine: C:\Windows\SysWOW64\explorer.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\explorer.exe, NewProcessName: C:\Windows\SysWOW64\explorer.exe, OriginalFileName: C:\Windows\SysWOW64\explorer.exe, ParentCommandLine: C:\Windows\SysWOW64\cmd.exe, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6520, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysWOW64\explorer.exe, ProcessId: 2536, ProcessName: explorer.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.cmd.exe.5bd00c8.8.raw.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://5.188.87.43/29087f1d398f0eec.php", "Botnet": "meowsterioland29"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bvhk

ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\bvhk

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040EF10 CryptAcquireContextA,	0_2_0040EF10
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040E0F0 CryptAcquireContextA,	0_2_0040E0F0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00421430 CryptAcquireContextA,CryptAcquireContextA,	0_2_00421430
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0041F900 CryptBinaryToStringA,	0_2_0041F900

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: C:\FastCopy\src\install\Obj\ReleaseInst\setup.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source:	Binary string: wntdll.pdbUGP source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0044F978 FindFirstFileExA,

0_2_0044F978

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://5.188.87.43/29087f1d398f0eec.php

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.c
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.00000000034CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.0000000005613000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issues
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issuesVThis
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp/help/fastcopy.htm
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp/help/fastcopy_cn.htm
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jp/pro/
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://fastcopy.jpF
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

System Summary

PE file has a writeable .text section

Source: bvhk.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004136B0 NtQuerySystemInformation,		0_2_004136B0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004136B0 NtQuerySystemInformation,		0_2_004136B0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00401000	0_2_00401000
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0043F004	0_2_0043F004
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00433010	0_2_00433010
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040D0A0	0_2_0040D0A0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00439100	0_2_00439100
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0045A100	0_2_0045A100
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0044E1F9	0_2_0044E1F9
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00407189	0_2_00407189
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00418300	0_2_00418300
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0045A310	0_2_0045A310
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00453527	0_2_00453527
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00429650	0_2_00429650
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00421660	0_2_00421660
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004216E0	0_2_004216E0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00458690	0_2_00458690
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0042F730	0_2_0042F730
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00438800	0_2_00438800
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004288C0	0_2_004288C0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004588D0	0_2_004588D0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0042C8F0	0_2_0042C8F0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00459940	0_2_00459940
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00444952	0_2_00444952
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00421910	0_2_00421910
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0044DAE8	0_2_0044DAE8
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00432A80	0_2_00432A80
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00428BC0	0_2_00428BC0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00444B81	0_2_00444B81
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040CC40	0_2_0040CC40
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00439C70	0_2_00439C70
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00458CF0	0_2_00458CF0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00435D40	0_2_00435D40
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00444DDE	0_2_00444DDE
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040CE90	0_2_0040CE90
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00428F40	0_2_00428F40
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00458F50	0_2_00458F50
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0040DF70	0_2_0040DF70
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00424F30	0_2_00424F30
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00445FF0	0_2_00445FF0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0042CFA0	0_2_0042CFA0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: String function: 0043D610 appears 36 times

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: invalid certificate

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003B6D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003F14000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesetup.exe2 vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezip.exe( vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Binary or memory string: OriginalFilenamesetup.exe2 vs 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/2@0/0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

0_2_0041E410

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

File created: C:\Users\user\AppData\Local\Temp\16f361f8

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

ReversingLabs: Detection: 54%

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

String found in binary or memory: FastCopy.exeInstallFastCopy.exeopenFastCopy.lnk\%sSoftware\Microsoft\Windows\CurrentVersion\UninstallFastCopy.exeFastCopyDisplayIconFastCopyFastCopyDisplayNamesetup.exe /rUninstallStringDisplayIconDisplayVersionH.Shirouzu & FastCopy Lab, LLC.PublisherEstimatedSizeHelpLinkURLUpdateInfoURLInfoAboutpub-setup@fastcopy.jpCommentsHSToolsFastCopyPathReRegisterSparsePackageFastEx11.dll"%s\%s",%srundll32.exe/UPDATEDopen/INSTALLopenFastCopy.iniFastCopy.iniFastCopy.inito_OldDir(VirtualStore).lnk%s.obsolete%s.obsoleteto_ExeDir.lnk^(%s|%s\..+)$*...setup.exeLogmsixDocFastCopySetup path not found

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

File read: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe "C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe"
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static file information: File size 5883824 > 1048576

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\FastCopy\src\install\Obj\ReleaseInst\setup.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Source:	Binary string: wntdll.pdbUGP source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675984078.0000000003A40000.00000004.00000800.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675861480.00000000036E7000.00000004.00000020.00020000.00000000.sdmp, 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1676294574.0000000003DF1000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1875062734.0000000005720000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874819246.00000000052B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1874906293.0000000004945000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875143310.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp

Source: bvhk.1.dr

Static PE information: section name: xnyuv

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00416075 push edi; retf	0_2_00416076
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00416079 push edi; retf	0_2_0041607A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0041607D push edi; retf	0_2_0041607E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00416089 push edi; retf	0_2_0041608A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0041608D push edi; retf	0_2_0041608E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00416091 push edi; retf	0_2_00416092
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0043D2C9 push ecx; ret	0_2_0043D2DC
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0043D656 push ecx; ret	0_2_0043D669
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004158CD push cs; iretd	0_2_004158E0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415EF5 push edi; retf	0_2_00415EF6
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415EF9 push edi; retf	0_2_00415EFA
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415EFD push edi; retf	0_2_00415EFE
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415F01 push edi; retf	0_2_00415F02
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415F05 push edi; retf	0_2_00415F06
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415F09 push edi; retf	0_2_00415F0A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415F0D push edi; retf	0_2_00415F0E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00415F11 push edi; retf	0_2_00415F12

Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Static PE information: section name: .text entropy: 6.809024001288572

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\bvhk

Jump to dropped file

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\bvhk

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\SysWOW64\cmd.exe

File deleted: c:\users\user\desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Jump to behavior

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe

Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\BVHK

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

System information queried: FirmwareTableInformation

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	API/Special instruction interceptor: Address: 6CF17C44
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	API/Special instruction interceptor: Address: 6CF17945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6CF13B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: BDA317

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_004018C0 rdtsc

0_2_004018C0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

0_2_0041E410

Source: C:\Windows\SysWOW64\cmd.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\bvhk

Jump to dropped file

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-25172

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe TID: 6248

Thread sleep time: -45000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0044F978 FindFirstFileExA,

0_2_0044F978

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0043AFAB VirtualQuery,GetSystemInfo,

0_2_0043AFAB

Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware,
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Binary or memory string: NGDELLVMwareVirtualUsbNcmMicrosoftParallelsOracle

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	API call chain: ExitProcess graph end node			graph_0-25830
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	API call chain: ExitProcess graph end node			graph_0-25283

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00401A90		0_2_00401A90
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00401B00		0_2_00401B00

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_004018C0 rdtsc

0_2_004018C0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_004432E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004432E4

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0041E410 GetCurrentProcessId,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

0_2_0041E410

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004532D3 mov eax, dword ptr fs:[00000030h]	0_2_004532D3
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00447AC0 mov eax, dword ptr fs:[00000030h]	0_2_00447AC0
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_00413D80 mov eax, dword ptr fs:[00000030h]	0_2_00413D80

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_004533B6 ExitProcess,GetProcessHeap,RtlAllocateHeap,VirtualProtect,VirtualProtect,

0_2_004533B6

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_004432E4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004432E4
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0043D428 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043D428
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: 0_2_0043CB59 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043CB59

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2536, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	NtSetInformationThread: Direct from: 0x414A21	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	NtProtectVirtualMemory: Direct from: 0x6CED4389	Jump to behavior
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	NtQuerySystemInformation: Direct from: 0x4534DD	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2536 base: BD79C0 value: 55			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2536 base: 610000 value: 00			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: BD79C0			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 610000			Jump to behavior

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_004016C0 cpuid

0_2_004016C0

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: EnumSystemLocalesW,	0_2_0044C265
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_004522AA
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: EnumSystemLocalesW,	0_2_0045256D
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: EnumSystemLocalesW,	0_2_00452522
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: EnumSystemLocalesW,	0_2_00452608
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetLocaleInfoW,	0_2_0044C60A
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452695
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetLocaleInfoW,	0_2_004528E5
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00452A0E
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetLocaleInfoW,	0_2_00452B15
Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00452BE2

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Code function: 0_2_0040F620 GetLocalTime,

0_2_0040F620

Source: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 1.2.cmd.exe.5bd00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.5bd00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 1.2.cmd.exe.5bd00c8.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cmd.exe.5bd00c8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\bvhk, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	11 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Virtualization/Sandbox Evasion	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 DLL Side-Loading	311 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 File Deletion	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	54%	ReversingLabs	Win32.Spyware.Vidar

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\bvhk	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\bvhk	88%	ReversingLabs	Win32.Trojan.Stealc

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://www.symauth.com/rpa00	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	URL Reputation	safe
http://www.symauth.com/cps0(	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://5.188.87.43/29087f1d398f0eec.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sectigo.com/CPS0	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://www.vmware.com/0	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://fastcopy.jp/help/fastcopy_cn.htm	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://fastcopy.jpF	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issues	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
http://www.info-zip.org/	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.00000000034CB000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.0000000005613000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CAD000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://fastcopy.jp.https://github.com/FastCopyLab/FastCopy/issuesVThis	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
https://fastcopy.jp/pro/	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://www.vmware.com/0/	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://fastcopy.jp	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
https://fastcopy.jp/help/fastcopy.htm	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false		unknown
http://ocsp.digicert.c	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe	false	URL Reputation: safe	unknown
http://c0rl.m%L	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.symauth.com/cps0(	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675738637.0000000003521000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1874968146.000000000565B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.1875049674.0000000004CF5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl3.digicert.	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, 00000000.00000002.1675663986.0000000003402000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525119
Start date and time:	2024-10-03 17:56:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/2@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 32 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Simulations

Behavior and APIs

Time	Type	Description
11:56:57	API Interceptor	1x Sleep call for process: 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe modified
11:57:17	API Interceptor	1x Sleep call for process: cmd.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\16f361f8

Download File

Process:	C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
File Type:	data
Category:	dropped
Size (bytes):	1051621
Entropy (8bit):	7.558029440197468
Encrypted:	false
SSDEEP:	24576:sHoc64zc8Uku9hjo8r8sthbuc5h9aCHBt2fOEFP:sHB64zgBtFZP9aCHgd
MD5:	CB229F62E3491C104232D68C7F9865D8
SHA1:	923B90E0CAA7BF56CBA81E1F508572080635815F
SHA-256:	F650639502221E183DA4402A67407A1B9503ECDAEE33BF9629507D7D9C22C417
SHA-512:	C36F384A853E2B07130215FE70BF9374B177F804386EA839D0257C9F0FA5A8A7B6C548EA4F78385C06F450E0B68D4253425B1ED4AAA3D71DC479D671813C2E4A
Malicious:	false
Reputation:	low
Preview:	............................................................................................................................................................................................................................................................................................................................................................................................................................B...F..._...}...f...\|...a...s..._...N...u...a...s...b...................................[...{...h.....................................................................Q...f...a...q..................................................................[...@..{...a...<...N.......`....................................................<..."..................................

C:\Users\user\AppData\Local\Temp\bvhk

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	6.309192877646325
Encrypted:	false
SSDEEP:	6144:KlPi8WYtUokCulxMfpb7fefYxyFacU77+Uw3N/RQv8Yt9v:GHtUoH3BfQbFfI7x8/Ret9v
MD5:	B6CCE3D9BE9717453FCE377484AAE9F6
SHA1:	E0DBFB09652B692E7938149FEA2B5A59BD7F6EFB
SHA-256:	22A18B4EEA7AFD85AA75C382FB2D5115633F8726EBF3EC8AA6C4628654FCC3A1
SHA-512:	7D9215B6851298445A729B359351B65EA485E1AEA6F6529ACE0969F979CDCD062567CFB2E4E0246B587FC3A580A8E84B60E25FAED166141371092BED607A751B
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\bvhk, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\bvhk, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L....b<O......................$......i............@..........................0&...........@.................................8...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..Bxnyuv.... ....&.....................@...................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.96603032667569
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
File size:	5'883'824 bytes
MD5:	07dd73909e1a74b92498058afc918ede
SHA1:	2f3f9ab4f17ccd2dfe0c4aada522b00c580c454d
SHA256:	40122c3fc307277bbcb516dce390f74f27e2f798cb351a692f820ba7d3ffd735
SHA512:	97f66cd575203cfbd0d584475c6696b160071e95466e5dde8b71d66138108f0b4d544af24706720960509fd7fd21bef07e443995457de3805168672844901853
SSDEEP:	98304:XUd9wETbKHs4+b4EmeICxgHxC6qz1loJoYFqQ5dn6uqhAoCVtxnz+oEIWoJd:MwgbKM44YCxwxmzLOFfdrq+P/xnCoEIh
TLSH:	36563310BAF39172E46785316DBEDAF7763CB9204B3189EB71C44A2A5D700C12736B7A
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........A.../.../.../.Sj..../.Sj..G./.Sj..../.yV..../...,.../...+.../...*.../......./......./......./.....i./.../.../.&.+.../.L.&.../

File Icon


Icon Hash:	53170f85a7c14639

Static PE Info

General

Entrypoint:	0x43d24b
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66B96AE1 [Mon Aug 12 01:52:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	c3e91fbd563a72c79722e447bd1614b5

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/09/2021 01:00:00 28/09/2024 00:59:59
Subject Chain	CN="FastCopy Lab, LLC.", O="FastCopy Lab, LLC.", S=Kanagawa, C=JP
Version:	3
Thumbprint MD5:	4884797B3C472467754D6AD8388EE5DC
Thumbprint SHA-1:	A58CC15DF883AA8BC4FF4C379080672AEA3B87D7
Thumbprint SHA-256:	793062CC3862DAE80CC98B2D7F6B53998DD4D73CDE549B891DD65DA7FE96EF19
Serial:	5621CB0BB7527F9B05D2EE5399515980

Entrypoint Preview

Instruction
call 00007F6F20C97119h
jmp 00007F6F20C9692Fh
push 00000010h
push 0047DF78h
call 00007F6F20C96E64h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
mov byte ptr [ebp-19h], bl
mov dword ptr [ebp-04h], ebx
cmp ebx, dword ptr [ebp+10h]
je 00007F6F20C96ACDh
mov ecx, dword ptr [ebp+14h]
call dword ptr [0045D1F8h]
mov ecx, dword ptr [ebp+08h]
call dword ptr [ebp+14h]
mov eax, dword ptr [ebp+0Ch]
add dword ptr [ebp+08h], eax
inc ebx
mov dword ptr [ebp-20h], ebx
jmp 00007F6F20C96A92h
mov al, 01h
mov byte ptr [ebp-19h], al
mov dword ptr [ebp-04h], FFFFFFFEh
call 00007F6F20C96ACDh
mov ecx, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop esi
pop ebx
leave
retn 0014h
mov ebx, dword ptr [ebp-20h]
mov al, byte ptr [ebp-19h]
test al, al
jne 00007F6F20C96AC1h
push dword ptr [ebp+18h]
push ebx
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F6F20C96297h
ret
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [0048106Ch]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7f614	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9a000	0xc61e2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x599ab0	0x2d00
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7b6c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x7b714	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5fee0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5d000	0x1f8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x7e628	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5b6f9	0x5b800	9b06ac7fca11092ab7147c7fa76b1265	False	0.483459806181694	data	6.809024001288572	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5d000	0x23132	0x23200	a11b9fff7d5d31ece0cf62fe5ba97298	False	0.5682829181494662	data	6.431648301840321	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x81000	0x18dc4	0x4200	51ed9959914ab0debd7a2e60f5f9a40c	False	0.6928267045454546	DOS executable (block device driver by P.J)	6.882464661105504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x9a000	0xc61e2	0xc6200	1d8a88994b58be4d149db6277f5f8616	False	0.9410094637223975	data	7.89691058058585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
HJKC	0x9a4cc	0xc00fa	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Japanese	Japan	0.9613058389539865
RT_ICON	0x15a5c8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Japanese	Japan	0.18953068592057762
RT_DIALOG	0x15ae70	0x32a	data	English	United States	0.4962962962962963
RT_DIALOG	0x15b19c	0x276	data	Japanese	Japan	0.6158730158730159
RT_DIALOG	0x15b414	0x242	data	Chinese	China	0.6522491349480969
RT_DIALOG	0x15b658	0x128	data	English	United States	0.6283783783783784
RT_DIALOG	0x15b780	0x108	data	Japanese	Japan	0.6477272727272727
RT_DIALOG	0x15b888	0x118	data	Chinese	China	0.65
RT_DIALOG	0x15b9a0	0xd8	dBase III DBT, next free block index 4294901761	English	United States	0.6481481481481481
RT_DIALOG	0x15ba78	0xb4	data	Japanese	Japan	0.7
RT_DIALOG	0x15bb2c	0xb4	data	Chinese	China	0.7
RT_DIALOG	0x15bbe0	0xcc	data	English	United States	0.6617647058823529
RT_DIALOG	0x15bcac	0xb8	dBase III DBT, next free block index 4294901761	Japanese	Japan	0.7065217391304348
RT_DIALOG	0x15bd64	0xb4	dBase III DBT, next free block index 4294901761	Chinese	China	0.7166666666666667
RT_DIALOG	0x15be18	0x272	data	English	United States	0.4792332268370607
RT_DIALOG	0x15c08c	0x1de	data	Japanese	Japan	0.6213389121338913
RT_DIALOG	0x15c26c	0x19e	data	Chinese	China	0.6690821256038647
RT_DIALOG	0x15c40c	0x156	data	English	United States	0.6374269005847953
RT_DIALOG	0x15c564	0x11c	data	Japanese	Japan	0.7323943661971831
RT_DIALOG	0x15c680	0x120	data	Chinese	China	0.7152777777777778
RT_STRING	0x15c7a0	0x8b2	data	English	United States	0.2663971248876909
RT_STRING	0x15d054	0x5cc	data	Japanese	Japan	0.43194070080862534
RT_STRING	0x15d620	0x418	data	Chinese	China	0.5811068702290076
RT_STRING	0x15da38	0x9b2	data	English	United States	0.3178887993553586
RT_STRING	0x15e3ec	0x5ee	data	Japanese	Japan	0.4762845849802372
RT_STRING	0x15e9dc	0x502	data	Chinese	China	0.516380655226209
RT_GROUP_ICON	0x15eee0	0x14	data	Japanese	Japan	1.15
RT_VERSION	0x15eef4	0x3a8	data	Japanese	Japan	0.44551282051282054
RT_MANIFEST	0x15f29c	0x8cb	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2191), with CRLF line terminators	English	United States	0.31941359395824076
RT_MANIFEST	0x15fb68	0x67a	XML 1.0 document, ASCII text, with CRLF line terminators	Japanese	Japan	0.3968636911942099

Imports

DLL

Import

KERNEL32.dll

ReadFile, FindFirstFileW, FindNextFileW, WriteFile, FindClose, WaitForSingleObject, CreateFileW, DeleteFileW, CloseHandle, GetLocalTime, GetFileSize, GetSystemTimeAsFileTime, CreateDirectoryW, GetCommandLineW, GetFullPathNameW, RemoveDirectoryW, GetModuleFileNameW, GetFileAttributesW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetProcAddress, CreateProcessW, FreeLibrary, CopyFileW, SetDllDirectoryW, MoveFileW, GetEnvironmentVariableW, VirtualProtect, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, GetTempPathW, Sleep, GetLastError, SetEvent, GetVersionExA, DeleteCriticalSection, GetModuleHandleW, GetEnvironmentStringsW, GetStdHandle, WriteConsoleA, OutputDebugStringA, GetCurrentThreadId, AttachConsole, OutputDebugStringW, WriteConsoleW, GetFileType, InterlockedIncrement, GetTickCount, SetThreadLocale, SetLastError, GetCurrentProcess, GetSystemDirectoryW, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, GetUserDefaultLCID, Process32FirstW, LoadLibraryW, GetCurrentProcessId, MultiByteToWideChar, MoveFileExW, WideCharToMultiByte, ExitProcess, SetFileTime, UnmapViewOfFile, GetFileAttributesExW, CreateFileMappingA, MapViewOfFile, GetFileTime, GetModuleFileNameA, SetEndOfFile, RaiseException, CreateThread, SetUnhandledExceptionFilter, GetSystemInfo, VirtualQuery, LoadLibraryExA, GetStringTypeW, EncodePointer, DecodePointer, GetCPInfo, CompareStringW, LCMapStringW, GetLocaleInfoW, InitializeCriticalSectionAndSpinCount, CreateEventW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, ResetEvent, WaitForSingleObjectEx, UnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, InitializeSListHead, RtlUnwind, LoadLibraryExW, ExitThread, FreeLibraryAndExitThread, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, HeapReAlloc, IsValidLocale, EnumSystemLocalesW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, FreeEnvironmentStringsW, GetProcessHeap, SetStdHandle, FlushFileBuffers, GetConsoleCP, GetConsoleMode, HeapSize, SetFilePointerEx, ReadConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Japanese	Japan
English	United States
Chinese	China

Target ID:	0
Start time:	11:56:57
Start date:	03/10/2024
Path:	C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe"
Imagebase:	0x400000
File size:	5'883'824 bytes
MD5 hash:	07DD73909E1A74B92498058AFC918EDE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:56:57
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1875254375.0000000005BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:56:57
Start date:	03/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:57:09
Start date:	03/10/2024
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xaf0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000003.00000002.1874605322.0000000000611000.00000080.00000001.01000000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	960
Total number of Limit Nodes:	23

Executed Functions

Function 004533B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 004533FE
GetProcessHeap.KERNEL32(00000000,004245E4), ref: 00453423
RtlAllocateHeap.NTDLL(00000000), ref: 0045342A
VirtualProtect.KERNELBASE(0041200C,0044ABC5,0044ABC5,00000000,?,?,-00486124,?,?,?,?,-00486124,-00000065), ref: 0045347E
VirtualProtect.KERNELBASE(0041200C,?,?,?,?,-00486124,?,?,?,?,-00486124,-00000065), ref: 004534C5

Strings

EB, xrefs: 004533BC, 004533C2

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: HeapProcessProtectVirtual$AllocateExit
String ID: EB
API String ID: 2060938327-4058845024
Opcode ID: 81deea08a29ebeaec60e5c8dc44c4c48db2581d802409458ab8179689ba58cf5
Instruction ID: e0feb5c308cb3caa25c02f5ea7b49341d9319a30fb5a36ef35bdf6d2f62580cc
Opcode Fuzzy Hash: 81deea08a29ebeaec60e5c8dc44c4c48db2581d802409458ab8179689ba58cf5
Instruction Fuzzy Hash: F7317A31504605AFC715EF18EC8692ABBE9FB46386714482FF84583232DB34A94ACB58

Function 004136B0 Relevance: 1.6, APIs: 1, Instructions: 123nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00413650: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00413680

NtQuerySystemInformation.NTDLL(00000005,00000000,00040000,00040000), ref: 00413714

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocGlobalInformationQuerySystem
String ID:
API String ID: 3737350999-0
Opcode ID: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
Instruction ID: 334d9e1f443da80caadcf0951bc2f94e041f7f8f2c1830a0082dfa06546c3c02
Opcode Fuzzy Hash: af0b5cb85ebff21ad004f17c148dcb155806cd6198d72419ed993a28eb2c6b99
Instruction Fuzzy Hash: F9511EB5D00209EFCB04DF94D880AEEB7B5BF48305F10859AE915A7341D739AF81CBA5

Function 0040EF10 Relevance: 1.6, APIs: 1, Instructions: 109encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,?,00000000,00000000,00000020), ref: 0040EFC9

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AcquireContextCrypt
String ID:
API String ID: 3951991833-0
Opcode ID: a4df5b6f4ede578420179da03cefb9d23027186d0e7b98bbade146ea44e7fdde
Instruction ID: 52c321606cd04c9d9ae63dbcaf6a6a9cd6da9e296a542db86cf50ebfba805cdb
Opcode Fuzzy Hash: a4df5b6f4ede578420179da03cefb9d23027186d0e7b98bbade146ea44e7fdde
Instruction Fuzzy Hash: 4C412F719006199BDB309B65DC44BEFB7B8AF09705F0040FAE549E6291EB74AE88CF58

Function 004110F0 Relevance: 46.1, APIs: 4, Strings: 22, Instructions: 570
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::bad_exception::bad_exception.LIBCMT ref: 00411149
std::bad_exception::bad_exception.LIBCMT ref: 00411155
std::bad_exception::bad_exception.LIBCMT ref: 00411161

Part of subcall function 0041CF70: GetStdHandle.KERNEL32(000000F5,?,00411226), ref: 0041CF82
Part of subcall function 0041CF70: AttachConsole.KERNELBASE(000000FF,?,00411226), ref: 0041CF8B

Part of subcall function 00427680: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 004276D8
Part of subcall function 00427680: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004276F4

GetCommandLineW.KERNEL32(?,?,?,?,7FC866D6), ref: 00411265

Part of subcall function 0041D210: WriteConsoleW.KERNEL32(00000000,00000000,0045BC00,00000000,?,?,?,00000001), ref: 0041D2D8

Strings

/SILENT, xrefs: 0041143D
L2G, xrefs: 00411352
/DIR=, xrefs: 00411572
/SELFDELDIR, xrefs: 0041141C
RUNAS format error, xrefs: 00411994
/TEMPDIR, xrefs: 004115D3
/SELFDEL, xrefs: 004113FB
/AGREE_LICENSE, xrefs: 00411545
Unrecognized option: %s, xrefs: 004115F8
/runas=, xrefs: 004115B3
/EXTRACT64, xrefs: 004114A6
/NOPROG, xrefs: 004114D1
/NOAPP, xrefs: 0041150B
FastCopy, xrefs: 004119C0
/NODESK, xrefs: 004114EE
/SELFNAME=, xrefs: 00411594
/EXTRACT32, xrefs: 0041147F
/EXTRACT, xrefs: 0041145E
/DIR= can't be specified, xrefs: 004119C5
/NOSUBDIR, xrefs: 00411528
USAGE: /SILENT ... silent install/uninstall /DIR=<dir> ... setup/target dir /NOPROG ... no create program menu /, xrefs: 00411606
/UPDATE, xrefs: 004113BE

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: std::bad_exception::bad_exception$ConsoleFile$AttachCommandCreateHandleLineModuleNameWrite
String ID: USAGE: /SILENT ... silent install/uninstall /DIR=<dir> ... setup/target dir /NOPROG ... no create program menu /$/AGREE_LICENSE$/DIR=$/DIR= can't be specified$/EXTRACT$/EXTRACT32$/EXTRACT64$/NOAPP$/NODESK$/NOPROG$/NOSUBDIR$/SELFDEL$/SELFDELDIR$/SELFNAME=$/SILENT$/TEMPDIR$/UPDATE$/runas=$FastCopy$L2G$RUNAS format error$Unrecognized option: %s
API String ID: 1789046948-1587821655
Opcode ID: 4dc22c19c53dbdfc0d5d3c4913ed5a9b3fd340c5b8850e5b76b64ca44964e9af
Instruction ID: fc136143c7aa9bc36d5aafab948ea022e67ec151db0c769cb514499d1d4d463a
Opcode Fuzzy Hash: 4dc22c19c53dbdfc0d5d3c4913ed5a9b3fd340c5b8850e5b76b64ca44964e9af
Instruction Fuzzy Hash: 6722B5B0B407027BF7149F328D06BD6B694BF11709F14021BE91C662D2EBBEA554CADE

Function 00410DC0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetDllDirectoryW.KERNEL32(00473178), ref: 00410DCC
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00410DD8
GetCommandLineW.KERNEL32 ref: 00410DEC
_wcsstr.LIBVCRUNTIME ref: 00410DFA
_wcsstr.LIBVCRUNTIME ref: 00410E0C
_wcsstr.LIBVCRUNTIME ref: 00410E1E
_wcsstr.LIBVCRUNTIME ref: 00410E30

Part of subcall function 0041C610: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 0041C652
Part of subcall function 0041C610: _wcsrchr.LIBVCRUNTIME ref: 0041C699
Part of subcall function 0041C610: CopyFileW.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0041C6CD
Part of subcall function 0041C610: GetCommandLineW.KERNEL32(00000000), ref: 0041C723

Strings

/runas=, xrefs: 00410E06
/UPDATE, xrefs: 00410E18
/TEMPDIR, xrefs: 00410DF4

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _wcsstr$CommandDirectoryFileLine$CopyCurrentModuleName_wcsrchr
String ID: /TEMPDIR$/UPDATE$/runas=
API String ID: 777160178-2186619886
Opcode ID: a565ea5aa08682e429d3d99ddacc49cc1bbc8efe8a742dc42e0b0f05d376c862
Instruction ID: 1312d0936fbb3aa7217a0c4e00ff3c464cf7d0e78675756b8126823e94a81325
Opcode Fuzzy Hash: a565ea5aa08682e429d3d99ddacc49cc1bbc8efe8a742dc42e0b0f05d376c862
Instruction Fuzzy Hash: 5F01E532A42319178B107B779D06ADF37589E5434BF00842BFC09D2242FB9D9991C2EE

Function 00427680 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000), ref: 004276D8
CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 004276F4
CreateFileMappingA.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000), ref: 00427720
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000), ref: 0042774C
GetFileSize.KERNEL32(?,00000000), ref: 0042778F
UnmapViewOfFile.KERNEL32(00000000), ref: 00427848
CloseHandle.KERNELBASE(00000000), ref: 00427863

Strings

IP2:, xrefs: 004277F7

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: File$CreateView$CloseHandleMappingModuleNameSizeUnmap
String ID: IP2:
API String ID: 3748947118-2157472728
Opcode ID: 2a7e75b40f896a988d7817a46ed4256e8edbaae0c3b269946c3104a64653f880
Instruction ID: 49b8d75be2bc5bdf15849a1b6d06825087893c506f5fd0dc6444bad7fcb4b5d6
Opcode Fuzzy Hash: 2a7e75b40f896a988d7817a46ed4256e8edbaae0c3b269946c3104a64653f880
Instruction Fuzzy Hash: 7051F671F483249BEB20DF64DC89BAEB7B4AB05714F5002BAE609A73C0D7785E44CB49

Function 0041E7A0 Relevance: 10.6, APIs: 7, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000008,7FC866D6,?,?,?,00410F23), ref: 0041E7B8
OpenProcessToken.ADVAPI32(00000000,?,?,?,00410F23), ref: 0041E7BF
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00001000,?,?,?,00410F23), ref: 0041E7E3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00410F23,00000000,00000000,?,?,?,00410F23), ref: 0041E804
GetSidSubAuthorityCount.ADVAPI32(00410F23,?,?,?,00410F23), ref: 0041E810
GetSidSubAuthority.ADVAPI32(00410F23,?,?,?,?,00410F23), ref: 0041E820
CloseHandle.KERNELBASE(00000000,?,?,?,00410F23), ref: 0041E84D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Token$AuthorityInformationProcess$CloseCountCurrentHandleOpen
String ID:
API String ID: 3218994068-0
Opcode ID: f53529b3792091d4b465834e043f0b354b7e9122bf615d9356d2e83c22f7d879
Instruction ID: f95b51f6ea6b9aa0ae02d55705415acf64bfd0c73e3be738233d33bbd9a1a08f
Opcode Fuzzy Hash: f53529b3792091d4b465834e043f0b354b7e9122bf615d9356d2e83c22f7d879
Instruction Fuzzy Hash: 3E219639A00209BBEB20AF56DC44BEF7B79FF44715F14006AFD01A3290D7759E469B58

Function 0041D950 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
threadlibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadUILanguage.KERNELBASE(?,0041DA00,?,?), ref: 0041D97A
SetThreadLocale.KERNEL32(?,0041DA00,?,?), ref: 0041D97D
GetModuleHandleW.KERNEL32(kernel32,SetThreadUILanguage,0041DA00,?,?), ref: 0041D9A8
GetProcAddress.KERNEL32(00000000), ref: 0041D9AF

Strings

SetThreadUILanguage, xrefs: 0041D99E
kernel32, xrefs: 0041D9A3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Thread$AddressHandleLanguageLocaleModuleProc
String ID: SetThreadUILanguage$kernel32
API String ID: 1264603166-3100891507
Opcode ID: 36509777f364e2029dfe97ca6fae5fd78e3771a1fa086f2a688fb69971d4c42d
Instruction ID: 8226adeb1bb0b7e5bb304b3aed404e840e1121e419c85bdefcb58014e5e125fd
Opcode Fuzzy Hash: 36509777f364e2029dfe97ca6fae5fd78e3771a1fa086f2a688fb69971d4c42d
Instruction Fuzzy Hash: 71F0C2F19112049BD710ABBCBC45A9B3768AB1A715B15003BF60D972A1DB3AAC418B9E

Function 0044CB08 Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,004452AA,004452AA,?,?,?,0044CD59,00000001,00000001,E6E85006), ref: 0044CB62
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0044CD59,00000001,00000001,E6E85006,?,?,?), ref: 0044CBE8
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,E6E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044CCE2
__freea.LIBCMT ref: 0044CCEF

Part of subcall function 0044A52B: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044D1A0,00000000,?,?,?,?,?,?,?,?,00443073,00000000), ref: 0044A55D

__freea.LIBCMT ref: 0044CCF8
__freea.LIBCMT ref: 0044CD1D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 8d753ce1340f0af89d2a966ec4020b5b9adb12589067db4d0f9f42fdc91f469e
Instruction ID: bc5c0ab247f1ed717b33575c2fbdfaaacb328a4595e656132f737cafb658a95f
Opcode Fuzzy Hash: 8d753ce1340f0af89d2a966ec4020b5b9adb12589067db4d0f9f42fdc91f469e
Instruction Fuzzy Hash: 53510672601206ABFB258F65DCC1EBF77A9EB44754F19422EFD09E6280EB38DC40C658

Function 00411DD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000028,00000000,?,7FC866D6), ref: 00411E21

Strings

FastCopy, xrefs: 00411E92
ProgramFilesDir, xrefs: 00411E7D
FastCopy, xrefs: 00411E2C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00411E5A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FolderPathSpecial
String ID: FastCopy$FastCopy$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
API String ID: 994120019-3101997651
Opcode ID: ba487b168f45413a8825fee989b7b6a5122aa8cd4fb1a0cae90a5357bc6670bf
Instruction ID: e5671268a5fea9e4b7b1c6c723f7814d25ba322f96064cfd98a15b99f381921a
Opcode Fuzzy Hash: ba487b168f45413a8825fee989b7b6a5122aa8cd4fb1a0cae90a5357bc6670bf
Instruction Fuzzy Hash: 4121CC30A40218AFDB24DF50DC86FEAB378EB04704F40456FB909A21D1FF746A49CA99

Function 0041E890 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemFirmwareTable.KERNELBASE(52534D42,00000000,?,?,00000000,?,?,00000000,0045BF04,000000FF), ref: 0041E8BE
GetModuleHandleW.KERNEL32(kernel32,GetSystemFirmwareTable,00000000,?,?,00000000,0045BF04,000000FF), ref: 0041E8E6
GetProcAddress.KERNEL32(00000000), ref: 0041E8ED

Strings

kernel32, xrefs: 0041E8E1
GetSystemFirmwareTable, xrefs: 0041E8DC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressFirmwareHandleModuleProcSystemTable
String ID: GetSystemFirmwareTable$kernel32
API String ID: 2688943460-2548160066
Opcode ID: ee004eb549ff47bb46911af9bd7b4d9b21efb960c69a83896ef83d9e69793226
Instruction ID: c97b9269743cdf1d1aef064dce0d6cd585d022e47a57241a26c1a3ab13d5e3e3
Opcode Fuzzy Hash: ee004eb549ff47bb46911af9bd7b4d9b21efb960c69a83896ef83d9e69793226
Instruction Fuzzy Hash: BBF0C2356403009FDA10AFB9EC49B9A3754AB55B15F10003BFA09CB2A1DB39AC41AA6E

Function 0041CF70 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F5,?,00411226), ref: 0041CF82
AttachConsole.KERNELBASE(000000FF,?,00411226), ref: 0041CF8B
GetStdHandle.KERNEL32(000000F5,?,00411226), ref: 0041CFA4
GetStdHandle.KERNEL32(000000F4,?,00411226), ref: 0041CFAD

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Handle$AttachConsole
String ID:
API String ID: 3946486800-0
Opcode ID: 88bc93c7c3dc68290c0c96fe93f5429619183b7e7465b9d6f7f4fb93eb6618e3
Instruction ID: 16407302301c7395c512c237f62dbe49345b873898126d683e1e0da521be4782
Opcode Fuzzy Hash: 88bc93c7c3dc68290c0c96fe93f5429619183b7e7465b9d6f7f4fb93eb6618e3
Instruction Fuzzy Hash: 79F030319482259ECF646B3ABD445D93B95AB01735B240B3FB134C26F4E63498838B5C

Function 0044C80A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00443EA8,00000010,?,?,004452AA,00000000,?,?,00000000,00000000,?,0041D0B0,00000000,-00486124), ref: 0044C85D
LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,E6E85006,00000001,?,?), ref: 0044C87B

Strings

LCMapStringEx, xrefs: 0044C81B, 0044C825

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 053775c26a657dccb78ae0c7d16ce851a20d1d7514978fbcfebcc7645542c30a
Instruction ID: 74e22b018818250540dec4f3d024ae5c2196a676d7d7e5642fd9bf961a14b574
Opcode Fuzzy Hash: 053775c26a657dccb78ae0c7d16ce851a20d1d7514978fbcfebcc7645542c30a
Instruction Fuzzy Hash: 05018C36500209BBCF12AF90CC01EEE7F62EF08750F044026FE0525120CB768971EB99

Function 00412F90 Relevance: 4.6, APIs: 3, Instructions: 79
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,?), ref: 00412FB2

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
Instruction ID: 8b6ed7d91a51469added2a976593c8c41b361ef093895cf95e6012bd0c9d318a
Opcode Fuzzy Hash: f2ed564a57136dcdfd9afc14d4280a279a6561515fd8f8e06747ede3fd6620df
Instruction Fuzzy Hash: 1E31EA75A00108FFCB04DF98C881F9EB7B9EF49310F208199E918AB391D671AE42DB54

Function 00453441 Relevance: 4.6, APIs: 3, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 004533FE
VirtualProtect.KERNELBASE(0041200C,0044ABC5,0044ABC5,00000000,?,?,-00486124,?,?,?,?,-00486124,-00000065), ref: 0045347E
VirtualProtect.KERNELBASE(0041200C,?,?,?,?,-00486124,?,?,?,?,-00486124,-00000065), ref: 004534C5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ProtectVirtual$ExitProcess
String ID:
API String ID: 757691837-0
Opcode ID: 29053bcdf66999f559eb444738066931aeb31fea29479a80ad0c5827ff869c12
Instruction ID: 3779c1e5fe8931b58af16acdcec7b29547e3766bd6d4637068053676408edc27
Opcode Fuzzy Hash: 29053bcdf66999f559eb444738066931aeb31fea29479a80ad0c5827ff869c12
Instruction Fuzzy Hash: 24116A361041019FC709EF18EC8296E77E9FB46396318482FE84587332D735A846DB5C

Function 0040F160 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040ED60: SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000), ref: 0040ED81

CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000), ref: 0040F19E
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040F1B6
CloseHandle.KERNEL32(00000000), ref: 0040F1CC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: File$CloseCreateFolderHandlePathReadSpecial
String ID:
API String ID: 249527137-0
Opcode ID: 853e8b92e607af0e5b90fefc338658e3dde266ea588838612b1d436b8fab1b3e
Instruction ID: fa01f6cbc25e3b8cb8c3156fcf6051c3cda572213449e5ed83e981cb1644a3af
Opcode Fuzzy Hash: 853e8b92e607af0e5b90fefc338658e3dde266ea588838612b1d436b8fab1b3e
Instruction Fuzzy Hash: FB01F531A01318A7D7305A29DC45F9FB7689F48B24F100236BD18BB2D0EA349D4A46E9

Function 00413DD0 Relevance: 4.0, APIs: 2, Instructions: 995memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00413650: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00413680

Part of subcall function 00412BC0: LoadLibraryW.KERNELBASE(?), ref: 00412BF1

VirtualProtect.KERNELBASE(?,00000000,?,00000000), ref: 004149A5
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 004149D8

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ProtectVirtual$AllocGlobalLibraryLoad
String ID:
API String ID: 2510009449-0
Opcode ID: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
Instruction ID: 7d0e4552dcc845c019ba505946a745f4ca48045b8816fae346b729283b6f7aa4
Opcode Fuzzy Hash: 240aa55989c54137efdc20a0ee1ae1ca480df6d3202c4e1da627c4bf8a4fd026
Instruction Fuzzy Hash: 6D92F7B5E00208EFCB44DF98D991EEEB7B5AF88304F148199E509A7345E635AE81CF94

Function 0044FEC3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044FEE8

Strings

, xrefs: 0044FF2D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: 7afba8b55d3488ba715570c5dd0b0bed42bab5df859cfade2121e85ef12322fa
Instruction ID: f340c0cc391ca2d0465b1bddbf1d0248f1dfe2de6c54524d21e1eca9e67ccfd1
Opcode Fuzzy Hash: 7afba8b55d3488ba715570c5dd0b0bed42bab5df859cfade2121e85ef12322fa
Instruction Fuzzy Hash: B4411C7050428C9BEB228E548C84BFABBA9DB46704F1404FFE58A87143D239994ADF25

Function 0040ED60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000023,00000000), ref: 0040ED81

Strings

FastCopyLab\FastCopy\, xrefs: 0040ED88

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FolderPathSpecial
String ID: FastCopyLab\FastCopy\
API String ID: 994120019-2627472495
Opcode ID: d8ef5f93265ef5d9d734ae2ab39bac510f197aa2e39d074298dbfcec71fa741e
Instruction ID: 9d32c16395f0faa5c18dc5d241280ae51ee29f1d9a3d24980e65306043626ca6
Opcode Fuzzy Hash: d8ef5f93265ef5d9d734ae2ab39bac510f197aa2e39d074298dbfcec71fa741e
Instruction Fuzzy Hash: CA311635D0021A96CB24EB15DC85BEAB330EF54304F1009BAE82D771D1E7746EA58AC9

Function 00424120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(7FC866D6,?,?), ref: 004241C7

Strings

tapp_%d, xrefs: 004241CE

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CurrentProcess
String ID: tapp_%d
API String ID: 2050909247-297970625
Opcode ID: cdfb01d9f22fbec1b38e9e2a2087e691c8b70f2b603266fe742309b2340c3c80
Instruction ID: a9140052bc013eab3a6fdb4f78acdd1278dff2a207837cd484f9f6115e79cba6
Opcode Fuzzy Hash: cdfb01d9f22fbec1b38e9e2a2087e691c8b70f2b603266fe742309b2340c3c80
Instruction Fuzzy Hash: 72410AB0500705AFD710DF15C459B9ABBF4FF44314F10862EE4198BA80D7B9A598CFD4

Function 00410EF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000104,00000104), ref: 00410F4F

Strings

FastCopy, xrefs: 00410F33

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FileModuleName
String ID: FastCopy
API String ID: 514040917-3929645458
Opcode ID: c8863655552205c480adf680288b8279f85946f5e5d04ce576f9092bbb49eab5
Instruction ID: a78c0bfd507434f41c180f6c11f157e3f6159f7e88261d94356a3ba55a7a07c7
Opcode Fuzzy Hash: c8863655552205c480adf680288b8279f85946f5e5d04ce576f9092bbb49eab5
Instruction Fuzzy Hash: 8111C470A84308ABDB20EF65CC46BAE77B4EB04714F00066FB9159B2D1DF7859408B99

Function 00450218 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044FDEB: GetOEMCP.KERNEL32(00000000,?,?,00450074,?), ref: 0044FE16

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,004500B9,?,00000000), ref: 0045028C
GetCPInfo.KERNEL32(00000000,004500B9,?,?,?,004500B9,?,00000000), ref: 0045029F

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 48aa889f73fde5d9f53fdfd0012ca96b64e2af6ad5cbf1c911fc539f47b983da
Instruction ID: 9ecbc4e406435950a58755d66ce0bd6bd4e56992bc4aa5e0c112b3c6c0d1832e
Opcode Fuzzy Hash: 48aa889f73fde5d9f53fdfd0012ca96b64e2af6ad5cbf1c911fc539f47b983da
Instruction Fuzzy Hash: 1C5135789003459FEB208F75C8856BFBBE5EF41305F1444AFEC968A253D63C994ACB88

Function 00450057 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

Part of subcall function 00450176: _abort.LIBCMT ref: 004501A8
Part of subcall function 00450176: _free.LIBCMT ref: 004501DC

Part of subcall function 0044FDEB: GetOEMCP.KERNEL32(00000000,?,?,00450074,?), ref: 0044FE16

_free.LIBCMT ref: 004500CF
_free.LIBCMT ref: 00450105

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: a4b886dfc6446ff479558324975a859181530649fc601d7036e0eb32f265b5f2
Instruction ID: 44c8dc2519b5f1fe22a4e896b9567054afe7fd395d80bb34583fc352816edaaa
Opcode Fuzzy Hash: a4b886dfc6446ff479558324975a859181530649fc601d7036e0eb32f265b5f2
Instruction Fuzzy Hash: 8D310735800244AFEB10EFA9D481B9DB7E4EF01725F25409FFD049B2A2EB7A5D45CB18

Function 00427C70 Relevance: 3.1, APIs: 2, Instructions: 83COMMON

Download Yara Rule

APIs

CreateDialogParamW.USER32(00000000,?,00000000,00424560,0000065C), ref: 00427CD2
CreateDialogParamW.USER32(7FC866D6,?,00000000,00424560,0000065C), ref: 00427D1D

Part of subcall function 0041D060: GetTickCount.KERNEL32 ref: 0041D070
Part of subcall function 0041D060: GetCurrentThreadId.KERNEL32 ref: 0041D08A
Part of subcall function 0041D060: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0D1
Part of subcall function 0041D060: WriteConsoleA.KERNEL32(FFFFFFFF,00000000,00000000,0040D72B,00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0ED

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CreateDialogParam$ConsoleCountCurrentDebugOutputStringThreadTickWrite
String ID:
API String ID: 1709457916-0
Opcode ID: 8eb65d06854c80bd026900cf9c94b452a61a3a63b1553df82bd4c939347b2476
Instruction ID: 15598d646d01ead9bdfe16b3ae32fb22ee5f9bb3e7a8bb82bd02d538f2a138ca
Opcode Fuzzy Hash: 8eb65d06854c80bd026900cf9c94b452a61a3a63b1553df82bd4c939347b2476
Instruction Fuzzy Hash: 6321D6313186209BD325DB75B800B7B77A5EF80300F64082FE68687751D77AE841CB9C

Function 00422220 Relevance: 3.1, APIs: 2, Instructions: 73registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,7FC866D6,00000000,?,?,00000000,00000000,?,00422208,00000000,00000000,?,?,?,0040DF09,Software), ref: 0042228C
RegOpenKeyExW.KERNELBASE(?,7FC866D6,00000000,?,?,?,00422208,00000000,00000000,?,?,?,0040DF09,Software,?,80000002), ref: 004222B8

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 9bde9e4ee27e932945716a3380b01b228df06183be3dbb0729b023b0a0d5cbb5
Instruction ID: 399dd6e434088c276433afcbd2c229c9f8fe51a1f53e3ddfc47a66a9e059f6ce
Opcode Fuzzy Hash: 9bde9e4ee27e932945716a3380b01b228df06183be3dbb0729b023b0a0d5cbb5
Instruction Fuzzy Hash: 2A11E632350218BFE7258E58EC01FBB73ACEB50B10F90852EFA46D6190D7E9F9408764

Function 00413650 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 23memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00413680

Strings

J!A, xrefs: 00413654

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocGlobal
String ID: J!A
API String ID: 3761449716-252229089
Opcode ID: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction ID: f461d7ce4b7e5731e933a860296e4a626b40112df9728b4c47e7a1448f9175b1
Opcode Fuzzy Hash: 9e5e02ec3ae36198606aa10b822d832cfef97aae54456fdc6b76e3fc24730506
Instruction Fuzzy Hash: D1F022B8A14208EFCB44DF58D580999B7A5EB48360F10C299AC198B345D631EE81DB94

Function 004507FD Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044C1C2: RtlAllocateHeap.NTDLL(00000008,-00486124,00000000,?,0044A376,00000001,00000364,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124), ref: 0044C203

_free.LIBCMT ref: 00450869

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 68632b6accfa67c6589bb11ae5d599ee0574b43283875d41925a816431e9d548
Instruction ID: 59488e23db80046a0a67b0f20c4173f22cbf737649f8d2187ff4cc8a2f01a699
Opcode Fuzzy Hash: 68632b6accfa67c6589bb11ae5d599ee0574b43283875d41925a816431e9d548
Instruction Fuzzy Hash: 6B012B762003055BE3219E5A9881D5AFBD9EB85370F250A1EF58443281EA346805C6A8

Function 0044C1C2 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,-00486124,00000000,?,0044A376,00000001,00000364,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124), ref: 0044C203

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5319b87e35019527b3a171d8a0a78833a1e69add73ad36924bad9e8b93c17e8c
Instruction ID: 387ec8851bebc52b237abdb73c08da3c83a64a2c90ace65eb963f4337cd5a631
Opcode Fuzzy Hash: 5319b87e35019527b3a171d8a0a78833a1e69add73ad36924bad9e8b93c17e8c
Instruction Fuzzy Hash: 50F02B3154652056FB606B638C81A1B3744BF41B60B0C8067AC05E6241CEB8EC01869D

Function 004224B0 Relevance: 1.5, APIs: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,FFFFFFFF,00000000,00000001,?,7FC866D6,00000000,?,?,00422442,00000000,00000000,?,7FC866D6), ref: 004224D5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 8a21a867a35b328897f923b99d484d3285cd852b88006582c91d65d8edcbfa4f
Instruction ID: 2bf2986a0d2763897da3f9b84fa5c96cc7dbae943dbf720639d6e3ab8c15ec36
Opcode Fuzzy Hash: 8a21a867a35b328897f923b99d484d3285cd852b88006582c91d65d8edcbfa4f
Instruction Fuzzy Hash: 10F0FF76210209BBDB21CF94ED44EEAB7ADEB08310F00856AFD55C6250D772EA60DB94

Function 0044A52B Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044D1A0,00000000,?,?,?,?,?,?,?,?,00443073,00000000), ref: 0044A55D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f18a210d7fabcd7a56c169cf49c6ba2088eb89eb12ee893d5575ca8dc09e485e
Instruction ID: 83f9c735561bf47dce41eac88d06de404f8ef7f89711f7e17f4bc5a92a881313
Opcode Fuzzy Hash: f18a210d7fabcd7a56c169cf49c6ba2088eb89eb12ee893d5575ca8dc09e485e
Instruction Fuzzy Hash: 32E0E535180621B6FB2077268E0175B76499F417F0F190127BC04E6291CB3CDC2081EF

Function 00412BC0 Relevance: 1.5, APIs: 1, Instructions: 25libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00413650: GlobalAlloc.KERNELBASE(00000000,00000000,00000000), ref: 00413680

LoadLibraryW.KERNELBASE(?), ref: 00412BF1

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AllocGlobalLibraryLoad
String ID:
API String ID: 3361179946-0
Opcode ID: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
Instruction ID: 68c734deace97c9547bdc46c8beefb2551936a8ae2835f7f576d04a2557860a4
Opcode Fuzzy Hash: f0635a325a859858965f79386bc2292b2c6fb1dc49c835a5e9fb86d575d4b663
Instruction Fuzzy Hash: 3CE0E579E00108BBCB00DFA8DD4199D7BB89F48205F108159F90897341E531EB518791

Function 004240D0 Relevance: 1.3, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004240EE

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 12131e1421671ee0d7c940b351190fe939cc99e826fb4d5def3e21c9d5349ef3
Instruction ID: 1fcfdca611d37629bbb0df76c48111eff694d6ac6465704d07cf3cb625e86608
Opcode Fuzzy Hash: 12131e1421671ee0d7c940b351190fe939cc99e826fb4d5def3e21c9d5349ef3
Instruction Fuzzy Hash: 73E0CD7050470557D3407B66EC0A74D7BD89F44319F00062DFED8812D1FB796194876F

Non-executed Functions

Function 004216E0 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 004216FD
__aullrem.LIBCMT ref: 004217B6

Strings

"""", xrefs: 0042182A
DDDD, xrefs: 0042185C
wwww, xrefs: 004218BC
3333, xrefs: 00421842
UUUU, xrefs: 00421879

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: __aullrem
String ID: """"$3333$DDDD$UUUU$wwww
API String ID: 3758378126-1454985032
Opcode ID: 94933d7b4f6dce7e3534b43c6ce3df2fc0142a6a39d71385a232e0db3e27c205
Instruction ID: 407035f4b4803d1f953a5efa07fa5b6cb056a4ea784015299f4e1767cf74ba53
Opcode Fuzzy Hash: 94933d7b4f6dce7e3534b43c6ce3df2fc0142a6a39d71385a232e0db3e27c205
Instruction Fuzzy Hash: 72517274E002699BCF04CFA9E8916AEFBB0FF49300F14815AD915BB315D3799906CBA6

Function 00452BE2 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

Part of subcall function 0044A348: _free.LIBCMT ref: 0044A3A7
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3B4

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00452CEE
IsValidCodePage.KERNEL32(00000000), ref: 00452D49
IsValidLocale.KERNEL32(?,00000001), ref: 00452D58
GetLocaleInfoW.KERNEL32(?,00001001,00448FAA,00000040,?,004490CA,00000055,00000000,?,?,00000055,00000000), ref: 00452DA0
GetLocaleInfoW.KERNEL32(?,00001002,0044902A,00000040), ref: 00452DBF

Strings

|6F, xrefs: 00452C47

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: |6F
API String ID: 745075371-3020504566
Opcode ID: 0921e32962e1c775b5fa5a85f87d94b92a1d29e2793dd0783e4931349a4cd31a
Instruction ID: fd1fcad5380488482e06c330b428e01038e31de4d40f227e95b78bc9e51c2a7d
Opcode Fuzzy Hash: 0921e32962e1c775b5fa5a85f87d94b92a1d29e2793dd0783e4931349a4cd31a
Instruction Fuzzy Hash: E951A671900205ABDB21DFA5DD45ABF73B8BF06702F04446BED05E7252E7B89E088B69

Function 00452A0E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,00452D2D,?,00000000), ref: 00452AA7
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,00452D2D,?,00000000), ref: 00452AD0
GetACP.KERNEL32(?,?,00452D2D,?,00000000), ref: 00452AE5

Strings

ACP, xrefs: 00452A2C
OCP, xrefs: 00452A62
--E, xrefs: 00452AC5, 00452A9C

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: InfoLocale
String ID: --E$ACP$OCP
API String ID: 2299586839-3256854490
Opcode ID: 65d9bb3179b9dfd5199c6c4127b62bbd6708adde3e2c96220b0bfc25e78d7d28
Instruction ID: 9e2cb8e85154f29def903e404e974f7b4ed5372836a4c2cc1505ab20edc32e59
Opcode Fuzzy Hash: 65d9bb3179b9dfd5199c6c4127b62bbd6708adde3e2c96220b0bfc25e78d7d28
Instruction Fuzzy Hash: E221B522B00101A7DB348F54CA04A9773A6EF56B52B168467ED09D7302E7B6DE4AC398

Function 00453527 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1488COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0045366D

Strings

1#SNAN, xrefs: 0045486C
1#IND, xrefs: 00454865
1#QNAN, xrefs: 00454873
1#INF, xrefs: 0045487A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 600f6084088d5b4d5bd7b6b96aa46daa381874a7b7efd3daf6dc496d0a9f6d35
Instruction ID: 66e90d7675bf020ba9da1383151328b886b5d81187b4c7883042c8eb33c7e065
Opcode Fuzzy Hash: 600f6084088d5b4d5bd7b6b96aa46daa381874a7b7efd3daf6dc496d0a9f6d35
Instruction Fuzzy Hash: 2CD26F71E042288FDB25CE28DD407EAB3B5EB85356F1441EBD80DE7241E778AE858F45

Function 004522AA Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00448FB1,?,?,?,?,00448A08,?,00000006), ref: 0045238C
_wcschr.LIBVCRUNTIME ref: 0045241C
_wcschr.LIBVCRUNTIME ref: 0045242A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00448FB1,00000000,004490D1), ref: 004524CD

Strings

|6F, xrefs: 004522E8

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID: |6F
API String ID: 4212172061-3020504566
Opcode ID: a4e0d5d045cfdbd8fc936b155a441da6d1c9af4700e5d0b6e555782e193c2162
Instruction ID: 47768b974a1f7be17f4d854725fb541139c2bb059ba7293febe1aedf56c89812
Opcode Fuzzy Hash: a4e0d5d045cfdbd8fc936b155a441da6d1c9af4700e5d0b6e555782e193c2162
Instruction Fuzzy Hash: EA610931600205AAD724AF71CD46BAB7398EF06706F14006FFD05D7282EBBCE908C7A9

Function 004016C0 Relevance: 7.6, Strings: 6, Instructions: 129COMMON

Download Yara Rule

Strings

enti, xrefs: 00401720
Auth, xrefs: 00401715
ineI, xrefs: 004016F9
Genu, xrefs: 004016EE
cAMD, xrefs: 0040172B
ntel, xrefs: 00401704

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: Auth$Genu$cAMD$enti$ineI$ntel
API String ID: 0-1714976780
Opcode ID: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
Instruction ID: b0277bcb4c11fcf27d79857274acc09c90c07fbe13848fd3ab292745788dc46f
Opcode Fuzzy Hash: c77623a033a8abfacda9f66ad4af76de5be2dd884c722bfa4f30fc1e450f6a10
Instruction Fuzzy Hash: DD31F87BE145160BFB29B838C8853AD61839391330F2AC73BD926F36E5E87C8D814194

Function 0041E410 Relevance: 7.6, APIs: 5, Instructions: 61processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,000001A4,00000001), ref: 0041E446
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041E452
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0041E46B
Process32NextW.KERNEL32(00000000,0000022C), ref: 0041E490
CloseHandle.KERNEL32(00000000), ref: 0041E4A2

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
String ID:
API String ID: 592884611-0
Opcode ID: 7e59e4e07fd5113ef0432372c04b36a79a2f7466cb0504c185736072f3a355f3
Instruction ID: 17c18518249c65d890080ada07daeb844b3145a52f562d6ede5e5493ce8074ad
Opcode Fuzzy Hash: 7e59e4e07fd5113ef0432372c04b36a79a2f7466cb0504c185736072f3a355f3
Instruction Fuzzy Hash: 21110B35D0131897D730AB659C48BAEB768DF48725F0402A6ED09A32D1D738CD468AA8

Function 00438800 Relevance: 5.8, Strings: 4, Instructions: 781COMMON

Download Yara Rule

Strings

HH, xrefs: 00439088
iG, xrefs: 004389CA
jG, xrefs: 004389D1
@, xrefs: 00438C31

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: jG$@$HH$iG
API String ID: 0-337142849
Opcode ID: 9e7ef6276b13fb398f65526b6f150b0cd287d6ce167e23f9f9b639d24e04da9c
Instruction ID: b3eac76d8630454c087f20d8abf30efdd854582e2c8e862270af3f791f4447fd
Opcode Fuzzy Hash: 9e7ef6276b13fb398f65526b6f150b0cd287d6ce167e23f9f9b639d24e04da9c
Instruction Fuzzy Hash: 2462AE71E002598FCB18CFA8C5906ADFBF2FF89300F2491AEE855AB341DB799945CB54

Function 0040E0F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Enhanced RSA and AES Cryptographic Provider,00000018,F0000000,7FC866D6), ref: 0040E158

Strings

Microsoft Enhanced RSA and AES Cryptographic Provider, xrefs: 0040E135, 0040E14E
Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype), xrefs: 0040E12D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AcquireContextCrypt
String ID: Microsoft Enhanced RSA and AES Cryptographic Provider$Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)
API String ID: 3951991833-3432907261
Opcode ID: 7a6656eb58b83a501e88466642f7dbf7e6111671403cce33cfcdecd4d3bbad31
Instruction ID: 1f102a94f756fb90f4d2e735d5ff3e54c282a2bc969c4474a65222f9af746e08
Opcode Fuzzy Hash: 7a6656eb58b83a501e88466642f7dbf7e6111671403cce33cfcdecd4d3bbad31
Instruction Fuzzy Hash: 03916C71A002289FDF25CF65CC45BDDBBB5AF49304F0485EAEA08AB290D7749E94CF94

Function 00452695 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

Part of subcall function 0044A348: _free.LIBCMT ref: 0044A3A7
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3B4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004526E9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045273A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004527FA

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: ffaf75f295ce85e7e8ed44c0d5aab4c5dc592b649e92e1a95accec9fe31ce12b
Instruction ID: 3d18a123724a688aa2198eb0804b27019195e71889a034af333853c9d098d4de
Opcode Fuzzy Hash: ffaf75f295ce85e7e8ed44c0d5aab4c5dc592b649e92e1a95accec9fe31ce12b
Instruction Fuzzy Hash: 8761C2715402079BEB28AF65CE82B7B77A8EF05302F10417BED01D6282E7BCD949DB58

Function 004432E4 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004433DC
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004433E6
UnhandledExceptionFilter.KERNEL32(0044A0A3,?,?,?,?,?,00000000), ref: 004433F3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a165e2e838e8048909f4e95f3655495299300fee987aef41989b4ca728518909
Instruction ID: 21279b697b3e8e65d40430b440e322ac1daf376582b29af52f144de37c980351
Opcode Fuzzy Hash: a165e2e838e8048909f4e95f3655495299300fee987aef41989b4ca728518909
Instruction Fuzzy Hash: DE31D575D0122C9BCB21DF65DC8978DBBB8BF08311F5041EAE81CA6261EB349F858F48

Function 00447AC0 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0044769B,?,00447A96,0044769B,0047E1F0,0000000C,00447BED,0044769B,00000002,00000000,?,0044769B), ref: 00447AE1
TerminateProcess.KERNEL32(00000000,?,00447A96,0044769B,0047E1F0,0000000C,00447BED,0044769B,00000002,00000000,?,0044769B), ref: 00447AE8
ExitProcess.KERNEL32 ref: 00447AFA

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: f2b00bbe24a58d09a7f490b20f49f7a9752c64b9b166b5e5895f077b32f7cd32
Instruction ID: 66884d226cd6908ee03d4072582e596a491f5494560376c94c09ba5f3e314da6
Opcode Fuzzy Hash: f2b00bbe24a58d09a7f490b20f49f7a9752c64b9b166b5e5895f077b32f7cd32
Instruction Fuzzy Hash: 33E08C31404608EFEF21AF20DD09A4A3B29EF4079AF108025F805EB232DB39ED43CB58

Function 0042CFA0 Relevance: 4.2, Strings: 3, Instructions: 497COMMON

Download Yara Rule

Strings

K^G, xrefs: 0042D313
@^G, xrefs: 0042D090
@^G, xrefs: 0042D1D7

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: @^G$@^G$K^G
API String ID: 0-3667819164
Opcode ID: 42752be6ce5d7947d28470db3839fccd7a8190e57b63e787abee8166e4398b27
Instruction ID: dcb74a4bd41cfc789d610ca45eadb0594a7f0e5c919e2e6f1e3ac2b84bfba2af
Opcode Fuzzy Hash: 42752be6ce5d7947d28470db3839fccd7a8190e57b63e787abee8166e4398b27
Instruction Fuzzy Hash: 7D32F2719087419BC348DF29D88065BFBE1FFC9358F658A2EF489A7320D734A9448F86

Function 0044F978 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044FB0B

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 109dc8de3550e436c2b7cddf23ae251a75f077c561c21a25f3ae8875978694c1
Instruction ID: 7fc264c81611b34d1d28db67d4ba625c71bb72a272814525e49252ee8ba3836e
Opcode Fuzzy Hash: 109dc8de3550e436c2b7cddf23ae251a75f077c561c21a25f3ae8875978694c1
Instruction Fuzzy Hash: 1D310671900249AFEB249E79CC84EFBBBBDDB85304F1401AEF818D7251E6349D498B54

Function 0041F900 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(?,00000010,00000001,00000000,00000025), ref: 0041F925

Strings

%, xrefs: 0041F90A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: BinaryCryptString
String ID: %
API String ID: 80407269-2567322570
Opcode ID: 4a8f9aa07dbcbbb4d91ab63de4a8d1e62c372f3d263184c244958974326e12dd
Instruction ID: 63b556d1d43833baaee8f91911cb88a93a543c0edf8229bcbf6e2839a119be6e
Opcode Fuzzy Hash: 4a8f9aa07dbcbbb4d91ab63de4a8d1e62c372f3d263184c244958974326e12dd
Instruction Fuzzy Hash: 03F02471A0010873DB10EA56EC06EDF77ACCBC5724F00007FF90897240E9B15A5692D9

Function 0044C60A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,80000002,00000000,?,?,?,?,?,80000002), ref: 0044C65D

Strings

GetLocaleInfoEx, xrefs: 0044C61B, 0044C625

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 888d28e0e23220c2a2849725c9a281171a4ea3d1c12d3398a340c56cb0ea0184
Instruction ID: 43edc0971aa6edd81b901cc051b0e80189047587586467722f751319b4cbd0ce
Opcode Fuzzy Hash: 888d28e0e23220c2a2849725c9a281171a4ea3d1c12d3398a340c56cb0ea0184
Instruction Fuzzy Hash: D9F0F071B01308BBDB116F61DD02E7E7B64EF44B04F54806AFC0526291DF798D10AB9E

Function 00445FF0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1a064a515151b418c2cf71fa96124600c8b9b236f9e5624687ff340715903a
Instruction ID: ea90aa5d5f38cc1dffd3cc1aa86b068c5f0230ea2c53253f908d629e204390f9
Opcode Fuzzy Hash: aa1a064a515151b418c2cf71fa96124600c8b9b236f9e5624687ff340715903a
Instruction Fuzzy Hash: B8024D71E002199FEF14CFA9C9806AEB7F1FF49314F25826AD819E7341D735AE418B85

Function 00421430 Relevance: 3.1, APIs: 2, Instructions: 68encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(0041C54D,00000000,00000000,00000018,F0000020), ref: 004214BF
CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000003,F0000020), ref: 004214D6

Part of subcall function 00421500: EnterCriticalSection.KERNEL32(00000000,7FC866D6,?,?,?,000000FF,?,00421651), ref: 00421538
Part of subcall function 00421500: LeaveCriticalSection.KERNEL32(00000000,?,000000FF,?,00421651), ref: 00421574

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AcquireContextCriticalCryptSection$EnterLeave
String ID:
API String ID: 2201596401-0
Opcode ID: 2be582bd4a09cbb5d565e65c21fb2a05c2685d62ff5a176ecc192f6502453fb4
Instruction ID: b2c1261bb61495dd5567ecdc428636ea79b382e525775839ef03458fc5c1dc7b
Opcode Fuzzy Hash: 2be582bd4a09cbb5d565e65c21fb2a05c2685d62ff5a176ecc192f6502453fb4
Instruction Fuzzy Hash: 0511B470740214E7DB20AB69FC4AF5E335CAB25705F50417BFA09E72A0DA6999009B9D

Function 00407189 Relevance: 2.7, Instructions: 2743COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4da689ddc86d4a50b152b55c5ecd8e765e5340b7e0f36ae35751aac68e074203
Instruction ID: a95d8f68ec4771e499f0d418fb0192c977c9eda7b481b030c40ed5c459e983f3
Opcode Fuzzy Hash: 4da689ddc86d4a50b152b55c5ecd8e765e5340b7e0f36ae35751aac68e074203
Instruction Fuzzy Hash: DB23A2B390C7088FD324DEA5D882197F3E1BFD8204F4AC73DE994A7601EBB4A90596C5

Function 00435D40 Relevance: 2.0, Strings: 1, Instructions: 731COMMON

Download Yara Rule

Strings

,HH, xrefs: 0043648B

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: ,HH
API String ID: 0-2393991737
Opcode ID: 23cc3849220096b89ae33a4c2174ec2f0a3b1cbd002e59204f6e9ef4328e90e8
Instruction ID: 1ab3bd716f8b3248da6aac54cb9169068c2de84bef128864ee3165ff34426a84
Opcode Fuzzy Hash: 23cc3849220096b89ae33a4c2174ec2f0a3b1cbd002e59204f6e9ef4328e90e8
Instruction Fuzzy Hash: 06626EB0E002169FDB14CF59C5846AEBBB1BF48308F29D1AED814AB342C779D946CF94

Function 0044DAE8 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0044DAE3,?,?,00000008,?,?,00456A80,00000000), ref: 0044DD15

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c7c7725e891025eeee0acebd5be23dc516c0557d5652f40bbea13e70d5dc0789
Instruction ID: ba4724da440dbae40d750d9fbfc3a1fdb0c5861c1fde8ef59a6c5471ef90a042
Opcode Fuzzy Hash: c7c7725e891025eeee0acebd5be23dc516c0557d5652f40bbea13e70d5dc0789
Instruction Fuzzy Hash: CDB14E71A10608DFE715CF28C48AB657BE0FF45364F258659E899CF3A1C339E982CB44

Function 00433010 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

5`G, xrefs: 004332EA

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: 5`G
API String ID: 0-1352942077
Opcode ID: 4a4270c957540fcc42f8c4b305c371a67e04e3205a9f86bb1aee19d8778dbcad
Instruction ID: 29a9c21f40011ffbd936625c37afed79026650b67204ff357391fa5feafa45d5
Opcode Fuzzy Hash: 4a4270c957540fcc42f8c4b305c371a67e04e3205a9f86bb1aee19d8778dbcad
Instruction Fuzzy Hash: DF02B3B18187818BD705CF38C5416AAF7E0FF95348F14DB1EF994A7212E734A689CB46

Function 004528E5 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

Part of subcall function 0044A348: _free.LIBCMT ref: 0044A3A7
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3B4

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452939

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: a05e2808d0aad3375e9f7fdb90f75d9cab6ee2128226dbe87e470c308685cdc3
Instruction ID: 5288281195dd0558ef5a9005e13f5f075d3f741b8d8b69286eb37bb9ec8efc43
Opcode Fuzzy Hash: a05e2808d0aad3375e9f7fdb90f75d9cab6ee2128226dbe87e470c308685cdc3
Instruction Fuzzy Hash: F321B6B2600206ABDB249F65CD41BBB73A8EF05315F10017BED05D6342EBB89D44DB59

Function 0045256D Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

EnumSystemLocalesW.KERNEL32(00452695,00000001,00000000,?,00448FAA,?,00452CC2,00000000,?,?,?), ref: 004525DF

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 992056a111dffc065082c41e4972960a92f5d9580a3d9da185f032c46a74f65b
Instruction ID: 7120b1b8de8889812730e53d15dcc97e27a9f8c44bfbb35679370cc92cc5893e
Opcode Fuzzy Hash: 992056a111dffc065082c41e4972960a92f5d9580a3d9da185f032c46a74f65b
Instruction Fuzzy Hash: 8F118C372003055FDB189F39C9A167AB791FF8132AB14442EED4747B01E7B5B946C744

Function 00421660 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 004216BC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: __aullrem
String ID:
API String ID: 3758378126-0
Opcode ID: 32bcddcbb0f57876d42cc29c6b4b474e58285569bfc60d93861ade61fdd6c24f
Instruction ID: aa9f0b36cffe243bc0c383586418db659a3445d30606054d1a7220af99ce4afd
Opcode Fuzzy Hash: 32bcddcbb0f57876d42cc29c6b4b474e58285569bfc60d93861ade61fdd6c24f
Instruction Fuzzy Hash: D101AC727001186BE714CF66EC41EABB79AEFCC310F128129FD04A7241D6B1AD2197E4

Function 00452B15 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004528B3,00000000,00000000,?), ref: 00452B41

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 508c54c8c177b43912c39c81adbd80600cc7d41b7de7a6453091a89205b6e70a
Instruction ID: 1a12c9176f5697537a32963eccedf0a34c8f42e1ab969b2199ee13d6293a3aa4
Opcode Fuzzy Hash: 508c54c8c177b43912c39c81adbd80600cc7d41b7de7a6453091a89205b6e70a
Instruction Fuzzy Hash: DEF07D32A001157FDB245E65CD45BBB7768EB01315F04042FED05A3241EAB8FE45C6DC

Function 00452608 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

EnumSystemLocalesW.KERNEL32(004528E5,00000001,00000006,?,00448FAA,?,00452C86,00448FAA,?,?,?,?,?,00448FAA,?,?), ref: 00452654

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: c0ba92f636020946e6eb4993e2200f11f4c9b49ae34681ce57eac36c9584fd4a
Instruction ID: e31a53f9b0638ea960390cf4ed884842106cf75b53bf651b6960596dfb9f54be
Opcode Fuzzy Hash: c0ba92f636020946e6eb4993e2200f11f4c9b49ae34681ce57eac36c9584fd4a
Instruction Fuzzy Hash: D7F022363003045FDB246F399C91A6A7B94FF82729F05402FFD028B641D6B9AC01C608

Function 0040F620 Relevance: 1.5, APIs: 1, Instructions: 39timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,0040E79C), ref: 0040F637

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: c0058c6c02c3ed7ece96fba209971392b529757b3aa28988486f2436cf9b1a9b
Instruction ID: 8748f48d316d72b309bea25ba8209b7f6d9857cfaba0638c7c6d7617c797735c
Opcode Fuzzy Hash: c0058c6c02c3ed7ece96fba209971392b529757b3aa28988486f2436cf9b1a9b
Instruction Fuzzy Hash: 7BF01271A0410D9B8B14EF65DA418FD73A4DB58204F10457A9C0AB6191FA34AE558B95

Function 0044C265 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446FD4: EnterCriticalSection.KERNEL32(-0090B924,?,0044A0E8,?,0047E2B8,00000008,0044A1B6,-00486124,-00486124,?,-00486124,?,00000000), ref: 00446FE3

EnumSystemLocalesW.KERNEL32(0044C21F,00000001,0047E3C0,0000000C), ref: 0044C29D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4548e947f49409be8e616b4a42067fa84e2bfe5d6d6d1d5a55db095928d18e1b
Instruction ID: 5327eb8be103c97127a491e66e102bf7b25453b6e1629cb8784895e86d2b465f
Opcode Fuzzy Hash: 4548e947f49409be8e616b4a42067fa84e2bfe5d6d6d1d5a55db095928d18e1b
Instruction Fuzzy Hash: 1EF08C32A10704EFEB00EFA9DC06B5C37A1AB09324F00856AF420DB2A1CBB88941CB09

Function 00452522 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

EnumSystemLocalesW.KERNEL32(00452479,00000001,00000006,?,?,00452CE4,00448FAA,?,?,?,?,?,00448FAA,?,?,?), ref: 00452559

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 2d077b49134461ad3e177e539cf48d332caa93386e6abb78057a3192a309bd25
Instruction ID: 0aed8c12a51424d524cf40a91c63ddca23b63110a7820a4bd529b3f80c88f504
Opcode Fuzzy Hash: 2d077b49134461ad3e177e539cf48d332caa93386e6abb78057a3192a309bd25
Instruction Fuzzy Hash: D2F05536300308A7CB049F76E85566B7F90EFC2B65B0A005BEE058B252D6B9D882C754

Function 00444952 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 00444AC2

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 54c5fcd7b22ae4f7905f209de64bade0d0584be9eddac90626a81f0c70438e1a
Instruction ID: cf2fb4714997f0e74d8901a5fc95d5e32c9a3900fd6cd5eafa9670710c744ec8
Opcode Fuzzy Hash: 54c5fcd7b22ae4f7905f209de64bade0d0584be9eddac90626a81f0c70438e1a
Instruction Fuzzy Hash: 0A517BA1244A845BFF3489B884567BF67D9DBC1304F18091FD582EB382C61CED42935F

Function 004532D3 Relevance: 1.3, Strings: 1, Instructions: 21COMMON

Download Yara Rule

Strings

EB, xrefs: 004532DB

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: EB
API String ID: 0-4058845024
Opcode ID: 7e1a2460ff2deb269224f99021c263a15c4a4d124c1fb3f888e1022cddf892f6
Instruction ID: 6a93347d0772c4282ee35c739165d75ad50256c7318fdf863a9acf2e0c5f2f17
Opcode Fuzzy Hash: 7e1a2460ff2deb269224f99021c263a15c4a4d124c1fb3f888e1022cddf892f6
Instruction Fuzzy Hash: E2E0C232520A519FC7218F29C605713F7E4BF947A2F19886EEC8997612D739E948CF48

Function 00458F50 Relevance: .6, Instructions: 648COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37bf95ad1b49956eee4b7cc310841e1af362ba3954655cbc4465e83a2fdaa01d
Instruction ID: 21978241cada3e8faa305e9222fbd3e0fdc3f09c6084ed1a03195d13b451e8a2
Opcode Fuzzy Hash: 37bf95ad1b49956eee4b7cc310841e1af362ba3954655cbc4465e83a2fdaa01d
Instruction Fuzzy Hash: B842EE11319B858FC329CE7D889029AFEE26B6A100B4C8A7DE4C6D7B83D515F91DC7E1

Function 0044E1F9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdc5bdfe9c49ed7a395e3ca49c467cd3675301bdce186629b4f020360231ce4f
Instruction ID: 903373d930cefbc0880684c862f34a8c9deaadfd3342bad0587017b994e5cb52
Opcode Fuzzy Hash: fdc5bdfe9c49ed7a395e3ca49c467cd3675301bdce186629b4f020360231ce4f
Instruction Fuzzy Hash: D3323461D29F014DE7239636CD22336A248BFB73C5F15D737F81AB5AAAEB68C4834105

Function 00401000 Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction ID: a7e04f7a097b3304455a4dd99eddf1f1f0ee64f5e8ba51464e5414a710c8c8fb
Opcode Fuzzy Hash: d9e1dffb9c167f2a1bfd412aa57ca9546c7a865265bd6293c312d3add4af8ce4
Instruction Fuzzy Hash: 112264735417044BE318CF2FCC81582B3E3AFD822475F857EC926CB696EEB9A61B4548

Function 00459940 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af81b254b35d8647013b9b690b76d24c50b8a6b1e162c157e7fcb7cd7736212d
Instruction ID: 498a50be9d829e8831ad35f6c09ae71d079e3d3ba44ac3422ffbac47f2d0f2e8
Opcode Fuzzy Hash: af81b254b35d8647013b9b690b76d24c50b8a6b1e162c157e7fcb7cd7736212d
Instruction Fuzzy Hash: 9342C0716187458FC348CF29C491A5BFBE2BF8C314F86992EE59ACB251DB30E845CB46

Function 00429650 Relevance: .6, Instructions: 564COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6be13c6d50210a6142a0770867933b0d658cad41e8064490dfc23b1fa49c2e2
Instruction ID: 530754d4f5c1c5516d24a32e6a753ce913d370d41dd851942dc1186af7733544
Opcode Fuzzy Hash: d6be13c6d50210a6142a0770867933b0d658cad41e8064490dfc23b1fa49c2e2
Instruction Fuzzy Hash: 5332F872A087458BC714CF69C88061BF7F1BFD8354F458A2DF998A7311EB74E9848B82

Function 00418300 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3d2bace96df991c9bbf8eff9eee7d339d789403f64e7e5114a932755614ef60
Instruction ID: 8944b274190f983084bb251118d62b6ba1b2f020612e0515f183a3c4d8d15ef8
Opcode Fuzzy Hash: d3d2bace96df991c9bbf8eff9eee7d339d789403f64e7e5114a932755614ef60
Instruction Fuzzy Hash: CE22D471E001198BCB14DF68C9807EEF7B5FF89314F24825ED819A7391EB34AA85CB95

Function 0042C8F0 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983508a39290bbdc0a14a9c49db98bd7fe77faf2ad3763c3dd05995955e26843
Instruction ID: 130500b6a4d22b057562171bc33f9443ed13a47fc9b56b424f0c0d0916206bee
Opcode Fuzzy Hash: 983508a39290bbdc0a14a9c49db98bd7fe77faf2ad3763c3dd05995955e26843
Instruction Fuzzy Hash: 1C22CE71A083518FC748DF28D88065BFBE1BFC8358F558A2EF899A7311D774E9448B86

Function 00424F30 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e5b58d81eacbef79955eae6e9d4e4d8818c3fcfcc69c8dc50da3911740d7fd
Instruction ID: 4f3c533d27854bb29013c4462865122892f68e6eef5a7f643975abfb89382653
Opcode Fuzzy Hash: 22e5b58d81eacbef79955eae6e9d4e4d8818c3fcfcc69c8dc50da3911740d7fd
Instruction Fuzzy Hash: B1E14E30314424DFC7289F19E848F6EBBF9EF88716B60045AF586C7252CB399D42DB95

Function 00432A80 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ad68ac1da2fc48663c87777dd8f15e0f16bfcdb3b54e6391bba4fd8d785bf47
Instruction ID: 481c0593de47d68c49b2d2aa8fce330e825971d5d6cf844f408aca30eae67390
Opcode Fuzzy Hash: 2ad68ac1da2fc48663c87777dd8f15e0f16bfcdb3b54e6391bba4fd8d785bf47
Instruction Fuzzy Hash: 58F170B19097418FC705CF38C5446AAF7E0BFD9348F189B1EF999A7211E730E9858B86

Function 00439C70 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf49820fa807b94d0f106b97b3a28fc126ac1404d47f7e6d138c94fc9639a5e
Instruction ID: b9b44a9b6128aefaa2c5fbca0c869b85948a71696589cd33b57c57189b6e8441
Opcode Fuzzy Hash: caf49820fa807b94d0f106b97b3a28fc126ac1404d47f7e6d138c94fc9639a5e
Instruction Fuzzy Hash: C3F15C755082118FCB09CF18C4D48FABBF5AF69310F1A82FED8899B3A6D7359981CB51

Function 0040D0A0 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db5f5e99c0e2cf70c72e7009468d71799b76a0b68520a13dbf1203c1b9f1949
Instruction ID: 45cf9cf25b0b3925fc23d2a9fd3168d115f05b362fb3854f2dd8036e59773ccb
Opcode Fuzzy Hash: 9db5f5e99c0e2cf70c72e7009468d71799b76a0b68520a13dbf1203c1b9f1949
Instruction Fuzzy Hash: DAE19F71A208188FC708CF1DECA157973E1FB49302745416AF682E7392DB79EA21DF96

Function 0042F730 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56a3ad62dab985e4d1f37e210bd85745669cfce5f285a58ea42366cc64121319
Instruction ID: e0d62ac77eb86f1bc5b15ff5484b2044df181e0689a07b0b23c66bcf203cd096
Opcode Fuzzy Hash: 56a3ad62dab985e4d1f37e210bd85745669cfce5f285a58ea42366cc64121319
Instruction Fuzzy Hash: 70E11171A083518FC314DF28D880A5BBBF5BFC9348F554A2EF899A7321D734E9458B86

Function 00428BC0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f1277d5a8c3c77aec790d0348c111311f339a94c1985228c84a2612242991d
Instruction ID: 5b238b8cde80ef590434112ace3fa5a2e5c0623979dffe439a1a365f63646078
Opcode Fuzzy Hash: 30f1277d5a8c3c77aec790d0348c111311f339a94c1985228c84a2612242991d
Instruction Fuzzy Hash: 0E9116B2F053146BD714AA35DC90A6FB5D39BC8300F0A8A3DF86AF7345D978AD1442D5

Function 004588D0 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ea683574af7d9f6593a00d6064c240e0011c299af65a5fe7c7b800fd6a00b47
Instruction ID: f8786a4b5bd81001c1776f05b5dd212b7667d39a22995fbd3718aad53ef7704e
Opcode Fuzzy Hash: 1ea683574af7d9f6593a00d6064c240e0011c299af65a5fe7c7b800fd6a00b47
Instruction Fuzzy Hash: ACA1FF2271A6C79FC30D8E6D48405A9FF607B7610074887DEE8C5EB783C514EAA9C7E2

Function 00444B81 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f320af3f0fdc0ed27fd180fefcb6c8c8ea32900801bb2654319e2cd716b47c4
Instruction ID: d8cc1a648bebecb6fc7fb58e0bfceeae650e5e66508d4c123f76cbd44543ff5e
Opcode Fuzzy Hash: 7f320af3f0fdc0ed27fd180fefcb6c8c8ea32900801bb2654319e2cd716b47c4
Instruction Fuzzy Hash: 13614AB1640B0857FE385A6859D2BBF6394DBC1744F28091FE842DF385DA1DED42835E

Function 00444DDE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caef234aa8e12eea03f80804059b5c66a30f1319b19350332f7bd88dd02b699c
Instruction ID: 6f4318be4b52005aac0989d886fbc1682381af284dca42337812af0f45ba3c9c
Opcode Fuzzy Hash: caef234aa8e12eea03f80804059b5c66a30f1319b19350332f7bd88dd02b699c
Instruction Fuzzy Hash: 55616772200B0467FE349A685892BBF6385FBC1708F60081FE546DB782DB1DDD4A875E

Function 00439100 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f586c73bac3fe9c21d22c2ee3b6f2d9012ae9ad5994e8b1ed17511fa7dd5e76
Instruction ID: 7eb13b7df3363057bc619f5e5248791461f86ac90b34b2e5724c767d3970be86
Opcode Fuzzy Hash: 6f586c73bac3fe9c21d22c2ee3b6f2d9012ae9ad5994e8b1ed17511fa7dd5e76
Instruction Fuzzy Hash: 78919670A101259FCF18CF79DC8447EB7F1EB4A301BC681ABE945EB295C638E911CBA4

Function 00421910 Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90071b4f7eb5a335959c569701d6d625404ef65d2631da024539842673bd38d2
Instruction ID: 6355e4473cd233166006d096bf52ded002da75ce42549287f71dc62ec743fc2f
Opcode Fuzzy Hash: 90071b4f7eb5a335959c569701d6d625404ef65d2631da024539842673bd38d2
Instruction Fuzzy Hash: 9A61E672E101148BD718CF6DFC51366B3A6F7E9310F56833F8855932B0CA756D62CA89

Function 0040CC40 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af61a7bf3f62f0ad302b68cc2424a7f96668e127692df547e5c1c9c81f72b1b4
Instruction ID: 2a27d6e2c1384cf6015fdabbf1b09b088dd0ff299dc3ac48496ffe79ca38c33e
Opcode Fuzzy Hash: af61a7bf3f62f0ad302b68cc2424a7f96668e127692df547e5c1c9c81f72b1b4
Instruction Fuzzy Hash: EE615EB2B249114BC31CCB28DCA4235B7D1FF8D302705817EE916CB396DF68A960DB94

Function 0045A100 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9efb4b21a665edd337b48c14cb1081434ccb0241194add65235abc3b4e8b6ad
Instruction ID: ac695a9d5f582632563f69f71f4194d530d4c27f35c56cbe90e4b50bf67a3f58
Opcode Fuzzy Hash: e9efb4b21a665edd337b48c14cb1081434ccb0241194add65235abc3b4e8b6ad
Instruction Fuzzy Hash: 2C51E473F146104BE748CA69CC9137AB7D3ABC4315F0D857DE6AAC7282DAB8C50AC791

Function 0045A310 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63773620c1bbc958270631632036e27bc8fdf67ae08ae388996033c2d1f287e0
Instruction ID: 04ac7e4d6049e38c4eb2ce7faf3fe014ce37d57fbf1f29e6b199d7ac4d4d92ff
Opcode Fuzzy Hash: 63773620c1bbc958270631632036e27bc8fdf67ae08ae388996033c2d1f287e0
Instruction Fuzzy Hash: 12510432B193054BD708CE2DDC9126AB7C2EBC5304F08867CE986DB346DAB9D919C392

Function 0040CE90 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 824c2203f9fb1fa45b330883f59a994bf3ecff877083757ce0705eb8181a3178
Instruction ID: 035e91453429dba3eaf972e3c4f20be080e4d572245e74a254ba5e4831d6d36d
Opcode Fuzzy Hash: 824c2203f9fb1fa45b330883f59a994bf3ecff877083757ce0705eb8181a3178
Instruction Fuzzy Hash: 7351CDF5A105D18FC714CF29ECA0435BBB1BB4A30630845AAE9D197391E276EA21CF96

Function 0040DF70 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f702d432ce55b235456de9ac390bd1519cf7e68da9b3c32befe7a047617c288
Instruction ID: e4dc213016ae69c4af6d0ed308e4c648c734ae8a6830be41d569b959b516f1a8
Opcode Fuzzy Hash: 4f702d432ce55b235456de9ac390bd1519cf7e68da9b3c32befe7a047617c288
Instruction Fuzzy Hash: 2C416B719083128BC714DF2AC84565BF7E1FFC8314F144D2EE899E7280D779E9458B86

Function 00458CF0 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 366e9b7dcfd3b3b9d4a921d686b8df086239f5aec3d3387713fafe9ea38b6369
Instruction ID: 9587ee539ac28cb0e782d82634a661afbf1a3677956d4fe3cf9d4f68bc9eab75
Opcode Fuzzy Hash: 366e9b7dcfd3b3b9d4a921d686b8df086239f5aec3d3387713fafe9ea38b6369
Instruction Fuzzy Hash: 5F4130612192C69FC30E8E6D48805A6FF646F66100B4886DEECC4EF787C514D6A9C7F6

Function 00458690 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc8bd312f3e349f9dad806a753a52897bfbf746fa31be2927ab33105536cb1f1
Instruction ID: 1bc64aafb0f17a8802c48e0dba6faf43848a2ec450e7c7b4812ce4b7386397f8
Opcode Fuzzy Hash: cc8bd312f3e349f9dad806a753a52897bfbf746fa31be2927ab33105536cb1f1
Instruction Fuzzy Hash: E23164612092D29FC71A8E6D48816A6FF64AF66200B4C87DEECC49F787C114D5A8C7F5

Function 00428F40 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aecfbb0000b8596a95327721a81862697d11fb05f9d644a732aea48e48d4a968
Instruction ID: 7afe4be8484a056bea242e53f4c35833cb7deafc585f3aae0342aac50de08b1c
Opcode Fuzzy Hash: aecfbb0000b8596a95327721a81862697d11fb05f9d644a732aea48e48d4a968
Instruction Fuzzy Hash: F731D472A083009FC748CF2DD88561AF7E5AFC8318F498A2EB999D7351D730D9448B86

Function 00401B00 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11eebb7cfaba661fed68b8ce840fa2932926899e4130be5df7d846f9ec35b48f
Instruction ID: eed80fb6a54759ab7018dd1e656627b4d7db3862adad2f39b09debb5e65cf281
Opcode Fuzzy Hash: 11eebb7cfaba661fed68b8ce840fa2932926899e4130be5df7d846f9ec35b48f
Instruction Fuzzy Hash: 1201AD323083134FC7008E3C9A40796BBE5EB96364F15467AE40AE3255E375AD15C790

Function 00401A90 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b8f637df2607be9020db41d03dd8198541e46f60173560b77d50ac6b1b40836
Instruction ID: ebab065df887caa0ee3f39f4d58ced73b40ca3d93af9aad11e8cb252812dba09
Opcode Fuzzy Hash: 6b8f637df2607be9020db41d03dd8198541e46f60173560b77d50ac6b1b40836
Instruction Fuzzy Hash: 1EF0B4322053124FD300CE29D640653FBE9EBA6364F11057AF00AD3256C3B59D11CBD0

Function 004288C0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 064a24ab1cfdd551d807013aefb0a81b7e6aa21002605d6b14b430a091fcdaf8
Instruction ID: ea8b19540ea35ca10510ced1c198cb5a7d6191b47b8d0a5b87022a85f42c974a
Opcode Fuzzy Hash: 064a24ab1cfdd551d807013aefb0a81b7e6aa21002605d6b14b430a091fcdaf8
Instruction Fuzzy Hash: BBE09233A042212B635CD935DC62CBF658687C8210F05CB2EB80392184C8646C1582D6

Function 004018C0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bfa0e5758767135c03b9cfa7ebf1cfc6a497a7f4626eb04003b2b0c40fd88f
Instruction ID: 61d1875f842735be8a05241bd4e7e21cba1aa0ea045287040abfd64e4b205b3d
Opcode Fuzzy Hash: e5bfa0e5758767135c03b9cfa7ebf1cfc6a497a7f4626eb04003b2b0c40fd88f
Instruction Fuzzy Hash: 54D0C27B4051005ADA01D928ED51822B3A1F7E2720F48CD39E081F2124D63D8614A129

Function 00413D80 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595

Function 0041C8C0 Relevance: 31.7, APIs: 3, Strings: 15, Instructions: 198processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0041CB1D
CloseHandle.KERNEL32(?), ref: 0041CB33
CloseHandle.KERNEL32(?), ref: 0041CB3B

Strings

cd "%s", xrefs: 0041CA0E
del /q "%s", xrefs: 0041CA3E
tlib, xrefs: 0041C99A
:END, xrefs: 0041CA8C
if %%i%% gtr 10 goto END, xrefs: 0041CA6C
D, xrefs: 0041CAB5
set i=0, xrefs: 0041CA1C
ping 127.0.0.1 -n 2, xrefs: 0041CA32
rd /q "%s", xrefs: 0041CA53
cmd.exe /c "%s", xrefs: 0041CAE9
deldir.bat, xrefs: 0041C9D3
set /a i=i+1, xrefs: 0041CA61
rd /s /q "%s", xrefs: 0041CA9E
if exist "%s" goto LOOP, xrefs: 0041CA7E
:LOOP, xrefs: 0041CA27

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: del /q "%s"$ if %%i%% gtr 10 goto END$ if exist "%s" goto LOOP$ ping 127.0.0.1 -n 2$ rd /q "%s"$ set /a i=i+1$:END$:LOOP$D$cd "%s"$cmd.exe /c "%s"$deldir.bat$rd /s /q "%s"$set i=0$tlib
API String ID: 2922976086-2169007383
Opcode ID: 957af1b8c44c711ea2ba51c34fa336142b5a7d040021e4bbc8a6185a0d74a8be
Instruction ID: 0c0a0788314b7d43f73b850e442758857e74c2a2b0256311aba6ef8d3d72745b
Opcode Fuzzy Hash: 957af1b8c44c711ea2ba51c34fa336142b5a7d040021e4bbc8a6185a0d74a8be
Instruction Fuzzy Hash: 1851BC71E4021876DB20E611AC43FEE73685F55704F5441ABB90CB6182FBBC6BC58AAE

Function 0041CB70 Relevance: 29.9, APIs: 3, Strings: 14, Instructions: 179processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,00000044,?), ref: 0041CD84
CloseHandle.KERNEL32(?), ref: 0041CD9A
CloseHandle.KERNEL32(?), ref: 0041CDA2

Strings

del /q "%s", xrefs: 0041CCC0
tlib, xrefs: 0041CC1C
ping 127.0.0.1 -n 2, xrefs: 0041CCB4
D, xrefs: 0041CD1C
if %%i%% gtr 10 goto END, xrefs: 0041CCD9
cmd.exe /c "%s", xrefs: 0041CD50
deldir.bat, xrefs: 0041CC55
cd "%s", xrefs: 0041CC90
set i=0, xrefs: 0041CC9E
:LOOP, xrefs: 0041CCA9
set /a i=i+1, xrefs: 0041CCCE
if exist "%s" goto LOOP, xrefs: 0041CCE5
rd /s /q "%s", xrefs: 0041CD05
:END, xrefs: 0041CCF3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: del /q "%s"$ if %%i%% gtr 10 goto END$ if exist "%s" goto LOOP$ ping 127.0.0.1 -n 2$ set /a i=i+1$:END$:LOOP$D$cd "%s"$cmd.exe /c "%s"$deldir.bat$rd /s /q "%s"$set i=0$tlib
API String ID: 2922976086-3055506515
Opcode ID: db24526b645a2aed3e8b58a1a2b4cc5f31dd18a6ab88ae33cd65acc0b10ebcef
Instruction ID: 1c2cf7d3615497df17d0d6b673d952ef88d997ce94ddaae7b008e3619ffc8289
Opcode Fuzzy Hash: db24526b645a2aed3e8b58a1a2b4cc5f31dd18a6ab88ae33cd65acc0b10ebcef
Instruction Fuzzy Hash: 1351DB75E8021876D720E611AC43FEA766C9F55704F1041ABF90CB1182EBBC6BC48BED

Function 0041C610 Relevance: 28.2, APIs: 13, Strings: 3, Instructions: 190filesleepprocessCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 0041C652
_wcsrchr.LIBVCRUNTIME ref: 0041C699
CopyFileW.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0041C6CD
GetCommandLineW.KERNEL32(00000000), ref: 0041C723
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000040), ref: 0041C80F
WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000040), ref: 0041C823
CloseHandle.KERNEL32(?,?,?,00000040), ref: 0041C833
CloseHandle.KERNEL32(?,?,?,00000040), ref: 0041C839
GetFileAttributesW.KERNEL32(?,?,?,00000040), ref: 0041C84B
DeleteFileW.KERNEL32(?,?,?,00000040), ref: 0041C85A
GetFileAttributesW.KERNEL32(?,?,?,00000040), ref: 0041C868
RemoveDirectoryW.KERNEL32(?,?,?,00000040), ref: 0041C877
Sleep.KERNEL32(000001F4,?,?,00000040), ref: 0041C882

Strings

/TEMPDIR, xrefs: 0041C7AE
"%s", xrefs: 0041C6FA
D, xrefs: 0041C7CE

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: File$AttributesCloseHandle$CommandCopyCreateDeleteDirectoryLineModuleNameObjectProcessRemoveSingleSleepWait_wcsrchr
String ID: "%s"$/TEMPDIR$D
API String ID: 2101136283-116382730
Opcode ID: 5a63c2984293973916a19ff6f51b608704b562aa10cc16e3d24518d2153c2716
Instruction ID: 92ebca56a36d1a779d2a7cd5b6707c3296d293630c0e77e40aa1c4bf15cedfcf
Opcode Fuzzy Hash: 5a63c2984293973916a19ff6f51b608704b562aa10cc16e3d24518d2153c2716
Instruction Fuzzy Hash: 466180B29043409BD720EB64DC89BDB73E8AF84719F40093EF649D21D1EB74D549CB96

Function 00446BF5 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00446C65
_free.LIBCMT ref: 00446C7B
_free.LIBCMT ref: 00446C8C
_free.LIBCMT ref: 00446C9D
_free.LIBCMT ref: 00446CB4
GetCPInfo.KERNEL32(?,?), ref: 00446CFC

Part of subcall function 0044CF4A: _free.LIBCMT ref: 0044CFB5

_free.LIBCMT ref: 00446EA8
_free.LIBCMT ref: 00446EBB
_free.LIBCMT ref: 00446EC9
_free.LIBCMT ref: 00446ED4
_free.LIBCMT ref: 00446F16
_free.LIBCMT ref: 00446F1E
_free.LIBCMT ref: 00446F26
_free.LIBCMT ref: 00446F2E
_free.LIBCMT ref: 00446F3C

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 36082e3037333ac212b2ddb4424394586568033ae9371a7943febd965f4be8a2
Instruction ID: 9b67b2d0f7a3248fa6c24f03dec9c2a90cadc772078b91b9fd60ca32160ee64a
Opcode Fuzzy Hash: 36082e3037333ac212b2ddb4424394586568033ae9371a7943febd965f4be8a2
Instruction Fuzzy Hash: 3DB1AE719002059FEB21DF69C881BEEBBF5BF09304F14406EF998A7242DB79AC458B65

Function 00427380 Relevance: 19.7, APIs: 13, Instructions: 185fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041DD80: CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDC4
Part of subcall function 0041DD80: GetLastError.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDD1
Part of subcall function 0041DD80: CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DE1A
Part of subcall function 0041DD80: SetLastError.KERNEL32(00000000), ref: 0041DE28

GetLastError.KERNEL32(?,7FC866D6), ref: 004273D0

Part of subcall function 0041D110: GetTickCount.KERNEL32 ref: 0041D121
Part of subcall function 0041D110: GetCurrentThreadId.KERNEL32 ref: 0041D13B
Part of subcall function 0041D110: OutputDebugStringW.KERNEL32(00000000), ref: 0041D194
Part of subcall function 0041D110: WriteConsoleW.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000), ref: 0041D1BC

GetFileSize.KERNEL32(00000000,00000000,?,7FC866D6), ref: 004273FC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,7FC866D6), ref: 0042745B
GetLastError.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,?,7FC866D6), ref: 0042746B
CloseHandle.KERNEL32(?,?,?,?,?,?,?,7FC866D6), ref: 00427553

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorFileLast$Create$CloseConsoleCountCurrentDebugHandleOutputSizeStringThreadTickWrite
String ID:
API String ID: 895585712-0
Opcode ID: 8b927ea43518847aa96dd96a360cbee10b756ebb935ca364ed246137ba283ee8
Instruction ID: 177761a6b83a000391e142aad0615db01089c8d770d0bac769558510628444f1
Opcode Fuzzy Hash: 8b927ea43518847aa96dd96a360cbee10b756ebb935ca364ed246137ba283ee8
Instruction Fuzzy Hash: AA512871F443147BDB209B68EC46FAFB3A8EF44B25F500226FA14E32D1DB789D418669

Function 00451898 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 004518DC

Part of subcall function 00450C2B: _free.LIBCMT ref: 00450C48
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450C5A
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450C6C
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450C7E
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450C90
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CA2
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CB4
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CC6
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CD8
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CEA
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450CFC
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450D0E
Part of subcall function 00450C2B: _free.LIBCMT ref: 00450D20

_free.LIBCMT ref: 004518D1

Part of subcall function 0044A4F1: HeapFree.KERNEL32(00000000,00000000,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124), ref: 0044A507
Part of subcall function 0044A4F1: GetLastError.KERNEL32(-00486124,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124,-00486124), ref: 0044A519

_free.LIBCMT ref: 004518F3
_free.LIBCMT ref: 00451908
_free.LIBCMT ref: 00451913
_free.LIBCMT ref: 00451935
_free.LIBCMT ref: 00451948
_free.LIBCMT ref: 00451956
_free.LIBCMT ref: 00451961
_free.LIBCMT ref: 00451999
_free.LIBCMT ref: 004519A0
_free.LIBCMT ref: 004519BD
_free.LIBCMT ref: 004519D5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: e241acf566adbee0da8335c60fd19b63cad821c1f0fb7a6c6d2bd884e8ac57ca
Instruction ID: d0763aaf48d098d2705fb4fc9a3ca78186d36ff5918f4299e6b102420546e321
Opcode Fuzzy Hash: e241acf566adbee0da8335c60fd19b63cad821c1f0fb7a6c6d2bd884e8ac57ca
Instruction Fuzzy Hash: 06317F715003019FEB20AA79D849B5B73E8EF00355F10941FF948D7262DF79AD99CB29

Function 00457D84 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

\E, xrefs: 00457EFE, 00458091, 00457FF7, 00457F50, 00457F68, 00457F94, 00457FAE, 00457FDA
\E, xrefs: 00458086, 00458060, 004580AD

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: \E$\E
API String ID: 0-2746232386
Opcode ID: a4e0cc55af878dfb13149370fddd6ef560a0f1a028f977aab78fe436cd7bc702
Instruction ID: 38121a2ea5842d315b041485afd8c76dcd42a5e37acd44c829244f58f8e9e1de
Opcode Fuzzy Hash: a4e0cc55af878dfb13149370fddd6ef560a0f1a028f977aab78fe436cd7bc702
Instruction Fuzzy Hash: F7C1D270904345AFDB11DFA8D881BAEBBB4AF09315F15419EED00A7393CB389D49CB69

Function 00450D29 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450D71
_free.LIBCMT ref: 00450D95
_free.LIBCMT ref: 00450DA2
_free.LIBCMT ref: 00450DC7
_free.LIBCMT ref: 00450DD4
_free.LIBCMT ref: 00450DDD
_free.LIBCMT ref: 004510BB
_free.LIBCMT ref: 004510C3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9a03dcda8f28c39caa078d0d97852edccd277a8699b020615718aaf50ac9ff53
Instruction ID: e1a2d14cca123e39014218d43fd2ed0b0d876a72aa5435c0dea6f9ee707ef9f9
Opcode Fuzzy Hash: 9a03dcda8f28c39caa078d0d97852edccd277a8699b020615718aaf50ac9ff53
Instruction Fuzzy Hash: 68C16976E40205AFEB60DB98CC82FEE77F99B08705F140166FE05EB282D57899458B58

Function 00455D25 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00455A64: CreateFileW.KERNEL32(00000000,00000000,?,00455DCE,?,?,00000000,?,00455DCE,00000000,0000000C), ref: 00455A81

GetLastError.KERNEL32 ref: 00455E39
__dosmaperr.LIBCMT ref: 00455E40
GetFileType.KERNEL32(00000000), ref: 00455E4C
GetLastError.KERNEL32 ref: 00455E56
__dosmaperr.LIBCMT ref: 00455E5F
CloseHandle.KERNEL32(00000000), ref: 00455E7F
CloseHandle.KERNEL32(?), ref: 00455FC9
GetLastError.KERNEL32 ref: 00455FFB
__dosmaperr.LIBCMT ref: 00456002

Strings

H, xrefs: 00455F87

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2d7b23edbf5f7c10672aacbbaa71b6006bd9b3a5e1c4bba1cad64c92333131bf
Instruction ID: c96aef165f07415c1d648542ce398c265d31266bcb11b17f428104075235ae67
Opcode Fuzzy Hash: 2d7b23edbf5f7c10672aacbbaa71b6006bd9b3a5e1c4bba1cad64c92333131bf
Instruction Fuzzy Hash: 6CA13532A106548FDF19DF68D8927BE7BA0EB06325F18015EEC02DB392C7389D1AC759

Function 0045114E Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004511BD
_free.LIBCMT ref: 004511CB
_free.LIBCMT ref: 004512F9
_free.LIBCMT ref: 00451304

Strings

@YH, xrefs: 0045135D
<YH, xrefs: 00451345
<YH, xrefs: 0045134D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free
String ID: <YH$<YH$@YH
API String ID: 269201875-1962219393
Opcode ID: 40bb283a1cc13c8afdc41f955a5273fcb5e8ef8fb8b02b78132a99fdcf0e3020
Instruction ID: 3d74657f5b639414bcfd657e8bbcd51f5a55aa9c50066278d76c0e1eb4163688
Opcode Fuzzy Hash: 40bb283a1cc13c8afdc41f955a5273fcb5e8ef8fb8b02b78132a99fdcf0e3020
Instruction Fuzzy Hash: F161E231900205AFEB20DF69C882B9EBBF5EF04310F1445ABFD45EB292D7789D458B58

Function 00410DB1 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 53COMMON

Download Yara Rule

APIs

SetDllDirectoryW.KERNEL32(00473178), ref: 00410DCC
SetCurrentDirectoryW.KERNEL32(00000000), ref: 00410DD8
GetCommandLineW.KERNEL32 ref: 00410DEC
_wcsstr.LIBVCRUNTIME ref: 00410DFA
_wcsstr.LIBVCRUNTIME ref: 00410E0C
_wcsstr.LIBVCRUNTIME ref: 00410E1E
_wcsstr.LIBVCRUNTIME ref: 00410E30

Part of subcall function 0041C610: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 0041C652
Part of subcall function 0041C610: _wcsrchr.LIBVCRUNTIME ref: 0041C699
Part of subcall function 0041C610: CopyFileW.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 0041C6CD
Part of subcall function 0041C610: GetCommandLineW.KERNEL32(00000000), ref: 0041C723

Strings

/runas=, xrefs: 00410E06
/UPDATE, xrefs: 00410E18
/TEMPDIR, xrefs: 00410DF4

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _wcsstr$CommandDirectoryFileLine$CopyCurrentModuleName_wcsrchr
String ID: /TEMPDIR$/UPDATE$/runas=
API String ID: 777160178-2186619886
Opcode ID: 26c7d2cec480a5dd383deabdaaf2af28292a8e3e6deb2b4db833de097a1664dd
Instruction ID: b922d73480ca559a4f1cbc01fddd249b2f3b04925782a9b3c0b7e2709873db7a
Opcode Fuzzy Hash: 26c7d2cec480a5dd383deabdaaf2af28292a8e3e6deb2b4db833de097a1664dd
Instruction Fuzzy Hash: B1F06D32A8271422961137779D07BDF37588C6574BF04483BFC09D0282F6CC9A9281AF

Function 0044A254 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044A268

Part of subcall function 0044A4F1: HeapFree.KERNEL32(00000000,00000000,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124), ref: 0044A507
Part of subcall function 0044A4F1: GetLastError.KERNEL32(-00486124,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124,-00486124), ref: 0044A519

_free.LIBCMT ref: 0044A274
_free.LIBCMT ref: 0044A27F
_free.LIBCMT ref: 0044A28A
_free.LIBCMT ref: 0044A295
_free.LIBCMT ref: 0044A2A0
_free.LIBCMT ref: 0044A2AB
_free.LIBCMT ref: 0044A2B6
_free.LIBCMT ref: 0044A2C1
_free.LIBCMT ref: 0044A2CF

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8c39027cbba713273718d996808573781ef20b2d876756b33561af9143ea92d8
Instruction ID: 18b08fc394aa40bd2b77af4edf73a090bb28494c9ddb0c56b274b923a1bc596c
Opcode Fuzzy Hash: 8c39027cbba713273718d996808573781ef20b2d876756b33561af9143ea92d8
Instruction Fuzzy Hash: DF11E676141058BFDB01EF5AC856CDD3BA5EF04354B4150AAFB088F232DA75EEA09B86

Function 0041DAE0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 174COMMON

Download Yara Rule

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000024,00000000), ref: 0041DB5C
SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001C,00000000,?,?), ref: 0041DC9F

Strings

(x86), xrefs: 0041DBCF
*, xrefs: 0041DB24
$, xrefs: 0041DB0B
&, xrefs: 0041DB1A
\VirtualStore%s, xrefs: 0041DCD0
#, xrefs: 0041DB2E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FolderPathSpecial
String ID: (x86)$#$$$&$*$\VirtualStore%s
API String ID: 994120019-4086142128
Opcode ID: fe9f88afd0057b3d1beff9e7f32121fd1cb7701e0ee6e332a388b7a6d522fc26
Instruction ID: aa3230fd2c7ec7d7197a8b00ce64965695e44b2594fcb6094d41e63a889dd173
Opcode Fuzzy Hash: fe9f88afd0057b3d1beff9e7f32121fd1cb7701e0ee6e332a388b7a6d522fc26
Instruction Fuzzy Hash: BF5114B5E002149ACB209F54EC487EBB3B4EF55354F1109ABD809A7280EB79ADC5CBD8

Function 004496B7 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A348: GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
Part of subcall function 0044A348: _free.LIBCMT ref: 0044A37F
Part of subcall function 0044A348: SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
Part of subcall function 0044A348: _abort.LIBCMT ref: 0044A3C6

_memcmp.LIBVCRUNTIME ref: 00449961
_free.LIBCMT ref: 004499D2
_free.LIBCMT ref: 004499EB
_free.LIBCMT ref: 00449A1D
_free.LIBCMT ref: 00449A26
_free.LIBCMT ref: 00449A32

Strings

C, xrefs: 0044981F

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 2aed541aef3411419980d53fddfb84edd90178823ed0385a40bc13b0f96fc7fa
Instruction ID: 77749b77856741a2bf16b1759a04f7d373e2cac00915cc106974636258728ff9
Opcode Fuzzy Hash: 2aed541aef3411419980d53fddfb84edd90178823ed0385a40bc13b0f96fc7fa
Instruction Fuzzy Hash: 7DB15975A01229DFEB24DF18C885AAEB7B4FF48304F1045AEE909A7350E735AE90CF45

Function 00454EC4 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00455639,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00454F06
__fassign.LIBCMT ref: 00454F81
__fassign.LIBCMT ref: 00454F9C
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00454FC2
WriteFile.KERNEL32(?,00000000,00000000,00455639,00000000,?,?,?,?,?,?,?,?,?,00455639,00000000), ref: 00454FE1
WriteFile.KERNEL32(?,00000000,00000001,00455639,00000000,?,?,?,?,?,?,?,?,?,00455639,00000000), ref: 0045501A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: c8aebabe6f21adf80fb062b6d6bd38b25ad54b60e1c6b3fa23249dd0b9240746
Instruction ID: 94c0d3ccf81f98fbbbdfeb9775e17126659faa4811651160f403aa36165e293a
Opcode Fuzzy Hash: c8aebabe6f21adf80fb062b6d6bd38b25ad54b60e1c6b3fa23249dd0b9240746
Instruction Fuzzy Hash: 6E51E3719002099FCB10CFA8D895AEEBBF4FF09701F18412BE956E7292D7349945CBA9

Function 004103C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004103ED
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0041043C

Part of subcall function 0043BC03: _Yarn.LIBCPMT ref: 0043BC22
Part of subcall function 0043BC03: _Yarn.LIBCPMT ref: 0043BC46

__CxxThrowException@8.LIBVCRUNTIME ref: 0041046E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004104A6
std::_Lockit::~_Lockit.LIBCPMT ref: 0041053A

Strings

bad locale name, xrefs: 00410458

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: std::_$Locinfo::_LockitYarn$Exception@8Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_Throw
String ID: bad locale name
API String ID: 3244628736-1405518554
Opcode ID: bfed77743ca5484e5ad16091644337873f9ba8fe80d53a870fd602ff43613d1a
Instruction ID: 0b47d3dcdc5a6a03506649fc6ed4a6375d1a5f838ce0120b86682906bd57ee4b
Opcode Fuzzy Hash: bfed77743ca5484e5ad16091644337873f9ba8fe80d53a870fd602ff43613d1a
Instruction Fuzzy Hash: 0C41B3B19007449FE720EF66C801B47B7E8EB04714F00892EE84AD7B81E7B9E604CB99

Function 00448356 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004483C8
_free.LIBCMT ref: 004483E8

Strings

bcrypt.dll, xrefs: 00448363

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free
String ID: bcrypt.dll
API String ID: 269201875-1107098536
Opcode ID: e42a761f8bbe03379a11fdac8b8c64394205dd6ee07a1fcd5abc616919286c9d
Instruction ID: 7c59deeafc3f393370ab6ad3a8db410d3be559959923bbd3e15428130d3cfe58
Opcode Fuzzy Hash: e42a761f8bbe03379a11fdac8b8c64394205dd6ee07a1fcd5abc616919286c9d
Instruction Fuzzy Hash: 94412436A002009FDB20DF78C884A6EB3B5EF89714F11456EEA15EB341EB35ED02CB84

Function 0043E450 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0043E47B
___except_validate_context_record.LIBVCRUNTIME ref: 0043E483
_ValidateLocalCookies.LIBCMT ref: 0043E511
__IsNonwritableInCurrentImage.LIBCMT ref: 0043E53C
_ValidateLocalCookies.LIBCMT ref: 0043E591

Strings

csm, xrefs: 0043E526

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ff9308fff5db92995b66b9191fe59adb8af1da34f68728788229997d5ee99979
Instruction ID: 888951a9f7c08fb9d708a3357a2c94d672d5577bc0a6533be428af5e1ab61e9b
Opcode Fuzzy Hash: ff9308fff5db92995b66b9191fe59adb8af1da34f68728788229997d5ee99979
Instruction Fuzzy Hash: B441E734A01208EBCF10DF6AC840A9FBBA5AF4931CF14816BE8159B3D2D739DA45CB95

Function 0041FC10 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

_wcschr.LIBVCRUNTIME ref: 0041FC48
_wcschr.LIBVCRUNTIME ref: 0041FC8F

Strings

LOG, xrefs: 0041FCD3
HOG, xrefs: 0041FCA1
LOG, xrefs: 0041FC85
LOG, xrefs: 0041FC1B

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _wcschr
String ID: HOG$LOG$LOG$LOG
API String ID: 2691759472-882294224
Opcode ID: 799c7f4fadf8e1616fe67100953d3464757771e7967676407cbb7131d5baf31f
Instruction ID: 5ab140bf6a31946d4ca921a66d43077b04e7297e5186c6a8caf06aab13658000
Opcode Fuzzy Hash: 799c7f4fadf8e1616fe67100953d3464757771e7967676407cbb7131d5baf31f
Instruction Fuzzy Hash: DB319275B00119978B248B6D98815BAB3E5EF98350B25407BEC4AC7340FB39CD87A2D8

Function 0041CDD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80filesleepCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000007,00000000,00000002,00000080,00000000), ref: 0041CE34
CloseHandle.KERNEL32(00000000), ref: 0041CE5D
DeleteFileW.KERNEL32(?), ref: 0041CE75
Sleep.KERNEL32(000000C8), ref: 0041CE84
CloseHandle.KERNEL32(00000000), ref: 0041CE96

Strings

tlib-%llx, xrefs: 0041CE01

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CloseFileHandle$CreateDeleteSleep
String ID: tlib-%llx
API String ID: 813185504-4025929660
Opcode ID: 698e67f51eae2bb693fc8f3e1e35daa3cd273ae54f87b0e3fbedea4f3d3159b5
Instruction ID: 05021f08ce7de6106e6c1de5a7928c80c76a27cff6ce2ec1535d48b0914cd71a
Opcode Fuzzy Hash: 698e67f51eae2bb693fc8f3e1e35daa3cd273ae54f87b0e3fbedea4f3d3159b5
Instruction Fuzzy Hash: 58212C32E403105BC230AF64AC89BDFB7949F48729F00062AFD58D72D1DB34984647DA

Function 00451623 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0045136A: _free.LIBCMT ref: 00451393

_free.LIBCMT ref: 00451671

Part of subcall function 0044A4F1: HeapFree.KERNEL32(00000000,00000000,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124), ref: 0044A507
Part of subcall function 0044A4F1: GetLastError.KERNEL32(-00486124,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124,-00486124), ref: 0044A519

_free.LIBCMT ref: 0045167C
_free.LIBCMT ref: 00451687
_free.LIBCMT ref: 004516DB
_free.LIBCMT ref: 004516E6
_free.LIBCMT ref: 004516F1
_free.LIBCMT ref: 004516FC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 45bfe5d81deeab46d02a808e1d32005954562647bc1e4c98c39b370fd1afa7d4
Instruction ID: d6f47198eb795f9f41c41033cfe0c4d8ff3bb357b3bc5f275e56b2be381edb13
Opcode Fuzzy Hash: 45bfe5d81deeab46d02a808e1d32005954562647bc1e4c98c39b370fd1afa7d4
Instruction Fuzzy Hash: B6118132541B04AAEA20B7B2CC4BFCB779CBF00705F40481EBE9A66463DA6CB9588655

Function 00447045 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00447071
__cftoe.LIBCMT ref: 004470A3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 72f73e8eda8cd3de51657ddfe8d4ec82b751ae02c9f9a6d2916c9b2f8d1341f6
Instruction ID: 5d4efb9d7cfef8b5144a46a1f18cb30abb618994dbe08e554f44fddba3a87db4
Opcode Fuzzy Hash: 72f73e8eda8cd3de51657ddfe8d4ec82b751ae02c9f9a6d2916c9b2f8d1341f6
Instruction Fuzzy Hash: 02513F32904205ABFB259F598C46EAF77A9EF49324F14421FF91496382DB3CDD02C66D

Function 004407E2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004407D9,0043DB86), ref: 004407F0
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 004407FE
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00440817
SetLastError.KERNEL32(00000000,?,004407D9,0043DB86), ref: 00440869

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 6cf3dfbe9a8500023a101f6171816b00d867ac43c7ca9491b893c36d3fdd2019
Instruction ID: b201999696807267a4c0a07219b49bf2b325bfe9a53378954708f91606be22f2
Opcode Fuzzy Hash: 6cf3dfbe9a8500023a101f6171816b00d867ac43c7ca9491b893c36d3fdd2019
Instruction Fuzzy Hash: 4B01283220A3115EB6213776AC8656B664CDB12779730063FF718556F1EF294C9292CC

Function 0044A855 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A8E0
__alldvrm.LIBCMT ref: 0044AAE1
__alldvrm.LIBCMT ref: 0044AB03

Strings

m6D, xrefs: 0044A857

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID: m6D
API String ID: 1036877536-1206097309
Opcode ID: 3c54beaae978beddc10ac7ccd0518da632ec50764f4ae70d83dc09b4b8e7f40c
Instruction ID: 9c6afbc0c4addc09ac54d3434b9d1c536269fc3c1fb9715d54c7a3282da0f90a
Opcode Fuzzy Hash: 3c54beaae978beddc10ac7ccd0518da632ec50764f4ae70d83dc09b4b8e7f40c
Instruction Fuzzy Hash: 32A178729803869FF711CE28C8917AEBBE1EF15300F14416FE585AB382C63C9D52C75A

Function 0044A348 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124,?,00000000), ref: 0044A34C
_free.LIBCMT ref: 0044A37F
_free.LIBCMT ref: 0044A3A7
SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3B4
SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A3C0
_abort.LIBCMT ref: 0044A3C6

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fa44734158aaed7f3a38c2a22c10f03cf131cb2c53922dda2d5d2aaadfa96055
Instruction ID: d43a22e6a9747f3d295ce572408345573b40a5fdb35c2809b49903df2d209258
Opcode Fuzzy Hash: fa44734158aaed7f3a38c2a22c10f03cf131cb2c53922dda2d5d2aaadfa96055
Instruction Fuzzy Hash: D8F0F936581A1066F31277296C49A1F256A5FC0735F29012FFD19D22E2FE2CC867411F

Function 0041D110 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CF50: InterlockedIncrement.KERNEL32(00486144), ref: 0041CF55

GetTickCount.KERNEL32 ref: 0041D121
GetCurrentThreadId.KERNEL32 ref: 0041D13B
OutputDebugStringW.KERNEL32(00000000), ref: 0041D194
WriteConsoleW.KERNEL32(FFFFFFFF,00000000,00000000,?,00000000), ref: 0041D1BC

Strings

%04d.%02d: [%4x]: , xrefs: 0041D156

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ConsoleCountCurrentDebugIncrementInterlockedOutputStringThreadTickWrite
String ID: %04d.%02d: [%4x]:
API String ID: 1593025748-2866869537
Opcode ID: f3a70c26e608eac7ba38bd2cac5e67a88d6bd7999bc01b313b195e5fe79e9624
Instruction ID: 309d17462de7827c14dd4e2872e7e83f3dd7d07634f4370849871a10e1fac294
Opcode Fuzzy Hash: f3a70c26e608eac7ba38bd2cac5e67a88d6bd7999bc01b313b195e5fe79e9624
Instruction Fuzzy Hash: 09212CB3E002102BD72567359C46AAB798D9F84724F05033EFC1A972D2EE28CD0586D9

Function 00410FC0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00411062

Strings

fastcopy, xrefs: 0041109D
fastcopy_upd, xrefs: 00410FE5
fcp.exe, xrefs: 00411084
fastcopy.exe, xrefs: 00411072

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: FullNamePath
String ID: fastcopy$fastcopy.exe$fastcopy_upd$fcp.exe
API String ID: 608056474-1011532868
Opcode ID: ccd8b2d6d976ed4c5d8d15ded39d73b96c801c44b1e2eba3ef3184064d0d77b2
Instruction ID: 688ed6ed664e0307daa826855f1a712aa0a7fc14a3c6f96152a90f668d04fb5a
Opcode Fuzzy Hash: ccd8b2d6d976ed4c5d8d15ded39d73b96c801c44b1e2eba3ef3184064d0d77b2
Instruction Fuzzy Hash: 08219BB5E0020856DF60AB219C42FDA77AC9B14305F0041FBB909E7591FE78AEC49AD9

Function 0041D060 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CF50: InterlockedIncrement.KERNEL32(00486144), ref: 0041CF55

GetTickCount.KERNEL32 ref: 0041D070
GetCurrentThreadId.KERNEL32 ref: 0041D08A
OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0D1
WriteConsoleA.KERNEL32(FFFFFFFF,00000000,00000000,0040D72B,00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0ED

Strings

%04d.%02d: [%4x]: , xrefs: 0041D0A5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ConsoleCountCurrentDebugIncrementInterlockedOutputStringThreadTickWrite
String ID: %04d.%02d: [%4x]:
API String ID: 1593025748-2866869537
Opcode ID: 5d621a03ad8b7898f78e2edcdc9d6ba445544391ea92c9af8ecd12775feb7664
Instruction ID: 411a10c37e6a417b4cf3e9d5dc94a1743720951c053e8cac2e768459bf684b5b
Opcode Fuzzy Hash: 5d621a03ad8b7898f78e2edcdc9d6ba445544391ea92c9af8ecd12775feb7664
Instruction Fuzzy Hash: 55113A72E002146FC710BB39DC499AB7F9DDF44269B000536F809C3292DE34DD05C6A4

Function 0041DA10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0041DA8C
GetProcAddress.KERNEL32(00000000), ref: 0041DA93
GetCurrentProcess.KERNEL32(00000000), ref: 0041DAA3

Strings

kernel32, xrefs: 0041DA80
IsWow64Process, xrefs: 0041DA74

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: d9c40c23f09c8b84be84aa99a35843bc8731ea70483f66437361ab6ccc7c8b92
Instruction ID: bd4f8f66dff082535e6d1a44981f976043d08d0d39319206d5714a6321e744df
Opcode Fuzzy Hash: d9c40c23f09c8b84be84aa99a35843bc8731ea70483f66437361ab6ccc7c8b92
Instruction Fuzzy Hash: DF11BFB1D04604EFC720CFA8DC45B9AB7A8EB09710F10463BEA15D7390DB3AA8008B89

Function 0044C3C7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,5D,00000000,00000000,?,0044C36E,5D,00000000,00000000,00000000,?,0044C5D8,00000006,FlsSetValue), ref: 0044C3F9
GetLastError.KERNEL32(?,0044C36E,5D,00000000,00000000,00000000,?,0044C5D8,00000006,FlsSetValue,004629BC,FlsSetValue,00000000,00000364,?,0044A41A), ref: 0044C405
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044C36E,5D,00000000,00000000,00000000,?,0044C5D8,00000006,FlsSetValue,004629BC,FlsSetValue,00000000), ref: 0044C413

Strings

5D, xrefs: 0044C3F0

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: 5D
API String ID: 3177248105-934400931
Opcode ID: 405b9fcf7d6e9cb4ba458d17f3d255862c2421280a8d416d078d92e90ebb29cd
Instruction ID: ce3b3dbf8419b9f7b95c3633cc86dbcaea94c89949699141cf5a3acaa3072375
Opcode Fuzzy Hash: 405b9fcf7d6e9cb4ba458d17f3d255862c2421280a8d416d078d92e90ebb29cd
Instruction Fuzzy Hash: 9301FC367027329BE7714B78AD949777798AF45BA1B540531FE05D3241DB24D802C6EC

Function 00447B45 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00447AF6,0044769B,?,00447A96,0044769B,0047E1F0,0000000C,00447BED,0044769B,00000002), ref: 00447B65
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00447B78
FreeLibrary.KERNEL32(00000000,?,?,?,00447AF6,0044769B,?,00447A96,0044769B,0047E1F0,0000000C,00447BED,0044769B,00000002,00000000), ref: 00447B9B

Strings

CorExitProcess, xrefs: 00447B70
mscoree.dll, xrefs: 00447B5E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3879134358e871eac203d1e7f8126970f84934d4c1e07abe88b68ecd2a8602a0
Instruction ID: da9bcafbafd70123376a3e917fcc62abb965d6e5f6f417c5fa79239f53500e38
Opcode Fuzzy Hash: 3879134358e871eac203d1e7f8126970f84934d4c1e07abe88b68ecd2a8602a0
Instruction Fuzzy Hash: C7F04430900318BBDB115F51DC49F9EBFB4EF04716F00416AF805A2261DB349D85CB99

Function 0044D495 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71593a549cbf56420d4e87148139fb4afa2d36546803176819d10f59259692f5
Instruction ID: 72cb2edb8d46de3760501d3187d1c59ac9ab58a28be8e9d94d8e138f95182d1a
Opcode Fuzzy Hash: 71593a549cbf56420d4e87148139fb4afa2d36546803176819d10f59259692f5
Instruction Fuzzy Hash: EC71E531D002169BEF21DF99C844ABFBB75FF41364F26422BE41857291DB788D81CBA9

Function 004278C0 Relevance: 7.7, APIs: 5, Instructions: 188filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,?,?,?,?,0047571C,00000000), ref: 00427A46
GetLastError.KERNEL32(?,?,?,?,?,?,0047571C,00000000), ref: 00427A63
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,0047571C,00000000), ref: 00427ABD
SetFileTime.KERNEL32(00000000,?,?,?,?,?,00989680,00000000,?,?,?,?,?,0047571C,00000000), ref: 00427B0E
CloseHandle.KERNEL32(00000000,?,?,?,?,?,0047571C,00000000), ref: 00427B24

Part of subcall function 00427300: GetFileAttributesW.KERNEL32(?), ref: 00427344
Part of subcall function 00427300: DeleteFileW.KERNEL32(?), ref: 00427356

Part of subcall function 0041DD80: CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDC4
Part of subcall function 0041DD80: GetLastError.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDD1
Part of subcall function 0041DD80: CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DE1A
Part of subcall function 0041DD80: SetLastError.KERNEL32(00000000), ref: 0041DE28

Part of subcall function 00427220: GetFileAttributesW.KERNEL32(?), ref: 0042729E
Part of subcall function 00427220: MoveFileExW.KERNEL32(?,?,00000001), ref: 004272B9
Part of subcall function 00427220: MoveFileExW.KERNEL32(?,00000000,00000004), ref: 004272CA

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: File$CreateErrorLast$AttributesMove$CloseDeleteHandleTimeWrite
String ID:
API String ID: 249337999-0
Opcode ID: 43818784a43fc20b7db5404f413aa0d907d25ab8eed26752cbb4a289c9778b64
Instruction ID: a8bab8172e5b6a882793e9538f84de6cd957d154053d780ba5b88cacbdb2f2cd
Opcode Fuzzy Hash: 43818784a43fc20b7db5404f413aa0d907d25ab8eed26752cbb4a289c9778b64
Instruction Fuzzy Hash: F1618271E00218ABDF14DF91EC46BEFB7B8AF44318F54412AF901B7281D7789A05CBA9

Function 00449239 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044A52B: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044D1A0,00000000,?,?,?,?,?,?,?,?,00443073,00000000), ref: 0044A55D

_free.LIBCMT ref: 00449344
_free.LIBCMT ref: 0044935B
_free.LIBCMT ref: 0044937A
_free.LIBCMT ref: 00449395
_free.LIBCMT ref: 004493AC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 628bca80cc3bcf03914b6007774ed4ba2381097925e17c04e2af61ded92ae7fe
Instruction ID: 041558fd0f8c54082201bbd978cc0ec8fb1b43ee61a6898b970cf46d75c6d7ba
Opcode Fuzzy Hash: 628bca80cc3bcf03914b6007774ed4ba2381097925e17c04e2af61ded92ae7fe
Instruction Fuzzy Hash: 6F51B131A00205AFEB20DF6AC881A6B77F4EF59724F1445AFE809D7290E739ED419B49

Function 0041E910 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,0041EADF,00000010), ref: 0041E94A
OpenProcessToken.ADVAPI32(00000000,?,0041EADF,00000010), ref: 0041E951
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,0045BBC8,?,0041EADF,00000010), ref: 0041E974
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000,?,?,0041EADF,00000010), ref: 0041E9B3
CloseHandle.KERNEL32(00000000,?,0041EADF,00000010), ref: 0041EA2E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Token$InformationProcess$CloseCurrentHandleOpen
String ID:
API String ID: 434396405-0
Opcode ID: b09de237493dfc0b4c98a06d3c1136c4fe89a38552d541f3b0843de85eba35e0
Instruction ID: 419853f0f4f0e5c980132bcce33265372abfa63601a3a38600314cb1ed947ccb
Opcode Fuzzy Hash: b09de237493dfc0b4c98a06d3c1136c4fe89a38552d541f3b0843de85eba35e0
Instruction Fuzzy Hash: A031C5B5E00206ABEB109FA2DC45B9FBBB8FF04744F140066FD05E2291EB75DA54CB99

Function 004504CA Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 004504D3
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004504F6

Part of subcall function 0044A52B: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044D1A0,00000000,?,?,?,?,?,?,?,?,00443073,00000000), ref: 0044A55D

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0045051C
_free.LIBCMT ref: 0045052F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0045053E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: df910c5c37bf6149e56a2ecee20dc1b37b81de2dd5552b88339d729f049d2373
Instruction ID: cbc7e2fa6879bfcc3b14cc576e1b12a403b4637eab75837c2c3d457c39680a60
Opcode Fuzzy Hash: df910c5c37bf6149e56a2ecee20dc1b37b81de2dd5552b88339d729f049d2373
Instruction Fuzzy Hash: 5301DD76A017197F23315A766C8CC7F696CDEC2FA6315013AFD04C3242FA64CD068979

Function 0044A3CC Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,-00486124,?,00446B49,0044C214,?,0044A376,00000001,00000364,?,00442F3D,?,-00486124,?,004435EA,00000000), ref: 0044A3D1
_free.LIBCMT ref: 0044A406
_free.LIBCMT ref: 0044A42D
SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A43A
SetLastError.KERNEL32(00000000,-00486124,?,00000000), ref: 0044A443

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 7a3e8514dd29e5fca0c76d6c1b1b85d82fadb488b8ad7044cdd50c0b1e2f06ab
Instruction ID: 4c4ea9aeb1064e4e35cb6243a46123a746baa1a33fbcf068a091b78e9f0ed475
Opcode Fuzzy Hash: 7a3e8514dd29e5fca0c76d6c1b1b85d82fadb488b8ad7044cdd50c0b1e2f06ab
Instruction Fuzzy Hash: FE01D63628661067F31266695CCE92F15699BC4779724442BF50592292EEACCC63421F

Function 004510E5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004510FD

Part of subcall function 0044A4F1: HeapFree.KERNEL32(00000000,00000000,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124), ref: 0044A507
Part of subcall function 0044A4F1: GetLastError.KERNEL32(-00486124,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124,-00486124), ref: 0044A519

_free.LIBCMT ref: 0045110F
_free.LIBCMT ref: 00451121
_free.LIBCMT ref: 00451133
_free.LIBCMT ref: 00451145

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 55d3128645d43a0328d598d2460d88df82300fdcec6eef1ef996e9127dfbfd9f
Instruction ID: 65badc70ad4a87c772fec15b779229cc105aff130046b24e5a048ba4af552193
Opcode Fuzzy Hash: 55d3128645d43a0328d598d2460d88df82300fdcec6eef1ef996e9127dfbfd9f
Instruction Fuzzy Hash: 63F08C32401650ABC320EB1DE8C6D0E73ECAA097517248C0FFA08C3A22CA68FCC14A6D

Function 0044F7E8 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044F837
_free.LIBCMT ref: 0044F954

Part of subcall function 004434DB: IsProcessorFeaturePresent.KERNEL32(00000017,004434AD,00447669,0000002C,0047E400,0044F65D,00000000,?,?,?,004434BA,00000000,00000000,00000000,00000000,00000000), ref: 004434DD
Part of subcall function 004434DB: GetCurrentProcess.KERNEL32(C0000417,0000002C,00447669,00000016,0044A3CB,?,00000000), ref: 004434FF
Part of subcall function 004434DB: TerminateProcess.KERNEL32(00000000,?,00000000), ref: 00443506

Strings

., xrefs: 0044FB0B
*?, xrefs: 0044F82B

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 4fca0da324e288080f7fa78d35576da6f5e2eb1eda0b1aaa19624ea257ed5473
Instruction ID: 1c2beec6006765b626ecddd19d8b7556fbbf634175d2db55dd7b5fe273b046c1
Opcode Fuzzy Hash: 4fca0da324e288080f7fa78d35576da6f5e2eb1eda0b1aaa19624ea257ed5473
Instruction Fuzzy Hash: 2E51A371E00109AFEF14DFA9C881AAEB7B5EF58314F25417EE854E7301E739AE058B54

Function 00457BB3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,00000000,?,?,00000000,\E), ref: 00457CC0
GetLastError.KERNEL32(?,?,00000000,?,?,00000000,\E,?,?,?,?,0044C04B,00000000), ref: 00457CCC
__dosmaperr.LIBCMT ref: 00457CD3

Strings

\E, xrefs: 00457BB8, 00457BB9

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: \E
API String ID: 2434981716-4102632411
Opcode ID: 13695e106838e8ea1b07a645858ed4ce3d9f15c759f7c7fe897c2a5c1eb325ec
Instruction ID: 2136222e54398bf2f5f948cc56717551b408cc038b2d900d42123992abb554be
Opcode Fuzzy Hash: 13695e106838e8ea1b07a645858ed4ce3d9f15c759f7c7fe897c2a5c1eb325ec
Instruction Fuzzy Hash: 16417C3050C185AFDB269F28E880A7D3FA6EB86345B2841BFFC8587253D539CC16979C

Function 00447C40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe,00000104), ref: 00447C80
_free.LIBCMT ref: 00447D4B
_free.LIBCMT ref: 00447D55

Strings

C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe, xrefs: 00447C77, 00447C7E, 00447CAD, 00447CE5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe
API String ID: 2506810119-1297405165
Opcode ID: 879fd34d3a0b9a7c54f71d83e097b4d086d2deb7189392c05b7123e9634d1cdb
Instruction ID: daab6c9f0fa0a2b818df638fa569b06bcaf4c5c3fd4c68e00be913e88e695b91
Opcode Fuzzy Hash: 879fd34d3a0b9a7c54f71d83e097b4d086d2deb7189392c05b7123e9634d1cdb
Instruction Fuzzy Hash: 7631D3B1E04618AFEB21DF99DCC19AEBBECEF85314B10406BF90497311D7744A42CB99

Function 00427220 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 0042729E
MoveFileExW.KERNEL32(?,?,00000001), ref: 004272B9
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 004272CA

Strings

hVG, xrefs: 00427257

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: File$Move$Attributes
String ID: hVG
API String ID: 1508057057-3185339755
Opcode ID: 11f4b71dc8f107ac6713f66fcb303f15506e271b592085e037e9401bceb3f2b6
Instruction ID: 122cebe0dbf0c347f2e3b281480db438ec3a43537a70cfa83596f6fab66a9e78
Opcode Fuzzy Hash: 11f4b71dc8f107ac6713f66fcb303f15506e271b592085e037e9401bceb3f2b6
Instruction Fuzzy Hash: 35119AB1F4021D9BDB109A64DC85FDA73ACDB48714F8041B7F60CE7181D674ED458B68

Function 0041C500 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,?,?,?,0045BBC8,000000FF), ref: 0041C511
CreateDirectoryW.KERNEL32(?,0045BBC8,?,?,?,?,?,?,?,?,0045BBC8,000000FF), ref: 0041C56D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,0045BBC8,000000FF), ref: 0041C577

Strings

%s-%llx, xrefs: 0041C556

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CreateDirectoryErrorLastPathTemp
String ID: %s-%llx
API String ID: 3750913106-4122602866
Opcode ID: 82e63d97726f5b9c62ec73c17267d2a62982c841621fd9e77cb6b40365343599
Instruction ID: fbdc6595394894e952820cf35e7c0f4badbe9fea544646fe42e7001e655ec404
Opcode Fuzzy Hash: 82e63d97726f5b9c62ec73c17267d2a62982c841621fd9e77cb6b40365343599
Instruction Fuzzy Hash: C3012F32E401147BCB106FBAEC85AFFB779EF84715F00417BF908D1151EA3599515698

Function 0041DF00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041DF7E
CloseHandle.KERNEL32(00000000), ref: 0041DF91

Strings

<, xrefs: 0041DF0B
LG, xrefs: 0041DF35

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CloseHandleObjectSingleWait
String ID: LG$<
API String ID: 528846559-2104703480
Opcode ID: 3fff040cf0815762dcc68e50da1480e87cd2cba8cc6d8c1bfeaa280b80bd90a6
Instruction ID: 3657efbc79d2fe22212824dff7e1658ab259cf2452914dc3b05d29a1211d38ca
Opcode Fuzzy Hash: 3fff040cf0815762dcc68e50da1480e87cd2cba8cc6d8c1bfeaa280b80bd90a6
Instruction Fuzzy Hash: EA118270D013186BEB209F55DC05BDFBBB8AB45728F100116F914BA3C0D7B859458BAD

Function 00451707 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00451736

Strings

("F, xrefs: 0045171A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free
String ID: ("F
API String ID: 269201875-4044516559
Opcode ID: 1456a9b4fb173dfcc21da0c8ab648c0a4f4ca925cef08bb884ec668f7a4edaea
Instruction ID: 75a013e61f6c8390daa0d7ee47d538bc4f63527bf6155b32b5a8e33c378c49a6
Opcode Fuzzy Hash: 1456a9b4fb173dfcc21da0c8ab648c0a4f4ca925cef08bb884ec668f7a4edaea
Instruction Fuzzy Hash: 2DF0F4329096107BE714366AA846B9F67499B41379F20002FFD0856193CBAD684642EE

Function 0041C490 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,SwitchToThisWindow), ref: 0041C4D8
GetProcAddress.KERNEL32(00000000), ref: 0041C4DF

Strings

SwitchToThisWindow, xrefs: 0041C4CE
user32, xrefs: 0041C4D3

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SwitchToThisWindow$user32
API String ID: 1646373207-3637499893
Opcode ID: bf27ac272121e6ce06170bf6f2d37bf57a89c27f0ca0e7903faa2b242c0a0bec
Instruction ID: 44f7ca93bd2f2794aea4ff68d27735bd908187adb7afc910884ef8454a43c5a5
Opcode Fuzzy Hash: bf27ac272121e6ce06170bf6f2d37bf57a89c27f0ca0e7903faa2b242c0a0bec
Instruction Fuzzy Hash: 42F089B19846009BD620DB6CACC5F9E3364AB16711F14413BF10597292DB7CDD819B9D

Function 0041DD10 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(user32,ChangeWindowMessageFilter), ref: 0041DD58
GetProcAddress.KERNEL32(00000000), ref: 0041DD5F

Strings

user32, xrefs: 0041DD53
ChangeWindowMessageFilter, xrefs: 0041DD4E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ChangeWindowMessageFilter$user32
API String ID: 1646373207-1355250615
Opcode ID: 60cf3188ab1f857f7704e09653a307826e7eba5c8e8ab68b3222f94442ac0178
Instruction ID: 7b1759a4afc4db76abed4644960b9387a57cecf31b604ce7f32be694f2269e64
Opcode Fuzzy Hash: 60cf3188ab1f857f7704e09653a307826e7eba5c8e8ab68b3222f94442ac0178
Instruction Fuzzy Hash: 2EF089F1A40200D7D6109B78AD46F5D3360AB15702F54053FF2059A2D1DB7DEC419B1D

Function 0041DFB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32,SetDefaultDllDirectories), ref: 0041DFF9
GetProcAddress.KERNEL32(00000000), ref: 0041E000

Strings

kernel32, xrefs: 0041DFF4
SetDefaultDllDirectories, xrefs: 0041DFEF

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetDefaultDllDirectories$kernel32
API String ID: 1646373207-2865617923
Opcode ID: 2971ea9f1c73b8f7efd610c9bbf4ed13aed5d7c1920aeac2f35faa7a75663601
Instruction ID: 934fbe57e39bded1eec7c017f3a8beeed7f620c2c3e07537b78ab3558ae33c49
Opcode Fuzzy Hash: 2971ea9f1c73b8f7efd610c9bbf4ed13aed5d7c1920aeac2f35faa7a75663601
Instruction Fuzzy Hash: 58F05EF0E40700DBD6109BB8AC49B553360AB59702F24413BE116DA2A1DB39ED429A4E

Function 0041B850 Relevance: 6.2, APIs: 4, Instructions: 234COMMON

Download Yara Rule

APIs

__Towlower.LIBCPMT ref: 0041B88E
__Towlower.LIBCPMT ref: 0041B8B7

Part of subcall function 0043BD57: ___crtLCMapStringW.LIBCPMT ref: 0043BD9E

__Towlower.LIBCPMT ref: 0041B977
Concurrency::cancel_current_task.LIBCPMT ref: 0041BAAC

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Towlower$Concurrency::cancel_current_taskString___crt
String ID:
API String ID: 1193043153-0
Opcode ID: 1767e900a39ca1387a17d1fbac61b6fcdf5652652a143da576b2d81ce759017e
Instruction ID: 1ed96a70a6ea75c683336faa60210ce7e5da6e7ada3dd0fc95c97965bb3c7624
Opcode Fuzzy Hash: 1767e900a39ca1387a17d1fbac61b6fcdf5652652a143da576b2d81ce759017e
Instruction Fuzzy Hash: 1D819DB1A006118FC724DF29C880AAAB7E5EF58311B15856FEC8ACB711E734EC81CB94

Function 0045770B Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0045783A

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: de4267e61b0b02472fc99ff73ded0ff0eb57705c85b610cca8fba728bfda5d52
Instruction ID: 85bf29b4d5606e66ed969160f78e48ca79c95a331e8ce7bba03d2f2f6f9d8aa5
Opcode Fuzzy Hash: de4267e61b0b02472fc99ff73ded0ff0eb57705c85b610cca8fba728bfda5d52
Instruction Fuzzy Hash: 5C417E316041106BEB207B7EBC46E6E3A65DF05379F14013BFC18D6293DA3C5849C26E

Function 0044D0FC Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000000,?,00000001,?,?,00000001,?,?), ref: 0044D149
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044D1D2
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0044D1E4
__freea.LIBCMT ref: 0044D1ED

Part of subcall function 0044A52B: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,0044D1A0,00000000,?,?,?,?,?,?,?,?,00443073,00000000), ref: 0044A55D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: d355a92ae0b31548aa996caac8bdd32df8bda606e03f6c9ddf85ae1585e6ce29
Instruction ID: b6c4f82598daaed9bc13409bd6df9792d28a40fbf4978bb811f990352bb8a59e
Opcode Fuzzy Hash: d355a92ae0b31548aa996caac8bdd32df8bda606e03f6c9ddf85ae1585e6ce29
Instruction Fuzzy Hash: 3731B032E0020AABEF259F65DC81EAF7BA5EF00714F14416AFC04D6291EB39CD51CB98

Function 00427110 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?), ref: 00427132
GetFileAttributesExW.KERNEL32(?,00000000,?,?,00000000,?), ref: 00427143
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427182
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004271AB

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AttributesFileUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 501703347-0
Opcode ID: 3ca59ec722104492152f0ce63bd1bf6e63719fd4335987d08fc80f4cebda5d1c
Instruction ID: 38232cd008c9736d9a9ca812f44e65207b305452144f64f08792aeb323e15330
Opcode Fuzzy Hash: 3ca59ec722104492152f0ce63bd1bf6e63719fd4335987d08fc80f4cebda5d1c
Instruction Fuzzy Hash: DF31C231B05229A6DF10AAA9AC81FBF73A9DB94704F54056BF815F7380DA29AC04877D

Function 0041DD80 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDC4
GetLastError.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DDD1

Part of subcall function 00426F80: GetFullPathNameW.KERNEL32(?,00000104,00000000,A), ref: 00426FC4

CreateFileW.KERNEL32(?,?,?,00000000,?,?,00000000), ref: 0041DE1A
SetLastError.KERNEL32(00000000), ref: 0041DE28

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CreateErrorFileLast$FullNamePath
String ID:
API String ID: 884815997-0
Opcode ID: 0948e60114e0d295d857c414629b4234ef272bdf1ad607b7870e598353da2887
Instruction ID: bb2375e5176a54e96e13b6640953f53191a577d76cf680df8095fa7475690898
Opcode Fuzzy Hash: 0948e60114e0d295d857c414629b4234ef272bdf1ad607b7870e598353da2887
Instruction Fuzzy Hash: 3A110D75E4031C6BCB209F65DC48BEAB778EF58711F1002A9F919972D1D7309D808F94

Function 0043C8E7 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004853CC,00479DC8,?,0041E157,00498680,?,?,?,7FC866D6), ref: 0043C8F1
LeaveCriticalSection.KERNEL32(004853CC,?,0041E157,00498680,?,?,?,7FC866D6), ref: 0043C924
SetEvent.KERNEL32(00000000,00498680,?,?,?,7FC866D6), ref: 0043C9B2
ResetEvent.KERNEL32(?,?,?,7FC866D6), ref: 0043C9BE

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: CriticalEventSection$EnterLeaveReset
String ID:
API String ID: 3553466030-0
Opcode ID: 2366b453981c19721fc7de70bc93c44c9a2f8c6005573cfcd381aa3e7d5e9a30
Instruction ID: 6244584131ec2cab5ea41e6e120ac1312b7f348bca7fd3b4edc4cde79a69f452
Opcode Fuzzy Hash: 2366b453981c19721fc7de70bc93c44c9a2f8c6005573cfcd381aa3e7d5e9a30
Instruction Fuzzy Hash: BF011A75A00B14DBCB049F28FC98A5D7BA9FB0A745B01443AE902A7761CB759842CB99

Function 0043B63F Relevance: 6.0, APIs: 4, Instructions: 22COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0043B64B
__CxxThrowException@8.LIBVCRUNTIME ref: 0043B659

Part of subcall function 0043EA17: RaiseException.KERNEL32(?,?,0043B63E,00000000,00000000,00000000,00479DC8,?,?,?,?,0043B63E,00000000,0047DDEC,?,00000000), ref: 0043EA77

std::regex_error::regex_error.LIBCPMT ref: 0043B66B
__CxxThrowException@8.LIBVCRUNTIME ref: 0043B679

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaisestd::invalid_argument::invalid_argumentstd::regex_error::regex_error
String ID:
API String ID: 744872699-0
Opcode ID: d6bdba78b69decf847b4d1e218f44082f1f89d33dc30cf617a6ad17d31f783a7
Instruction ID: ef772611e8dc4d21a58a6d5f92b7a368c83a611d071faf06dfac01caeb133d40
Opcode Fuzzy Hash: d6bdba78b69decf847b4d1e218f44082f1f89d33dc30cf617a6ad17d31f783a7
Instruction Fuzzy Hash: CEE04F31C0020C77CB04FAE6DC46DED773CAE18300F80981ABB6462482EB78A60987D8

Function 00423460 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 192COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004234C9

Strings

P4B, xrefs: 00423557, 004234A0
list<T> too long, xrefs: 0042364B

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: P4B$list<T> too long
API String ID: 601868998-4160811081
Opcode ID: dd13cd3cee1302d8fa579bd1087bfa3976727b529fa55db0134efcf2c3c05c66
Instruction ID: 747be4ae4192a8d206e75c2dc7b6be4e7c314297ff831e7db27a162a7b08f0f6
Opcode Fuzzy Hash: dd13cd3cee1302d8fa579bd1087bfa3976727b529fa55db0134efcf2c3c05c66
Instruction Fuzzy Hash: EB616D71B002159FDB14DF65D881B9EB7F5AF48311F10816EE91AA7341EB38EE05CBA4

Function 0043CE33 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 103COMMON

Download Yara Rule

Strings

,WH, xrefs: 0043CEAF
WH, xrefs: 0043CE8E

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: WH$,WH
API String ID: 0-3089320185
Opcode ID: d68351f520a74ccb60f01d52cc96cb2e4a9f43583d05d00f7c7915872c34c134
Instruction ID: a4ef496b129204ebd986a66c97a3711e33cddfe57394effc15a4765697b01967
Opcode Fuzzy Hash: d68351f520a74ccb60f01d52cc96cb2e4a9f43583d05d00f7c7915872c34c134
Instruction Fuzzy Hash: 0731D332D00700DADB10EF68E88279E77A5DB09324F10D56FE925FB2C1D7B89A458B9C

Function 00452109 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00452364,?,00000050,?,?,?,?,?), ref: 004521E4

Strings

ACP, xrefs: 00452127
OCP, xrefs: 0045215D

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3da82b711d8406e1961ba499738e54a3443df8bf307d5dbcc06131080a12b18b
Instruction ID: 0f0c35e6a070c4cbf3a36b6ec39d0ed77f5c138a3aad2243a9cf0aa1338ea1ca
Opcode Fuzzy Hash: 3da82b711d8406e1961ba499738e54a3443df8bf307d5dbcc06131080a12b18b
Instruction Fuzzy Hash: EA21F962A00A01B7D7348A55CF41B9772669F52B53F168427EF0AD7302E77ADE05C358

Function 0044BA23 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 0044C1C2: RtlAllocateHeap.NTDLL(00000008,-00486124,00000000,?,0044A376,00000001,00000364,?,00442F3D,?,-00486124,?,004435EA,00000000,-00486124), ref: 0044C203

_free.LIBCMT ref: 0044BAAC

Part of subcall function 0044A4F1: HeapFree.KERNEL32(00000000,00000000,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124), ref: 0044A507
Part of subcall function 0044A4F1: GetLastError.KERNEL32(-00486124,?,00451398,-00486124,00000000,-00486124,00000000,?,0045163C,-00486124,00000007,-00486124,?,00451A30,-00486124,-00486124), ref: 0044A519

Strings

Uq, xrefs: 0044BA32
DG, xrefs: 0044BA25

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID: DG$Uq
API String ID: 314386986-1795643913
Opcode ID: f79b21ebe6c8f7f51dd1e72d6ff23d80a34962a3d717fc892d5b0cab65b52614
Instruction ID: c0c70b0884434c4fd40bc8b4154fc00c46d1dfe53e9cba7ef73f1b069a217092
Opcode Fuzzy Hash: f79b21ebe6c8f7f51dd1e72d6ff23d80a34962a3d717fc892d5b0cab65b52614
Instruction Fuzzy Hash: 8521D131601701AFEB11DF59C8C1B5AB368EF01328F10451AF915AB781DB38ED41CBD9

Function 0044C32B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,-00486124), ref: 0044C38B
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0044C398

Strings

5D, xrefs: 0044C362, 0044C376, 0044C367

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID: 5D
API String ID: 2279764990-934400931
Opcode ID: cb9b665aa19bb0efa0ca3fa13492aa89810fea40f43a87fa015ae37731be1fc1
Instruction ID: e30e372cca5b2e79b8281317a55c55c3eb331f2d82a04ad887588d194548b6f0
Opcode Fuzzy Hash: cb9b665aa19bb0efa0ca3fa13492aa89810fea40f43a87fa015ae37731be1fc1
Instruction Fuzzy Hash: E3113A37A016208BEB21DE29DCC095F7395AB81720B1EC236FC15AB354D734EC0287D9

Function 0041D9D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00479DC8,0041E772,?,?), ref: 0041D9D2
GetLastError.KERNEL32(?,?), ref: 0041D9DE

Part of subcall function 0041D060: GetTickCount.KERNEL32 ref: 0041D070
Part of subcall function 0041D060: GetCurrentThreadId.KERNEL32 ref: 0041D08A
Part of subcall function 0041D060: OutputDebugStringA.KERNEL32(00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0D1
Part of subcall function 0041D060: WriteConsoleA.KERNEL32(FFFFFFFF,00000000,00000000,0040D72B,00000000,?,?,?,?,?,?,?,?,0040D72B), ref: 0041D0ED

Strings

TLoadLibraryW err=%d, xrefs: 0041D9E5

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ConsoleCountCurrentDebugErrorLastLibraryLoadOutputStringThreadTickWrite
String ID: TLoadLibraryW err=%d
API String ID: 3729237134-286212260
Opcode ID: a441e3535453ffd9108e8b2228a45a9f462a71442408d748d52854ea8e86a494
Instruction ID: d2da24007daf9eab93b61cea3f2165193f5f3afa345e17901cd63641830bb378
Opcode Fuzzy Hash: a441e3535453ffd9108e8b2228a45a9f462a71442408d748d52854ea8e86a494
Instruction Fuzzy Hash: 07D05EF1D5023157CA3123A47C097D729149F007AAF01023BF90AD1292D728C8C1C2AE

Function 0044D219 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,7FC866D6,00000000,00000000,00000000,00000000,0047E59C,0047E59C,00000000,00000000,00000000,7FC866D6), ref: 0044D2AF
GetLastError.KERNEL32(?,0047E59C), ref: 0044D2BD
MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,7FC866D6,00000000,?,0047E59C), ref: 0044D318

Memory Dump Source

Source File: 00000000.00000002.1673572488.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1673515441.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673683865.000000000045D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673728731.0000000000481000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673755880.0000000000483000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000484000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673788209.0000000000498000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1673852442.000000000055A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_40122c3fc307277bbcb516dce390f74f27e2f798cb351.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 64049eacdcd1aadf0891ca6d30f58ca29db5bd5751ab9179a69296d3f145b54f
Instruction ID: 5e4a79ef43b98ec2e7e85e4ce19094185e158f801687e593f2a8ce446e3af92f
Opcode Fuzzy Hash: 64049eacdcd1aadf0891ca6d30f58ca29db5bd5751ab9179a69296d3f145b54f
Instruction Fuzzy Hash: DD41E730E00646EFEF219F65C8447AB7BA4EF02324F1582ABFC5597291DB349D01C76A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\16f361f8

C:\Users\user\AppData\Local\Temp\bvhk

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
40122c3fc307277bbcb516dce390f74f27e2f798cb351.exe

Function 004533B6 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101
memoryCOMMON

Function 004110F0 Relevance: 46.1, APIs: 4, Strings: 22, Instructions: 570
COMMON

Function 00410DC0 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
COMMON

Function 00427680 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 174
fileCOMMON

Function 0041E7A0 Relevance: 10.6, APIs: 7, Instructions: 74
COMMON

Function 0041D950 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
threadlibraryloaderCOMMON

Function 0044CB08 Relevance: 9.2, APIs: 6, Instructions: 216
COMMON

Function 00411DD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 75
COMMON

Function 0041E890 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35
libraryloaderCOMMON

Function 0041CF70 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0044C80A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
COMMON

Function 00412F90 Relevance: 4.6, APIs: 3, Instructions: 79
fileCOMMON

Function 0040F160 Relevance: 4.6, APIs: 3, Instructions: 53
fileCOMMON