Edit tour

Windows Analysis Report
upd_1916298.exe

Overview

General Information

Sample name:	upd_1916298.exe
Analysis ID:	1531070
MD5:	abdcc4a6d9ebcdb3f832de479bec51e0
SHA1:	ab8e09f1b836a3bc07a4fd72fc17155f304e8c87
SHA256:	2fa83a1f4b3196a87645d4e71c3a486c7eb433ccb462c85888d5a5dee2abe2e2
Tags:	exeKongTukeuser-monitorsg
Infos:

Detection

DarkGate, MailPassView

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected DarkGate

Yara detected MailPassView

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the product ID of Windows

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

upd_1916298.exe (PID: 4508 cmdline: "C:\Users\user\Desktop\upd_1916298.exe" MD5: ABDCC4A6D9EBCDB3F832DE479BEC51E0)

cmd.exe (PID: 6660 cmdline: "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6172 cmdline: wmic ComputerSystem get domain MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cleanup

Malware Configuration

Threatname: DarkGate

{"C2 url": "91.222.173.80", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "startup_persistence": false, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": true, "flag_23": false, "flag_31": false, "flag_24": "new10oct", "flag_25": "x88y8y", "flag_26": false, "flag_27": "voULmQMO", "flag_28": false, "flag_29": 2, "flag_35": false}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Process Memory Space: upd_1916298.exe PID: 4508	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
Process Memory Space: upd_1916298.exe PID: 4508	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.upd_1916298.exe.4350000.3.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.upd_1916298.exe.4350000.3.unpack	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
0.2.upd_1916298.exe.4350000.3.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.upd_1916298.exe.42f0000.2.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.upd_1916298.exe.42f0000.2.unpack	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
0.2.upd_1916298.exe.42f0000.2.raw.unpack	JoeSecurity_MailPassView	Yara detected MailPassView	Joe Security
0.2.upd_1916298.exe.42f0000.2.raw.unpack	JoeSecurity_DarkGate	Yara detected DarkGate	Joe Security
Click to see the 2 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2051307002.00000000044C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: DarkGate {"C2 url": "91.222.173.80", "check_ram": false, "crypter_rawstub": "DarkGate", "crypter_dll": "R0ijS0qCVITtS0e6xeZ", "crypter_au3": 6, "flag_14": true, "crypto_key": 80, "startup_persistence": false, "flag_32": false, "anti_vm": true, "min_disk": false, "flag_18": 100, "anti_analysis": true, "min_ram": false, "flag_19": 4096, "check_disk": false, "flag_21": true, "flag_23": false, "flag_31": false, "flag_24": "new10oct", "flag_25": "x88y8y", "flag_26": false, "flag_27": "voULmQMO", "flag_28": false, "flag_29": 2, "flag_35": false}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.8% probability

Source: upd_1916298.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: upd_1916298.exe

Static PE information: certificate valid

Source:	Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb source: upd_1916298.exe
Source:	Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb\NvN hN_CorDllMainmscoree.dll source: upd_1916298.exe
Source:	Binary string: wa_3rd_party_host_32.pdb source: upd_1916298.exe

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043588D0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_043588D0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043589D8 FindFirstFileA,GetLastError,	0_2_043589D8
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04398A34 FindFirstFileW,FindNextFileW,FindClose,	0_2_04398A34
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04372B90 FindFirstFileA,FindNextFileA,FindClose,	0_2_04372B90
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043795A4 FindFirstFileW,FindNextFileW,FindClose,	0_2_043795A4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043A12AC FindFirstFileW,FindNextFileW,FindClose,	0_2_043A12AC
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439FDC0 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	0_2_0439FDC0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04355934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_04355934

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 91.222.173.80

Source: Joe Sandbox View

ASN Name: KICUA-ASGI KICUA-ASGI

Source: upd_1916298.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: upd_1916298.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: upd_1916298.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: upd_1916298.exe	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: upd_1916298.exe	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: upd_1916298.exe	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: upd_1916298.exe	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: upd_1916298.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: upd_1916298.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: upd_1916298.exe	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: upd_1916298.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: upd_1916298.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	String found in binary or memory: https://mail.google.com/mail/u/0/#inbox
Source: upd_1916298.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: upd_1916298.exe	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0436BE20 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,GlobalUnlock,CloseClipboard,

0_2_0436BE20

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04380380 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader,

0_2_04380380

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04371458 GetAsyncKeyState,

0_2_04371458

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_043792B0 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

0_2_043792B0

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00401093 NtAllocateVirtualMemory,NtCreateSection,NtMapViewOfSection,LoadLibraryA,	0_2_00401093
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04370694 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	0_2_04370694
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04370374 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,	0_2_04370374
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04399C28 NtDuplicateObject,NtClose,	0_2_04399C28
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04399C5C NtQueryObject,NtQueryObject,	0_2_04399C5C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04399CB4 NtOpenProcess,	0_2_04399CB4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04399D04 NtQuerySystemInformation,NtDuplicateObject,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,NtClose,	0_2_04399D04
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04399FA8 Sleep,TerminateThread,NtClose,NtClose,	0_2_04399FA8

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0044F050	0_2_0044F050
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00409000	0_2_00409000
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004470D0	0_2_004470D0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0041E0E0	0_2_0041E0E0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004290A0	0_2_004290A0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004340A0	0_2_004340A0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00425120	0_2_00425120
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00423250	0_2_00423250
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004102E0	0_2_004102E0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0040F300	0_2_0040F300
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00417330	0_2_00417330
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004A23F0	0_2_004A23F0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004373A5	0_2_004373A5
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00441460	0_2_00441460
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00421430	0_2_00421430
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0041E600	0_2_0041E600
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00430620	0_2_00430620
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00427720	0_2_00427720
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00482720	0_2_00482720
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0044F840	0_2_0044F840
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0041F800	0_2_0041F800
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0042E880	0_2_0042E880
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0040E890	0_2_0040E890
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00408930	0_2_00408930
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00403980	0_2_00403980
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00428A80	0_2_00428A80
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00422A90	0_2_00422A90
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0040BBE0	0_2_0040BBE0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00409CF0	0_2_00409CF0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0041BD40	0_2_0041BD40
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00414D50	0_2_00414D50
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00426D00	0_2_00426D00
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00429D30	0_2_00429D30
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_004A0D30	0_2_004A0D30
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00401DF0	0_2_00401DF0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00421F80	0_2_00421F80
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00467FB0	0_2_00467FB0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0438443C	0_2_0438443C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043909F4	0_2_043909F4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0438F40C	0_2_0438F40C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436FB8C	0_2_0436FB8C

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04354300 appears 72 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04354324 appears 41 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 00408870 appears 205 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 004085B0 appears 32 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04354354 appears 47 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04377B38 appears 32 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 00409A30 appears 134 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 0042C200 appears 41 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 043548C4 appears 88 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04354628 appears 36 times
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: String function: 04356940 appears 77 times

Source: upd_1916298.exe

Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

Source: upd_1916298.exe, 00000000.00000000.2023489319.0000000000615000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamelibwapshost.dll8 vs upd_1916298.exe
Source: upd_1916298.exe, 00000000.00000000.2023489319.0000000000615000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewa_3rd_party_host_32.exe8 vs upd_1916298.exe
Source: upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: mQFileDescriptionFileVersionCommentsCompanyNameLegalTrademarksOriginalFilenameInternalNameLegalCopyrightProductVersionSpecialBuildPrivateBuildProductName\StringFileInfo\%04X%04X\%sOLESelfRegister\VarFileInfo\Translationcmd.exe /S /C "" 2> > OPSWAT" QuietDisplayNameDisplayNameSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UTCPMTZkernel32.dll%vm_idExecutablePath.+\\(.+)attempt_synchronizeactionroot\cimv2SELECT ExecutablePath,ProcessId,CommandLine from Win32_ProcessCommandLineProcessIdrunningrun<vmstate type="string">(.+?)</vmstate>vmwindow.exe%"C:\Windows\system32\VMWindow.exe"VMWindow.exe" -file "pausedsuspendC:\Windows\system32\timeout.exe /t 1SELECT CommandLine from Win32_Process where CommandLine like "%shut_downC:\Windows\system32\Taskkill.exe"C:\Windows\system32\Taskkill.exe" /PID /FremovableQHGetSigDatabaseVersionAQHGetSigDatabaseTimeQHIsAVInstalledQHIsOnAccessScanEnabledQHGetEngineVersionWQHGetEngineVersionAQHGetSigDatabaseVersionWQHInitUpdateQHIsLicenseExpiredQHGetExpDateQHEnableOnAccessScanQHFreeThreatHistoryListWQHGetThreatHistoryWQHFreeThreatHistoryListAQHGetThreatHistoryAQHGetDigitalCertSignerAQHGetAppLanguageWQHGetAppLanguageAQHIsUpdateInProgressQHGetSigDatabaseDirAQHGetProductInstallDirWQHGetProductInstallDirAQHGetDigitalCertSignerWQHInitiateFolderScanWQHInitiateFolderScanAQHInitiateFullScanQHGetSigDatabaseDirWQHIsFullScanRunningQHGetLastFullScanTimeQHInitiateFileScanWQHInitiateFileScanAQHGetSASQHStatusQHOpenScanner%s%sopswatai.dllQHChangeOnAccessScanStateSCANAPI.DLLSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE vs upd_1916298.exe
Source: upd_1916298.exe	Binary or memory string: mQFileDescriptionFileVersionCommentsCompanyNameLegalTrademarksOriginalFilenameInternalNameLegalCopyrightProductVersionSpecialBuildPrivateBuildProductName\StringFileInfo\%04X%04X\%sOLESelfRegister\VarFileInfo\Translationcmd.exe /S /C "" 2> > OPSWAT" QuietDisplayNameDisplayNameSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UTCPMTZkernel32.dll%vm_idExecutablePath.+\\(.+)attempt_synchronizeactionroot\cimv2SELECT ExecutablePath,ProcessId,CommandLine from Win32_ProcessCommandLineProcessIdrunningrun<vmstate type="string">(.+?)</vmstate>vmwindow.exe%"C:\Windows\system32\VMWindow.exe"VMWindow.exe" -file "pausedsuspendC:\Windows\system32\timeout.exe /t 1SELECT CommandLine from Win32_Process where CommandLine like "%shut_downC:\Windows\system32\Taskkill.exe"C:\Windows\system32\Taskkill.exe" /PID /FremovableQHGetSigDatabaseVersionAQHGetSigDatabaseTimeQHIsAVInstalledQHIsOnAccessScanEnabledQHGetEngineVersionWQHGetEngineVersionAQHGetSigDatabaseVersionWQHInitUpdateQHIsLicenseExpiredQHGetExpDateQHEnableOnAccessScanQHFreeThreatHistoryListWQHGetThreatHistoryWQHFreeThreatHistoryListAQHGetThreatHistoryAQHGetDigitalCertSignerAQHGetAppLanguageWQHGetAppLanguageAQHIsUpdateInProgressQHGetSigDatabaseDirAQHGetProductInstallDirWQHGetProductInstallDirAQHGetDigitalCertSignerWQHInitiateFolderScanWQHInitiateFolderScanAQHInitiateFullScanQHGetSigDatabaseDirWQHIsFullScanRunningQHGetLastFullScanTimeQHInitiateFileScanWQHInitiateFileScanAQHGetSASQHStatusQHOpenScanner%s%sopswatai.dllQHChangeOnAccessScanStateSCANAPI.DLLSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SCANNER.EXE vs upd_1916298.exe
Source: upd_1916298.exe	Binary or memory string: OriginalFilenamelibwapshost.dll8 vs upd_1916298.exe
Source: upd_1916298.exe	Binary or memory string: OriginalFilenamewa_3rd_party_host_32.exe8 vs upd_1916298.exe

Source: upd_1916298.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.spyw.evad.winEXE@6/2@0/1

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0437D924 GetLastError,FormatMessageA,

0_2_0437D924

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04358C34 GetDiskFreeSpaceA,

0_2_04358C34

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0435DEC0 CreateToolhelp32Snapshot,

0_2_0435DEC0

Source: C:\Users\user\Desktop\upd_1916298.exe

File created: C:\Users\user\AppData\Roaming\EFeACAf

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3424:120:WilError_03

Source: C:\Users\user\Desktop\upd_1916298.exe

File created: C:\temp\

Jump to behavior

Source: upd_1916298.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\upd_1916298.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: upd_1916298.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.72%

Source: C:\Users\user\Desktop\upd_1916298.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000000.2023416131.00000000005AE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: upd_1916298.exe

String found in binary or memory: ADeinitializing RunsplacePool ...OClosing and disposing RunsplacePool ...KFinished Deinitializing RunsplacePool=debug_log_output_path.:"(.+?)"3Create Powershell engine.-Start PSInvoke. Cmd:

Source: unknown	Process created: C:\Users\user\Desktop\upd_1916298.exe "C:\Users\user\Desktop\upd_1916298.exe"
Source: C:\Users\user\Desktop\upd_1916298.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain
Source: C:\Users\user\Desktop\upd_1916298.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain	Jump to behavior

Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: upd_1916298.exe

Static PE information: certificate valid

Source: upd_1916298.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: upd_1916298.exe

Static file information: File size 2695440 > 1048576

Source: upd_1916298.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a0000

Source: upd_1916298.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: upd_1916298.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: upd_1916298.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb source: upd_1916298.exe
Source:	Binary string: C:\buildagent\work\e92649e6840d750\additions\libwapshost\obj\x86\Release_static\libwapshost.pdb\NvN hN_CorDllMainmscoree.dll source: upd_1916298.exe
Source:	Binary string: wa_3rd_party_host_32.pdb source: upd_1916298.exe

Source: upd_1916298.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: upd_1916298.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: upd_1916298.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: upd_1916298.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: upd_1916298.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0436C0C8 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0436C0C8

Source: upd_1916298.exe

Static PE information: section name: .didat

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_00591179 push ecx; ret	0_2_0059118C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0053C4D6 push ecx; ret	0_2_0053C4E9
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04378424 push 04378450h; ret	0_2_04378448
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439847C push 043984C8h; ret	0_2_043984C0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043564A4 push 043564F5h; ret	0_2_043564ED
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043A0498 push 043A05C6h; ret	0_2_043A05BE
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439A484 push 0439A4B0h; ret	0_2_0439A4A8
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436A5F0 push 0436A69Bh; ret	0_2_0436A693
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436A5EE push 0436A69Bh; ret	0_2_0436A693
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436A6A0 push 0436A730h; ret	0_2_0436A728
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043566EC push 04356718h; ret	0_2_04356710
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436A734 push 0436A760h; ret	0_2_0436A758
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436A732 push 0436A760h; ret	0_2_0436A758
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439C73C push 0439C77Ch; ret	0_2_0439C774
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0435673E push 0435676Ch; ret	0_2_04356764
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436C774 push 0436C7ACh; ret	0_2_0436C7A4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04356740 push 0435676Ch; ret	0_2_04356764
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439C7AC push 0439C7D8h; ret	0_2_0439C7D0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04368028 push ecx; mov dword ptr [esp], ecx	0_2_0436802D
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436C066 push 0436C094h; ret	0_2_0436C08C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436C068 push 0436C094h; ret	0_2_0436C08C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04370128 push 04370154h; ret	0_2_0437014C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439A10C push 0439A138h; ret	0_2_0439A130
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04370160 push 0437018Ch; ret	0_2_04370184
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043701BE push 043701ECh; ret	0_2_043701E4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043701C0 push 043701ECh; ret	0_2_043701E4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439A2AC push 0439A2D8h; ret	0_2_0439A2D0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043902D8 push ecx; mov dword ptr [esp], eax	0_2_043902DA
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436CC34 push 0436CC70h; ret	0_2_0436CC68
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04396C10 push 04396E0Bh; ret	0_2_04396E03
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439CC14 push 0439CCCEh; ret	0_2_0439CCC6

Source: C:\Users\user\Desktop\upd_1916298.exe

0_2_0436C0C8

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_043A2064

0_2_043A2064

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp

Binary or memory string: SUPERANTISPYWARE.EXE

Source: C:\Users\user\Desktop\upd_1916298.exe

API coverage: 4.6 %

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_043A2064

0_2_043A2064

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Domain FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\upd_1916298.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043588D0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	0_2_043588D0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043589D8 FindFirstFileA,GetLastError,	0_2_043589D8
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04398A34 FindFirstFileW,FindNextFileW,FindClose,	0_2_04398A34
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04372B90 FindFirstFileA,FindNextFileA,FindClose,	0_2_04372B90
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043795A4 FindFirstFileW,FindNextFileW,FindClose,	0_2_043795A4
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_043A12AC FindFirstFileW,FindNextFileW,FindClose,	0_2_043A12AC
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0439FDC0 FindFirstFileW,lstrcmpW,lstrcmpW,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FindNextFileW,FindClose,	0_2_0439FDC0
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_04355934 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	0_2_04355934

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_043768D0 GetSystemInfo,

0_2_043768D0

Source: upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: upd_1916298.exe, 00000000.00000002.2050990300.000000000281E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\upd_1916298.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_005526A5 IsDebuggerPresent,OutputDebugStringW,

0_2_005526A5

Source: C:\Users\user\Desktop\upd_1916298.exe

0_2_0436C0C8

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0057C074 mov eax, dword ptr fs:[00000030h]	0_2_0057C074
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0058061A mov eax, dword ptr fs:[00000030h]	0_2_0058061A
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436D494 mov eax, dword ptr fs:[00000030h]	0_2_0436D494
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436FB8C mov eax, dword ptr fs:[00000030h]	0_2_0436FB8C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0436FB8C mov eax, dword ptr fs:[00000030h]	0_2_0436FB8C

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04370374 GetCurrentProcessId,OpenProcess,InitializeProcThreadAttributeList,GetProcessHeap,RtlAllocateHeap,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,

0_2_04370374

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0053B537 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0053B537
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: 0_2_0056DD94 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0056DD94

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04373730 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

0_2_04373730

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04373730 CreateProcessA,CreateProcessA,OpenProcess,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,

0_2_04373730

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04396BA8 mouse_event,mouse_event,

0_2_04396BA8

Source: C:\Users\user\Desktop\upd_1916298.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic ComputerSystem get domain			Jump to behavior

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0053C0F0 cpuid

0_2_0053C0F0

Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_04355B0C
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: GetLocaleInfoA,	0_2_04356430
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: GetLocaleInfoA,GetACP,	0_2_0435CB64
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: GetLocaleInfoA,	0_2_0435B4FC
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: GetLocaleInfoA,	0_2_0435B548
Source: C:\Users\user\Desktop\upd_1916298.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	0_2_04355C17

Source: C:\Users\user\Desktop\upd_1916298.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\upd_1916298.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior
Source: C:\Users\user\Desktop\upd_1916298.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID			Jump to behavior

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0053C4EB GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0053C4EB

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_04376A54 GetUserNameA,

0_2_04376A54

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_0057D5CA _free,_free,_free,GetTimeZoneInformation,_free,

0_2_0057D5CA

Source: C:\Users\user\Desktop\upd_1916298.exe

Code function: 0_2_043564F9 GetCommandLineA,GetVersion,GetVersion,GetThreadLocale,GetThreadLocale,GetCurrentThreadId,

0_2_043564F9

Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: mcshield.exe
Source: upd_1916298.exe, upd_1916298.exe, 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: superantispyware.exe

Stealing of Sensitive Information

Yara detected DarkGate

Source: Yara match	File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR

Yara detected MailPassView

Source: Yara match	File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.4350000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR

Remote Access Functionality

Yara detected DarkGate

Source: Yara match	File source: 0.2.upd_1916298.exe.4350000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.upd_1916298.exe.42f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: upd_1916298.exe PID: 4508, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Create Account	211 Process Injection	1 Masquerading	11 Input Capture	2 System Time Discovery	Remote Services	11 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	55 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
http://crl.certum.pl/ctnca2.crl0l	0%	URL Reputation	safe
http://repository.certum.pl/ctnca2.cer09	0%	URL Reputation	safe
https://www.certum.pl/CPS0	0%	URL Reputation	safe
http://www.certum.pl/CPS0	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://cevcsca2021.ocsp-certum.com07	upd_1916298.exe	false		unknown
http://crl.certum.pl/ctnca2.crl0l	upd_1916298.exe	false	URL Reputation: safe	unknown
http://repository.certum.pl/ctnca2.cer09	upd_1916298.exe	false	URL Reputation: safe	unknown
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	upd_1916298.exe	false		unknown
https://mail.google.com/mail/u/0/#inbox	upd_1916298.exe, 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp	false		unknown
https://www.certum.pl/CPS0	upd_1916298.exe	false	URL Reputation: safe	unknown
http://repository.certum.pl/cevcsca2021.cer0	upd_1916298.exe	false		unknown
http://www.certum.pl/CPS0	upd_1916298.exe	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	upd_1916298.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.222.173.80	unknown	Ukraine		39249	KICUA-ASGI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531070
Start date and time:	2024-10-10 20:12:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	upd_1916298.exe
Detection:	MAL
Classification:	mal88.troj.spyw.evad.winEXE@6/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 32 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: upd_1916298.exe

Simulations

Behavior and APIs

Time	Type	Description
14:12:57	API Interceptor	1x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KICUA-ASGI	https://www.bing.com/ck/a?!&&p=a77cc440c9cf39f7JmltdHM9MTcyNDgwMzIwMCZpZ3VpZD0wZjA5MTkyNC0yMmI0LTZkZGEtM2NhYS0wYTlkMjNlMjZjYjYmaW5zaWQ9NTE5Mw&ptn=3&ver=2&hsh=3&fclid=0f091924-22b4-6dda-3caa-0a9d23e26cb6&psq=gastrogynaeclinic.com&u=a1aHR0cHM6Ly9nYXN0cm9neW5hZWNsaW5pYy5jb20v&ntb=1	Get hash	malicious	Phisher	Browse	91.222.174.230
	34GRtebP3g.exe	Get hash	malicious	DarkGate, MailPassView	Browse	91.222.173.42
	34GRtebP3g.exe	Get hash	malicious	DarkGate, MailPassView	Browse	91.222.173.42
	Authenticator_v5.1.exe	Get hash	malicious	Unknown	Browse	91.222.173.181
	Authenticator_v5.1.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.222.173.181
	Authenticator_v5.1.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.222.173.181
	counter.exe	Get hash	malicious	Bdaejec	Browse	195.214.214.53
	8TaHpZNfuf.exe	Get hash	malicious	DarkGate, MailPassView	Browse	91.222.173.167
	YandexDiskSetup.exe	Get hash	malicious	DarkGate, MailPassView	Browse	91.222.173.204
	17577037176.zip	Get hash	malicious	DarkGate, MailPassView	Browse	91.222.173.113

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	2.914979271060093
Encrypted:	false
SSDEEP:	3:Qh9eolFl+ClFYn:Q7eY+Xn
MD5:	AA80D60A166F0455FF52A716AB4484BA
SHA1:	8D6F9C56DCB008FF63ACBE7EE601F02B9E072A66
SHA-256:	DFBA4B33F04967D617B2D4222B574BB3D2C7C2E1816D12D22A7AB4732D86678C
SHA-512:	B25BE93F450333EE027AC15C3CA79C6F55A1DAAF211AA99839A59302D4F4519EA192A08E0CAF67AB42436243FE35A4F2AC978C0D4DBE3423A839F5C5D5988BCC
Malicious:	false
Reputation:	low
Preview:	..D.o.m.a.i.n. . .....4.y.k.o.N. . . .....

C:\Users\user\AppData\Roaming\EFeACAf

Download File

Process:	C:\Users\user\Desktop\upd_1916298.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	32
Entropy (8bit):	3.7417292966721747
Encrypted:	false
SSDEEP:	3:MQnFuGGSQuygn:M1GTzn
MD5:	C98F11CED00A201D0520C3B721D1C1BC
SHA1:	35036B454AEC25C848313688A7DF2EFF774D719C
SHA-256:	2CD35C2AB938E02D14A1BF7D118B7BC38C9377715D0E580BC25C74503171ABD5
SHA-512:	6AC3865166064167726C5EF993119558211FD6959A13DE4AA34562AE0C8C4B8D2B00633552D2285C4BFE316DED91C1ED6F04C1A2309F6E6A81EC2B5DCDA5368D
Malicious:	false
Reputation:	low
Preview:	CDAadHGEbAhHhKcfdDheFefdfDaGhDAE

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.95323091118722
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.72% Win32 Executable (generic) a (10002005/4) 49.68% Windows ActiveX control (116523/4) 0.58% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	upd_1916298.exe
File size:	2'695'440 bytes
MD5:	abdcc4a6d9ebcdb3f832de479bec51e0
SHA1:	ab8e09f1b836a3bc07a4fd72fc17155f304e8c87
SHA256:	2fa83a1f4b3196a87645d4e71c3a486c7eb433ccb462c85888d5a5dee2abe2e2
SHA512:	8adf6d9ec903385be0d379ecfd122db5ae2f30e393105b2d1db8fcde6816c85c7b709fe700ab90f1d7bd187d0d22b538a62e033238925fb3c77972281e8253e7
SSDEEP:	49152:Ms8boAvk/rdETXD/j6qYMfnz8xvMOjyPNerGSbR7Wtg2l3ZjH+7DnGdc9iOj:MNboAurdEPjflSb1WtZte7DB
TLSH:	5AC5AF13B7C7C073EC929171557ADBA7582D7A20072848CBE2C05E1D68E26D26F36B6F
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........p>...m...m...m...lv..m...l...mVn.m...me..l...me..l...me..lA..m...l...m...l...m...l...m...m...m...l...m...l...m...l...m...m...

File Icon


Icon Hash:	173149cccc490307

Static PE Info

General

Entrypoint:	0x53c060
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6645E940 [Thu May 16 11:08:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	8228b51f94e32d919543d0118d0ddc46

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	07/10/2024 04:08:37 07/10/2025 04:08:36
Subject Chain	CN="Pinchao (Shenzhen) Network Technology Co., Ltd.", O="Pinchao (Shenzhen) Network Technology Co., Ltd.", L=Shenzhen, S=Guangdong, C=CN, SERIALNUMBER=91440300596794584L, OID.1.3.6.1.4.1.311.60.2.1.1=Shenzhen, OID.1.3.6.1.4.1.311.60.2.1.2=Guangdong, OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	6678FF8DD909DD56B4AEB4ADF6E8729D
Thumbprint SHA-1:	443CAD90EB0711571D60B7DF7B1DBC7F97C3DCC2
Thumbprint SHA-256:	CB821EC143C163713C13111D49FBC544CA7B7E00950ECBE890CC493D60EB5704
Serial:	6DFFAF77D8C06AF0EF1E2A88CFE4360B

Entrypoint Preview

Instruction
call 00007F4C04845DDBh
jmp 00007F4C048457DDh
int3
int3
int3
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007F4C0484595Eh
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007F4C04845939h
int3
int3
int3
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F4C047B3767h
mov dword ptr [esi], 005C2C28h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 005C2C30h
mov dword ptr [ecx], 005C2C28h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4C047B37A4h
push 00604774h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4C048749F0h
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4C04845912h
push 0060142Ch
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4C048749D3h
int3
push ebp
mov ebp, esp
and dword ptr [0060E7E8h], 00000000h
sub esp, 2Ch
push ebx
xor ebx, ebx
inc ebx
or dword ptr [006071E0h], ebx
push 0000000Ah
call 00007F4C04845A20h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x204ae0	0x4c8	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x204fa8	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x215000	0x70a80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x28f800	0x2910	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x286000	0x115e8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1ee010	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1ee080	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1d26f8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1a1000	0x43c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x204a54	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x19ff5a	0x1a0000	c309efacfcca325177df19fd50cad3de	False	0.5116541935847356	data	6.62770760824614	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1a1000	0x6575a	0x65800	98499091282bed2ccdafdb62d6361afe	False	0.31095578048029554	data	5.384936595689672	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x207000	0xb178	0x7600	453997f62050178efeae0a6777c39680	False	0.19974841101694915	data	4.715686411768808	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat	0x213000	0x10	0x200	c38288023812070ce82b7497534c2042	False	0.041015625	data	0.16476501235057214	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x214000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x215000	0x70a80	0x70c00	2c7b614854efe38a314201bfbe45657d	False	0.798758834534368	data	7.798650482101254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x286000	0x115e8	0x11600	c169161967d938c5cc8ce39678463bcd	False	0.6230328237410072	data	6.649750511860731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2152e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.4913294797687861
RT_ICON	0x215848	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.46435018050541516
RT_ICON	0x2160f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.39072494669509594
RT_ICON	0x216f98	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.6214539007092199
RT_ICON	0x217400	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.4298780487804878
RT_ICON	0x2184a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.32863070539419087
RT_ICON	0x21aa50	0x7cfc	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9984998124765596
RT_FONT	0x22274c	0x5f600	data			0.821141874180865
RT_RCDATA	0x281d4c	0x3800	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	English	United States	0.4654017857142857
RT_GROUP_ICON	0x28554c	0x68	data			0.7019230769230769
RT_VERSION	0x2855b4	0x34c	data	English	United States	0.4834123222748815
RT_MANIFEST	0x285900	0x17f	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5953002610966057

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, FormatMessageW, GetDiskFreeSpaceA, GetLastError, GetFileAttributesA, GetFileAttributesExW, OutputDebugStringW, FlushViewOfFile, CreateFileA, LoadLibraryA, WaitForSingleObjectEx, DeleteFileA, DeleteFileW, HeapReAlloc, CloseHandle, RaiseException, GetSystemInfo, LoadLibraryW, HeapAlloc, HeapCompact, HeapDestroy, UnlockFile, GetProcAddress, LocalFree, LockFileEx, GetFileSize, DeleteCriticalSection, GetCurrentProcessId, GetProcessHeap, SystemTimeToFileTime, FreeLibrary, WideCharToMultiByte, GetSystemTimeAsFileTime, GetSystemTime, FormatMessageA, CreateFileMappingW, MapViewOfFile, QueryPerformanceCounter, GetTickCount, FlushFileBuffers, GetTickCount64, SizeofResource, GetModuleHandleExW, GetModuleFileNameW, LocalAlloc, FreeResource, LockResource, LoadResource, FindResourceW, SetErrorMode, LoadLibraryExW, InitializeCriticalSectionEx, Sleep, GetWindowsDirectoryW, GetEnvironmentStringsW, GetCurrentDirectoryW, SetCurrentDirectoryW, FindFirstFileW, FindNextFileW, FindClose, FileTimeToSystemTime, GetFileTime, GetVolumeNameForVolumeMountPointW, GetLogicalDriveStringsW, GetDriveTypeW, DeviceIoControl, GetSystemWindowsDirectoryW, lstrcpyW, GetModuleHandleW, WaitForMultipleObjects, CreateEventW, SetEvent, CreateNamedPipeW, OpenProcess, CreateThread, GetOverlappedResult, ConnectNamedPipe, GetExitCodeProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, DisconnectNamedPipe, CreateDirectoryW, GetCurrentProcess, CreateProcessW, CopyFileW, SetLastError, lstrcpynW, GetLocaleInfoW, TerminateProcess, GetTempFileNameW, ExpandEnvironmentStringsW, GetVersionExW, GetTimeZoneInformation, GetSystemDirectoryW, ReleaseMutex, CreateMutexA, VirtualAlloc, VirtualFree, VirtualQuery, WriteConsoleW, ReadConsoleW, SetStdHandle, MultiByteToWideChar, HeapSize, HeapValidate, UnmapViewOfFile, GetCurrentThreadId, GetFileAttributesW, CreateFileW, WaitForSingleObject, CreateMutexW, GetTempPathW, UnlockFileEx, SetEndOfFile, AreFileApisANSI, GetFullPathNameA, SetFilePointer, InitializeCriticalSection, LeaveCriticalSection, LockFile, OutputDebugStringA, GetDiskFreeSpaceW, WriteFile, GetFullPathNameW, EnterCriticalSection, HeapFree, HeapCreate, TryEnterCriticalSection, ReadFile, DecodePointer, FreeEnvironmentStringsW, FindFirstFileExW, SetEnvironmentVariableW, SetFilePointerEx, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, GetOEMCP, GetACP, IsValidCodePage, GetFileType, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetCommandLineW, GetCommandLineA, GetStdHandle, ExitProcess, ExitThread, RtlUnwind, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, VirtualProtect, UnregisterWait, RegisterWaitForSingleObject, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, DeleteTimerQueueTimer, ChangeTimerQueueTimer, CreateTimerQueueTimer, GetLogicalProcessorInformation, GetThreadPriority, SetThreadPriority, SwitchToThread, SignalObjectAndWait, GetModuleHandleA, FreeLibraryAndExitThread, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, ResetEvent, IsDebuggerPresent, GetStartupInfoW, InitializeSListHead, GetStringTypeW, DuplicateHandle, GetCurrentThread, GetExitCodeThread, GetNativeSystemInfo, QueryPerformanceFrequency, EncodePointer, QueueUserWorkItem, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, CompareStringW, LCMapStringW, GetCPInfo, CreateTimerQueue, GetThreadTimes, LoadLibraryExA
USER32.dll	PostThreadMessageW, wsprintfW
ADVAPI32.dll	OpenSCManagerW, EqualSid, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, QueryServiceStatus, OpenServiceW, RegCloseKey, RegEnumKeyExW, RegOpenKeyExW, RegQueryValueExW, CloseServiceHandle, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, AccessCheck, GetFileSecurityW, DuplicateToken, MapGenericMask, LookupPrivilegeValueW, AdjustTokenPrivileges, RegSaveKeyW, OpenProcessToken
ole32.dll	CoSetProxyBlanket, CoUninitialize, CoInitializeEx, CoCreateInstance, IIDFromString, CLSIDFromString, CoAddRefServerProcess, CoReleaseServerProcess, OleRun
OLEAUT32.dll	GetErrorInfo, VariantTimeToSystemTime, VariantClear, SafeArrayCreateVector, SafeArrayCreate, SafeArrayLock, VariantCopy, SafeArrayPutElement, SysAllocString, SysFreeString, SafeArrayGetDim, SysStringLen, SysAllocStringLen, SafeArrayDestroy, VariantInit, SafeArrayGetElement, SafeArrayUnlock
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
SHLWAPI.dll	StrStrIW
WININET.dll	HttpSendRequestW, InternetConnectW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetReadFile, HttpOpenRequestW

Exports

Name	Ordinal	Address
_QHChangeOnAccessScanState@8	1	0x51fa40
_QHEnableOnAccessScan@8	2	0x51e740
_QHFreeThreatHistoryListA@8	3	0x51ed00
_QHFreeThreatHistoryListW@8	4	0x51ed40
_QHGetAppLanguageA@16	5	0x51ee10
_QHGetAppLanguageW@16	6	0x51eec0
_QHGetDigitalCertSignerA@12	7	0x51ef80
_QHGetDigitalCertSignerW@12	8	0x51f020
_QHGetEngineVersionA@12	9	0x51e570
_QHGetEngineVersionW@12	10	0x51e610
_QHGetExpDate@8	11	0x51e7d0
_QHGetLastFullScanTime@8	12	0x51f650
_QHGetProductInstallDirA@12	13	0x51f0c0
_QHGetProductInstallDirW@12	14	0x51f160
_QHGetSASQHStatus@8	15	0x51f9a0
_QHGetSigDatabaseDirA@12	16	0x51f200
_QHGetSigDatabaseDirW@12	17	0x51f2a0
_QHGetSigDatabaseTime@8	18	0x51e390
_QHGetSigDatabaseVersionA@12	19	0x51e430
_QHGetSigDatabaseVersionW@12	20	0x51e4d0
_QHGetThreatHistoryA@8	21	0x51e990
_QHGetThreatHistoryW@8	22	0x51eb80
_QHInitUpdate@4	23	0x51e900
_QHInitiateFileScanA@8	24	0x51f510
_QHInitiateFileScanW@8	25	0x51f5b0
_QHInitiateFolderScanA@8	26	0x51f3d0
_QHInitiateFolderScanW@8	27	0x51f470
_QHInitiateFullScan@4	28	0x51f340
_QHIsAVInstalled@4	29	0x51e290
_QHIsFullScanRunning@4	30	0x51f6f0
_QHIsLicenseExpired@4	31	0x51e870
_QHIsOnAccessScanEnabled@4	32	0x51e6b0
_QHIsUpdateInProgress@4	33	0x51ed80
_QHOpenScanner@4	34	0x51f870

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	14:12:56
Start date:	10/10/2024
Path:	C:\Users\user\Desktop\upd_1916298.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\upd_1916298.exe"
Imagebase:	0x400000
File size:	2'695'440 bytes
MD5 hash:	ABDCC4A6D9EBCDB3F832DE479BEC51E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000000.00000002.2051199600.00000000043AE000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MailPassView, Description: Yara detected MailPassView, Source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DarkGate, Description: Yara detected DarkGate, Source: 00000000.00000002.2051149313.00000000042F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:12:56
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\ffdbfkc\chbdcee
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:12:56
Start date:	10/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:12:56
Start date:	10/10/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic ComputerSystem get domain
Imagebase:	0xfe0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	1226
Total number of Limit Nodes:	14

Executed Functions

Function 04355B0C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000105,043A50A8), ref: 04355B27
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,043A50A8), ref: 04355B45
RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,043A50A8), ref: 04355B63
RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04355B81
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,04355C10,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04355BCA
RegQueryValueExA.ADVAPI32(?,04355D8C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,04355C10,?,80000001), ref: 04355BE8
RegCloseKey.ADVAPI32(?,04355C17,00000000,?,?,00000000,04355C10,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04355C0A
lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04355C27
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 04355C34
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04355C3A
lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 04355C65
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04355CBA
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04355CCA
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04355CF6
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04355D06
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 04355D30
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 04355D40

Strings

Software\Borland\Locales, xrefs: 04355B3B, 04355B59
Software\Borland\Delphi\Locales, xrefs: 04355B77

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoadOpen$LocaleQueryValue$CloseFileInfoModuleNameThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1759228003-2375825460
Opcode ID: 0197972779b6416cb2bfcca9303e89c0f597c4eddba20fb9a5b8b959a2b11287
Instruction ID: 790649db70c966386f74b21a6dd095664462064fe0c0d69d94643b3e876adf33
Opcode Fuzzy Hash: 0197972779b6416cb2bfcca9303e89c0f597c4eddba20fb9a5b8b959a2b11287
Instruction Fuzzy Hash: FB612F71E0424DBEEF11DAE4CC45FEFB7FC9F08704F4050A1AA04E6195DAB4BA558B60

Function 00401093 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 301
nativememorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 00401223
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004012A6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000002,00000000,00000040), ref: 004012D3
LoadLibraryA.KERNELBASE(?,?), ref: 004013CC

Strings

Z#B5, xrefs: 00401128
SOTE, xrefs: 00401245
6, xrefs: 00401130
K, xrefs: 0040119D
>6Mx, xrefs: 0040113C
jR, xrefs: 00401135
5c<$, xrefs: 00401120
@m, xrefs: 004011E3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Section$AllocateCreateLibraryLoadMemoryViewVirtual
String ID: 5c<$$6$>6Mx$@m$K$SOTE$Z#B5$jR
API String ID: 876401816-2198514558
Opcode ID: c42821c472ddc47351ae0a83bd511b16d7c093262d24a0e1953ab31b91b421c9
Instruction ID: 9728a7fc0dcfb51032f400081c14b348bcd77a2e697f136fd5041557d93a2a00
Opcode Fuzzy Hash: c42821c472ddc47351ae0a83bd511b16d7c093262d24a0e1953ab31b91b421c9
Instruction Fuzzy Hash: 63B189712083819BD720CF68C880A2BB7E5FF98744F14492EF995DB3A1E774E845CB5A

Function 04355C17 Relevance: 15.1, APIs: 10, Instructions: 101
stringlibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyn.KERNEL32(?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000), ref: 04355C27
GetThreadLocale.KERNEL32(00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?), ref: 04355C34
GetLocaleInfoA.KERNEL32(00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019), ref: 04355C3A
lstrlen.KERNEL32(?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000), ref: 04355C65
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04355CBA
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04355CCA
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?), ref: 04355CF6
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?,00000105,80000001,Software\Borland\Delphi\Locales), ref: 04355D06
lstrcpyn.KERNEL32(?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?,00000005,?,?), ref: 04355D30
LoadLibraryExA.KERNEL32(?,00000000,00000002,?,?,00000105,?,00000000,00000002,?,?,00000105,?,00000000,00000003,?), ref: 04355D40

Strings

Software\Borland\Locales, xrefs: 04355B3B, 04355B59
Software\Borland\Delphi\Locales, xrefs: 04355B77

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: lstrcpyn$LibraryLoad$Locale$InfoThreadlstrlen
String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales
API String ID: 1599918012-2375825460
Opcode ID: 6fd94b6d1316c618e15987add27b6bfd0e313b6d9d0567b1eae1d6d7f647955d
Instruction ID: 03c0e9139fe93d5b2b363c4b57c56fe30e2062aa9a2cb43753e45136e20d85b0
Opcode Fuzzy Hash: 6fd94b6d1316c618e15987add27b6bfd0e313b6d9d0567b1eae1d6d7f647955d
Instruction Fuzzy Hash: 30316072E0020D7EEF11DAE8C888FEFB7FC9F48304F4050A1A548E6195D7B8BA558B50

Function 043792B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 0437937A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,043794A9,?,?,00000000), ref: 043793BB
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 043793F8
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,043794A9,?,?,00000000), ref: 04379431
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,00000000,00000000,00000000,000000FF,08008000), ref: 04379469
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,043794A9), ref: 0437947C

Strings

D, xrefs: 0437934B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Create$Process$DesktopObjectSingleWait
String ID: D
API String ID: 183768610-2746444292
Opcode ID: 8bfb8c3308c74b58f844156ccf00738a68e1e2dc3251250e6155cd6c489f4cac
Instruction ID: 1835f0b33da82fd9037f8e17b9f640ec9c41785d36717d5d76269469f97c5099
Opcode Fuzzy Hash: 8bfb8c3308c74b58f844156ccf00738a68e1e2dc3251250e6155cd6c489f4cac
Instruction Fuzzy Hash: 505128B0A44309AFFB10EBD4CC81FDEB7B8AF04714F605225A918BB6E0D774BA418B14

Function 04376A54 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?), ref: 04376A78

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 077c8d102f49a9a490a0158dc4368bb5a08352a95288a9bed4ac243d14eefa13
Instruction ID: 896adba72d9a0989a6d460c7af897a715b7a33afae5ed8d0a756361e380e8ab5
Opcode Fuzzy Hash: 077c8d102f49a9a490a0158dc4368bb5a08352a95288a9bed4ac243d14eefa13
Instruction Fuzzy Hash: F0E06D7170460063E700BA64D882A8E72E99F94314F00A9396CCA8A2A1FABDF9945692

Function 0435DEC0 Relevance: 1.5, APIs: 1, Instructions: 17processCOMMON

Download Yara Rule

APIs

Part of subcall function 0435DC44: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0435DECB,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DC58
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0435DC70
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0435DC82
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0435DC94
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0435DCA6
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0435DCB8
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0435DCCA
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0435DCDC
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0435DCEE
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0435DD00
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0435DD12
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0435DD24
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0435DD36
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0435DD48
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0435DD5A
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0435DD6C
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0435DD7E

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DED1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$CreateHandleModuleSnapshotToolhelp32
String ID:
API String ID: 2242398760-0
Opcode ID: 38092e7b625080dcb06ac7803198984aff8283d2df36e29525caa83cf8916ab1
Instruction ID: 7184e80e9ffb1c2a2427d93709cc0ae5094e3c23cf46b056f1c253fbd627214b
Opcode Fuzzy Hash: 38092e7b625080dcb06ac7803198984aff8283d2df36e29525caa83cf8916ab1
Instruction Fuzzy Hash: 7FC08CA2A0222017DB14B6F92C88CE3478CDD991B7319A4A2B90AD3112E6AA8C1092A0

Function 043768D0 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32 ref: 043768D4

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 0c6cc4408eaa2b590609ffe9a698f2d664cf4d319a38b5d49889c3952d8e0d35
Instruction ID: a5fb1adf8285bba6a1b54e4cb7dd7c8fb2cb4cec8ac5803933f94ffdc7444266
Opcode Fuzzy Hash: 0c6cc4408eaa2b590609ffe9a698f2d664cf4d319a38b5d49889c3952d8e0d35
Instruction Fuzzy Hash: 2BA012204085000AC444A7184D4384F31801D41414FC40210689CB5391E605956443E7

Function 043A3990 Relevance: 49.4, APIs: 6, Strings: 22, Instructions: 403
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 043A39B8
GetThreadDesktop.USER32(00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 043A39BE
IsDebuggerPresent.KERNEL32(00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 043A3A0D
Sleep.KERNEL32(000007D0,00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 043A3B84
GetCurrentThreadId.KERNEL32 ref: 043A3E8D

Part of subcall function 04377B38: GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0437A6B4,\AppData\Roaming\,?,C:\Users\,00000000,0437A6EA,?,?,00000000,00000000), ref: 04377B7A

Part of subcall function 04372E68: SHFileOperation.SHELL32(?,00000000,04372EE1,?,00000000), ref: 04372EC1

Part of subcall function 04378490: GetFileAttributesA.KERNEL32(00000000,?,?,043A8E50,04375D09,00000000), ref: 0437849F
Part of subcall function 04378490: SetFileAttributesA.KERNEL32(00000000,00000000,00000000,?,?,043A8E50,04375D09,00000000), ref: 043784B3

Sleep.KERNEL32(00000064,00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 043A3B8B

Part of subcall function 043786B4: DeleteFileA.KERNEL32(00000000,00000000,04378708,?,?,?,?,043753C5,.a3x,?,043A8E50,00000000,043754DD,?,?,00000015), ref: 043786E7

Part of subcall function 0437A364: Sleep.KERNEL32(00000002,00000000,0437A3D5), ref: 0437A3B5

Strings

abby, xrefs: 043A3CDB
DLL, xrefs: 043A3C60
test, xrefs: 043A3A24
mutex0, xrefs: 043A3B98
autoit3.exe, xrefs: 043A3F20
AHK, xrefs: 043A3BFE
cc.txt, xrefs: 043A3AFA, 043A3B28
c:\temp\test_ok, xrefs: 043A3A29
Yes, xrefs: 043A3C96, 043A3CAC, 043A3CF6, 043A3EAB
vbc.exe, xrefs: 043A3D29
c.txt, xrefs: 043A3B63
xdebug 0 , xrefs: 043A3AD6
u.txt, xrefs: 043A3D11, 043A3D5B
6.9.2, xrefs: 043A39D0
AU3, xrefs: 043A3C2F
uu.txt, xrefs: 043A3D89, 043A3ECC, 043A3EFA
c:\tes2\, xrefs: 043A3F81, 043A3F8F, 043A3F99
test.txt, xrefs: 043A3F6C
mutex1, xrefs: 043A3BBA
script.a3x, xrefs: 043A3F46
c:\temp\just_test.txt, xrefs: 043A3A16
c:\debugg, xrefs: 043A3ABD

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$AttributesSleepThread$Current$DebuggerDeleteDesktopOperationPresent
String ID: 6.9.2$AHK$AU3$DLL$Yes$abby$autoit3.exe$c.txt$c:\debugg$c:\temp\just_test.txt$c:\temp\test_ok$c:\tes2\$cc.txt$mutex0$mutex1$script.a3x$test$test.txt$u.txt$uu.txt$vbc.exe$xdebug 0
API String ID: 365650166-1933767752
Opcode ID: 75d2711c54b9242a3f9852e1b1025cf56528a4d63223868ce2ee8f92a7637c6f
Instruction ID: 713f8acee07eb261504f3467b07b5366408c241e5fd4a50aad8d02b759cdb1f6
Opcode Fuzzy Hash: 75d2711c54b9242a3f9852e1b1025cf56528a4d63223868ce2ee8f92a7637c6f
Instruction Fuzzy Hash: 44F12B38A402088BFB24FBA8D880B9DB7B5EF59308F50B451D854AB365CB78FD65CB51

Function 04378354 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 29
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,043A3A00,00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 0437835F
LoadLibraryA.KERNELBASE(Urlmon.dll,?,043A3A00,00000000,00000000,043A3FE1,?,00000014,00000000,00000000), ref: 0437838B

Strings

Advapi32.dll, xrefs: 0437839E
kernel32.dll, xrefs: 0437835A
LoadLibraryA, xrefs: 04378373
ntdll.dll, xrefs: 043783B6
Shell32.dll, xrefs: 043783AA
Urlmon.dll, xrefs: 04378386
user32.dll, xrefs: 04378392

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: HandleLibraryLoadModule
String ID: Advapi32.dll$LoadLibraryA$Shell32.dll$Urlmon.dll$kernel32.dll$ntdll.dll$user32.dll
API String ID: 4133054770-1140356178
Opcode ID: 01ddae7d14b16c94af51e929c6db74de1c05ad61ac8e78d45e76c3d0ec4e336d
Instruction ID: 94448196d640233112cbef6d152aac5fc524a7a788da01678ed2af8642e09042
Opcode Fuzzy Hash: 01ddae7d14b16c94af51e929c6db74de1c05ad61ac8e78d45e76c3d0ec4e336d
Instruction Fuzzy Hash: 40F0A9B8EC5650DFB758BF78989DE397AA8FA0D7067007056E5418A214D7B82C25CF12

Function 04379A08 Relevance: 7.6, APIs: 5, Instructions: 72
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4,?,00000000,04379AC4,?,?,?,?), ref: 04379A57
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4,?,00000000,04379AC4), ref: 04379A66
VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4), ref: 04379A79
ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 04379A8F
CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 04379A95

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$AllocCloseCreateHandleReadSizeVirtual
String ID:
API String ID: 2717999310-0
Opcode ID: c81fd5de1f6fc0eba29e6ab3731fa18926c24a454b8b856ed8ba4ebbd17073b7
Instruction ID: 7c2a221d9761db0aebb4b63e9a183c11f5db69998202c023820d50b54cea83ba
Opcode Fuzzy Hash: c81fd5de1f6fc0eba29e6ab3731fa18926c24a454b8b856ed8ba4ebbd17073b7
Instruction Fuzzy Hash: E511BEB0644304BFF761DBA48C92F6AB7ECEF09B24FA05565F944E66E0E67469108A20

Function 0437ADAC Relevance: 4.6, APIs: 3, Instructions: 57
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.ADVAPI32(80000002,00000000,00000000,00020119,?,?,?,?,?,04376880,?,?,04376B5E,00000000,04376D51), ref: 0437ADF2
RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,00000100,80000002,00000000,00000000,00020119,?,?,?,?,?,04376880), ref: 0437AE19
RegCloseKey.ADVAPI32(?,80000002,00000000,00000000,00020119,?,?,?,?,?,04376880,?,?,04376B5E,00000000,04376D51), ref: 0437AE3E

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: a22893fb5e8f3dd307a574f301dce32eef748f652527de24c4e6ef9fe694505b
Instruction ID: ee2c0587dfd9e56b0adf88312e7769b5e84ae1e4c3dac879b0585d3150afc5ab
Opcode Fuzzy Hash: a22893fb5e8f3dd307a574f301dce32eef748f652527de24c4e6ef9fe694505b
Instruction Fuzzy Hash: EB116571E0021CABDB15EA94DC81FEFB7BCAF48314F405565EE18D7250E775AE848BA0

Function 0437A2D0 Relevance: 4.6, APIs: 3, Instructions: 54
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A315
WriteFile.KERNEL32(00000000,?,00000000,0437A3D5,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A32D
CloseHandle.KERNEL32(00000000,00000000,?,00000000,0437A3D5,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A339

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleWrite
String ID:
API String ID: 1065093856-0
Opcode ID: 800c9064bd6274efa7bdcfb2dc9e2f8a206ba3a6f40a4fa1d1cd69040e9d187e
Instruction ID: 1dc84f2b4bea06a404ab6c035bb5ec457d52caf433299ce255a84a7b6d0b12aa
Opcode Fuzzy Hash: 800c9064bd6274efa7bdcfb2dc9e2f8a206ba3a6f40a4fa1d1cd69040e9d187e
Instruction Fuzzy Hash: 7F01D471644308BFF725AEA8CC82FAE77BCDF49B18FA15275F914E21E0D6746E008550

Function 04377B38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0437A6B4,\AppData\Roaming\,?,C:\Users\,00000000,0437A6EA,?,?,00000000,00000000), ref: 04377B7A

Strings

GetFileAttributesA, xrefs: 04377B5E

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID: GetFileAttributesA
API String ID: 3188754299-811605020
Opcode ID: eec7e3d54c5835db4843cb89f7aff4205d94a8669e99167482c486c223f086fc
Instruction ID: f434cce0b20dc77f531337bbda4969d8e626becb4696a0208a2cec5add5fc493
Opcode Fuzzy Hash: eec7e3d54c5835db4843cb89f7aff4205d94a8669e99167482c486c223f086fc
Instruction Fuzzy Hash: 9FF0C230600304EFDB24EBB8DCD5E6A77BCEB09724B516974E440D2560D7787D10EA50

Function 04377550 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(00000000,00000000,?,?,?,?,043775EE,00000000,04377606,?,?,?,?,0437ACE5,?,04376C79), ref: 0437758C

Strings

CreateDirectoryA, xrefs: 0437756E

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID: CreateDirectoryA
API String ID: 4241100979-2169353901
Opcode ID: 91dd3af0cec0b9fce975fb41eb0c6b2f9c0a6f93435832db7464f297779668d1
Instruction ID: a37c9a86f5506e52038c1731d272a3938b588f24513c972b241a569940f56293
Opcode Fuzzy Hash: 91dd3af0cec0b9fce975fb41eb0c6b2f9c0a6f93435832db7464f297779668d1
Instruction Fuzzy Hash: 63F08270A00304BFE714EBA5DC96E69BBFCEB09A10B915471F400C3610D779BD108E10

Function 043773DC Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(00000000,00000000,?,043A8E50,04376EA6,04375C71,?,?,?,00000009,00000000,00000000,?,043A3A45,00000000,00000000), ref: 043773F5

Strings

TerminateProcess, xrefs: 043773E2

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID: TerminateProcess
API String ID: 560597551-2873147277
Opcode ID: 5f3c2c1d83f805e46625b62a6506687ce0c0b3a9f255e4bb19422982ec50621c
Instruction ID: 08381a3ac2a4e778cb9a124a461279a81c5bc0028a59a1ffd60e13c2e3ef5d67
Opcode Fuzzy Hash: 5f3c2c1d83f805e46625b62a6506687ce0c0b3a9f255e4bb19422982ec50621c
Instruction Fuzzy Hash: 7CC04CB3A82260BFA714A6FD6C88CFB669CDA4D6A27046462B619C3111D6B96C2047A0

Function 04354A94 Relevance: 3.0, APIs: 2, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 043549AE
SysAllocStringLen.OLEAUT32(?,00000011), ref: 04354A9F
SysFreeString.OLEAUT32(?), ref: 04354AB1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: String$Free$Alloc
String ID:
API String ID: 986138563-0
Opcode ID: a6cfb0773c3ef7644bc5fa8a1aa0f216c157d3979ac4c5efcdb5762f20c81e5c
Instruction ID: 1b793244043c36add4bd7253716b3d7c3b3096bc20052bec91b4e80d1092fe8c
Opcode Fuzzy Hash: a6cfb0773c3ef7644bc5fa8a1aa0f216c157d3979ac4c5efcdb5762f20c81e5c
Instruction Fuzzy Hash: 22C08CBC6013026CFF0C6F31AA01F3F632CAE922007843CA9AC10C5030E764F8E06A26

Function 043515A0 Relevance: 2.5, APIs: 2, Instructions: 37memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00002000,00000001,?,?,?,04351933), ref: 043515CF
VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,?,00002000,00000001,?,?,?,04351933), ref: 043515F6

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 6b179bd98c2507ca5e88172c2c65433f6943e7df837ef79bf5d0e64d7e07aea2
Instruction ID: 7d9631966a77695cbc36c888efc77e93d3c4da4d4350a5db204194a9208dc962
Opcode Fuzzy Hash: 6b179bd98c2507ca5e88172c2c65433f6943e7df837ef79bf5d0e64d7e07aea2
Instruction Fuzzy Hash: E2F0E2B2F0062017EF2069690C80F465AC58F45794F041471FE89EF3D8D6A1AC004AA0

Function 04376B38 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 04376D0C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CountTick
String ID:
API String ID: 536389180-0
Opcode ID: 1aed2b23b0c62a7498656453e3f8808d7da31b249e6bdf15e6ad5a178117e75d
Instruction ID: 5c8c08bb60535865cb2220952fad9d6c83ee61fa6c533c8f0127001b8cef1914
Opcode Fuzzy Hash: 1aed2b23b0c62a7498656453e3f8808d7da31b249e6bdf15e6ad5a178117e75d
Instruction Fuzzy Hash: 9951F934A0014D9BEF14FBA4D881EDDB7B6FF48308F50A521D850A7264DB78BE5ADB90

Function 0435CA14 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CompareStringA.KERNEL32(00000400,00000000,00000000,00000000,00000000,00000000), ref: 0435CA8B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 3c2a4598ed9131faea9741321b47b11001d8e40146b0261d8502946625375919
Instruction ID: ac80d3a9e37a5caa93915209e9f95e1bfd9236a97301de0c15db3d3c77e239b9
Opcode Fuzzy Hash: 3c2a4598ed9131faea9741321b47b11001d8e40146b0261d8502946625375919
Instruction Fuzzy Hash: EA1181317083449FE325FE7C8845F6ABBE5DF84724F186929AC94C72A1EA70A844C751

Function 04376AB0 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32(?,00000011), ref: 04376AEA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: debed8a8cf0d20a6bfc2a07cd804a8a43943030c2eac5d132a43fc0fa89a953b
Instruction ID: 210183c653e9c726d3599d4df3fb2a7e7b8260e01c624e8f81379d22fa43d4a4
Opcode Fuzzy Hash: debed8a8cf0d20a6bfc2a07cd804a8a43943030c2eac5d132a43fc0fa89a953b
Instruction Fuzzy Hash: D4018F31B046089BEB18EBB5DC919DEB3FDEF4D314B419076D801E2650FA38B9048A61

Function 04355878 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(04350000,?,00000105), ref: 04355896

Part of subcall function 04355B0C: GetModuleFileNameA.KERNEL32(00000000,?,00000105,043A50A8), ref: 04355B27
Part of subcall function 04355B0C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,043A50A8), ref: 04355B45
Part of subcall function 04355B0C: RegOpenKeyExA.ADVAPI32(80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105,043A50A8), ref: 04355B63
Part of subcall function 04355B0C: RegOpenKeyExA.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000002,Software\Borland\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000), ref: 04355B81
Part of subcall function 04355B0C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,?,00000000,04355C10,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?), ref: 04355BCA
Part of subcall function 04355B0C: RegQueryValueExA.ADVAPI32(?,04355D8C,00000000,00000000,?,?,?,?,00000000,00000000,?,?,00000000,04355C10,?,80000001), ref: 04355BE8
Part of subcall function 04355B0C: RegCloseKey.ADVAPI32(?,04355C17,00000000,?,?,00000000,04355C10,?,80000001,Software\Borland\Locales,00000000,000F0019,?,00000000,?,00000105), ref: 04355C0A

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Open$FileModuleNameQueryValue$Close
String ID:
API String ID: 2796650324-0
Opcode ID: e82fc143541f2ca8756894b059f421398baaee22ccf841062e5dda170e5a689d
Instruction ID: d0c3f481e6f451180194ce6dc4cb4376ddb4f061dc3e9ad6324f87b34c484138
Opcode Fuzzy Hash: e82fc143541f2ca8756894b059f421398baaee22ccf841062e5dda170e5a689d
Instruction Fuzzy Hash: 47E06D71A012109BDB10DE98C9C0E8633D8AF08664F001961EC68CF35AD7B0E9108BE0

Function 04357FC0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CharLowerBuffA.USER32(00000000,00000000,?,00000000,00000000,0437F103,00000000,0437F143), ref: 04357FEA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: BuffCharLower
String ID:
API String ID: 2358735015-0
Opcode ID: 4bc77d91f962526020d78ddd71e8f33b143e715481b804fc12e863804357d948
Instruction ID: 1ca8f67f0c1ecf4ebdd8e92e8c3bf8a109e5f51477686926431ec9dee276e43a
Opcode Fuzzy Hash: 4bc77d91f962526020d78ddd71e8f33b143e715481b804fc12e863804357d948
Instruction Fuzzy Hash: 1FD05E613006102B2244B2BE5CC0E0E92ED8FE80693152036BD0CC3330EE54EC520665

Function 0435DEE0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 0435DC44: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0435DECB,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DC58
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0435DC70
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0435DC82
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0435DC94
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0435DCA6
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0435DCB8
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0435DCCA
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0435DCDC
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0435DCEE
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0435DD00
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0435DD12
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0435DD24
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0435DD36
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0435DD48
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0435DD5A
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0435DD6C
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0435DD7E

Process32First.KERNEL32(?,00000128), ref: 0435DEF1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$FirstHandleModuleProcess32
String ID:
API String ID: 2774106396-0
Opcode ID: 06072daaf6c10612e98e4a4af51fd64d80885a87f40f28255e3fe0c4b5499e4b
Instruction ID: da30920fc0866d915f09af42708ebc4737cb96b9045303b48b5cd54b91b487a0
Opcode Fuzzy Hash: 06072daaf6c10612e98e4a4af51fd64d80885a87f40f28255e3fe0c4b5499e4b
Instruction Fuzzy Hash: 85C08CA2602220179B14B6F92C88CD3478CCD891F731464A2F90AD7112E6BA8C2092A0

Function 0435DF00 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

Part of subcall function 0435DC44: GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0435DECB,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DC58
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0435DC70
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0435DC82
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0435DC94
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0435DCA6
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0435DCB8
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0435DCCA
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32First), ref: 0435DCDC
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0435DCEE
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0435DD00
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0435DD12
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0435DD24
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0435DD36
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32First), ref: 0435DD48
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0435DD5A
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0435DD6C
Part of subcall function 0435DC44: GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0435DD7E

Process32Next.KERNEL32(?,00000128), ref: 0435DF11

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModuleNextProcess32
String ID:
API String ID: 2237597116-0
Opcode ID: 7b79b4b945091cad978d9fe28a6d899992803945043d9d3c9f93ae175808b74b
Instruction ID: dcac1fa63ea22f151ca12b5afae44b6ffe0580dff0e853ce07cd6b813821cd2a
Opcode Fuzzy Hash: 7b79b4b945091cad978d9fe28a6d899992803945043d9d3c9f93ae175808b74b
Instruction Fuzzy Hash: E6C08CA2606320179B14BAF92C88CD3978CCD891B7314A4A2B90AD3113E2AA8C1092A0

Function 043776C8 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,04377712,00000000,0437772A,?,?,?,?,0437778C,00000000,043777A4), ref: 043776D3

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 284fa65ff436c255e30d8086dea18221d188c5e36a3ef1bbce4107cb8ef41b41
Instruction ID: 361444854b86a5bab5c04057f4864a45873cb78add6a8f480d1cc6340a2e6e28
Opcode Fuzzy Hash: 284fa65ff436c255e30d8086dea18221d188c5e36a3ef1bbce4107cb8ef41b41
Instruction Fuzzy Hash: 73C04CE13253000A7A6875FC1CC595A42985E5513D7643F72E8B9D26E6D7AAB4A62020

Function 0436BE02 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,043A890C), ref: 0436BE17

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4ac4ae826f87fd4838e727868a759d3795f001c762faf69d440301458b333e46
Instruction ID: f99db014ab8104823405b6bf71192ac9abd1973c61871616cc3fe2bd3f907d2f
Opcode Fuzzy Hash: 4ac4ae826f87fd4838e727868a759d3795f001c762faf69d440301458b333e46
Instruction Fuzzy Hash: 2CB012303E021663DB0876351806412BB58AF0073CFC0B418F286D908BC0C9B4700E03

Function 04351744 Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004), ref: 043517DD

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 69d37187c04af472f3420dc5640364f7190d08ec0538314d73a8c66c928037d8
Instruction ID: 8c90cf15cfd572be359e1040e6440cb960de2b7c54bc18bf4fc65483d3987eb9
Opcode Fuzzy Hash: 69d37187c04af472f3420dc5640364f7190d08ec0538314d73a8c66c928037d8
Instruction Fuzzy Hash: 5421ADB9A042469FCB50CF2CC880E5AB7E4FF88354B148969F999CB354E330E954CB56

Function 04379FC8 Relevance: 1.3, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0435DEC0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DED1

Part of subcall function 0435DEE0: Process32First.KERNEL32(?,00000128), ref: 0435DEF1

CloseHandle.KERNEL32(?,0437A0AE), ref: 0437A0A1

Part of subcall function 0435DF00: Process32Next.KERNEL32(?,00000128), ref: 0435DF11

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 384334dd6a0d29e802e763e7db1524115d4419ccaeec224f4ac3b5403ba6ec8a
Instruction ID: bddae99bf26f384621911146a1092912450358c6160a912faa351a16e70b7452
Opcode Fuzzy Hash: 384334dd6a0d29e802e763e7db1524115d4419ccaeec224f4ac3b5403ba6ec8a
Instruction Fuzzy Hash: 57217570A04708AFEB35EF61CC51ADDBBB9EF48704F4198B5E80492620E6787A50DD10

Function 04379AD8 Relevance: 1.3, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 04379A08: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4,?,00000000,04379AC4,?,?,?,?), ref: 04379A57
Part of subcall function 04379A08: GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4,?,00000000,04379AC4), ref: 04379A66
Part of subcall function 04379A08: VirtualAlloc.KERNEL32(00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,04379AA4), ref: 04379A79
Part of subcall function 04379A08: ReadFile.KERNEL32(00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000,00000003), ref: 04379A8F
Part of subcall function 04379A08: CloseHandle.KERNEL32(00000000,00000000,?,?,?,00000000,00000000,00000000,00001000,00000004,00000000,00000000,00000000,80000000,00000001,00000000), ref: 04379A95

VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,04379B4C,?,00000000,04379B6C,?,?,?,?), ref: 04379B3D

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$Virtual$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 1974014688-0
Opcode ID: 8b5bf7947e008da94feaaa213274c31ab5be117d2d69b8811aa4a202b9d55854
Instruction ID: bec8e22b60ce9af5548e6ce07e68913b324536499ed9e4ccdc8728bc184506d0
Opcode Fuzzy Hash: 8b5bf7947e008da94feaaa213274c31ab5be117d2d69b8811aa4a202b9d55854
Instruction Fuzzy Hash: 65010470A04704AFE715DBA8DC51F8EB7B8EF49710F5155B1E840D3660E6387E10CA14

Function 04378AA4 Relevance: 1.3, APIs: 1, Instructions: 42sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001,00000000,04378B1F,?,043A8E50), ref: 04378AD6

Part of subcall function 043792B0: CreateDesktopA.USER32(00000000,00000000,00000000,00000000,10000000,00000000), ref: 0437937A
Part of subcall function 043792B0: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08008000,00000000,00000000,00000044,00000000,00000000,043794A9,?,?,00000000), ref: 043793BB

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Create$DesktopProcessSleep
String ID:
API String ID: 4216851738-0
Opcode ID: 8a81504c0676657b21b012f96c49f770fd2e2c0f0f45ec58b6b83a7f21404707
Instruction ID: 2331a2570afae10ac43fa3980964a7c9174f1ffb3c79e4f2f744256798e65764
Opcode Fuzzy Hash: 8a81504c0676657b21b012f96c49f770fd2e2c0f0f45ec58b6b83a7f21404707
Instruction Fuzzy Hash: C1012C70A04208AFEB14EFA5C882F8DF7B8EF49714F5191A5E914A76A0D7747A009A54

Function 0437A364 Relevance: 1.3, APIs: 1, Instructions: 39sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0437A2D0: CreateFileA.KERNEL32(00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A315
Part of subcall function 0437A2D0: WriteFile.KERNEL32(00000000,?,00000000,0437A3D5,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A32D
Part of subcall function 0437A2D0: CloseHandle.KERNEL32(00000000,00000000,?,00000000,0437A3D5,00000000,00000000,40000000,00000002,00000000,00000002,00000000,00000000,00000000,0437A354), ref: 0437A339

Sleep.KERNEL32(00000002,00000000,0437A3D5), ref: 0437A3B5

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSleepWrite
String ID:
API String ID: 1443029356-0
Opcode ID: 59ab4778163871326ede8dbdc32b011d4dbb36482e41136abb2e98d46aa18325
Instruction ID: d12062e698be582324155dbcb00fd5e349165052fc9c755e416ac2d06fa8908d
Opcode Fuzzy Hash: 59ab4778163871326ede8dbdc32b011d4dbb36482e41136abb2e98d46aa18325
Instruction Fuzzy Hash: 7CF08130A04608AFE715EBA4C941A9DB7F8EF04714F505071D804E2660EB746E50DA50

Function 04376DF0 Relevance: 1.3, APIs: 1, Instructions: 3sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000007D0,043758A5,00000000,0437591B,?,00000000,00000000,00000000,?,04375D0E,00000000), ref: 04376DF1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3ccf021c070af05231359b6493edc712279c6d769219fcb47292c1543b02b209
Instruction ID: a5c8246813c7e855401b15b18b8a56fd6f7fa93d7af317d43d31288a1f7cef50
Opcode Fuzzy Hash: 3ccf021c070af05231359b6493edc712279c6d769219fcb47292c1543b02b209
Instruction Fuzzy Hash:

Non-executed Functions

Function 0436C0C8 Relevance: 145.5, APIs: 43, Strings: 40, Instructions: 284libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00000000,0436C4D6,?,00000000,0436C4F3), ref: 0436C140
GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 0436C158
GetProcAddress.KERNEL32(00000000,__WSAFDIsSet), ref: 0436C16A
GetProcAddress.KERNEL32(00000000,closesocket), ref: 0436C17C
GetProcAddress.KERNEL32(00000000,ioctlsocket), ref: 0436C18E
GetProcAddress.KERNEL32(00000000,WSAGetLastError), ref: 0436C1A0
GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0436C1B2
GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 0436C1C4
GetProcAddress.KERNEL32(00000000,accept), ref: 0436C1D6
GetProcAddress.KERNEL32(00000000,bind), ref: 0436C1E8
GetProcAddress.KERNEL32(00000000,connect), ref: 0436C1FA
GetProcAddress.KERNEL32(00000000,getpeername), ref: 0436C20C
GetProcAddress.KERNEL32(00000000,getsockname), ref: 0436C21E
GetProcAddress.KERNEL32(00000000,getsockopt), ref: 0436C230
GetProcAddress.KERNEL32(00000000,htonl), ref: 0436C242
GetProcAddress.KERNEL32(00000000,htons), ref: 0436C254
GetProcAddress.KERNEL32(00000000,inet_addr), ref: 0436C266
GetProcAddress.KERNEL32(00000000,inet_ntoa), ref: 0436C278
GetProcAddress.KERNEL32(00000000,listen), ref: 0436C28A
GetProcAddress.KERNEL32(00000000,ntohl), ref: 0436C29C
GetProcAddress.KERNEL32(00000000,ntohs), ref: 0436C2AE
GetProcAddress.KERNEL32(00000000,recv), ref: 0436C2C0
GetProcAddress.KERNEL32(00000000,recvfrom), ref: 0436C2D2
GetProcAddress.KERNEL32(00000000,select), ref: 0436C2E4
GetProcAddress.KERNEL32(00000000,send), ref: 0436C2F6
GetProcAddress.KERNEL32(00000000,sendto), ref: 0436C308
GetProcAddress.KERNEL32(00000000,setsockopt), ref: 0436C31A
GetProcAddress.KERNEL32(00000000,shutdown), ref: 0436C32C
GetProcAddress.KERNEL32(00000000,socket), ref: 0436C33E
GetProcAddress.KERNEL32(00000000,gethostbyaddr), ref: 0436C350
GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 0436C362
GetProcAddress.KERNEL32(00000000,getprotobyname), ref: 0436C374
GetProcAddress.KERNEL32(00000000,getprotobynumber), ref: 0436C386
GetProcAddress.KERNEL32(00000000,getservbyname), ref: 0436C398
GetProcAddress.KERNEL32(00000000,getservbyport), ref: 0436C3AA
GetProcAddress.KERNEL32(00000000,gethostname), ref: 0436C3BC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0436C3CE
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0436C3E0
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0436C3F2
LoadLibraryA.KERNEL32(wship6.dll,00000000,getnameinfo,00000000,freeaddrinfo,00000000,getaddrinfo,00000000,gethostname,00000000,getservbyport,00000000,getservbyname,00000000,getprotobynumber,00000000), ref: 0436C430
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0436C44E
GetProcAddress.KERNEL32(00000000,freeaddrinfo), ref: 0436C463
GetProcAddress.KERNEL32(00000000,getnameinfo), ref: 0436C478

Strings

listen, xrefs: 0436C282
getservbyname, xrefs: 0436C390
getnameinfo, xrefs: 0436C3EA, 0436C46D
inet_addr, xrefs: 0436C25E
getservbyport, xrefs: 0436C3A2
WSAIoctl, xrefs: 0436C150
__WSAFDIsSet, xrefs: 0436C162
getaddrinfo, xrefs: 0436C3C6, 0436C443
socket, xrefs: 0436C336
setsockopt, xrefs: 0436C312
closesocket, xrefs: 0436C174
wship6.dll, xrefs: 0436C42B
WSAStartup, xrefs: 0436C1AA
recv, xrefs: 0436C2B8
getsockopt, xrefs: 0436C228
ntohs, xrefs: 0436C2A6
ioctlsocket, xrefs: 0436C186
freeaddrinfo, xrefs: 0436C3D8, 0436C458
ws2_32.dll, xrefs: 0436C0FA
ntohl, xrefs: 0436C294
recvfrom, xrefs: 0436C2CA
send, xrefs: 0436C2EE
shutdown, xrefs: 0436C324
WSACleanup, xrefs: 0436C1BC
getprotobynumber, xrefs: 0436C37E
gethostname, xrefs: 0436C3B4
htonl, xrefs: 0436C23A
getsockname, xrefs: 0436C216
WSAGetLastError, xrefs: 0436C198
gethostbyaddr, xrefs: 0436C348
inet_ntoa, xrefs: 0436C270
bind, xrefs: 0436C1E0
select, xrefs: 0436C2DC
gethostbyname, xrefs: 0436C35A
getpeername, xrefs: 0436C204
connect, xrefs: 0436C1F2
htons, xrefs: 0436C24C
getprotobyname, xrefs: 0436C36C
sendto, xrefs: 0436C300
accept, xrefs: 0436C1CE

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: WSACleanup$WSAGetLastError$WSAIoctl$WSAStartup$__WSAFDIsSet$accept$bind$closesocket$connect$freeaddrinfo$getaddrinfo$gethostbyaddr$gethostbyname$gethostname$getnameinfo$getpeername$getprotobyname$getprotobynumber$getservbyname$getservbyport$getsockname$getsockopt$htonl$htons$inet_addr$inet_ntoa$ioctlsocket$listen$ntohl$ntohs$recv$recvfrom$select$send$sendto$setsockopt$shutdown$socket$ws2_32.dll$wship6.dll
API String ID: 2238633743-3535293950
Opcode ID: 4f6e6ee2469220aaf92f42ef4d1af3ee3b5c03be99f589ee9fe1a194bc30d120
Instruction ID: 1b7ba97de6610b2784e4b8f7bd08dd00c9dfad64ab2cebd4cb75c558b54f9f1e
Opcode Fuzzy Hash: 4f6e6ee2469220aaf92f42ef4d1af3ee3b5c03be99f589ee9fe1a194bc30d120
Instruction Fuzzy Hash: 0BB1CCB0A80751BFEB01EBA5D846E3637ECFB09715F447966E885CF218D678B8108F52

Function 043A2064 Relevance: 55.5, APIs: 13, Strings: 18, Instructions: 1220threadsleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 043A21DD

Part of subcall function 0436CE10: Sleep.KERNEL32(00000064,00000000,0436CEF5,?,?,043A8CD4,?,00000000,00000000,00000000,00000000,00000000,?,043A223A,?,|||), ref: 0436CEC2

Sleep.KERNEL32(00000000,00000000,00000000,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?,00000000), ref: 043A22FA
GetTickCount.KERNEL32 ref: 043A2304
TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A2359
TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A239B
Sleep.KERNEL32(00000BB8,00000001,00000000,.a3x,?,043A8E50,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000), ref: 043A2650

Part of subcall function 04370694: GetCurrentProcessId.KERNEL32(?,00000000,043708E8,?,00000000), ref: 0437070A
Part of subcall function 04370694: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,00000000,043708E8), ref: 043707D7
Part of subcall function 04370694: NtQueryInformationProcess.NTDLL ref: 043707EF

TerminateThread.KERNEL32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A2B35
TerminateThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?), ref: 043A2B44
TerminateProcess.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000), ref: 043A2B53
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A2DC9
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A2D70

Part of subcall function 04396BA8: mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 04396BB2
Part of subcall function 04396BA8: mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 04396BC1

Sleep.KERNEL32(00000064,00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC), ref: 043A2DD5
SetCursorPos.USER32(00000000,00000000,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC,?), ref: 043A2E2E

Part of subcall function 04372DD4: SHFileOperationW.SHELL32(?,00000000,04372E4D,?,00000000), ref: 04372E2D

Strings

/c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s , xrefs: 043A28E0
.a3x, xrefs: 043A2600
C:\*, xrefs: 043A3264
dark, xrefs: 043A2331
vbc.exe, xrefs: 043A28B9
cmd.exe, xrefs: 043A2908, 043A2B82
Autoit3.exe, xrefs: 043A25BD, 043A25D6
& rmdir /s /q , xrefs: 043A28EC
Yes, xrefs: 043A2573, 043A2864
powershell.exe, xrefs: 043A2BCC
test msg, xrefs: 043A2FD8
script.au3, xrefs: 043A2621
NOTIFICATIONS, xrefs: 043A2CE2
||-_-|-_-||, xrefs: 043A2689, 043A269B, 043A2923, 043A2979, 043A29A9, 043A29F2, 043A2A1E, 043A2A94, 043A2C50, 043A2E48, 043A2E5D, 043A317A, 043A3259, 043A3274, 043A328A, 043A32A0, 043A32B6, 043A32CC, 043A32E2, 043A3314, 043A3329
DOMAINS, xrefs: 043A2CBD
au3, xrefs: 043A25F3
|||, xrefs: 043A2216
u.txt, xrefs: 043A259F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Terminate$ProcessSleepThread$Cursor$CountTickmouse_event$CreateCurrentFileInformationOperationQuery
String ID: & rmdir /s /q $.a3x$/c ping 127.0.0.1 & del /q /f /s c:\temp & del /q /f /s $Autoit3.exe$C:\*$DOMAINS$NOTIFICATIONS$Yes$au3$cmd.exe$dark$powershell.exe$script.au3$test msg$u.txt$vbc.exe$||-_-|-_-||$|||
API String ID: 2524358176-1342930026
Opcode ID: 16b99fb0aa7971f67c96346ce62947cc784a2440a51e99785c51d45b27dff847
Instruction ID: 28f0d1f1f451afde15ff40aa3e4187e9117169bdf231f338738c2e85d35ca49d
Opcode Fuzzy Hash: 16b99fb0aa7971f67c96346ce62947cc784a2440a51e99785c51d45b27dff847
Instruction Fuzzy Hash: BCB23B34A80149CBFB24FBA4C884AAEB7B5EF49308F547491D951AB360DB34FC668F51

Function 04355934 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144stringlibraryfileCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,043578C4,?,043A50A8), ref: 04355951
GetProcAddress.KERNEL32(00000000,GetLongPathNameA), ref: 04355962
lstrcpyn.KERNEL32(?,?,?,?,043A50A8), ref: 04355996
lstrcpyn.KERNEL32(?,?,?,kernel32.dll,043578C4,?,043A50A8), ref: 04355A07
lstrcpyn.KERNEL32(?,?,?,?,?,?,kernel32.dll,043578C4,?,043A50A8), ref: 04355A42
FindFirstFileA.KERNEL32(?,?,?,?,?,?,?,?,kernel32.dll,043578C4,?,043A50A8), ref: 04355A55
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,kernel32.dll,043578C4,?,043A50A8), ref: 04355A62
lstrlen.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,043578C4,?,043A50A8), ref: 04355A6E
lstrcpyn.KERNEL32(?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,043578C4), ref: 04355AA2
lstrlen.KERNEL32(?,?,?,00000104,?,00000000,?,?,?,?,?,?,?,?,kernel32.dll,043578C4), ref: 04355AAE
lstrcpyn.KERNEL32(?,?,?,?,?,?,00000104,?,00000000,?,?,?,?,?,?,?), ref: 04355AD7

Strings

\, xrefs: 04355A80
GetLongPathNameA, xrefs: 0435595C
kernel32.dll, xrefs: 0435594C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: lstrcpyn$Findlstrlen$AddressCloseFileFirstHandleModuleProc
String ID: GetLongPathNameA$\$kernel32.dll
API String ID: 3245196872-1565342463
Opcode ID: b9bed98790b88f12f9b8c63702a04c3cd4789d59de2da1bc1852b33a164e94b7
Instruction ID: 8aeb362f7b19fde0f4cd49314d2654dd5fb34adf59b7947d87f25180f272d97a
Opcode Fuzzy Hash: b9bed98790b88f12f9b8c63702a04c3cd4789d59de2da1bc1852b33a164e94b7
Instruction Fuzzy Hash: D1514972E00259AFEB11DBE8CC84FEEB7B8AF44314F5414A1E858E7260D774BE408B64

Function 04370374 Relevance: 22.7, APIs: 15, Instructions: 241memorythreadprocessCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,04370685,?,?,?,00000001), ref: 043703F4
OpenProcess.KERNEL32(02000000,00000000,00000000,?,?,?,00000000,04370685,?,?,?,00000001), ref: 043704E4
InitializeProcThreadAttributeList.KERNEL32(00000000,00000001,00000000,?,02000000,00000000,00000000,?,?,?,00000000,04370685,?,?,?,00000001), ref: 043704F6
GetProcessHeap.KERNEL32(00000000,?,00000000,00000001,00000000,?,02000000,00000000,00000000,?,?,?,00000000,04370685), ref: 04370501
RtlAllocateHeap.KERNEL32(00000000,00000000,?,00000000,00000001,00000000,?,02000000,00000000,00000000,?,?,?,00000000,04370685), ref: 04370507
InitializeProcThreadAttributeList.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001,00000000,?,02000000,00000000,00000000,?,?), ref: 0437051A
UpdateProcThreadAttribute.KERNEL32(?,00000000,00000000,?,00000004,00000000,00000000,00000000,00000001,00000000,?,00000000,00000000,?,00000000,00000001), ref: 04370535
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00080004,00000000,00000000,?,?,?,00000000,00000000,?,00000004,00000000), ref: 0437056C
NtQueryInformationProcess.NTDLL ref: 0437058C
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,?,00000018,?,00000000,00000000,00000000,00000000,00000000,00080004), ref: 043705B4
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,?,00000000,?,00000018,?,00000000), ref: 043705E3

Part of subcall function 04370694: GetCurrentProcessId.KERNEL32(?,00000000,043708E8,?,00000000), ref: 0437070A
Part of subcall function 04370694: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,00000000,043708E8), ref: 043707D7
Part of subcall function 04370694: NtQueryInformationProcess.NTDLL ref: 043707EF

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$AttributeProcThread$CreateCurrentHeapInformationInitializeListMemoryQueryRead$AllocateOpenUpdate
String ID:
API String ID: 747061493-0
Opcode ID: 7863e7504d89cfb858af31d6f93942d4b1985621de8d01cb2ac368bcf8ee9418
Instruction ID: 0d9dc5c3b26a37837f4d8b98d82a46a9be2a23f836254bce2560e7142126e0eb
Opcode Fuzzy Hash: 7863e7504d89cfb858af31d6f93942d4b1985621de8d01cb2ac368bcf8ee9418
Instruction Fuzzy Hash: 8A913C70A10219AFEB54EBA8CC81FDEB7B8BF48704F505065E548F7290DB74BE458B61

Function 00441460 Relevance: 19.9, Strings: 15, Instructions: 1168COMMON

Download Yara Rule

Strings

tH], xrefs: 004421E0
M, xrefs: 00441EC5
new, xrefs: 00441B6A
misuse of aliased window function %s, xrefs: 00441FC4
%s: %s, xrefs: 00442249
%s: %s.%s, xrefs: 00442235
ambiguous column name, xrefs: 004421FF
misuse of aliased aggregate %s, xrefs: 00441F8D
excluded, xrefs: 00441C05
no such column, xrefs: 00442204, 00442218, 00442234, 00442248
old, xrefs: 00441BAF
main, xrefs: 0044151C
%s: %s.%s.%s, xrefs: 00442219
row value misused, xrefs: 00441FF1
double-quoted string literal: "%w", xrefs: 004420F1

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s: %s$%s: %s.%s$%s: %s.%s.%s$M$ambiguous column name$double-quoted string literal: "%w"$excluded$main$misuse of aliased aggregate %s$misuse of aliased window function %s$new$no such column$old$row value misused$tH]
API String ID: 0-3537978209
Opcode ID: 714aa2900515db2224ebb60d7a7f40f9bcf8ed40f984e7d29843c6cf95b58efd
Instruction ID: bdbb316bb320f929c555b10f401b8b5b0dedd08825359f16a82e1b8c6ea977b6
Opcode Fuzzy Hash: 714aa2900515db2224ebb60d7a7f40f9bcf8ed40f984e7d29843c6cf95b58efd
Instruction Fuzzy Hash: 01A2B1706043418FEB24CF29C58072BBBE1BF85314F15455EE8969B3A2D778EC86CB5A

Function 0439FDC0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 272filestringtimeCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 0439FE21
lstrcmpW.KERNEL32(00000000,043A0284,00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 0439FE54
lstrcmpW.KERNEL32(00000000,043A0288,00000000,043A0284,00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 0439FE67
FileTimeToLocalFileTime.KERNEL32(?,?,00000000,043A0288,00000000,043A0284,00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 0439FE7F
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0439FF19
FindNextFileW.KERNEL32(00000000,?,00000000,043A0284,00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 043A01C0
FindClose.KERNEL32(00000000,00000000,?,00000000,043A0284,00000000,?,00000000,043A0268,?,?,?,?,00000000,00000000), ref: 043A01CE

Part of subcall function 0435807C: CharLowerBuffW.USER32(00000000,00000000,?,?,00000000,043A00D8,?,?,?), ref: 043580A6

Strings

|File|, xrefs: 043A0154
c:\windows, xrefs: 043A008F
Folder||, xrefs: 043A0044
%.2d/%.2d/%.4d %.2d:%.2d, xrefs: 0439FEF6, 0439FF90

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$Time$Find$Locallstrcmp$BuffCharCloseFirstLowerNext
String ID: %.2d/%.2d/%.4d %.2d:%.2d$Folder||$c:\windows$|File|
API String ID: 627796702-3011307534
Opcode ID: 533b6a4f342adee40462989873bc9a644cfecc042b0f630acdc79d9cae9134a0
Instruction ID: 74a5fdf9ede9a5cdac3140700d0ca8309361041774430ae1654f401969139c84
Opcode Fuzzy Hash: 533b6a4f342adee40462989873bc9a644cfecc042b0f630acdc79d9cae9134a0
Instruction Fuzzy Hash: 19C10A7494026D9BEB14EB64CC88FDEB7B9EF48308F1051E6D948A3260DB34AE85CF50

Function 04399D04 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 174nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000010,?,00100000,?), ref: 04399D4B
NtDuplicateObject.NTDLL(00000000,?,000000FF,043A8FE0,00000000,00000000,00000002), ref: 04399DF0
NtClose.NTDLL ref: 04399E11

Part of subcall function 04399C5C: NtQueryObject.NTDLL ref: 04399C79
Part of subcall function 04399C5C: NtQueryObject.NTDLL ref: 04399C93

NtClose.NTDLL ref: 04399E3E
NtClose.NTDLL ref: 04399E49
NtClose.NTDLL ref: 04399E76
NtClose.NTDLL ref: 04399E81

Strings

cookies-journal, xrefs: 04399EBA
\cookies, xrefs: 04399ECB

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Close$ObjectQuery$DuplicateInformationSystem
String ID: \cookies$cookies-journal
API String ID: 1689247874-3437292708
Opcode ID: 1097f130fdc1d6eb2ddb3715523fb062fc5b3c25465eeaca2b02b8a0cab1df50
Instruction ID: 12f5ad41cb7c1031505a6b80ad8ee99442d8d9e400149aea3d5c9a0be4d112f5
Opcode Fuzzy Hash: 1097f130fdc1d6eb2ddb3715523fb062fc5b3c25465eeaca2b02b8a0cab1df50
Instruction Fuzzy Hash: 62618CB4A442469FEB24FFA4E880F6EB3E9FF08318F106569E95197350D738BD508B50

Function 04370694 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 180sleepprocessnativeCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(?,00000000,043708E8,?,00000000), ref: 0437070A
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,00000000,043708E8), ref: 043707D7
NtQueryInformationProcess.NTDLL ref: 043707EF
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,00000000,?,00000018,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 04370817
ReadProcessMemory.KERNEL32(?,?,?,00001000,?,?,?,?,00000004,?,?,00000000,?,00000018,?,00000000), ref: 04370846
WriteProcessMemory.KERNEL32(?,?,00000000,00000000,?), ref: 04370898
ResumeThread.KERNEL32(?,?,?,00000000,00000000,?), ref: 043708A1
Sleep.KERNEL32(000001F4,?,?,?,00000000,00000000,?), ref: 043708AB
GetTickCount.KERNEL32 ref: 043708B0

Strings

D, xrefs: 043707A3

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$Memory$Read$CountCreateCurrentInformationQueryResumeSleepThreadTickWrite
String ID: D
API String ID: 4190092080-2746444292
Opcode ID: e781d190df5dc04174f50020e755e5344a2c2c51699264d287662d5d3025b6e2
Instruction ID: 4e0be52e2b6ddbb0f4201527067bf4d3a3c0ba34a1f6581d172e68bee93916ac
Opcode Fuzzy Hash: e781d190df5dc04174f50020e755e5344a2c2c51699264d287662d5d3025b6e2
Instruction Fuzzy Hash: B961E9B1A0020CAFEB54EBA8CC81FDEB7F8EF48314F505065E548F7250DB74AA858B64

Function 00403980 Relevance: 16.5, Strings: 13, Instructions: 253COMMON

Download Yara Rule

Strings

gfff, xrefs: 00403AC3
gfff, xrefs: 00403AF7
gfff, xrefs: 00403BF6
:, xrefs: 00403AD4
, xrefs: 004039FA
gfff, xrefs: 00403A1D
-, xrefs: 004039DB
gfff, xrefs: 00403BB1
gfff, xrefs: 00403A83
-, xrefs: 00403C3B
., xrefs: 00403B56
:, xrefs: 00403ACA
gfff, xrefs: 00403A4E

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __allrem
String ID: $-$-$.$:$:$gfff$gfff$gfff$gfff$gfff$gfff$gfff
API String ID: 2933888876-2874839091
Opcode ID: ccabb56cbbb644860ec8be858a80e33865cb095fedb55019d6ce9f6aebbcd3e2
Instruction ID: 00a2078adaed40047784c74900f26d07721dcd5597a44b1eeb01fccf85cd39d1
Opcode Fuzzy Hash: ccabb56cbbb644860ec8be858a80e33865cb095fedb55019d6ce9f6aebbcd3e2
Instruction Fuzzy Hash: 5A81A7A260E7804FD309CA2E98A239AFF96DBE6340F48455DF5848B3C3D179D90AC753

Function 04373730 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 174processinjectionmemoryCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,04373919,?,?,00000000,00000001), ref: 043737DB
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 043737FB
OpenProcess.KERNEL32(001F0FFF,00000000,00000000,00000000,04373919,?,?,00000000,00000001), ref: 04373819
VirtualAllocEx.KERNEL32(00000000,00000000,00000000,00001000,00000040,00000000,00000000,00000000,00001000,00000040,001F0FFF,00000000,00000000,00000000,04373919), ref: 0437385C
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00001000,00000040,001F0FFF), ref: 043738CF
CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 043738E5
CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00001000,00000040,001F0FFF,00000000,00000000,00000000,04373919), ref: 043738F1

Strings

ntdll.dll, xrefs: 043737A6
cmd.exe, xrefs: 04373782

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$Create$AllocCloseHandleMemoryOpenRemoteThreadVirtualWrite
String ID: cmd.exe$ntdll.dll
API String ID: 1146768790-591426120
Opcode ID: 58bbfc5e24aa12af9a34cb8553192011c60b734605d28b5508796e13887c0a17
Instruction ID: 5c8841825914f732e8b3863564a463f597c31e6d6b8245343c79f71ef8a3500b
Opcode Fuzzy Hash: 58bbfc5e24aa12af9a34cb8553192011c60b734605d28b5508796e13887c0a17
Instruction Fuzzy Hash: C4518171A40219BEFB21EB94CC42FEEB7B89F05714F106021E944BB190DB78BA45DBA5

Function 00428A80 Relevance: 14.3, Strings: 11, Instructions: 526COMMON

Download Yara Rule

Strings

btreeInitPage() returns error code %d, xrefs: 00428B6D
Rowid %lld out of order, xrefs: 00428EFF
Offset %u out of range %u..%u, xrefs: 00429030
unable to get the page. error code=%d, xrefs: 00428B34
Child page depth differs, xrefs: 00428FD2
free space corruption, xrefs: 00428BAC
Fragmentation of %u bytes reported as %u on page %u, xrefs: 00428EBB
T?], xrefs: 00428C15, 00428CCA, 00428CD3
Extends off end of page, xrefs: 00428D00
Multiple uses for byte %u of page %u, xrefs: 00429054
p?], xrefs: 00428C39

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: Child page depth differs$Extends off end of page$Fragmentation of %u bytes reported as %u on page %u$Multiple uses for byte %u of page %u$Offset %u out of range %u..%u$Rowid %lld out of order$T?]$btreeInitPage() returns error code %d$free space corruption$p?]$unable to get the page. error code=%d
API String ID: 0-2921123838
Opcode ID: ccd50c552fafc9cbcb746d972ef44bba511bd7fb71c8dc00b7b47c51894114cc
Instruction ID: 4ef4468145aa4c904d178d73c3f961f3beee2d9c58689de95f32e380f2a8abc3
Opcode Fuzzy Hash: ccd50c552fafc9cbcb746d972ef44bba511bd7fb71c8dc00b7b47c51894114cc
Instruction Fuzzy Hash: 7F128F70F012199FCB14CF69D880AAEBBF2FF88304F55415EE855AB386DB39A905CB54

Function 004A0D30 Relevance: 14.3, Strings: 11, Instructions: 523COMMON

Download Yara Rule

Strings

lhos, xrefs: 004A0E61
"E, xrefs: 004A1329
no such vfs: %s, xrefs: 004A1314
no such %s mode: %s, xrefs: 004A122C
invalid uri authority: %.*s, xrefs: 004A0E7A
P~`, xrefs: 004A1122
file, xrefs: 004A0D8A
cach, xrefs: 004A1102
loca, xrefs: 004A0E58
mode, xrefs: 004A1138
%s mode not allowed: %s, xrefs: 004A128C

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: "E$%s mode not allowed: %s$P~`$cach$file$invalid uri authority: %.*s$lhos$loca$mode$no such %s mode: %s$no such vfs: %s
API String ID: 0-4123890489
Opcode ID: 0f06856a9efcdfff646d67b299160a6472175a8b39f948eb703a921e32d5907a
Instruction ID: b2707e008935cdf6755fd811894f58c7aaf010a25752fc14c69d65d5bb061e7e
Opcode Fuzzy Hash: 0f06856a9efcdfff646d67b299160a6472175a8b39f948eb703a921e32d5907a
Instruction Fuzzy Hash: 0E12C5715083828FDB21CE14C490367BBE2AFA7314F18469FE8D95B392C77AD846C74A

Function 04398A34 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 168fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,04398CF6,?,00000000,00000000,00000050,00000000,00000000,?,04398761), ref: 04398A88

Part of subcall function 04398A34: FindNextFileW.KERNEL32(00000000,?,00000000,?,00000000,04398CF6,?,00000000,00000000,00000050,00000000,00000000,?,04398761), ref: 04398C44
Part of subcall function 04398A34: FindClose.KERNEL32(00000000,00000000,?,00000000,?,00000000,04398CF6,?,00000000,00000000,00000050,00000000,00000000,?,04398761), ref: 04398C58

Strings

C:\Program Files (x86), xrefs: 04398BA7
C:\ProgramData, xrefs: 04398B6D
\AppData\, xrefs: 04398BD0
C:\Program Files, xrefs: 04398B33
C:\Windows, xrefs: 04398AF9

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: C:\Program Files$C:\Program Files (x86)$C:\ProgramData$C:\Windows$\AppData\
API String ID: 3541575487-3046630420
Opcode ID: 8d0e13867640ba33db8af232355ecadcf06e4df78fbb3bae4762ec08ceaf5df8
Instruction ID: 344989c042c114e091c310471f258f5295e18d68581b10e910001fe597ffb8b2
Opcode Fuzzy Hash: 8d0e13867640ba33db8af232355ecadcf06e4df78fbb3bae4762ec08ceaf5df8
Instruction Fuzzy Hash: CC61EC34A1511D9BEF18FB60DD84FDDB3B9AF95208F5061E19C48A3264EB70BE868F50

Function 0436FB8C Relevance: 9.2, Strings: 7, Instructions: 450COMMON

Download Yara Rule

Strings

OpenProcess, xrefs: 0436FE9E, 0436FEA4
VirtualAlloc, xrefs: 0436FE92, 0436FE95
LoadLibraryA, xrefs: 0436FE82, 0436FE88
ReadProcessMemory, xrefs: 0436FEAE, 0436FEB4
CloseHandle, xrefs: 0436FEBE, 0436FEC4
GetP, xrefs: 0436FC9E
ddre, xrefs: 0436FCA9

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID:
String ID: CloseHandle$GetP$LoadLibraryA$OpenProcess$ReadProcessMemory$VirtualAlloc$ddre
API String ID: 0-74115134
Opcode ID: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction ID: 151933bde9e9cd9e0c30eb355b59484288a627deeff32e2d8d7e274e08238340
Opcode Fuzzy Hash: 4cd9f9ecbeb5a7e973a920515f3bfac52f909a65e1fd192fa73b7d5d25a518c3
Instruction Fuzzy Hash: 15221970E04259DFDB10CBA8C885B9EBBF5AF19314F188099E588EB342C375AE54CF65

Function 0436BE20 Relevance: 9.0, APIs: 6, Instructions: 44clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0436BE2A
GetClipboardData.USER32(00000001), ref: 0436BE35
GlobalLock.KERNEL32(00000000), ref: 0436BE41
GlobalSize.KERNEL32(00000000), ref: 0436BE50
GlobalUnlock.KERNEL32(00000000), ref: 0436BE7B
CloseClipboard.USER32 ref: 0436BE80

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ClipboardGlobal$CloseDataLockOpenSizeUnlock
String ID:
API String ID: 1964585863-0
Opcode ID: 724df630c757d7b28cc49705ac9e0df25bbe6e1820df7ac60ec088d9d046317c
Instruction ID: 49475b2f1a3dbad3cf4e766e6f454112dc7431d660da968c76ac696b1f0256f3
Opcode Fuzzy Hash: 724df630c757d7b28cc49705ac9e0df25bbe6e1820df7ac60ec088d9d046317c
Instruction Fuzzy Hash: DDF09A327069311BF22176A85845F6FA2D98F81B58F856128ED88DB264CA60BC0187E2

Function 043564F9 Relevance: 9.0, APIs: 6, Instructions: 41threadCOMMON

Download Yara Rule

APIs

Part of subcall function 04353428: GetKeyboardType.USER32(00000000), ref: 0435342D
Part of subcall function 04353428: GetKeyboardType.USER32(00000001), ref: 04353439

GetCommandLineA.KERNEL32 ref: 0435655F
GetVersion.KERNEL32 ref: 04356573
GetVersion.KERNEL32 ref: 04356584
GetCurrentThreadId.KERNEL32 ref: 043565C0

Part of subcall function 04353458: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0435347A
Part of subcall function 04353458: RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,043534C9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 043534AD
Part of subcall function 04353458: RegCloseKey.ADVAPI32(?,043534D0,00000000,?,00000004,00000000,043534C9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 043534C3

GetThreadLocale.KERNEL32 ref: 043565A0

Part of subcall function 04356430: GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,04356496), ref: 04356456

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: KeyboardLocaleThreadTypeVersion$CloseCommandCurrentInfoLineOpenQueryValue
String ID:
API String ID: 3734044017-0
Opcode ID: 09664040f2c69fe7d31d4117503b92bae0bc21433137e467ff49ccbb286614c1
Instruction ID: 7c88297c5c929c7b14f523752160bf4988c31d5013f7833709c0b395deb8f2d6
Opcode Fuzzy Hash: 09664040f2c69fe7d31d4117503b92bae0bc21433137e467ff49ccbb286614c1
Instruction Fuzzy Hash: 1F0188E4CD068199FB15FF60B405B693AA4FF15308F843559CC4486235EB3C69288F72

Function 04372B90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 83fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,04372CBF), ref: 04372BF4
FindNextFileA.KERNEL32(00000000,00000010), ref: 04372C80
FindClose.KERNEL32(00000000,00000000,00000010), ref: 04372C94

Strings

., xrefs: 04372C0D
*.*, xrefs: 04372BDB

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID: *.*$.
API String ID: 3541575487-358234090
Opcode ID: 98a60efd1a6b11755694b6843f5c3b8c0207e0a2831e1d43f91d423c1075282e
Instruction ID: 6ae65f714d3bb074cc772770e31492aa2d58fe3eeb81968efa474bbb9bc88e80
Opcode Fuzzy Hash: 98a60efd1a6b11755694b6843f5c3b8c0207e0a2831e1d43f91d423c1075282e
Instruction Fuzzy Hash: C431847490061D9BEB34EB60CD41BDEB7B8EF55304F5065E5994CA3270EA34BF858E90

Function 043588D0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 37timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,C:\Windows\SysWOW64\ntdll.dll,?,04358942,?,0436D6D5,00000000,0436D790,00000000,0436D7BB,?,00000000,00000000,?,0436D7E7), ref: 043588EB
FindClose.KERNEL32(00000000,00000000,?,C:\Windows\SysWOW64\ntdll.dll,?,04358942,?,0436D6D5,00000000,0436D790,00000000,0436D7BB,?,00000000,00000000), ref: 043588F6
FileTimeToLocalFileTime.KERNEL32(?,?,00000000,00000000,?,C:\Windows\SysWOW64\ntdll.dll,?,04358942,?,0436D6D5,00000000,0436D790,00000000,0436D7BB,?,00000000), ref: 0435890F
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 04358920

Strings

C:\Windows\SysWOW64\ntdll.dll, xrefs: 043588D9

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID: C:\Windows\SysWOW64\ntdll.dll
API String ID: 2659516521-1977295918
Opcode ID: 021e52537b58a8a24efad9ae785d0088adda562c49ae3df73527ebda30918afe
Instruction ID: 0883aa332ac587664d4d5c9f750f39916ba8e00b96e9a646936d51e6c1f2c9f3
Opcode Fuzzy Hash: 021e52537b58a8a24efad9ae785d0088adda562c49ae3df73527ebda30918afe
Instruction Fuzzy Hash: 19F0B276D0020C6ADF50EAE4CC85DCFB3AC9F09218F901796AD29D21A1EA34AB544B91

Function 0041BD40 Relevance: 8.0, APIs: 5, Instructions: 495COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29008a7e69d3123a2fb26311a4e1eac54fd82ebd80f3cea63365d97411ac780
Instruction ID: 53f3b163c2869a7f8aefd5b2437bc0e5b14831a6b24cb6f714058d9d0303c6d3
Opcode Fuzzy Hash: b29008a7e69d3123a2fb26311a4e1eac54fd82ebd80f3cea63365d97411ac780
Instruction Fuzzy Hash: 5B02BF75B002049FDB14DFA8D9917AEBBB1FF48314F14416AE90AEB380EB35AD45CB84

Function 004290A0 Relevance: 7.9, Strings: 6, Instructions: 359COMMON

Download Yara Rule

Strings

Page %u: pointer map referenced, xrefs: 004294A6
Page %u: never used, xrefs: 00429441
X@], xrefs: 0042926D
d, xrefs: 00429175
incremental_vacuum enabled with a max rootpage of zero, xrefs: 00429308
max rootpage (%u) disagrees with header (%u), xrefs: 004292E3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: Page %u: never used$Page %u: pointer map referenced$X@]$d$incremental_vacuum enabled with a max rootpage of zero$max rootpage (%u) disagrees with header (%u)
API String ID: 0-742483155
Opcode ID: 8b405748116e873b7a4d8ff5fe5cc1804dde3f1611d0297273ac3e34f5b66346
Instruction ID: db0692f3314ae8561891490905c6d6f90fd571cd5aae2ceee3bbaf4767954ead
Opcode Fuzzy Hash: 8b405748116e873b7a4d8ff5fe5cc1804dde3f1611d0297273ac3e34f5b66346
Instruction Fuzzy Hash: F4E16C71E04228CBDB25DF18D854BAABBB1BF48304F5482DAD84DAB382DB749D85CF54

Function 0057D5CA Relevance: 7.8, APIs: 5, Instructions: 332timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0057D687
_free.LIBCMT ref: 0057D8CB
GetTimeZoneInformation.KERNEL32(?,?,00000000,?,?,00000000,?,?,?,?,?,?,0057DA8C,?,?,00000000), ref: 0057D8DD

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 64475697ff6c657874344f8fba4b53267147d901644214cdd6ca345a6865a2c3
Instruction ID: ac49190b97a431cdb066988590d16f8299533244bfccb80a8cd5d1e8ed6bae82
Opcode Fuzzy Hash: 64475697ff6c657874344f8fba4b53267147d901644214cdd6ca345a6865a2c3
Instruction Fuzzy Hash: 3CA13B72900216ABDB14BF65ED46AAF7FB9FF80710F148069F909E7191EB719E00D7A0

Function 005526A5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 004C7440: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,005526D4,?,?,?,00401BCA), ref: 004C7445
Part of subcall function 004C7440: GetLastError.KERNEL32(?,?,?,00401BCA), ref: 004C744F

IsDebuggerPresent.KERNEL32(?,?,?,00401BCA), ref: 005526D8
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00401BCA), ref: 005526E7

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005526E2
@h\, xrefs: 005526C8

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
String ID: @h\$ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3511171328-228563416
Opcode ID: d0662fc625a0f074587a6d8fa2c437fc9eabe69525a7d6a5cfbfa93d1f21bd47
Instruction ID: ab31c8e2a66322c759f7bc495822a165f9b1fdbb8933a2942667e3d07e57f42d
Opcode Fuzzy Hash: d0662fc625a0f074587a6d8fa2c437fc9eabe69525a7d6a5cfbfa93d1f21bd47
Instruction Fuzzy Hash: C9E06D702007518FD720AF75E818B427EE4BB16349F00885EE856C6650DBB4D488DB55

Function 004373A5 Relevance: 6.8, Strings: 5, Instructions: 592COMMON

Download Yara Rule

Strings

out of memory, xrefs: 004370D9
unknown error, xrefs: 0043CA81
gfff, xrefs: 0043CAE6
string or blob too big, xrefs: 0043C677
statement aborts at %d: [%s] %s, xrefs: 0043CB05

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: gfff$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
API String ID: 0-355051975
Opcode ID: 2402e63ea8ee7df9dd6c02ebcc9c6d1f91dab72a780d3401f6477b995c44ab05
Instruction ID: 26bf5030797cd593773bb257e9d0426e152b4d2fd6965543d5f7ae421623c05f
Opcode Fuzzy Hash: 2402e63ea8ee7df9dd6c02ebcc9c6d1f91dab72a780d3401f6477b995c44ab05
Instruction Fuzzy Hash: 85323BB1A083418BD728CF19C49072ABBE1FFC9314F149A2EE4D597751D739E845CB8A

Function 00482720 Relevance: 6.7, Strings: 5, Instructions: 413COMMON

Download Yara Rule

Strings

--], xrefs: 00482A47
vtable constructor failed: %s, xrefs: 004828DD
vtable constructor did not declare schema: %s, xrefs: 00482994
vtable constructor called recursively: %s, xrefs: 004828A1
hidden, xrefs: 00482A80

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: --]$hidden$vtable constructor called recursively: %s$vtable constructor did not declare schema: %s$vtable constructor failed: %s
API String ID: 0-1101455045
Opcode ID: 6a4a20dceb9366cad7cde143ad840f23f0ee61eacbf5895aac00ee94a89c4df3
Instruction ID: c93d5faf33ff9f57d7ab3a0344270f043ceb30bdf5924f84c338eb81c403fb70
Opcode Fuzzy Hash: 6a4a20dceb9366cad7cde143ad840f23f0ee61eacbf5895aac00ee94a89c4df3
Instruction Fuzzy Hash: 7EF1C470A012098FCF14DF69C9906AEBBB2FF89314F1445AED805AB342D779ED46CB94

Function 00467FB0 Relevance: 6.6, Strings: 5, Instructions: 341COMMON

Download Yara Rule

Strings

d, xrefs: 00468152
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00467FD7
%s at line %d of [%.10s], xrefs: 00467FE6
misuse, xrefs: 00467FE1
--], xrefs: 0046800D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$--]$d$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f$misuse
API String ID: 0-2969180902
Opcode ID: 04a724e72f491da3f2df7217dcba3dc0b513962fe780727a7fe67756a27733ac
Instruction ID: 0c64858513f8a8df3a1865cb6effc6a8da8e2a7ff87560c0c459176e61155a42
Opcode Fuzzy Hash: 04a724e72f491da3f2df7217dcba3dc0b513962fe780727a7fe67756a27733ac
Instruction Fuzzy Hash: 4FC1B0716043118BCB10DF25C89462B7BE1AF89744F050A6FEC899B342EB39DD46CB9B

Function 0040F300 Relevance: 6.6, Strings: 5, Instructions: 320COMMON

Download Yara Rule

Strings

etilqs_, xrefs: 0040F589
winGetTempname4, xrefs: 0040F513
winGetTempname2, xrefs: 0040F48E
winGetTempname5, xrefs: 0040F568
winGetTempname1, xrefs: 0040F3BF

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 0-2933911573
Opcode ID: f42cbc6ba7eab9bfc68bc755f6e424735d993c00e30b4bf26b72ec2ad13d631c
Instruction ID: 4ce3534d60acabc03b5c8545852f8ade9aad875380eb8dbfc6505da6d60bcc27
Opcode Fuzzy Hash: f42cbc6ba7eab9bfc68bc755f6e424735d993c00e30b4bf26b72ec2ad13d631c
Instruction Fuzzy Hash: DCB14C71A006049BD714EB29DC51B7FBB65EF84304F5841BFE805672C3EA3A9A09CBD5

Function 0438F40C Relevance: 6.4, Strings: 5, Instructions: 179COMMON

Download Yara Rule

Strings

X, xrefs: 0438F5AF
X, xrefs: 0438F5B9
F, xrefs: 0438F5A5
J, xrefs: 0438F42A
J, xrefs: 0438F59C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID:
String ID: F$J$J$X$X
API String ID: 0-2166313073
Opcode ID: 12fdb1c193f4f78136981c133ba371dc7561109d75048bcbb9abb70116e7edbf
Instruction ID: acdfc71f402c0005ce61805f482dc00129db859f2c6d8cbed8177e600a2643a0
Opcode Fuzzy Hash: 12fdb1c193f4f78136981c133ba371dc7561109d75048bcbb9abb70116e7edbf
Instruction Fuzzy Hash: AD718E706042809FE718CF29C4946A2FFE1AF4A304F19D0DED4898F367D676E945CBA5

Function 04399FA8 Relevance: 6.1, APIs: 4, Instructions: 106sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 04379E9C: CloseHandle.KERNEL32(00000000), ref: 04379F8C

Sleep.KERNEL32(000001F4,?,00000000,0439A0FC,?,?,043A8CD4,00000000), ref: 0439A067

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep
String ID:
API String ID: 252777609-0
Opcode ID: 92312d7df9f4c64a33bad308b5e534a2f55cfd6fa23b8c38463adfd218917ee9
Instruction ID: f68da199e760f90cc0b660c749f8c938b40d099ba8f8450deb0817b474d42d07
Opcode Fuzzy Hash: 92312d7df9f4c64a33bad308b5e534a2f55cfd6fa23b8c38463adfd218917ee9
Instruction Fuzzy Hash: 47417971A00245AFEB15FF64D880A6EBBF8EF48308F5165A5E840A3360DB34BD50CB61

Function 0042E880 Relevance: 5.7, Strings: 4, Instructions: 692COMMON

Download Yara Rule

Strings

MJ collide: %s, xrefs: 0042EB46
%.4c%s%.16c, xrefs: 0042EAEB
MJ delete: %s, xrefs: 0042EBBA
-mj%06X9%02X, xrefs: 0042EB75

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %.4c%s%.16c$-mj%06X9%02X$MJ collide: %s$MJ delete: %s
API String ID: 0-4294478755
Opcode ID: caaf45dcb9453e8ab91ed97d3826b51d627ed385c2f3c9fee290ca06f42b941d
Instruction ID: d8de6c01e8c5e9ae68edc734be8a0dfa627f9250745c5250394a652ccc2138f8
Opcode Fuzzy Hash: caaf45dcb9453e8ab91ed97d3826b51d627ed385c2f3c9fee290ca06f42b941d
Instruction Fuzzy Hash: 9442BF71F002259BCF14DF66E4447AFBBB1AF84310F5941AED819AB342DB38AD45CB98

Function 0053C0F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0053C107

Part of subcall function 0056B18A: RaiseException.KERNEL32(?,?,0053C718,?,?,0061185C,?,?,?,?,?,0053C718,?,006047A0,?), ref: 0056B1E9

IsProcessorFeaturePresent.KERNEL32(0000000A,?), ref: 0053C126

Strings

, xrefs: 0053C28D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: ExceptionException@8FeaturePresentProcessorRaiseThrow
String ID:
API String ID: 3513446524-3916222277
Opcode ID: f8469db699f0b416e22fb10022f7bb6559e85c35724cdb29d96f72862459b69f
Instruction ID: 5b16f62fec3faaf2460c6a084982e9319b5f5726daa6a5025d95a06302fe8aee
Opcode Fuzzy Hash: f8469db699f0b416e22fb10022f7bb6559e85c35724cdb29d96f72862459b69f
Instruction Fuzzy Hash: D0516C75D00609DBEB18CFA9D8856AEBFF5FB48314F24946AE805E7254E370AA00CF50

Function 043589D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,0436F313,00000000,0436F41F,?,?,?,?,0436F477,00000000,0436E9F6,00000001), ref: 043589F3
GetLastError.KERNEL32(00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,0436F313,00000000,0436F41F,?,?,?,?,0436F477,00000000,0436E9F6,00000001), ref: 04358A18

Part of subcall function 0435896C: FileTimeToLocalFileTime.KERNEL32(?), ref: 0435899C
Part of subcall function 0435896C: FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 043589AB

Part of subcall function 04358A4C: FindClose.KERNEL32(?,?,04358A16,00000000,?,00000000,C:\Program Files (x86)\Microsoft\EdgeUpdate\,?,0436F313,00000000,0436F41F,?,?,?,?,0436F477), ref: 04358A58

Strings

C:\Program Files (x86)\Microsoft\EdgeUpdate\, xrefs: 043589D9

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileTime$Find$CloseDateErrorFirstLastLocal
String ID: C:\Program Files (x86)\Microsoft\EdgeUpdate\
API String ID: 976985129-435251725
Opcode ID: dd984b58e1f36984d8c859ddd85f927d3e6672790c0737ee5e6a18afbf431a11
Instruction ID: c2120fc742f259a79468c27704791663cb33db57f0844e5b61e71096e9b78019
Opcode Fuzzy Hash: dd984b58e1f36984d8c859ddd85f927d3e6672790c0737ee5e6a18afbf431a11
Instruction Fuzzy Hash: E9E09272B016A00B57587E7D5C80D9E65C88E8567834922B6ED28FB375D734EC2103D0

Function 00425120 Relevance: 5.2, Strings: 3, Instructions: 1427COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00425924, 0042594C, 00425BA8, 00425BD0, 00425CC2, 00425E32, 004263F7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0042591A, 00425942, 00425B9E, 00425BC6, 00425CB8, 00425E28, 004263ED
%s at line %d of [%.10s], xrefs: 00425929, 00425951, 00425BAD, 00425BD5, 00425CC7, 00425E37, 004263FC

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: d8f20152da229dd753881ce1e046feaf7fe3c0070235044a9e607daa3c51fd31
Instruction ID: 62ef13f81e0f87215149a2b9dd1b7b7002c97a8cc9baf6f1fd932cb164bbb55c
Opcode Fuzzy Hash: d8f20152da229dd753881ce1e046feaf7fe3c0070235044a9e607daa3c51fd31
Instruction Fuzzy Hash: 3AD24974A002398FDB24DF59E880BADB7B1BF48304F5581EAD949A7341DB74AE81CF94

Function 043A12AC Relevance: 4.8, APIs: 3, Instructions: 305fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000000,043A1800,?,?,043A8CD4,00000000,0000005D,00000000,00000000,?,043A326E,||-_-|-_-||,?,00000000), ref: 043A1337
FindNextFileW.KERNEL32(?,?,00000000,043A169E,?,00000000,?,00000000,043A1800,?,?,043A8CD4,00000000,0000005D,00000000,00000000), ref: 043A1674
FindClose.KERNEL32(?,043A16A5,043A169E,?,00000000,?,00000000,043A1800,?,?,043A8CD4,00000000,0000005D,00000000,00000000), ref: 043A1698

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 69c8e5586c79726098c1e8e8e6775700569be8f3a8d120b4cfb1c6e4ad0d8a49
Instruction ID: dd6272684e425ea04009349a682b4ddeff76cac3422c40a09ff95e3f98bd2963
Opcode Fuzzy Hash: 69c8e5586c79726098c1e8e8e6775700569be8f3a8d120b4cfb1c6e4ad0d8a49
Instruction Fuzzy Hash: 83D1D73495011E9BEF14EB60DC85FDDB3B9EF54308F50A5E2D848A6220EB30BE968F51

Function 043795A4 Relevance: 4.6, APIs: 3, Instructions: 114fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04354E54: SysAllocStringLen.OLEAUT32(?,?), ref: 04354E62

FindFirstFileW.KERNEL32(00000000,?), ref: 0437962B
FindNextFileW.KERNEL32(000000FF,?,00000000,043796E0,?,?,?,?,00000000,?), ref: 043796C0
FindClose.KERNEL32(000000FF,043796E7,043796E0,?,?,?,?,00000000,?), ref: 043796DA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Find$File$AllocCloseFirstNextString
String ID:
API String ID: 41380636-0
Opcode ID: aad8e86a145a45dac98a529e4f5538ac8490d580a3b8f36b4c2777a7005c56d6
Instruction ID: 41b512aa64e1f05a0523127add538d91887655818b9336d683fce39a793b5861
Opcode Fuzzy Hash: aad8e86a145a45dac98a529e4f5538ac8490d580a3b8f36b4c2777a7005c56d6
Instruction Fuzzy Hash: CA4109B4904209DFEB24EFA5C885ADEB7B8FF48314F5056A5D848A3220DB34BE85CF50

Function 0056DD94 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0056DE8C
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0056DE96
UnhandledExceptionFilter.KERNEL32(0053C3E2,?,?,?,?,?,?), ref: 0056DEA3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 488c5be2e45b08c2e07106bf550e0f8d29fcde8a7749c0b107276ed6594c258d
Instruction ID: f72dfaa6498219e91ae683c9fc29985b88259a9002e1da14d20fa8c0984c2e7e
Opcode Fuzzy Hash: 488c5be2e45b08c2e07106bf550e0f8d29fcde8a7749c0b107276ed6594c258d
Instruction Fuzzy Hash: 2031B274D01229ABCB21DF64D88979DBBB8BF58310F5045EAE81CA7290EB709F858F54

Function 04380380 Relevance: 4.6, APIs: 3, Instructions: 51fileclipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32(0000000E), ref: 0438038D
CopyEnhMetaFileA.GDI32(00000000,00000000,0000000E), ref: 043803AF
GetEnhMetaFileHeader.GDI32(?,00000064,?,00000000,00000000,0000000E), ref: 043803C1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileMeta$ClipboardCopyDataHeader
String ID:
API String ID: 1752724394-0
Opcode ID: cc0b1327a74ad6daeaa573283cd3668ca463431728944a90bfe4633f76015c11
Instruction ID: fd7bddf3d77aececa9f7ff4aa8c3f4c73255d013e3918a08d8cd83e7f6e0f717
Opcode Fuzzy Hash: cc0b1327a74ad6daeaa573283cd3668ca463431728944a90bfe4633f76015c11
Instruction Fuzzy Hash: F4117972B003048FD710DFADC880A9ABBF8EF49310F104569E949DB251DA70FC098B90

Function 0057C074 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0057FB35,?,0057C073,00000008,00604098,0057FB35,00000008,0057FB35), ref: 0057C096
TerminateProcess.KERNEL32(00000000,?,0057C073,00000008,00604098,0057FB35,00000008,0057FB35), ref: 0057C09D
ExitProcess.KERNEL32 ref: 0057C0AF

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2aac28625ce7a5cc241a1f1558566dc56c26e13d8873feb8ae62edf95ceb5deb
Instruction ID: 88f025cda94f436e5a36b86b6d902bbbaf424ea1539b1443586ea9c5451dfea8
Opcode Fuzzy Hash: 2aac28625ce7a5cc241a1f1558566dc56c26e13d8873feb8ae62edf95ceb5deb
Instruction Fuzzy Hash: 6BE09231415508EFCF216B55E90DA4C3F69FB95341F008418F90996231CA76D996EB94

Function 00423250 Relevance: 4.3, Strings: 3, Instructions: 543COMMON

Download Yara Rule

Strings

database corruption, xrefs: 0042328B, 004236F9, 0042374E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00423281, 004236EF, 0042372C, 00423744
%s at line %d of [%.10s], xrefs: 00423290, 004236FE, 00423753

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 577767762e91536bbd6f76c903ab6e7caba02d9b5db55cc01b1cd3a8e6fa59fd
Instruction ID: a76aec7630312cf4374a41d8acfae2ff1689310097e6525b81af7644d1c82a7b
Opcode Fuzzy Hash: 577767762e91536bbd6f76c903ab6e7caba02d9b5db55cc01b1cd3a8e6fa59fd
Instruction Fuzzy Hash: BA12A275B00225AFCB14DF58D480AAEB7B1BF88315F94405AE805AB341DB7DEE82CB94

Function 00426D00 Relevance: 4.3, Strings: 3, Instructions: 540COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00426D5E, 00426E9D, 00426F12
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00426D54, 00426E93, 00426F08
%s at line %d of [%.10s], xrefs: 00426D63, 00426EA2, 00426F17

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 28620339038fa0cd19d6078ac0c5e4e53a435a80c5922ee5b0963ec06bb8ded3
Instruction ID: 5dc22034cd700a0ef942be321c15918a7ed28abd4a210ccd1eb7820b23a9621b
Opcode Fuzzy Hash: 28620339038fa0cd19d6078ac0c5e4e53a435a80c5922ee5b0963ec06bb8ded3
Instruction Fuzzy Hash: 6212BF70B042299BCF14DF65E491ABEBBB1FF44304F54406AE80A9B382E739ED44CB95

Function 00417330 Relevance: 4.2, Strings: 3, Instructions: 495COMMON

Download Yara Rule

Strings

nolock, xrefs: 004176F7
-journal, xrefs: 004175F6
immutable, xrefs: 00417717

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: -journal$immutable$nolock
API String ID: 0-4201244970
Opcode ID: 28f00eb9229ec167fe09283ad384393133683387a599b202f3878b25437b08b2
Instruction ID: d74b6adc73d96bef9976170885967160307efc6a6d2dcb926451ad495f6964db
Opcode Fuzzy Hash: 28f00eb9229ec167fe09283ad384393133683387a599b202f3878b25437b08b2
Instruction Fuzzy Hash: E6024571A04606ABDB14CF68C8447EEBBB2FF45304F18816EE819AB381D739AD45CB95

Function 00430620 Relevance: 4.2, Strings: 3, Instructions: 437COMMON

Download Yara Rule

Strings

database corruption, xrefs: 0043070D, 00430B55, 00430B9A
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00430703, 00430B3F, 00430B4B, 00430B90
%s at line %d of [%.10s], xrefs: 00430712, 00430B5A, 00430B9F

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 0b420fce88ffb9e8d5477dbb8448d3fc1288d8792d454520e4e3594153139fad
Instruction ID: 49ad4cd9efe996eddb5de288ddb99514a9119ea3d7534a2e59f22cbd9f8d4135
Opcode Fuzzy Hash: 0b420fce88ffb9e8d5477dbb8448d3fc1288d8792d454520e4e3594153139fad
Instruction Fuzzy Hash: 9AF105316083418FC714DF28D4A062BB7E1BF99318F14576FE89997391D738E946CB8A

Function 00427720 Relevance: 4.2, Strings: 3, Instructions: 417COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00427789, 004277BD, 0042781C, 0042785B
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0042777F, 004277B3, 00427812, 00427851
%s at line %d of [%.10s], xrefs: 0042778E, 004277C2, 00427821, 00427860

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 3557b88b8e8aee2d8dab0a2b45fe91a62e06f682f3506c50c8c96e805c904228
Instruction ID: f24462780008e67cfb3cf199936d72ee06b667abc1e44c7bf44ac07659cc59e5
Opcode Fuzzy Hash: 3557b88b8e8aee2d8dab0a2b45fe91a62e06f682f3506c50c8c96e805c904228
Instruction Fuzzy Hash: 1FE1C470B042259BCF14EF69E581ABEBBE1BF44304F4441ABE8059B382E779ED51CB94

Function 0041E600 Relevance: 4.1, Strings: 3, Instructions: 381COMMON

Download Yara Rule

Strings

database corruption, xrefs: 0041E672, 0041E6C3, 0041E89B, 0041E9AE, 0041E9E2
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0041E668, 0041E6B9, 0041E891, 0041E9A4, 0041E9D8
%s at line %d of [%.10s], xrefs: 0041E677, 0041E6C8, 0041E8A0, 0041E9B3, 0041E9E7

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b0ce51ca3f30d99162da168a30231244a04fe3504371b2c0110c4398bdddfd5a
Instruction ID: 3cfe93bc562a95931ceb079a6608797b88b1cd3c513a6a00e99de3942a386474
Opcode Fuzzy Hash: b0ce51ca3f30d99162da168a30231244a04fe3504371b2c0110c4398bdddfd5a
Instruction Fuzzy Hash: 08D1C475E001195BCB14DFADD881AFEFBB0EF89305F1841AFE949AB342D6349944CBA4

Function 00422A90 Relevance: 4.1, Strings: 3, Instructions: 345COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00422DA4, 00422DD9, 00422E52
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00422D9A, 00422DCF, 00422E27, 00422E48
%s at line %d of [%.10s], xrefs: 00422DA9, 00422DDE, 00422E57

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: b742f1b8d1a64046dcb9ff41e7c58f4ae6f4ea5531168ff272b4682ab7e6a113
Instruction ID: 9554de5e99cc182757ee62d871f79880fc0d441dd425dc3d4595d0a00686ec58
Opcode Fuzzy Hash: b742f1b8d1a64046dcb9ff41e7c58f4ae6f4ea5531168ff272b4682ab7e6a113
Instruction Fuzzy Hash: 85C10571B04265ABCF14DF29D99167EBBB1BF48304F4440AEE8459B382E7B8E941C798

Function 00421F80 Relevance: 4.1, Strings: 3, Instructions: 328COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00421FC3, 0042201E
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 00421FB9, 00422014
%s at line %d of [%.10s], xrefs: 00421FC8, 00422023

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 6bfbc664e61d3dd423754df5e0df506cc7db2d6ed10846d93f6d67a75c76547d
Instruction ID: 591f3281ab928f7c8c2e912577f59282b146d47a6f9d87ba14006792bde8023d
Opcode Fuzzy Hash: 6bfbc664e61d3dd423754df5e0df506cc7db2d6ed10846d93f6d67a75c76547d
Instruction Fuzzy Hash: 08C1AB71704311AFC714DF29E980A2BB7E1BFC8314F448A6EE98997341EB75E901CB96

Function 00421430 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

database corruption, xrefs: 00421577, 00421676
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0042156D, 0042166C
%s at line %d of [%.10s], xrefs: 0042157C, 0042167B

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 0-2528248365
Opcode ID: 2e0fe759bdb8ea4aead63119498bb7b96e2e2c4403f3436e3880968b37a3b33f
Instruction ID: aa4c727c1afce594e27f5663af83e8200148e592dbbf85cc3dd7ee1791e299f5
Opcode Fuzzy Hash: 2e0fe759bdb8ea4aead63119498bb7b96e2e2c4403f3436e3880968b37a3b33f
Instruction Fuzzy Hash: A681A170B001149FCF18DF59E891A6EBBB1EF98710B5541AEE80A9B362DB34DD41CB94

Function 004470D0 Relevance: 3.2, Strings: 2, Instructions: 651COMMON

Download Yara Rule

Strings

USING INDEX %s FOR IN-OPERATOR, xrefs: 00447631
USING ROWID SEARCH ON TABLE %s FOR IN-OPERATOR, xrefs: 00447277

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: USING INDEX %s FOR IN-OPERATOR$USING ROWID SEARCH ON TABLE %s FOR IN-OPERATOR
API String ID: 0-896340817
Opcode ID: e27f74b2b3d4e7d2201d6060d6f07324991d61d123544eb97c6bafd8cfa39828
Instruction ID: b0a13e798fe3c40d25d108598873dfe5c7802dc7e9a05d1e085bf960ab3989c2
Opcode Fuzzy Hash: e27f74b2b3d4e7d2201d6060d6f07324991d61d123544eb97c6bafd8cfa39828
Instruction Fuzzy Hash: AE428174A083418FE714CF29C480A2BBBE2BF89314F55855EE8959B356D738EC43CB96

Function 0437D924 Relevance: 3.0, APIs: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,0437D9C0), ref: 0437D944
FormatMessageA.KERNEL32(00001000,00000000,00000000,00000400,?,00000100,00000000,00000000,0437D9C0), ref: 0437D96A

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 883ef9ffff2ff98d1b8cd4e3c0afb54421a0b4b4596523a9763c2ad92f70fb2a
Instruction ID: 8ceb04ca0b42b5420ac5986ae23e5915bf5f6b645a89c560e868f359726673e4
Opcode Fuzzy Hash: 883ef9ffff2ff98d1b8cd4e3c0afb54421a0b4b4596523a9763c2ad92f70fb2a
Instruction Fuzzy Hash: BD01A7716442045BF721EB609D92FE973BCDF59704F9060B5EA88A6190EAB4BD808A15

Function 04399C5C Relevance: 3.0, APIs: 2, Instructions: 38nativeCOMMON

Download Yara Rule

APIs

NtQueryObject.NTDLL ref: 04399C79
NtQueryObject.NTDLL ref: 04399C93

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ObjectQuery
String ID:
API String ID: 2748340528-0
Opcode ID: ddd2d24ff975496120a620a4059b5611ba26367a02793644bf47745dfc031cd8
Instruction ID: 5b42f406b24359d92bbf307da2cbd9aec877435a622ba05c51612416cb134698
Opcode Fuzzy Hash: ddd2d24ff975496120a620a4059b5611ba26367a02793644bf47745dfc031cd8
Instruction Fuzzy Hash: 03F082B23086006BF311AA299C80FAF66ECCFC1665F00153DF994D7280E620AC009BA1

Function 0435CB64 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,0435CBC8), ref: 0435CB8A
GetACP.KERNEL32(?,?,00001004,?,00000007,00000000,0435CBC8), ref: 0435CBA3

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 351812b9e36fdf277d710ca6beb5185965ab64bd78d5177d35509a9855274c3b
Instruction ID: 74e60f05f3cff7a4d72536a532512d6f6eb84114d4575d1802673e433258cec9
Opcode Fuzzy Hash: 351812b9e36fdf277d710ca6beb5185965ab64bd78d5177d35509a9855274c3b
Instruction Fuzzy Hash: D0F09031E043086BEB05EBA1DC51D9EB7AAEBC4718F40D9B5E914966A0EA747A008A50

Function 04399C28 Relevance: 3.0, APIs: 2, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtDuplicateObject.NTDLL(00000000,?,000000FF,?,00000000,00000000,00000001), ref: 04399C3E
NtClose.NTDLL ref: 04399C50

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CloseDuplicateObject
String ID:
API String ID: 2007153175-0
Opcode ID: 388794ba7da1cd5908a2a696576d3ab3a00f69bb5b52e846e4394591b295277a
Instruction ID: e17be3515d2086069a898110949f7ae3a110c0e4521fe5d96ef156f0cc18e291
Opcode Fuzzy Hash: 388794ba7da1cd5908a2a696576d3ab3a00f69bb5b52e846e4394591b295277a
Instruction Fuzzy Hash: 0CD017F52582103AFA24AAA55C80FAB67DC8F453B4F205615B6B8EA2C0D964AC008671

Function 04396BA8 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 04396BB2
mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 04396BC1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 8268991f3721764a0cd9b63c95bc188b519b5aace6f442c3f0e4f9d10c028989
Instruction ID: 2bd46cb80eb07a12a36a6282e5b065096e39a2e02903e4f23fcda7ba94c0090e
Opcode Fuzzy Hash: 8268991f3721764a0cd9b63c95bc188b519b5aace6f442c3f0e4f9d10c028989
Instruction Fuzzy Hash: 59C009743C279135F47222A08E07F1980061B50F08EF028483B083C0E288E53020202E

Function 00409CF0 Relevance: 2.4, APIs: 1, Instructions: 909COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00409EF9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 6c2bfaebedb377767d5e5db949a5704599c001e523628e1ae1c71e35d764c66f
Instruction ID: e9f66b46df6d6a293202fcddf137fab0f9e4632829147f9bcd865f3fb8309487
Opcode Fuzzy Hash: 6c2bfaebedb377767d5e5db949a5704599c001e523628e1ae1c71e35d764c66f
Instruction Fuzzy Hash: B6824B71D10F5D8ACB17CEB8C8501AEFB75AF9A391F15931BD81A7B285EB344882CB44

Function 00429D30 Relevance: 2.2, APIs: 1, Instructions: 663COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042A229

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 5ae0a39d2c2073240f6266376c713056fee0319cab37fc27031e5abba200ca2f
Instruction ID: d740bcec28778df9ca5c5f1aa5ef57d113e975d8129618b257f9ef0fa4326f8e
Opcode Fuzzy Hash: 5ae0a39d2c2073240f6266376c713056fee0319cab37fc27031e5abba200ca2f
Instruction Fuzzy Hash: B942C470B042218FCB24DF15E484B2BB7E1AF88314F59859EEC499B352D778EC51CB9A

Function 0041F800 Relevance: 1.8, Strings: 1, Instructions: 560COMMON

Download Yara Rule

Strings

:memory:, xrefs: 0041F850

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: :memory:
API String ID: 0-2920599690
Opcode ID: 121a4f857753736b876793b71cd5b865c9dda45ce21f1c01bc10c04b57dac036
Instruction ID: 8039dc751aed9f599a6b0f64d51bc6e25b67ea5e96d88b2e9d077b99f3fb0b27
Opcode Fuzzy Hash: 121a4f857753736b876793b71cd5b865c9dda45ce21f1c01bc10c04b57dac036
Instruction Fuzzy Hash: 3E22C671A006059FDB24DF24D8557AA77B1BF44308F1841BED8099B352E739ED8ACF98

Function 0438443C Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

Part of subcall function 04382724: DeleteObject.GDI32(00000000), ref: 0438286B

DeleteObject.GDI32(?), ref: 04384565

Part of subcall function 0438430C: 73A16750.GDI32(?,?,?,04384720), ref: 043843A5

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: DeleteObject$A16750
String ID:
API String ID: 3641497311-0
Opcode ID: 5b653579760dadf1e4cc594e740e2e0f49ff942cd7a3d4dea20452a15a9a7ee3
Instruction ID: cbf5b402dfc55d708ed29c4e839d5d229e050eb8c99c467bf106df3fcff1ed0a
Opcode Fuzzy Hash: 5b653579760dadf1e4cc594e740e2e0f49ff942cd7a3d4dea20452a15a9a7ee3
Instruction Fuzzy Hash: 28C12934A00259DFEB51EB68C984BDDF7F5AF49304F5091E9E808AB651EB30AE85CF40

Function 0044F050 Relevance: 1.7, Strings: 1, Instructions: 490COMMON

Download Yara Rule

Strings

--], xrefs: 0044F6E9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: --]
API String ID: 0-4196694791
Opcode ID: 165f298e26384d2b18c6577d1d8338d6ab37a7e3827f1021355cb6c13ac2a7a0
Instruction ID: 551266fcd60de6bc5fd61a389f3efa7239d6d4de080b8346958bb85b47c9fce7
Opcode Fuzzy Hash: 165f298e26384d2b18c6577d1d8338d6ab37a7e3827f1021355cb6c13ac2a7a0
Instruction Fuzzy Hash: 77226531A002298BEF24CF15C891BEAB7B1BF58314F1445EED44967351DB38AE9ACF84

Function 0044F840 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

--], xrefs: 0044FD4A

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: --]
API String ID: 0-4196694791
Opcode ID: 49efed526dab03c8c5e46a52df893804dd9d3c6b71340bebf30ef14c58fe51b6
Instruction ID: 1377e04e932916208015013d5c6e5f69f5da69c2d5ec63fc09ece69b64a6b2da
Opcode Fuzzy Hash: 49efed526dab03c8c5e46a52df893804dd9d3c6b71340bebf30ef14c58fe51b6
Instruction Fuzzy Hash: ABF19170A043419FEB24DF15D441B6BB7E1FF94308F14492EE88997352E739E94ACB8A

Function 00401DF0 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

U=, xrefs: 00402056

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: U=
API String ID: 0-2073391516
Opcode ID: 91cac67a3f74daec0ad69761ef804481233410861920cc3d04a732cff17d9e55
Instruction ID: d5e849eb5873d0b4adec26507afce9b10022582d5b41941802ef872aad9d3385
Opcode Fuzzy Hash: 91cac67a3f74daec0ad69761ef804481233410861920cc3d04a732cff17d9e55
Instruction Fuzzy Hash: 0ED13774A00705CFDB15CF28D988BABB7F1BF88304F14846ED856AB391D778A844CB55

Function 04358C34 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 04358C60

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: DiskFreeSpace
String ID:
API String ID: 1705453755-0
Opcode ID: d684a81ec9cb04d5bc1ead9fa81389dbc5d0550b1395fedb8dc1d5d3715ae129
Instruction ID: 9d2cd8896c728bf44ed7b3fefbdfbffd782af959eab6cf116b576007a358fa84
Opcode Fuzzy Hash: d684a81ec9cb04d5bc1ead9fa81389dbc5d0550b1395fedb8dc1d5d3715ae129
Instruction Fuzzy Hash: A211AFB1E0110DAF9B44DF99C881DAFF7F9EF8C304B548166A519E7250E631AA418BA0

Function 04356430 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,00001004,?,00000007,00000000,04356496), ref: 04356456

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f5875d8641ab6d820a0f445386eb6c4f0eed850c7c65d828605dd59c7dcc4342
Instruction ID: fd540b97983ab958996ac2fcbe11c2f380f665c96a6a4c2039f994187a7ab848
Opcode Fuzzy Hash: f5875d8641ab6d820a0f445386eb6c4f0eed850c7c65d828605dd59c7dcc4342
Instruction Fuzzy Hash: A8F0C270A08309AFFB14DFA0DC42EEEB3BAFB84714F509975D914931A0E7B47A40CA80

Function 04399CB4 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtOpenProcess.NTDLL(00000040,00000040,?,?), ref: 04399CEA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: OpenProcess
String ID:
API String ID: 3743895883-0
Opcode ID: 66d995517ae419eb0fc1af68f15aa233c851735c59d68c3f4bbe165e6394a9dc
Instruction ID: 69496bf9febcd2e6c6091cc552a375f1a328b595fcee0e238377a1ec3ca0fdeb
Opcode Fuzzy Hash: 66d995517ae419eb0fc1af68f15aa233c851735c59d68c3f4bbe165e6394a9dc
Instruction Fuzzy Hash: 1CF037B26083056BE714DEA88CC0BDBB3DD9F88154F04893EBA85C7240E631ED058762

Function 0435B4FC Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0435B51A

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bc98e684697094c8d44724474af25827cc3d346ccf22818c231e5e61c0082185
Instruction ID: 529a2bc0b6aba22c14b6507eb1e9e51f02e8dc72735d5da6369d7a6ebd04dc78
Opcode Fuzzy Hash: bc98e684697094c8d44724474af25827cc3d346ccf22818c231e5e61c0082185
Instruction Fuzzy Hash: 4AE0D83270021427E319A958AC81FFAB35CAB68310F40117ABD09C7360EDA0FD9546F5

Function 0435B548 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0435CE7A,00000000,0435D093,?,?,00000000,00000000), ref: 0435B55B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: f611c33623f56dad02d5eeb4d1304c947e724e6ceb184ce971e93603f14ec6ee
Instruction ID: 8fa5a024fd2e21791e8f7faf125b5922274c0859f4e17d122fc47f1f9d94a375
Opcode Fuzzy Hash: f611c33623f56dad02d5eeb4d1304c947e724e6ceb184ce971e93603f14ec6ee
Instruction Fuzzy Hash: 01D05E6630D6503AB214955A2D85DBB8A9CCAC9BA5F00543AF949C6221D200EC0797B1

Function 04371458 Relevance: 1.5, APIs: 1, Instructions: 10keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000000), ref: 0437145C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AsyncState
String ID:
API String ID: 425341421-0
Opcode ID: 9bb7f0b05e188046ca4471b4612c6a37e415ac58ff4f95526f3d2104a3a23fef
Instruction ID: 31e36dd17c4145d2678f2120a2c7b222f00b968a8338f7373cbf9ca723785682
Opcode Fuzzy Hash: 9bb7f0b05e188046ca4471b4612c6a37e415ac58ff4f95526f3d2104a3a23fef
Instruction Fuzzy Hash: 13B0129B31065005FB4010F08CC3A3F30DCF704715F94D8625499C0191C80FC4C80920

Function 00409000 Relevance: .4, Instructions: 403COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009bb4cb1fa2c00376d10d8f54a50dbf506c6aeb9b06ce6d4082e663e4bb1b45
Instruction ID: 6b6f3645af2e920cbcc3c5debe07bcc6fbf14ed152b43d55ff30d41f46a8f3fd
Opcode Fuzzy Hash: 009bb4cb1fa2c00376d10d8f54a50dbf506c6aeb9b06ce6d4082e663e4bb1b45
Instruction Fuzzy Hash: DAD16E629086514FE71A493888F53BB7B81DBA6310F1946BEC9E71B7C7C03D4D04D7AA

Function 00414D50 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89de99cd3b390ef2f969eac9c3463fa318e8a96267c1f8948c8c4dd1e87602e6
Instruction ID: ee3a1e7cc6152765f2f23a05ef79df03dd510c9777e41f72bcdfff645de85687
Opcode Fuzzy Hash: 89de99cd3b390ef2f969eac9c3463fa318e8a96267c1f8948c8c4dd1e87602e6
Instruction Fuzzy Hash: C4A1BE70A04B42ABDB24DF65C4947AABBA1BF84314F08416FD8498B781D778ECD5CBC9

Function 00408930 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81c9ce0ea73b582d08c2dcbcf96c531178f3a064caaf25e9138cc7162fa88a5
Instruction ID: 3ae6214e9cbd6ddb8481658cd0adbb805e8c450840de1730773106de260f026b
Opcode Fuzzy Hash: a81c9ce0ea73b582d08c2dcbcf96c531178f3a064caaf25e9138cc7162fa88a5
Instruction Fuzzy Hash: 4AC16FB2E042588BCB58CFA9D99069DFBF2BF98304F25912ED419E7305E734AA45CF44

Function 043909F4 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b03386b96f5e30bb3e8bf0fbfadeaf96a46d9e152a8ea3a6656ecb4155609ce0
Instruction ID: 377974146c6b94b4c803d30e8feb3db22ce09b41ee0948a8d8c0a30f603d5e2f
Opcode Fuzzy Hash: b03386b96f5e30bb3e8bf0fbfadeaf96a46d9e152a8ea3a6656ecb4155609ce0
Instruction Fuzzy Hash: 27B12EB16042008FE74CCF19D489B45BBE1BF49318F1680A9D9098F2A6D7BAE985CF95

Function 0040E890 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9897b9f6f5adcc25b79a650cd3d21d4fa58b4aec603f1b7c500c6e9da8e1539c
Instruction ID: 5f818e04a285143b0a98978b406bb5a84038c67eab48164d95980f34ae1d3f8a
Opcode Fuzzy Hash: 9897b9f6f5adcc25b79a650cd3d21d4fa58b4aec603f1b7c500c6e9da8e1539c
Instruction Fuzzy Hash: CD918C71A00609CBDF10CF66C894BAFB7B5FF48350F55846AE846AB390EB78AD15CB44

Function 004102E0 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d30f424717afc02c88fbca666493fc8406e373b31cb777efd67f4472ca5fa99
Instruction ID: 91ae989910d922fea7fa8b50a5daab52ecc175ea564542aa65facb369a2e10df
Opcode Fuzzy Hash: 0d30f424717afc02c88fbca666493fc8406e373b31cb777efd67f4472ca5fa99
Instruction Fuzzy Hash: 90515F327086D64EC3129F3DA89023FBFE26FCA155B46097ED4D2C7053D928D94ADB92

Function 0041E0E0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3ab287be11f7faf9027dd66019c88d56bcb40735a7a50e9c80e6ad43e877fc5
Instruction ID: 691cd28049664e992c0f2a2e8d47aed32f7a19922c048a8687c7e56fe907e941
Opcode Fuzzy Hash: d3ab287be11f7faf9027dd66019c88d56bcb40735a7a50e9c80e6ad43e877fc5
Instruction Fuzzy Hash: 4C5149ABF047610AE3485EB3C980396B6D3AB85310F19C67ADCFD872C1D57CD0828B98

Function 004A23F0 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cd0e18d62cb2a1254e59469f3cfe7d5509d294cc585abb067db091e85df358
Instruction ID: bde859cc22769ae74f20ea10652f0d1c03d8484511e86654b09ddd94312b272e
Opcode Fuzzy Hash: 69cd0e18d62cb2a1254e59469f3cfe7d5509d294cc585abb067db091e85df358
Instruction Fuzzy Hash: 8241E770B006159FDB10DF29D5A066FB7A2BFAA314F14406EE8069B351DBB8EC01EB55

Function 004340A0 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a65c24d22be4cf141f2cd6f856299196d4749ec7d4ea5ff7bf1d51f2065b824
Instruction ID: 9702dc1710a8eb4e525ed3f819f762afc8a2fc9c7024aa3ef77e7baaa002f94f
Opcode Fuzzy Hash: 6a65c24d22be4cf141f2cd6f856299196d4749ec7d4ea5ff7bf1d51f2065b824
Instruction Fuzzy Hash: 1631CE31B009059BDB18CB38DC8A7E7BBA5FBA9354F04512AD91AC3341DB28BC94C789

Function 0040BBE0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad4875cd540fbf067d10ba545834445fca73e4ac543b69045ba2554ba33d15c
Instruction ID: 5b4f9c60284f9845589627ebe38936da0363b75909d5f53178b36624b60be851
Opcode Fuzzy Hash: fad4875cd540fbf067d10ba545834445fca73e4ac543b69045ba2554ba33d15c
Instruction Fuzzy Hash: 99310855E1A6988BDB008939D9D1796BFC1C796315F28D3F8D8188F7CFDA24E409C3A4

Function 0058061A Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ae4aaee95331f51c05b2797a5aaec411dd2de83c19c154d32e6990bbc5c700
Instruction ID: dbe8d0dfd75effe82e5dc4f07a5ebba863d0f923859fe8be1415e5b3b608fa50
Opcode Fuzzy Hash: 85ae4aaee95331f51c05b2797a5aaec411dd2de83c19c154d32e6990bbc5c700
Instruction Fuzzy Hash: 51E08C32915238EBCB94EB99C948A8AF7ECFB84B10F110096F906E3290D270DE04C7D0

Function 0436D494 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: c2a2d129c8543363c052d008b34330d58e57021dec0e7df0c1a6226ed5b22a4b
Instruction Fuzzy Hash:

Function 0436DBDC Relevance: 75.4, APIs: 24, Strings: 19, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(PSAPI.dll,00000000,0436DF59,00000000,?,00000000,?,04373B35,00000104,001F0FFF,00000000,?), ref: 0436DBF0
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 0436DC0C
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 0436DC1E
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0436DC30
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0436DC42
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 0436DC54
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 0436DC66
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0436DC78
GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0436DC8A
GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 0436DC9C
GetProcAddress.KERNEL32(00000000,EmptyWorkingSet), ref: 0436DCAE
GetProcAddress.KERNEL32(00000000,QueryWorkingSet), ref: 0436DCC0
GetProcAddress.KERNEL32(00000000,InitializeProcessForWsWatch), ref: 0436DCD2
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 0436DCE4
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 0436DCF6
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 0436DD08
GetProcAddress.KERNEL32(00000000,GetMappedFileNameA), ref: 0436DD1A
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameA), ref: 0436DD2C
GetProcAddress.KERNEL32(00000000,GetDeviceDriverFileNameA), ref: 0436DD3E
GetProcAddress.KERNEL32(00000000,GetMappedFileNameW), ref: 0436DD50
GetProcAddress.KERNEL32(00000000,GetDeviceDriverBaseNameW), ref: 0436DD62

Strings

GetModuleInformation, xrefs: 0436DC94
EnumProcesses, xrefs: 0436DC04
GetDeviceDriverBaseNameA, xrefs: 0436DCEE, 0436DD24
GetDeviceDriverBaseNameW, xrefs: 0436DD5A
EmptyWorkingSet, xrefs: 0436DCA6
GetModuleBaseNameA, xrefs: 0436DC28, 0436DC4C
GetMappedFileNameA, xrefs: 0436DCDC, 0436DD12
GetModuleBaseNameW, xrefs: 0436DC70
GetMappedFileNameW, xrefs: 0436DD48
GetProcessMemoryInfo, xrefs: 0436DD90
GetModuleFileNameExA, xrefs: 0436DC3A, 0436DC5E
InitializeProcessForWsWatch, xrefs: 0436DCCA
PSAPI.dll, xrefs: 0436DBEB
GetDeviceDriverFileNameA, xrefs: 0436DD00, 0436DD36
GetDeviceDriverFileNameW, xrefs: 0436DD6C
GetModuleFileNameExW, xrefs: 0436DC82
QueryWorkingSet, xrefs: 0436DCB8
EnumDeviceDrivers, xrefs: 0436DD7E
EnumProcessModules, xrefs: 0436DC16

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: EmptyWorkingSet$EnumDeviceDrivers$EnumProcessModules$EnumProcesses$GetDeviceDriverBaseNameA$GetDeviceDriverBaseNameW$GetDeviceDriverFileNameA$GetDeviceDriverFileNameW$GetMappedFileNameA$GetMappedFileNameW$GetModuleBaseNameA$GetModuleBaseNameW$GetModuleFileNameExA$GetModuleFileNameExW$GetModuleInformation$GetProcessMemoryInfo$InitializeProcessForWsWatch$PSAPI.dll$QueryWorkingSet
API String ID: 2238633743-2267155864
Opcode ID: 08abb9d418e998e3c7b3b9330398bcfe87149aa5b8920d2a3b2c0008ee0c4d57
Instruction ID: b60ac267911579f9c5f59300c2bcf80dcf921dff7519dcc334f0aeca701d7b25
Opcode Fuzzy Hash: 08abb9d418e998e3c7b3b9330398bcfe87149aa5b8920d2a3b2c0008ee0c4d57
Instruction Fuzzy Hash: F34172B0B81611AFEB04FFB4D886D2637A8FF2A6157407966E845CF258D678BC108F91

Function 0435DC44 Relevance: 59.6, APIs: 17, Strings: 17, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,0000000F,0435DECB,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DC58
GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 0435DC70
GetProcAddress.KERNEL32(00000000,Heap32ListFirst), ref: 0435DC82
GetProcAddress.KERNEL32(00000000,Heap32ListNext), ref: 0435DC94
GetProcAddress.KERNEL32(00000000,Heap32First), ref: 0435DCA6
GetProcAddress.KERNEL32(00000000,Heap32Next), ref: 0435DCB8
GetProcAddress.KERNEL32(00000000,Toolhelp32ReadProcessMemory), ref: 0435DCCA
GetProcAddress.KERNEL32(00000000,Process32First), ref: 0435DCDC
GetProcAddress.KERNEL32(00000000,Process32Next), ref: 0435DCEE
GetProcAddress.KERNEL32(00000000,Process32FirstW), ref: 0435DD00
GetProcAddress.KERNEL32(00000000,Process32NextW), ref: 0435DD12
GetProcAddress.KERNEL32(00000000,Thread32First), ref: 0435DD24
GetProcAddress.KERNEL32(00000000,Thread32Next), ref: 0435DD36
GetProcAddress.KERNEL32(00000000,Module32First), ref: 0435DD48
GetProcAddress.KERNEL32(00000000,Module32Next), ref: 0435DD5A
GetProcAddress.KERNEL32(00000000,Module32FirstW), ref: 0435DD6C
GetProcAddress.KERNEL32(00000000,Module32NextW), ref: 0435DD7E

Strings

Heap32ListNext, xrefs: 0435DC8C
Module32First, xrefs: 0435DD40
Thread32First, xrefs: 0435DD1C
Heap32Next, xrefs: 0435DCB0
Heap32ListFirst, xrefs: 0435DC7A
CreateToolhelp32Snapshot, xrefs: 0435DC68
Process32FirstW, xrefs: 0435DCF8
Module32FirstW, xrefs: 0435DD64
Module32Next, xrefs: 0435DD52
Process32NextW, xrefs: 0435DD0A
kernel32.dll, xrefs: 0435DC53
Process32Next, xrefs: 0435DCE6
Toolhelp32ReadProcessMemory, xrefs: 0435DCC2
Heap32First, xrefs: 0435DC9E
Thread32Next, xrefs: 0435DD2E
Process32First, xrefs: 0435DCD4
Module32NextW, xrefs: 0435DD76

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: CreateToolhelp32Snapshot$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Module32First$Module32FirstW$Module32Next$Module32NextW$Process32First$Process32FirstW$Process32Next$Process32NextW$Thread32First$Thread32Next$Toolhelp32ReadProcessMemory$kernel32.dll
API String ID: 667068680-597814768
Opcode ID: 4960a2a9a91a895ee2a4f133ac0559b0f4f6c92589798d6f2297d8551b99b4bc
Instruction ID: 510714b1ceaa11d10a49b92b23c0e64ae8c8b2aae4bfd8c834ede69eec3c2c2e
Opcode Fuzzy Hash: 4960a2a9a91a895ee2a4f133ac0559b0f4f6c92589798d6f2297d8551b99b4bc
Instruction Fuzzy Hash: E031D4B0A80310AFEB05AFA5D88AE7633E8FF09715B407566E844CF264D679B8508F91

Function 0435FCE8 Relevance: 42.1, APIs: 1, Strings: 23, Instructions: 141COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(oleaut32.dll), ref: 0435FCF1

Part of subcall function 0435FCB0: GetProcAddress.KERNEL32(00000000), ref: 0435FCCE

Strings

VarR8FromStr, xrefs: 0435FE49
VariantChangeTypeEx, xrefs: 0435FCFF
VarSub, xrefs: 0435FD57
VarMul, xrefs: 0435FD6D
VarOr, xrefs: 0435FDDB
VarDateFromStr, xrefs: 0435FE5F
oleaut32.dll, xrefs: 0435FCEC
VarI4FromStr, xrefs: 0435FE1D
VarAnd, xrefs: 0435FDC5
VarBstrFromCy, xrefs: 0435FEA1
VarMod, xrefs: 0435FDAF
VarBstrFromBool, xrefs: 0435FECD
VarXor, xrefs: 0435FDF1
VarBstrFromDate, xrefs: 0435FEB7
VarAdd, xrefs: 0435FD41
VarNot, xrefs: 0435FD2B
VarIdiv, xrefs: 0435FD99
VarCmp, xrefs: 0435FE07
VarCyFromStr, xrefs: 0435FE75
VarR4FromStr, xrefs: 0435FE33
VarDiv, xrefs: 0435FD83
VarNeg, xrefs: 0435FD15
VarBoolFromStr, xrefs: 0435FE8B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
API String ID: 1646373207-1918263038
Opcode ID: f65e87362242908038f80450398fed0249671cac4723d16ed124d8a908d646ff
Instruction ID: 0b97389fcc6fd62d004951550828023163ab7c3a8bc3ee949c60ce7d26c9c7d8
Opcode Fuzzy Hash: f65e87362242908038f80450398fed0249671cac4723d16ed124d8a908d646ff
Instruction Fuzzy Hash: E241866AAC42045B72087B697500C3A77EDDB4975C7A0B02AAD04EBB74DE34FC51466E

Function 0437DB70 Relevance: 37.7, APIs: 25, Instructions: 248windowCOMMON

Download Yara Rule

APIs

73A14C00.GDI32(?,00000001,00000001), ref: 0437DBB3
SelectObject.GDI32(?,?), ref: 0437DBC8
MaskBlt.GDI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,0437DC43,?,?), ref: 0437DC17
SelectObject.GDI32(?,?), ref: 0437DC31
DeleteObject.GDI32(?), ref: 0437DC3D
73A14C40.GDI32(00000000), ref: 0437DC51
73A14C00.GDI32(?,?,?,00000000,0437DDF0,?,00000000), ref: 0437DC72
SelectObject.GDI32(?,?), ref: 0437DC87
73A08830.GDI32(?,A2080E55,00000000,?,?,?,?,?,00000000,0437DDF0,?,00000000), ref: 0437DC9B
73A08830.GDI32(?,?,00000000,?,A2080E55,00000000,?,?,?,?,?,00000000,0437DDF0,?,00000000), ref: 0437DCAD
73A08830.GDI32(?,00000000,000000FF,?,?,00000000,?,A2080E55,00000000,?,?,?,?,?,00000000,0437DDF0), ref: 0437DCC2
73A08830.GDI32(?,A2080E55,000000FF,?,?,00000000,?,A2080E55,00000000,?,?,?,?,?,00000000,0437DDF0), ref: 0437DCD8
73A022A0.GDI32(?,?,A2080E55,000000FF,?,?,00000000,?,A2080E55,00000000,?,?,?,?,?,00000000), ref: 0437DCE4
StretchBlt.GDI32(?,00000000,00000000,?,?,?,?,?,?,?,00CC0020), ref: 0437DD06
StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,?,?,?,?,00440328), ref: 0437DD28
SetTextColor.GDI32(?,00000000), ref: 0437DD30
SetBkColor.GDI32(?,00FFFFFF), ref: 0437DD3E
StretchBlt.GDI32(?,?,?,?,?,?,?,?,?,?,008800C6), ref: 0437DD6A
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0437DD8F
SetTextColor.GDI32(?,?), ref: 0437DD99
SetBkColor.GDI32(?,?), ref: 0437DDA3
SelectObject.GDI32(?,00000000), ref: 0437DDB6
DeleteObject.GDI32(?), ref: 0437DDBF
73A08830.GDI32(?,00000000,00000000,0437DDF7,?,?,?,?,?,?,?,?,00000000,00000000,?,?), ref: 0437DDE1
DeleteDC.GDI32(?), ref: 0437DDEA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$A08830$ColorSelectStretch$Delete$Text$A022Mask
String ID:
API String ID: 348204008-0
Opcode ID: 4e8c16562cf31645fb64439406ad76620b3548bdff93bbaa2dd2e02976229f1e
Instruction ID: e2ae2a0f3436d5966d1194d4f5c30d57207501667efa5ae3150ad3c2bfb62ead
Opcode Fuzzy Hash: 4e8c16562cf31645fb64439406ad76620b3548bdff93bbaa2dd2e02976229f1e
Instruction Fuzzy Hash: 858180B2A00209AFEB50DEA9C991EAFBBFCEF0D714F515554FA18E7250C674ED008B61

Function 00403FC0 Relevance: 33.7, APIs: 6, Strings: 13, Instructions: 408COMMON

Download Yara Rule

Strings

%06.3f, xrefs: 00404176
u, xrefs: 0040448E
%02d:%02d, xrefs: 00404391
+], xrefs: 00404320
%03d, xrefs: 004042A2
%02d:%02d:%02d, xrefs: 0040444A
%04d, xrefs: 004044B0
%04d-%02d-%02d, xrefs: 00404199
%.16g, xrefs: 004042D3
%02d, xrefs: 00404146, 0040414E, 0040428C, 004042EE, 00404306, 00404429
%lld, xrefs: 0040440D
%.3f, xrefs: 004043D8
%2d, xrefs: 00404141

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: %.16g$%.3f$%02d$%02d:%02d$%02d:%02d:%02d$%03d$%04d$%04d-%02d-%02d$%06.3f$%2d$%lld$u$+]
API String ID: 0-1862065537
Opcode ID: 862587cffb825a10a828cb59d7da21972f02b9b17b5337566a5a8b4721e3c2df
Instruction ID: 6229c16559ad69dbe6ecfe9c79360568a416ba4126e73522de28f3ebe4db656a
Opcode Fuzzy Hash: 862587cffb825a10a828cb59d7da21972f02b9b17b5337566a5a8b4721e3c2df
Instruction Fuzzy Hash: B4E113B1508741ABD710EF28CD42B6BB7E5BFC0304F044A2FF685A6291EB79D8458B5B

Function 0439DD64 Relevance: 31.7, APIs: 4, Strings: 17, Instructions: 219sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000009C4,00000000,0439E080,?,?,?,?,00000009,00000000,00000000), ref: 0439DDBE
Sleep.KERNEL32(000009C4,00000000,0439E080,?,?,?,?,00000009,00000000,00000000), ref: 0439DE7E

Part of subcall function 04377B38: GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0437A6B4,\AppData\Roaming\,?,C:\Users\,00000000,0437A6EA,?,?,00000000,00000000), ref: 04377B7A

Sleep.KERNEL32(000009C4,00000000,0439E080,?,?,?,?,00000009,00000000,00000000), ref: 0439DF3A
Sleep.KERNEL32(00000064,?,00000000,0439E080,?,?,?,?,00000009,00000000,00000000), ref: 0439E008

Part of subcall function 0437A0F4: CloseHandle.KERNEL32(00000000), ref: 0437A201

Strings

cookie, xrefs: 0439DFEB, 0439E02E
/c cd /d ", xrefs: 0439DDC3, 0439DE83, 0439DEC2, 0439DF3F, 0439DF7E
firefox.exe, xrefs: 0439DDAF
cmd.exe, xrefs: 0439DDF0, 0439DE33, 0439DEB0, 0439DEEF, 0439DF6C, 0439DFAB
firefox\*, xrefs: 0439DE1E
chrome.exe, xrefs: 0439DE6F
brave.exe, xrefs: 0439DF2B
BraveSoftware, xrefs: 0439DF07
Opera Software, xrefs: 0439DFD1
" && move BraveSoftware braveSoftware, xrefs: 0439DF47, 0439DF86
Mozilla\, xrefs: 0439DD93
" && move firefox firefox, xrefs: 0439DDCB
Google, xrefs: 0439DE4B
firefox, xrefs: 0439DDFD
/c del /q /f /s , xrefs: 0439DE16
opera.exe, xrefs: 0439DFFC
" && move Google google, xrefs: 0439DE8B, 0439DECA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Sleep$AttributesCloseFileHandle
String ID: " && move BraveSoftware braveSoftware$" && move Google google$" && move firefox firefox$/c cd /d "$/c del /q /f /s $BraveSoftware$Google$Mozilla\$Opera Software$brave.exe$chrome.exe$cmd.exe$cookie$firefox$firefox.exe$firefox\*$opera.exe
API String ID: 1617435388-3698069828
Opcode ID: 74e6f2499f584fcff894e712d11e7928f6edeebe9bd1f6b15b4d87b14007990f
Instruction ID: 41345af86fc913cb4c28c34b20b668cb57800b36f7f1abc937e70dbe99a1c147
Opcode Fuzzy Hash: 74e6f2499f584fcff894e712d11e7928f6edeebe9bd1f6b15b4d87b14007990f
Instruction Fuzzy Hash: B2811834A00109ABFF14FBA4C982E8DB7B5EF44308F207461E950B7790CA79FE559B61

Function 0438108C Relevance: 31.7, APIs: 21, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000054,?), ref: 043810AF
73A0A570.USER32(00000000,00000000,04381287,?,?,00000054,?), ref: 043810DD
73A14C40.GDI32(?,00000000,00000000,04381287,?,?,00000054,?), ref: 043810EE
73A16180.GDI32(?,?,00000001,00000001,00000000,?,00000000,00000000,04381287,?,?,00000054,?), ref: 04381109
SelectObject.GDI32(?,00000000), ref: 04381123
PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 04381145
73A14C40.GDI32(?,?,00000000,?,?,00000001,00000001,00000000,?,00000000,00000000,04381287,?,?,00000054,?), ref: 04381153
SelectObject.GDI32(?), ref: 0438119B
73A08830.GDI32(?,?,00000000,?,?,00000000,0438123F,?,?,?,00000000,?,?,00000001,00000001,00000000), ref: 043811AE
73A022A0.GDI32(?,?,?,00000000,?,?,00000000,0438123F,?,?,?,00000000,?,?,00000001,00000001), ref: 043811B7
73A08830.GDI32(?,?,00000000,?,?,?,00000000,?,?,00000000,0438123F,?,?,?,00000000,?), ref: 043811C3
73A022A0.GDI32(?,?,?,00000000,?,?,?,00000000,?,?,00000000,0438123F,?,?,?,00000000), ref: 043811CC
SetBkColor.GDI32(?), ref: 043811D6
73A14D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,00000000,0438123F), ref: 043811FA
SetBkColor.GDI32(?,00000000), ref: 04381204
SelectObject.GDI32(?,00000000), ref: 04381217
DeleteObject.GDI32 ref: 04381223
DeleteDC.GDI32(?), ref: 04381239
SelectObject.GDI32(?,00000000), ref: 04381254
DeleteDC.GDI32(00000000), ref: 04381270
73A0A480.USER32(00000000,00000000,0438128E,00000001,00000000,?,00000000,00000000,04381287,?,?,00000054,?), ref: 04381281

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$A022A08830Color$A16180A480A570
String ID:
API String ID: 2539429222-0
Opcode ID: 12115fe419a44f39257ccf91d70cf16a9b744070efe37d95931760cf1fd086fb
Instruction ID: b14f6d2bc08da6130b60c72a9504be667083d18ffad77ef8428606de719f4c4a
Opcode Fuzzy Hash: 12115fe419a44f39257ccf91d70cf16a9b744070efe37d95931760cf1fd086fb
Instruction Fuzzy Hash: 1D510E71E00309ABEF50EBE9CC55FAEB7FCAF09704F505859BA18E7290D674B9418B60

Function 04381E28 Relevance: 28.4, APIs: 14, Strings: 2, Instructions: 351COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,?,00000000,04382345,?,?), ref: 04382092
73A14C40.GDI32(00000001,00000000,043821FB,?,00000000,04382293,?,00000000,?,00000000,04382345,?,?), ref: 043820F7
73A14C00.GDI32(00000001,00000001,00000001,00000001,00000000,043821FB,?,00000000,04382293,?,00000000,?,00000000,04382345,?,?), ref: 0438210C
SelectObject.GDI32(?,00000000), ref: 04382116
73A08830.GDI32(?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,043821FB,?,00000000,04382293,?,00000000), ref: 04382146
73A022A0.GDI32(?,?,?,00000000,?,00000000,00000001,00000001,00000001,00000001,00000000,043821FB,?,00000000,04382293), ref: 04382152
73A16310.GDI32(?,?,00000004,00000000,?,00000000,00000000,043821CF,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 04382176
GetLastError.KERNEL32(?,?,00000004,00000000,?,00000000,00000000,043821CF,?,?,00000000,00000001,00000001,00000001,00000001,00000000), ref: 04382184
73A08830.GDI32(?,00000000,000000FF,043821D6,00000000,?,00000000,00000000,043821CF,?,?,00000000,00000001,00000001,00000001,00000001), ref: 043821B6
SelectObject.GDI32(?,?), ref: 043821C3
DeleteObject.GDI32(00000000), ref: 043821C9

Strings

(, xrefs: 04381FE1
BM, xrefs: 04381F4C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$A08830Select$A022A16310A570DeleteErrorLast
String ID: ($BM
API String ID: 479392998-2980357723
Opcode ID: 8c3d9781480d7fd97d8f4b0272656b9efb0adcdb356eaf0e62f997409b673134
Instruction ID: aa8f419498dc42a6b59693ec71ba883bcee67831685c7e8c6bcb3f7a5d171fbc
Opcode Fuzzy Hash: 8c3d9781480d7fd97d8f4b0272656b9efb0adcdb356eaf0e62f997409b673134
Instruction Fuzzy Hash: 9AD13B74A002189FEF54EFA8C894AAEFBF5FF49304F1095A9E914EB255D734A840CB61

Function 0436E488 Relevance: 26.7, APIs: 6, Strings: 9, Instructions: 475processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0436EADE,?,?,00000000,00000000), ref: 0436E5E4
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0436E608
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,0436EADE,?,?,00000000,00000000), ref: 0436E63B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0436E65B
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,00000000,00000004), ref: 0436E693

Part of subcall function 0436DAFC: GetTickCount.KERNEL32 ref: 0436DB75

GetTickCount.KERNEL32 ref: 0436EA9E

Strings

NtGetContextThread, xrefs: 0436E6E7
cmd.exe, xrefs: 0436E510
NtUnmapViewOfSection, xrefs: 0436E743
notepad.exe, xrefs: 0436E4F5
NtFreeVirtualMemory, xrefs: 0436EA5E
NtTerminateProcess, xrefs: 0436E939, 0436E9B8, 0436EA94
NtSetContextThread, xrefs: 0436E894
D, xrefs: 0436E5A2
NtResumeThread, xrefs: 0436E8EB

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CreateProcess$CountTick
String ID: D$NtFreeVirtualMemory$NtGetContextThread$NtResumeThread$NtSetContextThread$NtTerminateProcess$NtUnmapViewOfSection$cmd.exe$notepad.exe
API String ID: 2656259652-830972145
Opcode ID: 5f8f97b79e979891e36f9aa8838815b6c1de951b152207ca9f5c4f3d43fb0b2b
Instruction ID: 9df766e6476e0431247c6f754e16c6c08762acc1962e9fcca347d17ee7c9d440
Opcode Fuzzy Hash: 5f8f97b79e979891e36f9aa8838815b6c1de951b152207ca9f5c4f3d43fb0b2b
Instruction Fuzzy Hash: 8E121F74A00219AFEB50DBA8CC86FDDB7F8AF09314F509095E509F7285D774AA88CF21

Function 043979AC Relevance: 26.4, APIs: 4, Strings: 11, Instructions: 133processthreadCOMMON

Download Yara Rule

APIs

OpenDesktopA.USER32(virtualdesk,00000000,000000FF,10000000), ref: 04397AB9
CreateDesktopA.USER32(virtualdesk,00000000,00000000,00000000,10000000,00000000), ref: 04397ADE
SetThreadDesktop.USER32(00000000,00000000,04397B96), ref: 04397AEE
CreateProcessA.KERNEL32(00000000,00000000,?, --mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 ,?,04397D6C,?,04397D60,00000000,00000000,00000000,00000030,00000000,00000000,00000044,?), ref: 04397B69

Strings

\dark\Brave-Browser\User Data", xrefs: 04397A57
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe, xrefs: 04397A7F
--mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 , xrefs: 04397B42
C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe, xrefs: 04397A3D
D, xrefs: 04397B02
\dark\User Data", xrefs: 04397A99
virtualdesk, xrefs: 04397AB4, 04397AD9, 04397B16
C:\Program Files\Google\Chrome\Application\chrome.exe, xrefs: 043979F8
\dark\Chrome\User Data", xrefs: 04397A12
https://mail.google.com/mail/u/0/#inbox, xrefs: 043979DA
--user-data-dir=", xrefs: 04397A02, 04397A47, 04397A89

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Desktop$Create$OpenProcessThread
String ID: --mute-audio --disable-audio --new-window --disable-3d-apis --disable-gpu --disable-d3d11 $--user-data-dir="$C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe$C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe$C:\Program Files\Google\Chrome\Application\chrome.exe$D$\dark\Brave-Browser\User Data"$\dark\Chrome\User Data"$\dark\User Data"$https://mail.google.com/mail/u/0/#inbox$virtualdesk
API String ID: 1654231886-2641536602
Opcode ID: 745a9ec1e78c2c53f6422ae030cc65cc438298d6f2529d77269636028be44325
Instruction ID: 8765b2412e16e4ae1446978ce3eb9ed88377fd526af27df76647adc54c714c0e
Opcode Fuzzy Hash: 745a9ec1e78c2c53f6422ae030cc65cc438298d6f2529d77269636028be44325
Instruction Fuzzy Hash: 2D510874A60208EBFF14EBA0CC41F9DB7F9AF58714F606026E904A62E4D774BE518F14

Function 04371474 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 250sleepkeyboardthreadCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(0000000A,00000000,?,00000000), ref: 043714C2
GetWindowThreadProcessId.USER32(?,?), ref: 043714EC
GetKeyboardLayout.USER32(?), ref: 043714F8

Part of subcall function 04371458: GetAsyncKeyState.USER32(00000000), ref: 0437145C

MapVirtualKeyExA.USER32(00000000,00000000,00000000), ref: 0437157C
GetKeyNameTextA.USER32(00000000,?,00000021), ref: 04371592

Part of subcall function 04370A1C: GetForegroundWindow.USER32(00000000,04370A7E,?,?,?,00000001,00000000,?,04374FDA,00000000,043754DD,?,?,00000015,00000000,00000000), ref: 04370A34
Part of subcall function 04370A1C: GetWindowTextLengthA.USER32(00000000), ref: 04370A3C
Part of subcall function 04370A1C: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 04370A59

Sleep.KERNEL32(?,00000000,04371846), ref: 04371811

Strings

{Del2}, xrefs: 04371675
{Del}, xrefs: 04371687
{Tab}, xrefs: 04371663
{Esc}, xrefs: 04371651
{start}, xrefs: 04371699
{end}, xrefs: 043716AB
{Insert}, xrefs: 0437163F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Window$Text$AsyncForegroundInfoKeyboardLayoutLengthNameParametersProcessSleepStateSystemThreadVirtual
String ID: {Del2}${Del}${Esc}${Insert}${Tab}${end}${start}
API String ID: 2662919289-1295617917
Opcode ID: acee1660fd26a6ff67c6ff5636b6a49748888ccc0706c01c456e880366041ba8
Instruction ID: 3ebd7add4b90219bb11f7d538c6a786e95fc0b2288cc1103c34a8bba1a2cc31a
Opcode Fuzzy Hash: acee1660fd26a6ff67c6ff5636b6a49748888ccc0706c01c456e880366041ba8
Instruction Fuzzy Hash: 4C81C577A1030D9AFF34EBA4CC80AEE76B8EF44304F507566D891E2720D63CF9418A52

Function 04396C10 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 160COMMON

Download Yara Rule

APIs

73A14620.GDI32(00000000,00000026,?,00000000,00000000,00000000), ref: 04396C9E
73A3E680.GDI32(00000000,00000000,00000100,00000004,00000000,00000026,?,00000000,00000000,00000000), ref: 04396CDA
73A16750.GDI32(00000000,00000000,00000000,00000100,00000004,00000000,00000026,?,00000000,00000000,00000000), ref: 04396CEB
73A14C40.GDI32(00000000,?,00000000,00000000,00000000), ref: 04396D47
73A0A480.USER32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04396D5D

Part of subcall function 0437AD34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020119), ref: 0437AD5C
Part of subcall function 0437AD34: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000004,00000004,80000001,00000000,00000000,00020119), ref: 0437AD83
Part of subcall function 0437AD34: RegCloseKey.ADVAPI32(00000000,80000001,00000000,00000000,00020119), ref: 0437AD9B

73A14C00.GDI32(00000000,00000000,?,00000000,00000000,00000000), ref: 04396D78
DeleteDC.GDI32(00000000), ref: 04396D89
73A0A480.USER32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04396D91
SelectObject.GDI32(00000000,00000000), ref: 04396D9F
73A14D40.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 04396DC8
GetCursorPos.USER32(?), ref: 04396DD1

Part of subcall function 04396BC8: GetCursorInfo.USER32(00000014), ref: 04396BE4
Part of subcall function 04396BC8: DrawIconEx.USER32(00000000,?,?,?,00000020,00000020,00000000,00000000,00000003), ref: 04396C03

Part of subcall function 04382400: GetObjectA.GDI32(?,00000054,?), ref: 0438243A

DeleteObject.GDI32(00000000), ref: 04396DED

Strings

AppliedDPI, xrefs: 04396C6F
Control Panel\Desktop\WindowMetrics, xrefs: 04396C74

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$A480CursorDelete$A14620A16750CloseDrawE680IconInfoOpenQuerySelectValue
String ID: AppliedDPI$Control Panel\Desktop\WindowMetrics
API String ID: 775688490-3919141887
Opcode ID: bb97f909c106db75eb095c75577b7b50bf86697e5a4e7473c5414d92976cc8d7
Instruction ID: 2b0482045a0c76ef399ae1743fe55dc41581d875988908db426f3d5d5c70d16d
Opcode Fuzzy Hash: bb97f909c106db75eb095c75577b7b50bf86697e5a4e7473c5414d92976cc8d7
Instruction Fuzzy Hash: 6851AD70B01205AFEB54AF68D946B6EB7F9FF4D304F506068E505DB2A0DA78AC45CB90

Function 04381524 Relevance: 21.2, APIs: 14, Instructions: 217windowCOMMON

Download Yara Rule

APIs

Part of subcall function 04381BA0: 73A0A570.USER32(00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381BF6
Part of subcall function 04381BA0: 73A14620.GDI32(00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C0B
Part of subcall function 04381BA0: 73A14620.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C15
Part of subcall function 04381BA0: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C39
Part of subcall function 04381BA0: 73A0A480.USER32(00000000,00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C44

73A08830.GDI32(?,?,000000FF), ref: 04381566
73A022A0.GDI32(?,?,?,000000FF), ref: 04381575
73A14620.GDI32(?,0000000C), ref: 04381587
73A14620.GDI32(?,0000000E,00000000,?,0000000C), ref: 04381596
GetBrushOrgEx.GDI32(?,?,0000000E,00000000,?,0000000C), ref: 043815C9
SetStretchBltMode.GDI32(?,00000004), ref: 043815D7
SetBrushOrgEx.GDI32(?,?,?,?,?,00000004,?,?,0000000E,00000000,?,0000000C), ref: 043815EF
SetStretchBltMode.GDI32(00000000,00000003), ref: 0438160C
73A14C40.GDI32(00000000,00000000,043816F5,?,?,0000000E,00000000,?,0000000C), ref: 0438166C
SelectObject.GDI32(?,?), ref: 04381681
SelectObject.GDI32(?,00000000), ref: 043816E0
DeleteDC.GDI32(00000000), ref: 043816EF

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620$BrushModeObjectSelectStretch$A022A08830A480A570CreateDeleteHalftonePalette
String ID:
API String ID: 3220468439-0
Opcode ID: c125edca1f077b177f6c786729186db7850ae8e2ff84ce31e21c1b7ac724766d
Instruction ID: ee05f1051380a45422d7e059e4a764dc9d3007cc3c962007b66c5c6160179dd7
Opcode Fuzzy Hash: c125edca1f077b177f6c786729186db7850ae8e2ff84ce31e21c1b7ac724766d
Instruction Fuzzy Hash: 937115B5A00205AFEB50EFA8C995E9EFBF8AF08304F54A559F949E7250D634FD01CB50

Function 0437D9DC Relevance: 21.1, APIs: 14, Instructions: 131windowCOMMON

Download Yara Rule

APIs

73A14C40.GDI32(00000000), ref: 0437D9F3
73A14C40.GDI32(00000000,00000000), ref: 0437D9FD
GetObjectA.GDI32(?,00000018,?), ref: 0437DA1D
73A16180.GDI32(?,?,00000001,00000001,00000000,?,00000018,?,00000000,0437DB2A,?,00000000,00000000), ref: 0437DA34
73A0A570.USER32(00000000,?,00000018,?,00000000,0437DB2A,?,00000000,00000000), ref: 0437DA40
73A14C00.GDI32(00000000,?,?,00000000,0437DA99,?,00000000,?,00000018,?,00000000,0437DB2A,?,00000000,00000000), ref: 0437DA6D
73A0A480.USER32(00000000,00000000,0437DAA0,00000000,0437DA99,?,00000000,?,00000018,?,00000000,0437DB2A,?,00000000,00000000), ref: 0437DA93
SelectObject.GDI32(?,?), ref: 0437DAAE
SelectObject.GDI32(?,00000000), ref: 0437DABD
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0437DAE9
SelectObject.GDI32(?,00000000), ref: 0437DAF7
SelectObject.GDI32(?,00000000), ref: 0437DB05
DeleteDC.GDI32(?), ref: 0437DB1B
DeleteDC.GDI32(?), ref: 0437DB24

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$Select$Delete$A16180A480A570Stretch
String ID:
API String ID: 3135053572-0
Opcode ID: f43400c7ee1e973dbcac22c7c97e22769fb07dde3bc27ae01b5cc1fc0c133221
Instruction ID: ced9b35d77cc24c634b8a66370c0946368137b23e264c84bafaf4e0ed24db199
Opcode Fuzzy Hash: f43400c7ee1e973dbcac22c7c97e22769fb07dde3bc27ae01b5cc1fc0c133221
Instruction Fuzzy Hash: BC41DA72E04209AFEB50EBE8C852FAFB7BCEF49714F415455FA05E7250D674A9008B60

Function 04352C24 Relevance: 18.2, APIs: 9, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

CharNextA.USER32(00000000), ref: 04352C79
CharNextA.USER32(00000000,00000000), ref: 04352C85
CharNextA.USER32(00000000,00000000), ref: 04352CAD
CharNextA.USER32(00000000), ref: 04352CB9
CharNextA.USER32(?,00000000), ref: 04352CFA
CharNextA.USER32(00000000,?,00000000), ref: 04352D06
CharNextA.USER32(00000000,?,00000000), ref: 04352D3E
CharNextA.USER32(?,00000000), ref: 04352D4A

Strings

", xrefs: 04352D2F
", xrefs: 04352C9E
, xrefs: 04352C4C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CharNext
String ID: $"$"
API String ID: 3213498283-938660540
Opcode ID: 5de8f13cd2f771ae2632233a0a532b488500cf84775a435defc53c42c6192f5c
Instruction ID: c53e0226f738e3a757f48aa47a5a50249c13efff6791be8fa37a7e9505209772
Opcode Fuzzy Hash: 5de8f13cd2f771ae2632233a0a532b488500cf84775a435defc53c42c6192f5c
Instruction Fuzzy Hash: 8151C574A082819FE761DF68C484E56BBF4EF5A344B241C99E8D5CB7A2E334B840DF50

Function 04397DD4 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 275windowsleepthreadCOMMON

Download Yara Rule

APIs

SetThreadDesktop.USER32(00000000,00000000,04398160,?,?,?,?,0000000E,00000000,00000000), ref: 04397E09
GetWindowRect.USER32(00000000,?), ref: 04397E18
Sleep.KERNEL32(00000032,00000000,?,00000000,00000101,?,001E0001,?,?,||-_-|-_-||,?,?,?,?,?,0000000E), ref: 04397E34
GetWindowRect.USER32(00000000,?), ref: 04397E53

Part of subcall function 0436CE10: Sleep.KERNEL32(00000064,00000000,0436CEF5,?,?,043A8CD4,?,00000000,00000000,00000000,00000000,00000000,?,043A223A,?,|||), ref: 0436CEC2

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000006,?,?,||-_-|-_-||,?,?,?,?,?,0000000E), ref: 04397FFD
PostMessageA.USER32(00000000,00000100,?,001E0001), ref: 043980DB
PostMessageA.USER32(00000000,00000101,?,001E0001), ref: 043980EE
PostMessageA.USER32(00000000,00000102,?,00000000), ref: 0439810A

Strings

Chrome Legacy Window, xrefs: 04397E22, 04397E3E
||-_-|-_-||, xrefs: 04397F70, 04397FC8, 0439800F, 0439804F, 04398090

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: MessagePostWindow$RectSleep$DesktopThread
String ID: Chrome Legacy Window$||-_-|-_-||
API String ID: 389509467-2894887002
Opcode ID: e5845b1dc9b6091a928f74d736797cefa7f2d5eeb71b463abf5935828800557e
Instruction ID: a50248508d9d46717b44ed354f6f0a50f485445df0055b18adbd0c3485df49f4
Opcode Fuzzy Hash: e5845b1dc9b6091a928f74d736797cefa7f2d5eeb71b463abf5935828800557e
Instruction Fuzzy Hash: 4AB1F834A102099FEF08FBA8C980E9EB7F9EF89304F606455E815B73A5DB34BD058B54

Function 04398F40 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000003,00000080,00000000,00000000,0439910A,?,?,00000000,00000000), ref: 04398FA4
ReadFile.KERNEL32(000000FF,04398896,00000000,?,00000000,00000000), ref: 04398FF3
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000001,00000000,00000000), ref: 04399032
SetFilePointer.KERNEL32(000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 0439904D
WriteFile.KERNEL32(000000FF,?,?,?,00000000,000000FF,?,00000000,00000000,000000FF,00000000,00000000,00000001,00000000,00000000), ref: 04399063
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,000000FF,04398896,00000000,?,00000000,00000000), ref: 04399085
WriteFile.KERNEL32(000000FF,?,00000000,?,00000000,000000FF,00000000,00000000,00000002,000000FF,04398896,00000000,?,00000000,00000000), ref: 043990A1
CloseHandle.KERNEL32(000000FF,043990E1,?,00000000,00000000), ref: 043990D4

Strings

darkgate, xrefs: 04398F80

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$Pointer$Write$CloseCreateHandleRead
String ID: darkgate
API String ID: 3484830659-757439335
Opcode ID: a7edb009cc5ace6f285389d0a2b778f865374a27d0348eba31496942d3e191fd
Instruction ID: 75e1197d8733b76714c39d8a4b824af354ae735ad76306a42071e1bbe9bfad5b
Opcode Fuzzy Hash: a7edb009cc5ace6f285389d0a2b778f865374a27d0348eba31496942d3e191fd
Instruction Fuzzy Hash: E7513AB1A00208AFEF14EBA8DC81FEEB7F8EF49714F505065E914F7290DA75B9408B65

Function 0436EDB4 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 179COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,0436F0D6,?,?,?,00000001,00000000,00000000,?,0436F17C,00000001), ref: 0436EE83

Strings

conhost.exe, xrefs: 0436EF5E
explorer, xrefs: 0436EEE0
proce, xrefs: 0436EFDC
veracrypt, xrefs: 0436F01B
vbc.exe, xrefs: 0436EF1F
lp.txt, xrefs: 0436EE03, 0436EE2D
update, xrefs: 0436EF9D

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: conhost.exe$explorer$lp.txt$proce$update$vbc.exe$veracrypt
API String ID: 2050909247-3686906338
Opcode ID: e7084f742d1498c34e999086d5197b6f4d86e9953de94634cbc16ee318802914
Instruction ID: c38f9481637ef2b661ba7e4f742e3d39d3467aa22b7288e823f2a66546df7123
Opcode Fuzzy Hash: e7084f742d1498c34e999086d5197b6f4d86e9953de94634cbc16ee318802914
Instruction Fuzzy Hash: 66711434A0021A8BEF24EB60DC80FDDB3B5EF45348F50A5E19945A7264EB70BEC58F81

Function 0057FA79 Relevance: 13.7, APIs: 9, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,?,00574221,00604098,00000008,00541BD8), ref: 0057FA7E
_free.LIBCMT ref: 0057FADB
_free.LIBCMT ref: 0057FB11
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00574221,00604098,00000008,00541BD8), ref: 0057FB1C
_free.LIBCMT ref: 0057FB86
_free.LIBCMT ref: 0057FBBA
GetLastError.KERNEL32(?,?,?,005724A8,0057F6B3,?,?), ref: 0057FBD5
_free.LIBCMT ref: 0057FC32
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,005724A8,0057F6B3,?,?), ref: 0057FC73

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 6cf9e4cece5a3685970701f798e750783ef9ce5f5dd7770f45f5b19cc01f0a0e
Instruction ID: 8d44fd8e0045666e90b577906d9da50a3e051f069e94c2014241d9afe37432ba
Opcode Fuzzy Hash: 6cf9e4cece5a3685970701f798e750783ef9ce5f5dd7770f45f5b19cc01f0a0e
Instruction Fuzzy Hash: 6E41F8366496162AC751B274FC5DE2F2E9ABBC13787258730F92D921E1DDA08C09A3A0

Function 0040319C Relevance: 12.6, APIs: 1, Strings: 6, Instructions: 362COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004033AF

Strings

40f-20a-20d, xrefs: 0040324C
50f-20a-20d, xrefs: 00403259
20c:20e, xrefs: 0040332E
50f, xrefs: 004031E3
-, xrefs: 004033CC
40f, xrefs: 004031D3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: -$20c:20e$40f$40f-20a-20d$50f$50f-20a-20d
API String ID: 885266447-3147171742
Opcode ID: 8845b97b23d10d55051bb46de6f7f821da7fa10b6d2a43d9c4ae76e3cfe20d86
Instruction ID: 122add596fd1467deb997ebfb6eaf8d71df5bb4de2e88c993e24e7a73a35223d
Opcode Fuzzy Hash: 8845b97b23d10d55051bb46de6f7f821da7fa10b6d2a43d9c4ae76e3cfe20d86
Instruction Fuzzy Hash: B1D14631E046099FCB15CF79C8446BEBBB9AF55315F14826FD805B72C2E7389A42CB84

Function 0435CDC8 Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 201threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000000,0435D093,?,?,00000000,00000000), ref: 0435CDFE

Part of subcall function 0435B4FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0435B51A

Strings

:mm, xrefs: 0435D031
AMPM, xrefs: 0435D012
m/d/yy, xrefs: 0435CECD
AMPM , xrefs: 0435D021
:mm:ss, xrefs: 0435D04E
mmmm d, yyyy, xrefs: 0435CEFA

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
API String ID: 4232894706-2493093252
Opcode ID: 246287c0862a3305e862732080e7e5481a5b167f1f7188cac430f45aefae7dfe
Instruction ID: a51d3f137220909ce155265c024290c297c99e21e00d830de8fd93339cbbb5a0
Opcode Fuzzy Hash: 246287c0862a3305e862732080e7e5481a5b167f1f7188cac430f45aefae7dfe
Instruction Fuzzy Hash: 0D613234B002445BFB09FBA4D840E9EB7B6DF98308F54B825AA01AB375C935F95A9B11

Function 043A1AF4 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 189COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,000000FE,00000BB8,00000BB8,00000000,00000000,00000001,00000001,00000000,00000000,043A1D8C,?,?,?,00000006,00000000), ref: 043A1C1F

Part of subcall function 04376DF0: Sleep.KERNEL32(000007D0,043758A5,00000000,0437591B,?,00000000,00000000,00000000,?,04375D0E,00000000), ref: 04376DF1

Part of subcall function 04372A18: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 04372A22

Part of subcall function 0437A244: GetCurrentProcessId.KERNEL32(043A8CD4,00000000,043A2AF0,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000,00000000,043A33FC,?,043A33FC), ref: 0437A24C
Part of subcall function 0437A244: OpenProcess.KERNEL32(00000001,00000000,00000000,00000000,043A8CD4,00000000,043A2AF0,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?,00000000), ref: 0437A25C
Part of subcall function 0437A244: TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000,043A8CD4,00000000,043A2AF0,00000000,?,|||,043A8E8C,043A33FC,?,043A33FC,?), ref: 0437A262

Strings

||-_-|-_-||, xrefs: 043A1B48
NetPass, xrefs: 043A1BE5
Network Password Recovery, xrefs: 043A1BE0
xmr, xrefs: 043A1BAB, 043A1C2F, 043A1CB4, 043A1D19
c:\temp\data.txt, xrefs: 043A1C91, 043A1C9F, 043A1CF8, 043A1D2E, 043A1D38
SysListView32, xrefs: 043A1C50

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$CurrentMessageOpenSendSleepTerminateWindow
String ID: NetPass$Network Password Recovery$SysListView32$c:\temp\data.txt$xmr$||-_-|-_-||
API String ID: 673132420-1552625522
Opcode ID: 586fb87d514240fbc0b2aa09beb9a3a5f9d0fedff4318ce581e5821e4ceb4354
Instruction ID: 0c9c25e38542fc248119816ce389bda04360009afb55fee999a2597e19d9106a
Opcode Fuzzy Hash: 586fb87d514240fbc0b2aa09beb9a3a5f9d0fedff4318ce581e5821e4ceb4354
Instruction Fuzzy Hash: 57610B38A401099BFB14FBA4D891BEEB3B5EF44208F607161E850B72A4DB68FD558B51

Function 0051E990 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetThreatHistoryA), ref: 0051E9E1
GetProcAddress.KERNEL32(00000000,QHFreeThreatHistoryListA), ref: 0051E9EF
FreeLibrary.KERNEL32(00000000), ref: 0051EB69

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051EB1D
FreeLibrary.KERNEL32(00000000), ref: 0051EB47

Strings

QHGetThreatHistoryA, xrefs: 0051E9DB
QHFreeThreatHistoryListA, xrefs: 0051E9E7

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressProc$Installed@4
String ID: QHFreeThreatHistoryListA$QHGetThreatHistoryA
API String ID: 3883472684-2418057661
Opcode ID: e2bebbe4e58748379b267894a4cd4aa79dc46e0c26c1dc581d537c47e1988541
Instruction ID: 028db0f94f810612de539a8f5c0dab742c3f4eaca65c0cf521befc5c703f5a6b
Opcode Fuzzy Hash: e2bebbe4e58748379b267894a4cd4aa79dc46e0c26c1dc581d537c47e1988541
Instruction Fuzzy Hash: 54512935A002599BEF11CF65C4897EABFB4FF56310F0842E9DC55AB241DB319D89C7A0

Function 04360EEC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 04360F85
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 04360FA1
SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 04360FDA
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 04361066
SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 04361085
VariantCopy.OLEAUT32(?), ref: 043610BA

Strings

, xrefs: 04360F06

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ArraySafe$BoundIndex$CopyCreateVariant
String ID:
API String ID: 351091851-3916222277
Opcode ID: b84fe29cd4d480a9c3ffe91f73c65992df76025236a81c4a997d058fd3395255
Instruction ID: a436a8a415cf3ab325c251a047186adaf440f7549d1f175233e04a17efbcde5c
Opcode Fuzzy Hash: b84fe29cd4d480a9c3ffe91f73c65992df76025236a81c4a997d058fd3395255
Instruction Fuzzy Hash: 6B510775A0062A9BDF66DF58C880BC9B3FCAF4C204F0091E9A949E7215D630BF858F60

Function 0051EB80 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetThreatHistoryW), ref: 0051EBD3
GetProcAddress.KERNEL32(00000000,QHFreeThreatHistoryListW), ref: 0051EBE2
FreeLibrary.KERNEL32(00000000), ref: 0051ECE6

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051EC9C
FreeLibrary.KERNEL32(00000000), ref: 0051ECC4

Strings

QHGetThreatHistoryW, xrefs: 0051EBCD
QHFreeThreatHistoryListW, xrefs: 0051EBD9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressProc$Installed@4
String ID: QHFreeThreatHistoryListW$QHGetThreatHistoryW
API String ID: 3883472684-3643605958
Opcode ID: 8576ce66182b06a46858d6f1679396beaa7fc2d77573e0f156d4bad6a030ec4c
Instruction ID: 7f5282694f998b6b54394c00e9402cfe9fffe7d0c76be69997ea2a75be6f11be
Opcode Fuzzy Hash: 8576ce66182b06a46858d6f1679396beaa7fc2d77573e0f156d4bad6a030ec4c
Instruction Fuzzy Hash: 7A41D276A00219ABEB10DF95D885BEEBBB8FF95314F00416AED0567201DB719EC58BE0

Function 0437FC84 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122fileCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,000009EC,00000000), ref: 0437FD26
MulDiv.KERNEL32(?,000009EC,00000000), ref: 0437FD43
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0437FD6F
GetEnhMetaFileHeader.GDI32(00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC,00000000), ref: 0437FD8F
DeleteEnhMetaFile.GDI32(00000016), ref: 0437FDB0
SetWinMetaFileBits.GDI32(00000016,?,00000000,00000008,00000016,00000064,?,00000016,?,00000000,00000008,?,000009EC,00000000,?,000009EC), ref: 0437FDC3

Strings

`, xrefs: 0437FD0B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileMeta$Bits$DeleteHeader
String ID: `
API String ID: 1990453761-2679148245
Opcode ID: 2df6e098d9c0a0184e9dacc0f7f16b9b0c65f36cee7e82744c838b2d55997bc3
Instruction ID: 6b12ca9d731e0278b11a6b2df16a04d9cd4bcdba573f0f79082b83295bd0ff2d
Opcode Fuzzy Hash: 2df6e098d9c0a0184e9dacc0f7f16b9b0c65f36cee7e82744c838b2d55997bc3
Instruction Fuzzy Hash: 97410D75E00208EFDB50DFA8C885AAEB7F9FF48710F509455E948EB254E738AD44CB64

Function 043540F8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 38filewindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001E,?,00000000,?,043541C2,?,?,?,?,00000002,0435426E,04352AF7,04352B3F), ref: 04354131
WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,043541C2,?,?,?,?,00000002,0435426E,04352AF7,04352B3F), ref: 04354137
GetStdHandle.KERNEL32(000000F5,04354180,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,043541C2), ref: 0435414C
WriteFile.KERNEL32(00000000,000000F5,04354180,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001E,?,00000000,?,043541C2), ref: 04354152
MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 04354170

Strings

Runtime error at 00000000, xrefs: 0435412A, 04354169
Error, xrefs: 04354164

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileHandleWrite$Message
String ID: Error$Runtime error at 00000000
API String ID: 1570097196-2970929446
Opcode ID: b4821e4d7ed622990003ab6400f8c9e5889f3587d24bd04a9383df0431a2e693
Instruction ID: 60a62d3de4c03bb4416db5db3457f4661af120a8f3f640cd6f25757ebffe8482
Opcode Fuzzy Hash: b4821e4d7ed622990003ab6400f8c9e5889f3587d24bd04a9383df0431a2e693
Instruction Fuzzy Hash: E6F02B64EC430435FE28F7A05C05FBA275CCB25B18F103745F930980E293B87AD08A21

Function 0437DF18 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000), ref: 0437DF46
73A14620.GDI32(?,00000068,00000000,0437E015,?,00000000), ref: 0437DF62
73A3E680.GDI32(?,00000000,00000008,?,?,00000068,00000000,0437E015,?,00000000), ref: 0437DF81
73A3E680.GDI32(?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0437E015,?,00000000), ref: 0437DFA5
73A3E680.GDI32(?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?,?,00000068,00000000,0437E015), ref: 0437DFC3
73A3E680.GDI32(?,00000007,00000001,?,?,00000000,00000007,?,?,-00000008,00000001,00C0C0C0,?,00000000,00000008,?), ref: 0437DFD7
73A3E680.GDI32(?,00000000,00000008,?,?,00000000,00000008,?,?,00000068,00000000,0437E015,?,00000000), ref: 0437DFF7
73A0A480.USER32(00000000,?,0437E01C,0437E015,?,00000000), ref: 0437E00F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: E680$A14620A480A570
String ID:
API String ID: 738967622-0
Opcode ID: 581fecf2c2d693170726d8109dc94bd92fd4bfa7c001ada0e915ba5f2b966122
Instruction ID: f82cea383201a7e565e9fadddb4fa1eef8650546a9d3c954239d28bc86031dc1
Opcode Fuzzy Hash: 581fecf2c2d693170726d8109dc94bd92fd4bfa7c001ada0e915ba5f2b966122
Instruction Fuzzy Hash: 652153B1A40218ABEB50DBA5CD85FAE73BCEF48708F901491FB48E7590D675BE40DB24

Function 043790B8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153processsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 04354E54: SysAllocStringLen.OLEAUT32(?,?), ref: 04354E62

CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,0437928C,?,00000000), ref: 0437919E
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 043791DB
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,0437928C,?,00000000), ref: 04379214
CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 0437924C
WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,0437928C,?,00000000), ref: 0437925F

Strings

D, xrefs: 04379155

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CreateProcess$AllocObjectSingleStringWait
String ID: D
API String ID: 3271426801-2746444292
Opcode ID: 714660fc00cd821c73df12ca67a502614fc9b06d9e9fb8e4e969a6aafdebc8ca
Instruction ID: 906f9bc20f34162317f0dae8cb8dd28986a9e4f71ba3410b5f6d672f616d7370
Opcode Fuzzy Hash: 714660fc00cd821c73df12ca67a502614fc9b06d9e9fb8e4e969a6aafdebc8ca
Instruction Fuzzy Hash: CF510AB0A4430CAEEB14EBA4CC81FDEB7B9AF44714F605265E914BB2A0D774BA458B14

Function 0439821C Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000064,00000000,0439838E,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 043982F0
Sleep.KERNEL32(000001F4,?,||-_-|-_-||,?,00000064,00000000,0439838E,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04398359

Strings

Google, xrefs: 04398273
dark, xrefs: 04398248
BraveSoftware, xrefs: 043982A0
Microsoft\Edge, xrefs: 043982CD
||-_-|-_-||, xrefs: 04398321

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: BraveSoftware$Google$Microsoft\Edge$dark$||-_-|-_-||
API String ID: 3472027048-3484757196
Opcode ID: 94fa11ba6f80e777726aaaec31031d0dc34ce2acbcf64126caf9402c28a46e16
Instruction ID: d271ad908216441b7d0ff6628f3711dc11cff630220c9848c061b27e44cdfaa0
Opcode Fuzzy Hash: 94fa11ba6f80e777726aaaec31031d0dc34ce2acbcf64126caf9402c28a46e16
Instruction Fuzzy Hash: 94315238A641069FFB0CFBA4D880E6E77E6EF9A20CF1075159940A7750D738FD528B51

Function 04380238 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,?,000009EC), ref: 0438028A
MulDiv.KERNEL32(?,?,000009EC), ref: 043802A1
73A0A570.USER32(00000000,?,?,000009EC,?,?,000009EC), ref: 043802B8
GetWinMetaFileBits.GDI32(?,00000000,00000000,00000008,?,00000000,04380373,?,00000000,?,?,000009EC,?,?,000009EC), ref: 043802DC
GetWinMetaFileBits.GDI32(?,?,?,00000008,?,00000000,04380353,?,?,00000000,00000000,00000008,?,00000000,04380373), ref: 0438030F

Strings

`, xrefs: 04380270

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: BitsFileMeta$A570
String ID: `
API String ID: 2497453717-2679148245
Opcode ID: 9f68e04a6e6b9d3323e2a7ef59cd8707ee959339378e3288e559879f7924deb5
Instruction ID: 30a20d2c4b10501bdb4de2d53e31b564b46b6c2b1f13f65376b0be9acd19dd40
Opcode Fuzzy Hash: 9f68e04a6e6b9d3323e2a7ef59cd8707ee959339378e3288e559879f7924deb5
Instruction Fuzzy Hash: D7316375A00308ABEB45EFE4C882EAEB7B8EF0D704F515095F944EB250D674BE40DBA5

Function 0057FEB6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 0057FF21
api-ms-, xrefs: 0057FF0D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 2390db857c280cd6086a89409d94cfa5abc2074283de882d79655b6ffa12a0bc
Instruction ID: e00eced4e36c56f7580460c1414d26ace4416c2207e0aadceceaa5081dcf438d
Opcode Fuzzy Hash: 2390db857c280cd6086a89409d94cfa5abc2074283de882d79655b6ffa12a0bc
Instruction Fuzzy Hash: AB21D831A05221ABCB31DB65AC84A6A3F58BB12B60F158571FC1DA7191DE70ED00E7E0

Function 043808BC Relevance: 10.6, APIs: 7, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 0437E16C: GetObjectA.GDI32(?,00000004), ref: 0437E183
Part of subcall function 0437E16C: 73A16AA0.GDI32(?,00000000,?,?,?,00000004,?,000000FF,?,?,?,043808F2), ref: 0437E1A6

73A0A570.USER32(00000000), ref: 043808FA
73A14C40.GDI32(?,00000000), ref: 04380906
SelectObject.GDI32(?), ref: 04380913
SetDIBColorTable.GDI32(?,00000000,00000000,?,00000000,0438096B,?,?,?,?,00000000), ref: 04380937
SelectObject.GDI32(?,?), ref: 04380951
DeleteDC.GDI32(?), ref: 0438095A
73A0A480.USER32(00000000,?,?,?,?,04380972,?,00000000,0438096B,?,?,?,?,00000000), ref: 04380965

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Object$Select$A480A570ColorDeleteTable
String ID:
API String ID: 1916549171-0
Opcode ID: 1546049f6f39da38f4b5f0aa405fd45bbfddb25a3b3f10367372ef06638eb20e
Instruction ID: 699d043911b7cf3ca2f2091e262c0ff9c395aa4c94372e5d3861619199e898bb
Opcode Fuzzy Hash: 1546049f6f39da38f4b5f0aa405fd45bbfddb25a3b3f10367372ef06638eb20e
Instruction Fuzzy Hash: 02114676E047186BEB14EFE4CC52EAEB7FCEF09704F8154A5EA18E7260D674AD408B50

Function 00583022 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00582D6E: _free.LIBCMT ref: 00582D93

_free.LIBCMT ref: 00583070

Part of subcall function 0057DC3C: HeapFree.KERNEL32(00000000,00000000,?,00582D98,005724A8,00000000,005724A8,?,?,0058303B,005724A8,00000007,005724A8,?,0058369C,005724A8), ref: 0057DC52
Part of subcall function 0057DC3C: GetLastError.KERNEL32(005724A8,?,00582D98,005724A8,00000000,005724A8,?,?,0058303B,005724A8,00000007,005724A8,?,0058369C,005724A8,005724A8), ref: 0057DC64

_free.LIBCMT ref: 0058307B
_free.LIBCMT ref: 00583086
_free.LIBCMT ref: 005830DA
_free.LIBCMT ref: 005830E5
_free.LIBCMT ref: 005830F0
_free.LIBCMT ref: 005830FB

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2c1eddaff3a956912c90c3e3f47fcc89674c5b7d8f46e44a74a7fc2304d6aa06
Instruction ID: eb4cc7b4755537b39caa930b4ef133aa6702194a5a2eb74b0c5706bb49a022a1
Opcode Fuzzy Hash: 2c1eddaff3a956912c90c3e3f47fcc89674c5b7d8f46e44a74a7fc2304d6aa06
Instruction Fuzzy Hash: 53113D71541B09AADA31BBB0DD0BFCF7FAC7F80700F808815BA9D77053DA65A9069791

Function 0439B494 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(WS2_32.DLL,00000000,0439B561), ref: 0439B4C3
GetLastError.KERNEL32(WS2_32.DLL,00000000,0439B561), ref: 0439B4D6

Part of subcall function 043563D8: LoadStringA.USER32(00000000,0000FFF0,?,00001000), ref: 0435640A

GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 0439B527

Strings

WS2_32.DLL, xrefs: 0439B4F1
WS2_32.DLL, xrefs: 0439B4BE
WSAStartup, xrefs: 0439B51C

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Load$AddressErrorLastLibraryProcString
String ID: WS2_32.DLL$WS2_32.DLL$WSAStartup
API String ID: 607613470-1314211545
Opcode ID: 49b17879cc29f80e6ec712b169d29e96b1237e86d015c5c97de2858500ce0abc
Instruction ID: 9434cb6751da62c67f041f011f8f9a1d08b00659e5b17572343996497005037e
Opcode Fuzzy Hash: 49b17879cc29f80e6ec712b169d29e96b1237e86d015c5c97de2858500ce0abc
Instruction Fuzzy Hash: 79215EB5A44208EFEB40EFA4E885AAEB7FCFB0C314F506565E844E7250D678BE108F50

Function 04378BB4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

ShellExecuteEx.SHELL32(0000003C), ref: 04378C1B
Sleep.KERNEL32(00000001), ref: 04378C26
GetExitCodeProcess.KERNEL32(?,?), ref: 04378C33
CloseHandle.KERNEL32(?,00000001), ref: 04378C52

Strings

@, xrefs: 04378BE4
<, xrefs: 04378BDD

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CloseCodeExecuteExitHandleProcessShellSleep
String ID: <$@
API String ID: 2207808342-1426351568
Opcode ID: cecf155c9428d1685ee36016efcb36827d6faf5af1db03ed4ee72dd3443db119
Instruction ID: b780eb66b79ac2231571a29742187ef2f572bb9026453da92eacf5a4147527e8
Opcode Fuzzy Hash: cecf155c9428d1685ee36016efcb36827d6faf5af1db03ed4ee72dd3443db119
Instruction Fuzzy Hash: 02115171D0120CAFDB54EFE9D884ADEFBF8EF08314F50512AA958E7260E734AA45CB50

Function 0435BC00 Relevance: 10.6, APIs: 7, Instructions: 56filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0435BA68: VirtualQuery.KERNEL32(?,?,0000001C), ref: 0435BA84
Part of subcall function 0435BA68: GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0435BAA8
Part of subcall function 0435BA68: GetModuleFileNameA.KERNEL32(04350000,?,00000105), ref: 0435BAC3
Part of subcall function 0435BA68: LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0435BB67

CharToOemA.USER32(?,?), ref: 0435BC37
GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,?,?), ref: 0435BC54
WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0435BC5A
GetStdHandle.KERNEL32(000000F4,0435BCC4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0435BC6F
WriteFile.KERNEL32(00000000,000000F4,0435BCC4,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,?,?), ref: 0435BC75
LoadStringA.USER32(00000000,0000FFEB,?,00000040), ref: 0435BC97
MessageBoxA.USER32(00000000,?,?,00002010), ref: 0435BCAD

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$HandleLoadModuleNameStringWrite$CharMessageQueryVirtual
String ID:
API String ID: 185507032-0
Opcode ID: 6debd2e08e483bc018a83f6747e11e70aa54eafc58b2e1dba4458fa4d12c193f
Instruction ID: 8a374e195814cb609a40b2d0d324c7ed8d533378d2b66f175373a6c25f93a890
Opcode Fuzzy Hash: 6debd2e08e483bc018a83f6747e11e70aa54eafc58b2e1dba4458fa4d12c193f
Instruction Fuzzy Hash: C61170B2544200BEE300E7A4CD82F9FB7ECAF44704F806916BB58D60F0DA74F9148B26

Function 0437365C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(ntdll.dll), ref: 04373665
GetProcAddress.KERNEL32(00000000,RtlAdjustPrivilege), ref: 04373676
GetProcAddress.KERNEL32(00000000,NtRaiseHardError), ref: 04373685

Strings

RtlAdjustPrivilege, xrefs: 04373670
ntdll.dll, xrefs: 04373660
NtRaiseHardError, xrefs: 0437367F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtRaiseHardError$RtlAdjustPrivilege$ntdll.dll
API String ID: 2238633743-3189222469
Opcode ID: c05c69eb159c08272320d479fcc74d8535e280ab70fb541c91e987e2d8f12cc1
Instruction ID: 8a023e47f41095574b942e225bee66006942f492d33be267e53504b881f33fe9
Opcode Fuzzy Hash: c05c69eb159c08272320d479fcc74d8535e280ab70fb541c91e987e2d8f12cc1
Instruction Fuzzy Hash: A5F05E712843017BF6316B608CC7F5B76989F40B55F20A829FEC8692E0C6B9B054EE5A

Function 0041CDE0 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C0000006,00000000,00000003,?,?), ref: 0041CE51
__allrem.LIBCMT ref: 0041D15E

Strings

database corruption, xrefs: 0041CF88
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0041CF7E
%s at line %d of [%.10s], xrefs: 0041CF8D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: ExceptionRaise__allrem
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 2880153322-2528248365
Opcode ID: 223d4b543a97b696b87e65d83af13528f0ed88c7690a9b9784d8109eba9699c7
Instruction ID: 1150da6ff40c845a68603ed967cd7250fecb1372b55039fbaeab01007cec1348
Opcode Fuzzy Hash: 223d4b543a97b696b87e65d83af13528f0ed88c7690a9b9784d8109eba9699c7
Instruction Fuzzy Hash: EB025DB1E00619ABDF14CF99D885BEEBBB1BF48304F04416AE815AB341D778EC95CB94

Function 04369ECC Relevance: 9.1, APIs: 6, Instructions: 109threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 04369ED7
GetCurrentThreadId.KERNEL32 ref: 04369EE6

Part of subcall function 04369E80: ResetEvent.KERNEL32(000001FC,04369F21), ref: 04369E86

RtlEnterCriticalSection.KERNEL32(043A88C4), ref: 04369F2B
InterlockedExchange.KERNEL32(043A5444,?), ref: 04369F47
RtlLeaveCriticalSection.KERNEL32(043A88C4,00000000,0436A03B,?,00000000,0436A05A,?,043A88C4), ref: 04369FA0
RtlEnterCriticalSection.KERNEL32(043A88C4,0436A00C,0436A03B,?,00000000,0436A05A,?,043A88C4), ref: 04369FFF

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentEnterThread$EventExchangeInterlockedLeaveReset
String ID:
API String ID: 2189153385-0
Opcode ID: 39315c35f5eeba290b058ccecf68e0549a52cf994b03fee2ea763cecb36661e2
Instruction ID: 611dbbc1a59156e3b4d96593eb7119b18f280c24b60a85595007fa73407c8db0
Opcode Fuzzy Hash: 39315c35f5eeba290b058ccecf68e0549a52cf994b03fee2ea763cecb36661e2
Instruction Fuzzy Hash: B231F270B04645AFE701EFA4C851E6AB7F8EF49704F52E4A5E8029B664D7347C14CE20

Function 0436D354 Relevance: 9.1, APIs: 6, Instructions: 106filewindowCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0436D370
MessageBoxA.USER32(00000000,0436D48C,0436D488,00000000), ref: 0436D38A
GetFileSize.KERNEL32(00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0436D392
ReadFile.KERNEL32(00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0436D3B4
MessageBoxA.USER32(00000000,0436D490,0436D488,00000000), ref: 0436D3CB
CloseHandle.KERNEL32(00000000,00000000,00000000,00000003,00000003,00000000,00000000,00000000,00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0436D475

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$Message$CloseCreateHandleReadSize
String ID:
API String ID: 2324011479-0
Opcode ID: b6eab574dde9fdefa35c06657f4dca12e8b122bf4e7813e15142886542e31284
Instruction ID: 763c914eab024a50dd101e26a5971856c94a8b5fbc206bc620f17b047d690af0
Opcode Fuzzy Hash: b6eab574dde9fdefa35c06657f4dca12e8b122bf4e7813e15142886542e31284
Instruction Fuzzy Hash: 2F311674344301ABE340EF19DC81F1AB3E5EF88A14F509928B9999B395DA70FC048B61

Function 0437E420 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 0437E46E
GetSystemMetrics.USER32(0000000C), ref: 0437E47A
73A0A570.USER32(00000000), ref: 0437E496
73A14620.GDI32(00000000,0000000E,00000000,0437E509,?,00000000), ref: 0437E4BD
73A14620.GDI32(00000000,0000000C,00000000,0000000E,00000000,0437E509,?,00000000), ref: 0437E4CA
73A0A480.USER32(00000000,00000000,0437E510,0000000E,00000000,0437E509,?,00000000), ref: 0437E503

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620MetricsSystem$A480A570
String ID:
API String ID: 1130675633-0
Opcode ID: f430b67996588c5237c0d04225693342878e3ddf821d96f5d4cbb8e89a47b94b
Instruction ID: 0291bcd6e12a877f159c455a0f0613c2bd1a6b0eb5a8326957c778cd73ae5bda
Opcode Fuzzy Hash: f430b67996588c5237c0d04225693342878e3ddf821d96f5d4cbb8e89a47b94b
Instruction Fuzzy Hash: 64315274A00208EFEB10DFA4C882EAEBBF5FF49714F509565E858AB794D634AD40CF61

Function 0436A340 Relevance: 9.1, APIs: 6, Instructions: 73synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0436A34A
CreateEventA.KERNEL32(00000000,000000FF,00000000,00000000), ref: 0436A36F
RtlEnterCriticalSection.KERNEL32(043A88C4,00000000,0436A462,?,00000000,000000FF,00000000,00000000), ref: 0436A38A
RtlLeaveCriticalSection.KERNEL32(043A88C4,00000000,0436A444,?,043A88C4,00000000,0436A462,?,00000000,000000FF,00000000,00000000), ref: 0436A3EF
WaitForSingleObject.KERNEL32(?,000000FF,00000000,0436A425,?,043A88C4,00000000,0436A444,?,043A88C4,00000000,0436A462,?,00000000,000000FF,00000000), ref: 0436A408
RtlEnterCriticalSection.KERNEL32(043A88C4,0436A42C,0436A425,?,043A88C4,00000000,0436A444,?,043A88C4,00000000,0436A462,?,00000000,000000FF,00000000,00000000), ref: 0436A41F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CriticalSection$Enter$CreateCurrentEventLeaveObjectSingleThreadWait
String ID:
API String ID: 1504017990-0
Opcode ID: 8d0249a03dc1fb1cd625a04c3912b7f1d3d3ef8198b346965a1a3eb0334d4edc
Instruction ID: aab2248727144b8c44fcbe731ab4ff57e0d5b1a732fd098d2783d85dc3624c4d
Opcode Fuzzy Hash: 8d0249a03dc1fb1cd625a04c3912b7f1d3d3ef8198b346965a1a3eb0334d4edc
Instruction Fuzzy Hash: 9821C130A40645AFD711EF64CC46E1DB7B8EF0A714FA1A561FC05A7AA4C678BC20CE51

Function 04351C18 Relevance: 9.1, APIs: 6, Instructions: 72COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.KERNEL32(043A85CC,00000000,04351D0C), ref: 04351C47
LocalFree.KERNEL32(02837CE8,00000000,04351D0C), ref: 04351C59
VirtualFree.KERNEL32(?,00000000,00008000,02837CE8,00000000,04351D0C), ref: 04351C7D
LocalFree.KERNEL32(00000000,?,00000000,00008000,02837CE8,00000000,04351D0C), ref: 04351CCE
RtlLeaveCriticalSection.KERNEL32(043A85CC,04351D13,02837CE8,00000000,04351D0C), ref: 04351CFC
RtlDeleteCriticalSection.KERNEL32(043A85CC,04351D13,02837CE8,00000000,04351D0C), ref: 04351D06

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CriticalFreeSection$Local$DeleteEnterLeaveVirtual
String ID:
API String ID: 3782394904-0
Opcode ID: b0742fa6adcba964cdf78ac51b95f2fca9dbb7d6907a62d7a0e336ac20b978c2
Instruction ID: de56e470787f67c6ae7220a11620cc0e5da07233ee6137d4032a83a03935c4c9
Opcode Fuzzy Hash: b0742fa6adcba964cdf78ac51b95f2fca9dbb7d6907a62d7a0e336ac20b978c2
Instruction Fuzzy Hash: 0E216B74E84604AFEB58FBA8D954F6D7BE8EB09304F102496EC40936A0E238BD60DF14

Function 0437E8A4 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0437E75C: GetObjectA.GDI32(?,00000054), ref: 0437E770

73A14C40.GDI32(00000000), ref: 0437E8C6
73A08830.GDI32(?,?,00000000,00000000,0437E941,?,00000000), ref: 0437E8E7
73A022A0.GDI32(?,?,?,00000000,00000000,0437E941,?,00000000), ref: 0437E8F3
GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 0437E90A
73A08830.GDI32(?,00000000,00000000,0437E948,?,00000000), ref: 0437E932
DeleteDC.GDI32(?), ref: 0437E93B

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A08830$A022BitsDeleteObject
String ID:
API String ID: 36482767-0
Opcode ID: e69a711ae72bbdf6fdf40ce735e615b210c3a60585f1242e522bf285961df471
Instruction ID: ea64b2d61d9c792c90700eb0dd263dd99adeffd6b6c45376e9a7647bf21bf496
Opcode Fuzzy Hash: e69a711ae72bbdf6fdf40ce735e615b210c3a60585f1242e522bf285961df471
Instruction Fuzzy Hash: 22114275A042047BEB10DBA98C52F5FB7ECDF49710F5080A5F918E7250D678A900C760

Function 0437E0C8 Relevance: 9.1, APIs: 6, Instructions: 55COMMON

Download Yara Rule

APIs

73A14C40.GDI32(00000000,00000000,?,?,04381BEB,?,?,?,?,04380757,00000000,043807E3), ref: 0437E0E1
SelectObject.GDI32(00000000,00000000), ref: 0437E0EA
GetDIBColorTable.GDI32(00000000,00000000,00000100,?,00000000,00000000,00000000,00000000,?,?,04381BEB,?,?,?,?,04380757), ref: 0437E0FE
SelectObject.GDI32(00000000,00000000), ref: 0437E10A
DeleteDC.GDI32(00000000), ref: 0437E110
73A16750.GDI32(?,00000000,?,?,04381BEB,?,?,?,?,04380757,00000000,043807E3), ref: 0437E156

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ObjectSelect$A16750ColorDeleteTable
String ID:
API String ID: 3250964630-0
Opcode ID: 1d77ad448e25c48c6c336f3b71520cbf35f0e00ab0eee007a8ea6dcb1825cf89
Instruction ID: efeb160895448067dce6d10ba7b81176780fcc0f09f76b72a2c7c3a9b641449d
Opcode Fuzzy Hash: 1d77ad448e25c48c6c336f3b71520cbf35f0e00ab0eee007a8ea6dcb1825cf89
Instruction Fuzzy Hash: FF01527160831062F624676ACC43F6F72F89FC1798F44E859B9DD97290E678E8448392

Function 0437D7A0 Relevance: 9.0, APIs: 6, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0437D1EC: CreateBrushIndirect.GDI32(?), ref: 0437D296

UnrealizeObject.GDI32(00000000), ref: 0437D7AC
SelectObject.GDI32(?,00000000), ref: 0437D7BE
SetBkColor.GDI32(?,00000000), ref: 0437D7E1
SetBkMode.GDI32(?,00000002), ref: 0437D7EC
SetBkColor.GDI32(?,00000000), ref: 0437D807
SetBkMode.GDI32(?,00000001), ref: 0437D812

Part of subcall function 0437C628: GetSysColor.USER32(8B0437D5), ref: 0437C632

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Color$ModeObject$BrushCreateIndirectSelectUnrealize
String ID:
API String ID: 3527656728-0
Opcode ID: de0ee8b9474632cca31eaaac4631d21760cfbbf1c1e010ced98f08f156b00157
Instruction ID: c496f08df13610da984e735cdf37feed4632a366865922f7b23b275027b9e342
Opcode Fuzzy Hash: de0ee8b9474632cca31eaaac4631d21760cfbbf1c1e010ced98f08f156b00157
Instruction Fuzzy Hash: 48F09CB56011009BFF54FFB8DEC6E0B7BACAF0920A7447490B958DF166CA69F8108731

Function 04373A30 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 04373AE7
GetCurrentProcessId.KERNEL32(001F0FFF,00000000,?), ref: 04373B14
CloseHandle.KERNEL32(?,001F0FFF,00000000,?), ref: 04373BEF

Strings

norton, xrefs: 04373B81
IsWow64Process, xrefs: 04373A92

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentHandleOpen
String ID: IsWow64Process$norton
API String ID: 2750122171-2964445548
Opcode ID: b282a2f289d0f9c67350e7f7723acba495da71b263fb3de747ff856677f3d4cb
Instruction ID: 63318b02a5a56d5b96a7252ff1103989927f3e8bec6a4574cbf9f17012dcd600
Opcode Fuzzy Hash: b282a2f289d0f9c67350e7f7723acba495da71b263fb3de747ff856677f3d4cb
Instruction Fuzzy Hash: 7A513C70E006599FEB60EF68C884B9EB7F5EF48304F1094A5D849E7260EB34AE84DF51

Function 04382724 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000), ref: 043827E1
CreateHalftonePalette.GDI32(00000000,00000000), ref: 043827EE
73A0A480.USER32(00000000,00000000,00000000,00000000), ref: 043827FD
DeleteObject.GDI32(00000000), ref: 0438286B

Strings

(, xrefs: 04382797

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A480A570CreateDeleteHalftoneObjectPalette
String ID: (
API String ID: 1033627753-3887548279
Opcode ID: 245f70a24fe68d326098d32d21d8029015585ed37db9b0c039e467d5d78e9ff8
Instruction ID: 64c0a09c7f4a352dad5c8325ac7dc26422e3231a17cebd918ab2b76d397efaad
Opcode Fuzzy Hash: 245f70a24fe68d326098d32d21d8029015585ed37db9b0c039e467d5d78e9ff8
Instruction Fuzzy Hash: BC417F70A04708EFDF14EFA9C445B9EFBF6EF49304F4450A9E804A7351D674AA45DB81

Function 0439EB54 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 105sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(0000000A,00000001,00000000,00000000,0439EC90), ref: 0439EC08
OpenProcess.KERNEL32(00000001,00000000,00000000,00000000), ref: 0439EC62
TerminateProcess.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 0439EC68

Strings

cmd.exe , xrefs: 0439EBAF
SysListView32, xrefs: 0439EC1F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$OpenSleepTerminate
String ID: SysListView32$cmd.exe
API String ID: 3651790450-1829564397
Opcode ID: b53d6b7251fd7bd0edb0f9d27659dc639ada2da9fa4a22e6770e571fd516b9f0
Instruction ID: a38a5b4c5146af76e9d25a0d21169ed8456dd45330bdb0f1c6313dfb2d46adfa
Opcode Fuzzy Hash: b53d6b7251fd7bd0edb0f9d27659dc639ada2da9fa4a22e6770e571fd516b9f0
Instruction Fuzzy Hash: DC315030B00205AFFB15EBA4CC81B9EB7F4AF44714F50A575EC18AB2A0DB74BE418A40

Function 04351B40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlInitializeCriticalSection.KERNEL32(043A85CC,00000000,o ,?,?,?,04352566), ref: 04351B57
RtlEnterCriticalSection.KERNEL32(043A85CC,043A85CC,00000000,o ,?,?,?,04352566), ref: 04351B6A
LocalAlloc.KERNEL32(00000000,00000FF8,043A85CC,00000000,o ,?,?,?,04352566), ref: 04351B94
RtlLeaveCriticalSection.KERNEL32(043A85CC,04351C0F,00000000,o ,?,?,?,04352566), ref: 04351C02

Strings

o , xrefs: 04351B47

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CriticalSection$AllocEnterInitializeLeaveLocal
String ID: o
API String ID: 730355536-1027261244
Opcode ID: 3a3be32a3a3950615176d2fa61d69cbc552f2a934fcdaef0a00b5ae153fc4347
Instruction ID: fb082f9a9fb3db0d95f79a3273349369f520c38a02385825a38448e4a41364f0
Opcode Fuzzy Hash: 3a3be32a3a3950615176d2fa61d69cbc552f2a934fcdaef0a00b5ae153fc4347
Instruction Fuzzy Hash: 9D118BB4E84240ABFB1DFB589514F2D7BE4EB49304F18B4A9E840976A0D678AD608E54

Function 04353458 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 49registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 0435347A
RegQueryValueExA.ADVAPI32(?,FPUMaskValue,00000000,00000000,?,00000004,00000000,043534C9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 043534AD
RegCloseKey.ADVAPI32(?,043534D0,00000000,?,00000004,00000000,043534C9,?,80000002,SOFTWARE\Borland\Delphi\RTL,00000000,00000001,?), ref: 043534C3

Strings

FPUMaskValue, xrefs: 043534A4
SOFTWARE\Borland\Delphi\RTL, xrefs: 04353470

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: FPUMaskValue$SOFTWARE\Borland\Delphi\RTL
API String ID: 3677997916-4173385793
Opcode ID: 3f238c1ac020080f081b0bd93f3a8090a3b3b17fd85f4cb53b9f66f752e4ce83
Instruction ID: 3a1cec20fb130f28c61f4c0bb1748fef864b367180b52ed68dd4c295a9722156
Opcode Fuzzy Hash: 3f238c1ac020080f081b0bd93f3a8090a3b3b17fd85f4cb53b9f66f752e4ce83
Instruction Fuzzy Hash: D4015279A50208BAEB11DFD0DD42FBD77ACDB08B04F511462FE04D7590E6756910CA98

Function 0057C0F9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,0057C0AB,0057FB35,?,0057C073,00000008,00604098,0057FB35), ref: 0057C10E
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0057C121
FreeLibrary.KERNEL32(00000000,?,?,0057C0AB,0057FB35,?,0057C073,00000008,00604098,0057FB35), ref: 0057C144

Strings

CorExitProcess, xrefs: 0057C119
mscoree.dll, xrefs: 0057C107

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e8ad80054064a737b90c4febdd84ac9061fc9b9727d329729ab612a7c890ef36
Instruction ID: 777a28b6a77c3fc0d4441e12688c627049b8c2ca7a67fdd6e79e6d37c22cac90
Opcode Fuzzy Hash: e8ad80054064a737b90c4febdd84ac9061fc9b9727d329729ab612a7c890ef36
Instruction Fuzzy Hash: C8F08231900628FBCB119B90EC0DF9EBE78FB1175AF104068E405A10A0CB748E48FB94

Function 0057CA6B Relevance: 7.6, APIs: 5, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0057CAD9
_free.LIBCMT ref: 0057CAF9
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0057CB5A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0057CB6C
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 0057CB79

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 600c04cdc60f4b8337f058c9fee0a897bd694e0f665208bb06258f01b738b17c
Instruction ID: d2e8a3a10503572145830aeae787950150eafbacfa38e885f024482e55d84164
Opcode Fuzzy Hash: 600c04cdc60f4b8337f058c9fee0a897bd694e0f665208bb06258f01b738b17c
Instruction Fuzzy Hash: 2A41BF36A002049BCB10DF78D885A5ABBF6FFC8714F5584ADE909EB351DB30AD01DB80

Function 04399130 Relevance: 7.6, APIs: 5, Instructions: 89fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 04399169
SetFilePointer.KERNEL32(000000FF,000000F8,00000000,00000002,00000000,04399217,?,00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 0439919D
GetLastError.KERNEL32(000000FF,000000F8,00000000,00000002,00000000,04399217,?,00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 043991A9
ReadFile.KERNEL32(000000FF,04398887,00000008,?,00000000,000000FF,000000F8,00000000,00000002,00000000,04399217,?,00000000,80000000,00000001,00000000), ref: 043991CD
CloseHandle.KERNEL32(000000FF,0439921E,?,00000000,000000FF,000000F8,00000000,00000002,00000000,04399217,?,00000000,80000000,00000001,00000000,00000003), ref: 04399211

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastPointerRead
String ID:
API String ID: 3550223206-0
Opcode ID: 86cb08bd0e0189f8b67e920396b177de2a9d6e360bc423dce83ff5dc5a3010d4
Instruction ID: 9fa0f4e6645d4c3d50f29dd26558ca6ddded89c7ad97cfe9f7c59d8d2e9d4da8
Opcode Fuzzy Hash: 86cb08bd0e0189f8b67e920396b177de2a9d6e360bc423dce83ff5dc5a3010d4
Instruction Fuzzy Hash: 33213770A48348AEEF24E6F88C45FED77ECAF05324F5052A9E964E72D0D671AD04C761

Function 04397480 Relevance: 7.6, APIs: 5, Instructions: 84threadwindowCOMMON

Download Yara Rule

APIs

GetWindowThreadProcessId.USER32(?,?), ref: 043974AB
GetClassNameA.USER32(?,00000000,00000000), ref: 043974D0
GetWindowTextA.USER32(?,00000000,00000000), ref: 043974FF
IsWindowVisible.USER32(?), ref: 0439750F
GetCurrentProcessId.KERNEL32(00000000,0439756D,?,?,00000000,00000000,00000000,00000000), ref: 04397518

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Window$Process$ClassCurrentNameTextThreadVisible
String ID:
API String ID: 2023830111-0
Opcode ID: afe3447b5bc9710651759a5eee091824bfd5abdd2a0558293d4443277658c95c
Instruction ID: 2645ce3ad816d01c24e715418a91d9b35cc57ee892a7e19a670c281709d45371
Opcode Fuzzy Hash: afe3447b5bc9710651759a5eee091824bfd5abdd2a0558293d4443277658c95c
Instruction Fuzzy Hash: D5211BB0A10209AFEB58FBA4D881EAF77FDEF44204F506475EC1593661DB30BE45CA60

Function 0436B992 Relevance: 7.6, APIs: 5, Instructions: 78networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0436BA78: closesocket.WSOCK32(?,00000000,0436BCDE,?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?), ref: 0436BA7F

socket.WSOCK32(00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436B9D5
htons.WSOCK32(?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436B9FC
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA09
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA20
connect.WSOCK32(?,00000002,00000010,00000000,00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA45

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 1954806591-0
Opcode ID: fe7d4ba97a5c27a5447003482bb2c5c725cb952d62fa3ec1571097e2969f1e2c
Instruction ID: dfa22d8ef9113e9652dd0cdc212161f202f9c4d3350a08f40b5cf343ec83da73
Opcode Fuzzy Hash: fe7d4ba97a5c27a5447003482bb2c5c725cb952d62fa3ec1571097e2969f1e2c
Instruction Fuzzy Hash: 0721B270E006199FDB10DFA8C841A9EF7F4EF08714F50A569E51AE7660E274B901CF50

Function 0436B994 Relevance: 7.6, APIs: 5, Instructions: 77networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0436BA78: closesocket.WSOCK32(?,00000000,0436BCDE,?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?), ref: 0436BA7F

socket.WSOCK32(00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436B9D5
htons.WSOCK32(?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436B9FC
inet_addr.WSOCK32(00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA09
gethostbyname.WSOCK32(00000000,00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA20
connect.WSOCK32(?,00000002,00000010,00000000,00000000,?,00000002,00000001,00000006,00000000,0436BA65,?,000003E8,?), ref: 0436BA45

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonsinet_addrsocket
String ID:
API String ID: 1954806591-0
Opcode ID: f33c2ee2e4e6a1790278610ddbd9f6ff26afe9b4fe55f0b5ef64fad6e6fba8c7
Instruction ID: 27f7747e57726548912b3e17537a45cc53ecfd3685c9804a71e9719f1893f69f
Opcode Fuzzy Hash: f33c2ee2e4e6a1790278610ddbd9f6ff26afe9b4fe55f0b5ef64fad6e6fba8c7
Instruction Fuzzy Hash: FE21A170E006199FDB10EFA8C841AAEF7F8EF08714F50A469E51AE7660E734BA01CF50

Function 04396E5C Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,00000000,04396F2B,?,?,00000000,00000000), ref: 04396E94
73A165D0.GDI32(00000000,00000000,00000000,00000000,00000000,04396F2B,?,?,00000000,00000000), ref: 04396EAC
73A14620.GDI32(00000000,00000008,00000000,00000000,00000000,00000000,00000000,04396F2B,?,?,00000000,00000000), ref: 04396EB6
73A14620.GDI32(00000000,0000000A,00000000,00000008,00000000,00000000,00000000,00000000,00000000,04396F2B,?,?,00000000,00000000), ref: 04396EC0
73A0A480.USER32(00000000,00000000,00000000,04397010,04396F44,?,00000000,0000000A,00000000,00000008,00000000,00000000,00000000,00000000,00000000,04396F2B), ref: 04396F03

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620$A165A480A570
String ID:
API String ID: 2361052256-0
Opcode ID: bf7f20792e4889fb5ba5f1256ac43f374d253fbc10ef5405b9d00356325570eb
Instruction ID: 0b01cc3e429fefa9be6e2386eebdea2ca4d2971826f5830d40b7cc289e38a450
Opcode Fuzzy Hash: bf7f20792e4889fb5ba5f1256ac43f374d253fbc10ef5405b9d00356325570eb
Instruction Fuzzy Hash: 86218470F042056FEB01FFA5CC82F6FB6F8EF44704F906465E804B22A0DA747E118A65

Function 04381BA0 Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381BF6
73A14620.GDI32(00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C0B
73A14620.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C15
CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C39
73A0A480.USER32(00000000,00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C44

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620$A480A570CreateHalftonePalette
String ID:
API String ID: 3846602122-0
Opcode ID: dd6398da807afdbd8996365ab2c4bc3381697381c6cd10f59fadf69823f68c27
Instruction ID: 537bb575bf2c4f78cd86422e5c14dc8b989448ac5046cf8eca8b20c17a28fff4
Opcode Fuzzy Hash: dd6398da807afdbd8996365ab2c4bc3381697381c6cd10f59fadf69823f68c27
Instruction Fuzzy Hash: 0A11D0316057599AEF60FF358440BEEBBE0BF51355F443128FC049A690D3B4B996C3A1

Function 0436A4D8 Relevance: 7.6, APIs: 5, Instructions: 59threadsynchronizationwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0436A4E6
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0436A512
MsgWaitForMultipleObjects.USER32(00000002,?,00000000,000003E8,00000040), ref: 0436A527
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0436A554
GetExitCodeThread.KERNEL32(?,?,?,000000FF), ref: 0436A55F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ThreadWait$CodeCurrentExitMessageMultipleObjectObjectsPeekSingle
String ID:
API String ID: 1797888035-0
Opcode ID: f4943639423ee592ea28db678548a79e8a7b11208c64a92910043b0bcdd40410
Instruction ID: 8cd7a2805a1533f84121c3527067f86916376ff0da5f684685cdc879cf98b727
Opcode Fuzzy Hash: f4943639423ee592ea28db678548a79e8a7b11208c64a92910043b0bcdd40410
Instruction Fuzzy Hash: D8118E70B403026BE610FA788CC2F5E73D99F06624F509A15FA99E72D4E635F8404B52

Function 0437E030 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000), ref: 0437E048
73A14620.GDI32(?,00000068,00000000,0437E0B6,?,00000000), ref: 0437E064
73A16AA0.GDI32(A2080E55,00000000,00000008,?,?,00000068,00000000,0437E0B6,?,00000000), ref: 0437E07C
73A16AA0.GDI32(A2080E55,00000008,00000008,?,A2080E55,00000000,00000008,?,?,00000068,00000000,0437E0B6,?,00000000), ref: 0437E094
73A0A480.USER32(00000000,?,0437E0BD,0437E0B6,?,00000000), ref: 0437E0B0

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620A480A570
String ID:
API String ID: 98612182-0
Opcode ID: c19bce697b0e7be2173e224d98cce766f1a65d05de4aa3ea8c1bbe1fcadc4609
Instruction ID: bdefcf949fcedb0177db081acb895374c52a712d4d4ce70506b47106762c9ef0
Opcode Fuzzy Hash: c19bce697b0e7be2173e224d98cce766f1a65d05de4aa3ea8c1bbe1fcadc4609
Instruction Fuzzy Hash: 06110831588304BEFB50DFA59C42F6D77ACEB49708F405495F9449A5C0DA7A7454C721

Function 0435B784 Relevance: 7.6, APIs: 5, Instructions: 50threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0435B81B,?,?,00000000), ref: 0435B79C

Part of subcall function 0435B4FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0435B51A

GetThreadLocale.KERNEL32(00000000,00000004,00000000,0435B81B,?,?,00000000), ref: 0435B7CC
EnumCalendarInfoA.KERNEL32(Function_0000B6D0,00000000,00000000,00000004), ref: 0435B7D7
GetThreadLocale.KERNEL32(00000000,00000003,00000000,0435B81B,?,?,00000000), ref: 0435B7F5
EnumCalendarInfoA.KERNEL32(Function_0000B70C,00000000,00000000,00000003), ref: 0435B800

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread$CalendarEnum
String ID:
API String ID: 4102113445-0
Opcode ID: 41555b624726af997fc403d7b8da667715c3d91c318abec68ffcfae64f8cf079
Instruction ID: 7939d0a1001ef727e818a2c27218be4b400ba4b648ec22398a0aeecf0b39c320
Opcode Fuzzy Hash: 41555b624726af997fc403d7b8da667715c3d91c318abec68ffcfae64f8cf079
Instruction Fuzzy Hash: 15012B706002486BF711BA74CC12FAEB15CDF42A18FE13570FC04E66F0E524FE008664

Function 00582AF6 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00582B0E

Part of subcall function 0057DC3C: HeapFree.KERNEL32(00000000,00000000,?,00582D98,005724A8,00000000,005724A8,?,?,0058303B,005724A8,00000007,005724A8,?,0058369C,005724A8), ref: 0057DC52
Part of subcall function 0057DC3C: GetLastError.KERNEL32(005724A8,?,00582D98,005724A8,00000000,005724A8,?,?,0058303B,005724A8,00000007,005724A8,?,0058369C,005724A8,005724A8), ref: 0057DC64

_free.LIBCMT ref: 00582B20
_free.LIBCMT ref: 00582B32
_free.LIBCMT ref: 00582B44
_free.LIBCMT ref: 00582B56

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f377b449049b91cc4b48352d1fa28c8cc0d2fd0b4d87a25e459e3bd54cfedd7c
Instruction ID: 081fcc26b0020bcd2e1429b29befbd5034f2bf44220de7081a8f88f428374a4e
Opcode Fuzzy Hash: f377b449049b91cc4b48352d1fa28c8cc0d2fd0b4d87a25e459e3bd54cfedd7c
Instruction Fuzzy Hash: 0FF03C32945205A7C625EF54FA85C0B7FFEBA44711B545809F808E7621CA34FC81DA74

Function 00427330 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 356COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0042748C

Strings

database corruption, xrefs: 004273BB, 004274F7
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 004273B1, 004274ED
%s at line %d of [%.10s], xrefs: 004273C0, 004274FC

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __allrem
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 2933888876-2528248365
Opcode ID: 4823043f7ef827a7b4fbdf938415d2a978374419fe1321bc0a1652debf4f2a91
Instruction ID: 8bb3c50be667d938f860189934fcaa3b0618836941bd3907525a36129d9531ae
Opcode Fuzzy Hash: 4823043f7ef827a7b4fbdf938415d2a978374419fe1321bc0a1652debf4f2a91
Instruction Fuzzy Hash: D7D16A71B002199FCB04DFA9E981AAEBBF1FF88314F5541AAE805AB351D734ED40CB94

Function 0041C400 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 168COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C0000006,00000000,00000003,94F768E5), ref: 0041C501

Strings

database corruption, xrefs: 0041C56C
ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f, xrefs: 0041C562
%s at line %d of [%.10s], xrefs: 0041C571

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: ExceptionRaise
String ID: %s at line %d of [%.10s]$database corruption$ebead0e7230cd33bcec9f95d2183069565b9e709bf745c9b5db65cc0cbf92c0f
API String ID: 3997070919-2528248365
Opcode ID: 830a313b83937d8fd3548d6c05d92ef11243a27d482c46180699246d61c9bb45
Instruction ID: 4664bd987f25b04ba3302c8c272136ff2b45e9a513d2b894f7a05249c9c9f803
Opcode Fuzzy Hash: 830a313b83937d8fd3548d6c05d92ef11243a27d482c46180699246d61c9bb45
Instruction Fuzzy Hash: B2519271E402199BDF14DF99D991AEEBBB2FF88300F51406AE805AB341EB34ED418B94

Function 0435B834 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(?,00000000,0435B9FE,?,?,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0435B863

Part of subcall function 0435B4FC: GetLocaleInfoA.KERNEL32(?,?,?,00000100), ref: 0435B51A

Strings

yyyy, xrefs: 0435B955
ggg, xrefs: 0435B948
eeee, xrefs: 0435B96E

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Locale$InfoThread
String ID: eeee$ggg$yyyy
API String ID: 4232894706-1253427255
Opcode ID: 4e10fafd960f032f507f7a67b9c67dd44e2a3506fd8dd2d9880f43732034b913
Instruction ID: 808dbf8b1a3973ba88a4d588ae32b9848ac846dc5966d1e407407bf9f16a95e9
Opcode Fuzzy Hash: 4e10fafd960f032f507f7a67b9c67dd44e2a3506fd8dd2d9880f43732034b913
Instruction Fuzzy Hash: FE41F4257185498BF716AA78C880FBEF3A9DF95208F543862DC81D7775EA20FD02DB21

Function 00450F20 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 142COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00450FCC

Strings

--], xrefs: 00451096
%llu, xrefs: 00451037
%llu, xrefs: 00450F87

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __aulldiv
String ID: %llu$%llu$--]
API String ID: 3732870572-2480157117
Opcode ID: cce44e404b51992499fff160944e1f521e1e735025545a083bde9eb40e569d0e
Instruction ID: 0a4a175b1aae87d404323c12929a5bc8f9ee4b148dc61bbc7d5afdba2f2f1ae1
Opcode Fuzzy Hash: cce44e404b51992499fff160944e1f521e1e735025545a083bde9eb40e569d0e
Instruction Fuzzy Hash: 0E4116B16043005BD324DF14C881B1BB7E5FFC8759F044A2EF895877A2D779E8488B56

Function 04397288 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00000000), ref: 04397294
PrintWindow.USER32(00000000,00000000,00000000), ref: 04397357

Part of subcall function 0437AD34: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020119), ref: 0437AD5C
Part of subcall function 0437AD34: RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,00000004,00000004,80000001,00000000,00000000,00020119), ref: 0437AD83
Part of subcall function 0437AD34: RegCloseKey.ADVAPI32(00000000,80000001,00000000,00000000,00020119), ref: 0437AD9B

Strings

Control Panel\Desktop\WindowMetrics, xrefs: 043972C5
AppliedDPI, xrefs: 043972C0

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Window$CloseOpenPrintQueryRectValue
String ID: AppliedDPI$Control Panel\Desktop\WindowMetrics
API String ID: 4074139357-3919141887
Opcode ID: fd6c625138e006fe00760cbe0ae16e581fd57fb6f2665af96657caa041c9e9db
Instruction ID: 5ec2299e51a8189e9a58bb5aa85824f00d6ba255ef340fb00923d0d19ab02a13
Opcode Fuzzy Hash: fd6c625138e006fe00760cbe0ae16e581fd57fb6f2665af96657caa041c9e9db
Instruction Fuzzy Hash: D3211930701200DFD305EF28C885A5AB7EAFFD9345F54A5A9E8458B3A4CB35EC56CB91

Function 0051EE10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetAppLanguageA), ref: 0051EE65
FreeLibrary.KERNEL32(00000000), ref: 0051EE90
FreeLibrary.KERNEL32(00000000), ref: 0051EEA5

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetAppLanguageA, xrefs: 0051EE5F

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetAppLanguageA
API String ID: 1027185726-3584660723
Opcode ID: 4d8c9908f2b9495fb187adb5e77608ffe4f9459319f283cd96a308b6404d9079
Instruction ID: 64f68237436927b5e5ea975810e979839408c3f0f1193a1b79c977f6612f1b38
Opcode Fuzzy Hash: 4d8c9908f2b9495fb187adb5e77608ffe4f9459319f283cd96a308b6404d9079
Instruction Fuzzy Hash: 3511903650021AEBEF21CF58D806BDEBBB8FF55710F104256EC0563150D7715ADAEB90

Function 0051EEC0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetAppLanguageW), ref: 0051EF15
FreeLibrary.KERNEL32(00000000), ref: 0051EF40
FreeLibrary.KERNEL32(00000000), ref: 0051EF55

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetAppLanguageW, xrefs: 0051EF0F

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetAppLanguageW
API String ID: 1027185726-561848738
Opcode ID: 9348154ca0947ba3a80509dc1de2b1aacee8097e90cb81ab5cf37078e9467f4b
Instruction ID: 5b13dc3384b0458c14313cfcf7f3c705bf0637f61cfc7e0155c9e607331944cf
Opcode Fuzzy Hash: 9348154ca0947ba3a80509dc1de2b1aacee8097e90cb81ab5cf37078e9467f4b
Instruction Fuzzy Hash: F811AC3240021AEBEF21CF58D80ABDEBBB8BF21310F044156EC0563151D3719E9AEBA0

Function 0051F020 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetDigitalCertSignerW), ref: 0051F06F
FreeLibrary.KERNEL32(00000000), ref: 0051F097
FreeLibrary.KERNEL32(00000000), ref: 0051F0AC

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetDigitalCertSignerW, xrefs: 0051F069

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetDigitalCertSignerW
API String ID: 1027185726-757647949
Opcode ID: e4c9e6f1692c5d25e8228b29e07e68c3ef57c927740d33ebb48995b9cfa2d284
Instruction ID: f6e944859a96b666db4f6c15ea70c8ea3847a2f8442a7abda280619c39db18af
Opcode Fuzzy Hash: e4c9e6f1692c5d25e8228b29e07e68c3ef57c927740d33ebb48995b9cfa2d284
Instruction Fuzzy Hash: CE11C132401619EBEF20DF68D808BEEFBB8BF65310F1081A6EC05A7111D7715E99DBA1

Function 0051F0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetProductInstallDirA), ref: 0051F10F
FreeLibrary.KERNEL32(00000000), ref: 0051F137
FreeLibrary.KERNEL32(00000000), ref: 0051F14C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetProductInstallDirA, xrefs: 0051F109

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetProductInstallDirA
API String ID: 1027185726-4113977038
Opcode ID: 9df2d0a93c2be7dcae5de507c174f63c5653ba28ba1cd21bac182e7d1ede6ac0
Instruction ID: 77d71c9d4c526733e559db50fac44f9f4277ea0b2defdd04e405bb1259e483b9
Opcode Fuzzy Hash: 9df2d0a93c2be7dcae5de507c174f63c5653ba28ba1cd21bac182e7d1ede6ac0
Instruction Fuzzy Hash: 20119D32400619FBDB10DF58E809BDEBBA8BF61310F1081AAEC04A3210D7715A9ADB90

Function 0051F160 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetProductInstallDirW), ref: 0051F1AF
FreeLibrary.KERNEL32(00000000), ref: 0051F1D7
FreeLibrary.KERNEL32(00000000), ref: 0051F1EC

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetProductInstallDirW, xrefs: 0051F1A9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetProductInstallDirW
API String ID: 1027185726-31652767
Opcode ID: 467c71992fdc889f8c65b7ea4e4e5369979a4ebae5ffd0e6d75d178546462cf7
Instruction ID: 6ca5ae053a3e99ef34fbfdea4c87691ec6fbbb5c95f8a0016c30ea5c74834205
Opcode Fuzzy Hash: 467c71992fdc889f8c65b7ea4e4e5369979a4ebae5ffd0e6d75d178546462cf7
Instruction Fuzzy Hash: D6118C3654161AFBEB11DF58D808BDEBBB8BF62310F1041AAEC04A7210D7715A99DBA0

Function 0051F200 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSigDatabaseDirA), ref: 0051F24F
FreeLibrary.KERNEL32(00000000), ref: 0051F277
FreeLibrary.KERNEL32(00000000), ref: 0051F28C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetSigDatabaseDirA, xrefs: 0051F249

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSigDatabaseDirA
API String ID: 1027185726-3627614569
Opcode ID: 0ab4edce729bd9cca0cb0fcd859bc889099ecf149651019b79a12dbd13693e08
Instruction ID: ee99c3e56aa185312ed9382fd96017b168ab63353517510f99b6e6a12c1be9fd
Opcode Fuzzy Hash: 0ab4edce729bd9cca0cb0fcd859bc889099ecf149651019b79a12dbd13693e08
Instruction Fuzzy Hash: 32118F3A501619EBDF10DF99DC04BDEBBB8BF66310F104166EC14A7210D7715E96DB90

Function 0051F2A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSigDatabaseDirW), ref: 0051F2EF
FreeLibrary.KERNEL32(00000000), ref: 0051F317
FreeLibrary.KERNEL32(00000000), ref: 0051F32C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetSigDatabaseDirW, xrefs: 0051F2E9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSigDatabaseDirW
API String ID: 1027185726-753775672
Opcode ID: b3c862c2023c786f35cdf5389816b3f991a6a8ba770c2ce8212e9898ff3bc1ee
Instruction ID: fdbad49d1a5f72b21037f7991a46021073c6aa494784a9bcc05c14ef7f4c2a9d
Opcode Fuzzy Hash: b3c862c2023c786f35cdf5389816b3f991a6a8ba770c2ce8212e9898ff3bc1ee
Instruction Fuzzy Hash: FC11513A501619EBEF11DF98E804BDEFBB8BF62310F1041A6EC14A7110D7719E96DB90

Function 0051E430 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSigDatabaseVersionA), ref: 0051E47F
FreeLibrary.KERNEL32(00000000), ref: 0051E4A7
FreeLibrary.KERNEL32(00000000), ref: 0051E4BC

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetSigDatabaseVersionA, xrefs: 0051E479

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSigDatabaseVersionA
API String ID: 1027185726-1039888001
Opcode ID: 6fe8fbfd7d4315056db3c0229bad704f671c278cfb7877c984a06afd10335d22
Instruction ID: f81906ce7fb2c546bcdbf20bf621cafe4341404a1eb6e593894c52ea3195a9f9
Opcode Fuzzy Hash: 6fe8fbfd7d4315056db3c0229bad704f671c278cfb7877c984a06afd10335d22
Instruction Fuzzy Hash: E611BF32901219EBDF10DF98E806BDEBBB8BF62310F10415AEC04A7210D7B15A9ADB94

Function 0051E4D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSigDatabaseVersionW), ref: 0051E51F
FreeLibrary.KERNEL32(00000000), ref: 0051E547
FreeLibrary.KERNEL32(00000000), ref: 0051E55C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetSigDatabaseVersionW, xrefs: 0051E519

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSigDatabaseVersionW
API String ID: 1027185726-3375356880
Opcode ID: 957b5e729358e784356ce02d0ed9062d92419cfe2cf54d99ec1fddf5923007b0
Instruction ID: b98b57c025dfaca7d558f4f81cd3c078ef6f3cbcb03912ed5fbfa3c84e61e713
Opcode Fuzzy Hash: 957b5e729358e784356ce02d0ed9062d92419cfe2cf54d99ec1fddf5923007b0
Instruction Fuzzy Hash: 57119132501219EBDF11DF58D80ABEEFBB9BF62318F114156EC04A7110E7719E95DB90

Function 0051E570 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetEngineVersionA), ref: 0051E5BF
FreeLibrary.KERNEL32(00000000), ref: 0051E5E7
FreeLibrary.KERNEL32(00000000), ref: 0051E5FC

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetEngineVersionA, xrefs: 0051E5B9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetEngineVersionA
API String ID: 1027185726-2655619221
Opcode ID: d31344ca3acc7efba477d8464e6b66e77c5570283d51824ae3a5bcba9dbaed41
Instruction ID: 8b2947b9e10ab9ce70c58da93023951a6d94631ee341d8baf9f94c975b0927ab
Opcode Fuzzy Hash: d31344ca3acc7efba477d8464e6b66e77c5570283d51824ae3a5bcba9dbaed41
Instruction Fuzzy Hash: 4F118F32501219EBDF11DF58D806BDEFBB9BF61314F114156EC04A7210E7719AD5DB90

Function 0051E610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetEngineVersionW), ref: 0051E65F
FreeLibrary.KERNEL32(00000000), ref: 0051E687
FreeLibrary.KERNEL32(00000000), ref: 0051E69C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetEngineVersionW, xrefs: 0051E659

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetEngineVersionW
API String ID: 1027185726-1788689860
Opcode ID: e9572a4ccaff1bdd1f7ac56475fb6f690010e4f2659db4256205f09c44683d03
Instruction ID: ad9056729a1764169832b003b2deed6d7bf1d5ec63d21677a343ff4ee2e10a7c
Opcode Fuzzy Hash: e9572a4ccaff1bdd1f7ac56475fb6f690010e4f2659db4256205f09c44683d03
Instruction Fuzzy Hash: E2118F32501219EBEB10DF58E806BDEBBB8BF71714F504156EC04A7210D7715E95DB90

Function 0051EF80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetDigitalCertSignerA), ref: 0051EFCF
FreeLibrary.KERNEL32(00000000), ref: 0051EFF7
FreeLibrary.KERNEL32(00000000), ref: 0051F00C

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

Strings

QHGetDigitalCertSignerA, xrefs: 0051EFC9

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetDigitalCertSignerA
API String ID: 1027185726-3657203484
Opcode ID: 645c0a21b85a54768c785ef44c000eb78025dd879b05462b4419b1a5f18356f3
Instruction ID: aac79212ebca52942d1999d6d620df48bdfd5a05e4ead2e880803621529eb38f
Opcode Fuzzy Hash: 645c0a21b85a54768c785ef44c000eb78025dd879b05462b4419b1a5f18356f3
Instruction Fuzzy Hash: 53119132501219EBEF10DF58D809BDEFBB8BF65314F10419AEC0467250D7719E96EB90

Function 0436BC5C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62networksleepCOMMON

Download Yara Rule

APIs

send.WSOCK32(?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?,00000000,0436BD8D), ref: 0436BC95
WSAGetLastError.WSOCK32(?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?,00000000,0436BD8D), ref: 0436BCB1
Sleep.KERNEL32(00000001,?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?,00000000,0436BD8D), ref: 0436BCD0

Strings

3', xrefs: 0436BCC5

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ErrorLastSleepsend
String ID: 3'
API String ID: 4076785223-280543908
Opcode ID: 2292d9f2f8ef471f2f2a1a77c6ccf9ea84c87bdf07eefb55005db2a9eacec080
Instruction ID: 65521af82f3b2729688bad1a806a6a50b7a46498f382ab6686317d881a86dbda
Opcode Fuzzy Hash: 2292d9f2f8ef471f2f2a1a77c6ccf9ea84c87bdf07eefb55005db2a9eacec080
Instruction Fuzzy Hash: D211E8706087139BD710DE28C88465AF7E8BFC4264F10DA2DE4AAC7294D770BA459FA3

Function 04372FB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 04377B38: GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0437A6B4,\AppData\Roaming\,?,C:\Users\,00000000,0437A6EA,?,?,00000000,00000000), ref: 04377B7A

CoTaskMemAlloc.OLE32(00000208,00000000,04373070), ref: 04372FF4
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000005,00000000,00000000,0437303B,?,00000208,00000000,04373070), ref: 04373014
CoTaskMemFree.OLE32(?,04373042,00000000,00000000,0437303B,?,00000208,00000000,04373070), ref: 04373035

Strings

USERPROFILE, xrefs: 04372FD7

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Task$AllocAttributesFileFolderFreePathSpecial
String ID: USERPROFILE
API String ID: 3197149909-2419442777
Opcode ID: 15a5523444ea8dbec6a09cb741ee533d1f2493966b97ae96d7847d94b967bbfe
Instruction ID: cbfb300ea1a93bd0a968dcfd9942a76908566d0a50b7bebad295b9c57e976946
Opcode Fuzzy Hash: 15a5523444ea8dbec6a09cb741ee533d1f2493966b97ae96d7847d94b967bbfe
Instruction Fuzzy Hash: F8116034A04208BFEB21DFA4D851E9DB7F8EF49B04F5194A5E840A7660D7787E00DB51

Function 0051F3D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHInitiateFolderScanA), ref: 0051F419
FreeLibrary.KERNEL32(00000000), ref: 0051F43E

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051F453

Strings

QHInitiateFolderScanA, xrefs: 0051F413

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitiateFolderScanA
API String ID: 1027185726-3630185970
Opcode ID: 900d5e5177f3c967b565c907ccf228bb45f7253f3ffe93cef975407cc7490431
Instruction ID: 6e731323089e551aaf21808f3f3d564ca78fc0437ca1f73ee5d11e1041515017
Opcode Fuzzy Hash: 900d5e5177f3c967b565c907ccf228bb45f7253f3ffe93cef975407cc7490431
Instruction Fuzzy Hash: 2A118236501619ABDF10DF58E804ADFFBB8BF61311F1041A6EC05A7210E7B15E9ADB91

Function 0051E390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSigDatabaseTime), ref: 0051E3D9
FreeLibrary.KERNEL32(00000000), ref: 0051E3FE

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051E413

Strings

QHGetSigDatabaseTime, xrefs: 0051E3D3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSigDatabaseTime
API String ID: 1027185726-2038021305
Opcode ID: dc04a3dd3b2f0ca51fb887d8c1f94c0966700bb4716aa39c79a4382a3995dbb8
Instruction ID: a8686931f3eb76d52bd728683bfcd6b818931f2f272f1e6c580560de02eba38b
Opcode Fuzzy Hash: dc04a3dd3b2f0ca51fb887d8c1f94c0966700bb4716aa39c79a4382a3995dbb8
Instruction Fuzzy Hash: FB11E532500219ABDF21DF58D805ADEFBB8FF61714F104596EC04A3210D770AEDAE790

Function 0051F470 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHInitiateFolderScanW), ref: 0051F4B9
FreeLibrary.KERNEL32(00000000), ref: 0051F4DE

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051F4F3

Strings

QHInitiateFolderScanW, xrefs: 0051F4B3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitiateFolderScanW
API String ID: 1027185726-750028963
Opcode ID: 2dfe3f47d94455700b29219844cbd7bd5135d520682cd3a47161cb1a582da858
Instruction ID: 93d33dbe7c995271657f75a4300e88a7aeb58fb71a7716a23ac533b2dd66f1aa
Opcode Fuzzy Hash: 2dfe3f47d94455700b29219844cbd7bd5135d520682cd3a47161cb1a582da858
Instruction Fuzzy Hash: 91118236501619ABDF20DF58D804ADFFFB8BF61311F1041A6EC45A7210D7B15E9ADBA0

Function 0051F510 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHInitiateFileScanA), ref: 0051F559
FreeLibrary.KERNEL32(00000000), ref: 0051F57E

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051F593

Strings

QHInitiateFileScanA, xrefs: 0051F553

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitiateFileScanA
API String ID: 1027185726-3438782609
Opcode ID: 5a22e350e5090159fe7d7c9e2caf9f4707c0865de7de23981f1f77bb05893b61
Instruction ID: d168524f211127020115099c3b5d150796c6cd97487cf501bfdd4e5e9d60b2e1
Opcode Fuzzy Hash: 5a22e350e5090159fe7d7c9e2caf9f4707c0865de7de23981f1f77bb05893b61
Instruction Fuzzy Hash: E411C232500219EBDB10DF58E804BDEFBB9BF61311F1141A6EC0467210E7709E99DBE0

Function 0051F5B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHInitiateFileScanW), ref: 0051F5F9
FreeLibrary.KERNEL32(00000000), ref: 0051F61E

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051F633

Strings

QHInitiateFileScanW, xrefs: 0051F5F3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitiateFileScanW
API String ID: 1027185726-941825472
Opcode ID: 0687119eab5820cacd5d4550884c71db5290faceba97017ca0a73a8617d43842
Instruction ID: 8a8bf3255f5633e84b817f6d5865b82f3fb169b33fb7e8d17e66123627099521
Opcode Fuzzy Hash: 0687119eab5820cacd5d4550884c71db5290faceba97017ca0a73a8617d43842
Instruction Fuzzy Hash: 4311A532501619ABDF20DF58E804ADEFBB9FF61315F1041A6EC04A7210E7719EDADBA0

Function 0051F650 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetLastFullScanTime), ref: 0051F699
FreeLibrary.KERNEL32(00000000), ref: 0051F6BE

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051F6D3

Strings

QHGetLastFullScanTime, xrefs: 0051F693

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetLastFullScanTime
API String ID: 1027185726-260134519
Opcode ID: a5b3776b1b200e9b2e7e6eaf3aa2deba28c18199a2cc92d73424ac5a7484dce5
Instruction ID: ef3ef82dddf6b8da4017076b1920032a48c9a1b230cadfd54e9d2fafcc972f4e
Opcode Fuzzy Hash: a5b3776b1b200e9b2e7e6eaf3aa2deba28c18199a2cc92d73424ac5a7484dce5
Instruction Fuzzy Hash: 6411E532501219ABDF10DF58E804ADEFBB8BF65311F1001AAEC4467220D7715E99DBE0

Function 0051E7D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetExpDate), ref: 0051E819
FreeLibrary.KERNEL32(00000000), ref: 0051E83E

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051E853

Strings

QHGetExpDate, xrefs: 0051E813

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetExpDate
API String ID: 1027185726-3513785627
Opcode ID: e9824a6647318827eaef5202c71331795108c9675ead8b6f1b9fe8d04f412b2e
Instruction ID: 3b55c230d748e1c9fddaf714088282bd0b83520591b65d50fa655bf20844c4b7
Opcode Fuzzy Hash: e9824a6647318827eaef5202c71331795108c9675ead8b6f1b9fe8d04f412b2e
Instruction Fuzzy Hash: EB11A032900219BBEB11DF58D809BDEFBB8FF61310F104196EC04A7210D7715E99E790

Function 0051F9A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,QHGetSASQHStatus), ref: 0051F9E9
FreeLibrary.KERNEL32(00000000), ref: 0051FA0E

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

FreeLibrary.KERNEL32(00000000), ref: 0051FA23

Strings

QHGetSASQHStatus, xrefs: 0051F9E3

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHGetSASQHStatus
API String ID: 1027185726-1742833770
Opcode ID: d10846c7978494a55c385c76bc441c1a802256e712fc669b760039fc57e85319
Instruction ID: f8c2a60e50a6108df8612a426271ece355ceedb2230a7d5a797932b2f77be338
Opcode Fuzzy Hash: d10846c7978494a55c385c76bc441c1a802256e712fc669b760039fc57e85319
Instruction Fuzzy Hash: D711A036500219BBDB10EF98E804BEEFBB8BF65311F1001A6EC04A3210E7715E9AD7E0

Function 0051E740 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHEnableOnAccessScan), ref: 0051E783
FreeLibrary.KERNEL32(00000000), ref: 0051E7A8
FreeLibrary.KERNEL32(00000000), ref: 0051E7BD

Strings

QHEnableOnAccessScan, xrefs: 0051E77D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHEnableOnAccessScan
API String ID: 1027185726-4208909761
Opcode ID: 56af4687680982ecb2222f7ae2a286efc1a5f48dfed6b38e66960cf5846d7de0
Instruction ID: f856a66fd86fa42b417971ac750d96ab9227364b7be5518192830e0f525151e2
Opcode Fuzzy Hash: 56af4687680982ecb2222f7ae2a286efc1a5f48dfed6b38e66960cf5846d7de0
Instruction Fuzzy Hash: 3F11C836901559ABFB10DF54E806ADEFBB8FF61311F100196EC0463250D7715E9997E0

Function 0051FA40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHChangeOnAccessScanState), ref: 0051FA83
FreeLibrary.KERNEL32(00000000), ref: 0051FAA8
FreeLibrary.KERNEL32(00000000), ref: 0051FABD

Strings

QHChangeOnAccessScanState, xrefs: 0051FA7D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHChangeOnAccessScanState
API String ID: 1027185726-3987194592
Opcode ID: 07d0a39c47c6670b8f063963bfedd2cf2cb82e92d377d805ca18133190563abc
Instruction ID: 96c9c8237d60666e240ce1402ec194dbba1537f4e6b778b9668af0913d63083b
Opcode Fuzzy Hash: 07d0a39c47c6670b8f063963bfedd2cf2cb82e92d377d805ca18133190563abc
Instruction Fuzzy Hash: 8011C432501619ABDB10DF98E904ADEFBB8FF66311F1001A6EC48A3210D7755E9AD7E0

Function 0051F340 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHInitiateFullScan), ref: 0051F383
FreeLibrary.KERNEL32(00000000), ref: 0051F3A5
FreeLibrary.KERNEL32(00000000), ref: 0051F3BA

Strings

QHInitiateFullScan, xrefs: 0051F37D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitiateFullScan
API String ID: 1027185726-1507581976
Opcode ID: 9487c6d584b0a3be103005279d3f99cbf26591f091c31f0c86eaaedd3abd7605
Instruction ID: 48e6007332a00a765b70a3c84e031e25bb26a439d47dc2cea3f9bde5b1ac5dca
Opcode Fuzzy Hash: 9487c6d584b0a3be103005279d3f99cbf26591f091c31f0c86eaaedd3abd7605
Instruction Fuzzy Hash: 3B01B976501619E7DB10DF99E804ADEFBBCBF62310F1005A6EC04A3210D7715E95DBE4

Function 0051F6F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHIsFullScanRunning), ref: 0051F733
FreeLibrary.KERNEL32(00000000), ref: 0051F755
FreeLibrary.KERNEL32(00000000), ref: 0051F76A

Strings

QHIsFullScanRunning, xrefs: 0051F72D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHIsFullScanRunning
API String ID: 1027185726-603708037
Opcode ID: 0e16fc112b2177d88724181c728468009d73282db41922287ae756526513e989
Instruction ID: 7ed816c23d96db92520f34dafc1ba6921b4403388737852a32f6024bc88a6351
Opcode Fuzzy Hash: 0e16fc112b2177d88724181c728468009d73282db41922287ae756526513e989
Instruction Fuzzy Hash: D4019636501619A7DB11DF98E904ADEFBB8FF61311F1001A6EC04A3250E7715E95ABE4

Function 0051E6B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHIsOnAccessScanEnabled), ref: 0051E6F3
FreeLibrary.KERNEL32(00000000), ref: 0051E715
FreeLibrary.KERNEL32(00000000), ref: 0051E72A

Strings

QHIsOnAccessScanEnabled, xrefs: 0051E6ED

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHIsOnAccessScanEnabled
API String ID: 1027185726-3537256947
Opcode ID: 1b151fb0c12f2e2f54bd769db27cc1defccb49d1aabf77a051dbfcc617d12dbc
Instruction ID: c88d6cf21a8c3d4b30552e9d27fed4ad20cc3730508c966e27d1d655c55a647e
Opcode Fuzzy Hash: 1b151fb0c12f2e2f54bd769db27cc1defccb49d1aabf77a051dbfcc617d12dbc
Instruction Fuzzy Hash: C601D636901259E7EB10DF98E805ADEFBB8FF72310F100196EC00A3240D7315E9597A4

Function 0051F870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHOpenScanner), ref: 0051F8B3
FreeLibrary.KERNEL32(00000000), ref: 0051F8D5
FreeLibrary.KERNEL32(00000000), ref: 0051F8EA

Strings

QHOpenScanner, xrefs: 0051F8AD

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHOpenScanner
API String ID: 1027185726-2320846432
Opcode ID: ed04baf4a4bfe2e7fd25fa4408e0d966ee76cbe2aca41ed6d1c55b9a8efe814a
Instruction ID: 039ab4afb16e85a5ca9901681aa16bf710cd88ca870ee95636180082cd6436d2
Opcode Fuzzy Hash: ed04baf4a4bfe2e7fd25fa4408e0d966ee76cbe2aca41ed6d1c55b9a8efe814a
Instruction Fuzzy Hash: D1019636901619FBDB10DF98E9046DEFBB8FF61310F1001A6EC04A3210D7715E9AE7A4

Function 0051E870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHIsLicenseExpired), ref: 0051E8B3
FreeLibrary.KERNEL32(00000000), ref: 0051E8D5
FreeLibrary.KERNEL32(00000000), ref: 0051E8EA

Strings

QHIsLicenseExpired, xrefs: 0051E8AD

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHIsLicenseExpired
API String ID: 1027185726-182807298
Opcode ID: 40ae03e471e39da3eee894c24531126ba20b7c20e43d946cbc972d95b7e8363d
Instruction ID: a1bcbe22ebf62fcc6ac905bda4f78e1dcf3bd6f9b62fc18a0a97b523e3572479
Opcode Fuzzy Hash: 40ae03e471e39da3eee894c24531126ba20b7c20e43d946cbc972d95b7e8363d
Instruction Fuzzy Hash: C7019636901619F7DB10DF98E8066DEFBB8BF62311F1001A6EC04A3210D7715E9A97E4

Function 0051E900 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHInitUpdate), ref: 0051E943
FreeLibrary.KERNEL32(00000000), ref: 0051E965
FreeLibrary.KERNEL32(00000000), ref: 0051E97A

Strings

QHInitUpdate, xrefs: 0051E93D

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHInitUpdate
API String ID: 1027185726-3209068735
Opcode ID: 52de33cf9682ddd7df74b986584c01c7cf842735c5134b36045a05606f821a7a
Instruction ID: 42f47d32a8968b085a014207253310a8e5b1150464bad216036cf9fdf8a9317d
Opcode Fuzzy Hash: 52de33cf9682ddd7df74b986584c01c7cf842735c5134b36045a05606f821a7a
Instruction Fuzzy Hash: 69012632800619E7DB10DFA9E805ADEFBB8BF62310F000196EC00A3210E7705E9AD7A4

Function 0051ED80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0051F900: _QHIsAVInstalled@4.UPD_1916298(?,?), ref: 0051F928

GetProcAddress.KERNEL32(00000000,QHIsUpdateInProgress), ref: 0051EDC3
FreeLibrary.KERNEL32(00000000), ref: 0051EDE5
FreeLibrary.KERNEL32(00000000), ref: 0051EDFA

Strings

QHIsUpdateInProgress, xrefs: 0051EDBD

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: FreeLibrary$AddressInstalled@4Proc
String ID: QHIsUpdateInProgress
API String ID: 1027185726-844747468
Opcode ID: 1406cf0639a7a0db8d25e0f8a4fdebcfb22cabedc8820db470a265fe2dd610f7
Instruction ID: 5724d1f28848a021c84e1e13b58ba6672e24c5780089a2cc68e305ee28b7af9e
Opcode Fuzzy Hash: 1406cf0639a7a0db8d25e0f8a4fdebcfb22cabedc8820db470a265fe2dd610f7
Instruction Fuzzy Hash: 83019636501629E7DB10DF98E8456DEFBB8BF62310F10019AEC04A3210E7715E9597E4

Function 0436BA8C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WSOCK32(?,4004667F,?,00000400,?,?,00000000,0436BB38,000003E8,?,?,0436CEDA,00000000,0436CEF5), ref: 0436BAA5

Part of subcall function 0436BA78: closesocket.WSOCK32(?,00000000,0436BCDE,?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?), ref: 0436BA7F

6F6D1E40.WSOCK32(?,?,00000400,00000000,00000400,?,?,00000000,0436BB38,000003E8,?,?,0436CEDA,00000000,0436CEF5), ref: 0436BAC5
WSAGetLastError.WSOCK32(?,?,00000400,00000000,00000400,?,?,00000000,0436BB38,000003E8,?,?,0436CEDA,00000000,0436CEF5), ref: 0436BAE0

Strings

3', xrefs: 0436BAE8

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketioctlsocket
String ID: 3'
API String ID: 1604332089-280543908
Opcode ID: bfbc60af29c0a31d3b90f38dcb834787917a66be6857d2a98a3384e2a0fd7dbb
Instruction ID: 394b09373eddc05ede812b32dc403b374f0e86b7d519fb24da902b3a037da93c
Opcode Fuzzy Hash: bfbc60af29c0a31d3b90f38dcb834787917a66be6857d2a98a3384e2a0fd7dbb
Instruction Fuzzy Hash: F1018F706082329BD7107E3EDC849AAF6D8DF45274F01AA3CE1E7C7188D274B8408F22

Function 0435D220 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0435DBA9,00000000,0435DBBC), ref: 0435D226
GetProcAddress.KERNEL32(00000000,GetDiskFreeSpaceExA), ref: 0435D237

Strings

GetDiskFreeSpaceExA, xrefs: 0435D231
kernel32.dll, xrefs: 0435D221

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExA$kernel32.dll
API String ID: 1646373207-3712701948
Opcode ID: 9ca456a70675cea0f02fe09280af81d9262ec2a61528cc6123f8f4cd62339217
Instruction ID: 61e5ff0eafc7b7787fddf4965989488a5f7a3f5d339426634225ca6850927b61
Opcode Fuzzy Hash: 9ca456a70675cea0f02fe09280af81d9262ec2a61528cc6123f8f4cd62339217
Instruction Fuzzy Hash: E2D09E60B833456BFF40ABA4A5D9E357158D7A4229F4070259C155E120DAE4E815CA11

Function 04368458 Relevance: 6.4, APIs: 5, Instructions: 122COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,00000000,043685B2,?,?,043A8E50), ref: 043684A7
CharNextA.USER32(?,?,00000000,043685B2,?,?,043A8E50), ref: 04368526
CharNextA.USER32(?,?,?,00000000,043685B2,?,?,043A8E50), ref: 0436854D
CharNextA.USER32(00000000,?,?,?,00000000,043685B2,?,?,043A8E50), ref: 04368564

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: 143d647c8379db2fad79113e5f04287133b43ab394273ab3b9781f44b07b1db9
Instruction ID: e20ff77abc428e47a9ba579cb0b2261447e361632c936ed555f290642f4409e3
Opcode Fuzzy Hash: 143d647c8379db2fad79113e5f04287133b43ab394273ab3b9781f44b07b1db9
Instruction Fuzzy Hash: 48414E70A01249DFDB29EF68C895969B7F5EF0D304B60A899E982DB324DB30BD41CF54

Function 04373C88 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 135sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388,00000000,04373E31,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,043751EB,00000000), ref: 04373D03

Part of subcall function 04370374: GetCurrentProcessId.KERNEL32(?,00000000,04370685,?,?,?,00000001), ref: 043703F4

Part of subcall function 04370694: GetCurrentProcessId.KERNEL32(?,00000000,043708E8,?,00000000), ref: 0437070A
Part of subcall function 04370694: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,00000000,043708E8), ref: 043707D7
Part of subcall function 04370694: NtQueryInformationProcess.NTDLL ref: 043707EF

Part of subcall function 04373A30: CloseHandle.KERNEL32(?,001F0FFF,00000000,?), ref: 04373BEF

Part of subcall function 04377B38: GetFileAttributesA.KERNELBASE(00000000,?,?,?,?,0437A6B4,\AppData\Roaming\,?,C:\Users\,00000000,0437A6EA,?,?,00000000,00000000), ref: 04377B7A

Part of subcall function 0437A750: MessageBoxA.USER32(00000000,00000000,0437A7B0,00040040), ref: 0437A783

Strings

lp.txt, xrefs: 04373DF8
get random pid , xrefs: 04373DC1
c:\debugg, xrefs: 04373D9F

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$Current$AttributesCloseCreateFileHandleInformationMessageQuerySleep
String ID: c:\debugg$get random pid $lp.txt
API String ID: 2177347764-3996086189
Opcode ID: 3b3030be8e348fc8ae6b74dc16da11e59c06bca6ff1176c45f07234c4b3b1c8c
Instruction ID: c6889993cfa5f470c5e6c4ab1cf8aef942334191817fcceecfd2a35a6b144175
Opcode Fuzzy Hash: 3b3030be8e348fc8ae6b74dc16da11e59c06bca6ff1176c45f07234c4b3b1c8c
Instruction Fuzzy Hash: 82416135A04245AFFB31FBA4C541AAEB3A5EF49318B407165DCC0A7650DB3CBC15EB62

Function 0040C120 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C14D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C167
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C1B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040C1FC

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 8c84383f21786e8502575cb506da4988bdf5c78a0d80c08470d72a1a75f96be9
Instruction ID: 730e212914945aba66cc481720c8c7a87b2568509a1bd9d3e8f10577fddb01da
Opcode Fuzzy Hash: 8c84383f21786e8502575cb506da4988bdf5c78a0d80c08470d72a1a75f96be9
Instruction Fuzzy Hash: 18310831A40515FADB244F9998C5B5A77A5EB81360F2483BFFC08FA7D2D5398C408A98

Function 04360C4C Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 04360CFB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 04360D17
SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 04360D8E
VariantClear.OLEAUT32(?), ref: 04360DB7

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: ArraySafe$Bound$ClearIndexVariant
String ID:
API String ID: 920484758-0
Opcode ID: da7ce3720f0feee45edf04b66ce47de9d7f613fae01001da9ba70d08769d4907
Instruction ID: 76209dac20195ce9156ba949ffd4143e996e5262f8d4b7ce3f64e2a5e36d8019
Opcode Fuzzy Hash: da7ce3720f0feee45edf04b66ce47de9d7f613fae01001da9ba70d08769d4907
Instruction Fuzzy Hash: FB411C75A0161A9FDB66DF58CC91BC9B3FCAF48214F0092D5EA4AE7255DA30BF808F50

Function 0435BA68 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0435BA84
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0435BAA8
GetModuleFileNameA.KERNEL32(04350000,?,00000105), ref: 0435BAC3
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0435BB67

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 9ba98a240c68349f3ad3bf0cffe1f6a1ae37b8abc598d2962f5b2e46e97ea681
Instruction ID: eeeb4695aa33198c5557b26c86ec90e2b269412115ad280f93357867b3792f6b
Opcode Fuzzy Hash: 9ba98a240c68349f3ad3bf0cffe1f6a1ae37b8abc598d2962f5b2e46e97ea681
Instruction Fuzzy Hash: FF41B575A002589FEB15EB68C884FDDB7B9AF08208F4460E5A908E7264D774BF84CF51

Function 0435BA66 Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0435BA84
GetModuleFileNameA.KERNEL32(?,?,00000105), ref: 0435BAA8
GetModuleFileNameA.KERNEL32(04350000,?,00000105), ref: 0435BAC3
LoadStringA.USER32(00000000,0000FFEA,?,00000100), ref: 0435BB67

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileModuleName$LoadQueryStringVirtual
String ID:
API String ID: 3990497365-0
Opcode ID: 7a15697f5bf2a03e1a869f0642db1ff95d28fb4e9310b2164d41d7ce302ed403
Instruction ID: 492a07332eec4181daa00e78a93079bf910cfa45d29c2af60b355a2121101aba
Opcode Fuzzy Hash: 7a15697f5bf2a03e1a869f0642db1ff95d28fb4e9310b2164d41d7ce302ed403
Instruction Fuzzy Hash: CE41C570A002589FEB15EB68CC84FEDB7F9AF08208F4460E5A908E7260D774BF848F51

Function 0435CC50 Relevance: 6.1, APIs: 4, Instructions: 97threadCOMMON

Download Yara Rule

APIs

GetStringTypeA.KERNEL32(00000C00,00000002,?,00000080,?), ref: 0435CD4A
GetThreadLocale.KERNEL32 ref: 0435CC7A

Part of subcall function 0435CBD8: GetCPInfo.KERNEL32(00000000,?), ref: 0435CBF1

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoLocaleStringThreadType
String ID:
API String ID: 1505017576-0
Opcode ID: 9827a12f9b49de318b7e6130d8b0ee2984a5974aab972d0c0ad9b209aac5f9eb
Instruction ID: 810e9ffd7279c3ac84fb2960c40b55ef5b77ad2aff6fb9b8fa4d33568091ec23
Opcode Fuzzy Hash: 9827a12f9b49de318b7e6130d8b0ee2984a5974aab972d0c0ad9b209aac5f9eb
Instruction Fuzzy Hash: 3C313731D803598AE760EA25E801BB63FDCEB5630CF847055DCC8CB2D0EA3A68559751

Function 0437A0F4 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 0435DEC0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,?,?,04379FFC,00000000,0437A0DA,?,?,?,?,?,0436A795,00000000,0436ACAA), ref: 0435DED1

Part of subcall function 0435DEE0: Process32First.KERNEL32(?,00000128), ref: 0435DEF1

GetCurrentProcessId.KERNEL32 ref: 0437A1BE
OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 0437A1D8
TerminateProcess.KERNEL32(00000000,00000001,00000000,?,00000000), ref: 0437A1DE
CloseHandle.KERNEL32(00000000), ref: 0437A201

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Process$CloseCreateCurrentFirstHandleOpenProcess32SnapshotTerminateToolhelp32
String ID:
API String ID: 4153222164-0
Opcode ID: ce1610ff357fd0c02f569b15d5d8a62df65ec19bd4f94ded5dbee19081edef01
Instruction ID: c8e8eaa5432a6f1744abe5968bb8b02a716606725ee4e9081d6a3d1206663e40
Opcode Fuzzy Hash: ce1610ff357fd0c02f569b15d5d8a62df65ec19bd4f94ded5dbee19081edef01
Instruction Fuzzy Hash: D6314D30A042189BEB25EB64D881FCDB3B9EF49344F5095E5E908A3260DB747F81CF90

Function 04380704 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0437D428: RtlEnterCriticalSection.KERNEL32(043A8F1C,00000000,04380681,00000000,?,?,04381A9E,04382420,00000000,00000000,00000000), ref: 0437D430
Part of subcall function 0437D428: RtlLeaveCriticalSection.KERNEL32(043A8F1C,043A8F1C,00000000,04380681,00000000,?,?,04381A9E,04382420,00000000,00000000,00000000), ref: 0437D43D
Part of subcall function 0437D428: RtlEnterCriticalSection.KERNEL32(00000038,043A8F1C,043A8F1C,00000000,04380681,00000000,?,?,04381A9E,04382420,00000000,00000000,00000000), ref: 0437D446

Part of subcall function 04381BA0: 73A0A570.USER32(00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381BF6
Part of subcall function 04381BA0: 73A14620.GDI32(00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C0B
Part of subcall function 04381BA0: 73A14620.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C15
Part of subcall function 04381BA0: CreateHalftonePalette.GDI32(00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C39
Part of subcall function 04381BA0: 73A0A480.USER32(00000000,00000000,00000000,?,?,?,?,04380757,00000000,043807E3), ref: 04381C44

73A14C40.GDI32(00000000,00000000,043807E3), ref: 04380759
SelectObject.GDI32(00000000,?), ref: 04380772
73A08830.GDI32(00000000,?,000000FF,00000000,00000000,043807E3), ref: 0438079B
73A022A0.GDI32(00000000,00000000,?,000000FF,00000000,00000000,043807E3), ref: 043807A7

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CriticalSection$A14620Enter$A022A08830A480A570CreateHalftoneLeaveObjectPaletteSelect
String ID:
API String ID: 581509073-0
Opcode ID: 4c6c74aa6925e70a0d09ea6c412eb8f424c86a8e50de244a4fce625b0abd65ac
Instruction ID: 62dbf702a0a10572035652763dcb2c3e622104b6bdc5ef584c1d2c39909ff663
Opcode Fuzzy Hash: 4c6c74aa6925e70a0d09ea6c412eb8f424c86a8e50de244a4fce625b0abd65ac
Instruction Fuzzy Hash: D7310574A04648EFEB08EB69C990D5EB3F5EF48724B6251A5E808AB321D730FE40DF50

Function 043976D0 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 04397709
GetWindowTextA.USER32(?,?,00000105), ref: 0439771B
GetWindowTextA.USER32(?,?,00000105), ref: 0439773E
73A16A70.USER32(?,043976D0,?), ref: 043977B4

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Window$Text$Rect
String ID:
API String ID: 1431499091-0
Opcode ID: 6ebb76459526bf4fb5486defdbc662122b6a1e08b9ce7c2e296eb20a06e59519
Instruction ID: 9843689f8abd86a6e330b493de0f2bc45997649007d50e82e17e5e2aa3c1e709
Opcode Fuzzy Hash: 6ebb76459526bf4fb5486defdbc662122b6a1e08b9ce7c2e296eb20a06e59519
Instruction Fuzzy Hash: 4F213731600618AFEB14DF24CC81EEAB3F9EF48704F4195A5AD08D7650EB70BE958F90

Function 043A1E54 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000000,043A1F4C,?,?,?,00000000,00000000,00000000,00000000), ref: 043A1E86
Sleep.KERNEL32(001B7740,000003E8,00000000,043A1F4C,?,?,?,00000000,00000000,00000000,00000000), ref: 043A1E90

Part of subcall function 0436CE10: Sleep.KERNEL32(00000064,00000000,0436CEF5,?,?,043A8CD4,?,00000000,00000000,00000000,00000000,00000000,?,043A223A,?,|||), ref: 0436CEC2

Part of subcall function 0436BA78: closesocket.WSOCK32(?,00000000,0436BCDE,?,?,?,00000000,?,?,?,?,?,0436BD70,?,0436BDA4,?), ref: 0436BA7F

Strings

NOTIFICATIONS, xrefs: 043A1F0C
DOMAINS, xrefs: 043A1ECE, 043A1EEE

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Sleep$closesocket
String ID: DOMAINS$NOTIFICATIONS
API String ID: 1480910923-4053764644
Opcode ID: e473bd4f37597bc8e3b66ff24869a8da487663d55bd7c75eee51fcbf5b274ee8
Instruction ID: e7f628026092598651d363f23a803d61d06e0ee90db55dae35e614cf3895a3b0
Opcode Fuzzy Hash: e473bd4f37597bc8e3b66ff24869a8da487663d55bd7c75eee51fcbf5b274ee8
Instruction Fuzzy Hash: EE216D787502459FEB04FB64C881C6EB3B9EF48608B90B964E802A7364DB74FD25CB61

Function 0439F338 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

waveInOpen.WINMM(043A9274,00000000,043A6CFC,Function_0004F31C,00000000,00030000), ref: 0439F39C
waveInPrepareHeader.WINMM(00000000,00000000,00000020,043A9274,00000000,043A6CFC,Function_0004F31C,00000000,00030000), ref: 0439F3D8
waveInAddBuffer.WINMM(00000000,00000000,00000020,00000000,00000000,00000020,043A9274,00000000,043A6CFC,Function_0004F31C,00000000,00030000), ref: 0439F3EF
waveInStart.WINMM(00000000,00000000,00000000,00000020,00000000,00000000,00000020,043A9274,00000000,043A6CFC,Function_0004F31C,00000000,00030000), ref: 0439F3FE

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderOpenPrepareStart
String ID:
API String ID: 4183526013-0
Opcode ID: 400d381e88eabde6c7929fa3d0e82f3cfb92a9d6e86d8970d4f8ff126abea13b
Instruction ID: c3aa228c54300620e88de9506dde44a0cbc63a24dc34102e25451cac69136f78
Opcode Fuzzy Hash: 400d381e88eabde6c7929fa3d0e82f3cfb92a9d6e86d8970d4f8ff126abea13b
Instruction Fuzzy Hash: 0F213BB1A84304ABDB00EF79E944B6637ECEF09348F117925E944EB351E338AC208B50

Function 0435896C Relevance: 6.0, APIs: 4, Instructions: 43timefileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 0435897D
GetLastError.KERNEL32(?,?), ref: 04358986
FileTimeToLocalFileTime.KERNEL32(?), ref: 0435899C
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 043589AB

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FileTime$DateErrorFindLastLocalNext
String ID:
API String ID: 2103556486-0
Opcode ID: 2cb7df17525ff330c0fb8ded36cb43a372978efdecd841a49c9aaee905986161
Instruction ID: 15c12485eb5e2e2598293af12d1a2125e1d835a2e2d712c717ec1c79b4891430
Opcode Fuzzy Hash: 2cb7df17525ff330c0fb8ded36cb43a372978efdecd841a49c9aaee905986161
Instruction Fuzzy Hash: 57011DB26002059F9B48EFA8C9C2C9773ECEF0825435455A2AD59CF25AF630E9548BF1

Function 004A9DB0 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

new.LIBCMT ref: 004A9DDA

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee4bc63b2f9c6ce4a9b6e1bc5e3b1ec4e161e098a6b7bfa1472a22f39aa56fd
Instruction ID: baf4586a081725d5f88d18b9567e148d07b05ab9de87a608547abd3c7b652e6b
Opcode Fuzzy Hash: 1ee4bc63b2f9c6ce4a9b6e1bc5e3b1ec4e161e098a6b7bfa1472a22f39aa56fd
Instruction Fuzzy Hash: B8F082B26441054AA728E674989A92F7B98DBB5350B10023AF11EC6681FA25DD54829A

Function 04384CC8 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

73A0A570.USER32(00000000,?,?,04396A3F,00000000,04396AA4,?,00000000,00000000), ref: 04384CCC
73A14620.GDI32(00000000,0000000C,00000000,?,?,04396A3F,00000000,04396AA4,?,00000000,00000000), ref: 04384CD6
73A14620.GDI32(00000000,0000000E,00000000,0000000C,00000000,?,?,04396A3F,00000000,04396AA4,?,00000000,00000000), ref: 04384CE0
73A0A480.USER32(00000000,00000000,00000000,0000000E,00000000,0000000C,00000000,?,?,04396A3F,00000000,04396AA4,?,00000000,00000000), ref: 04384D00

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: A14620$A480A570
String ID:
API String ID: 787695464-0
Opcode ID: 55128c8cc92c8ffb3f1ddb8f28136bd9a63a39ae9df8e3bce712e1571bb08492
Instruction ID: 093dfcaa4271fa59fc4fe418489f50bec4de4a008ee4ecf38145c4596eb9cf2d
Opcode Fuzzy Hash: 55128c8cc92c8ffb3f1ddb8f28136bd9a63a39ae9df8e3bce712e1571bb08492
Instruction Fuzzy Hash: 33E0C262A453A4B9F26032785D86F6B595CCF2175DF803611ED092E4D2E0C86C4093B1

Function 04356E38 Relevance: 6.0, APIs: 4, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

GlobalHandle.KERNEL32 ref: 04356E3B
GlobalUnlock.KERNEL32(00000000), ref: 04356E42
GlobalReAlloc.KERNEL32(00000000,00000000), ref: 04356E47
GlobalLock.KERNEL32(00000000), ref: 04356E4D

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: Global$AllocHandleLockUnlock
String ID:
API String ID: 2167344118-0
Opcode ID: 7b1a70d85a067e4e8ce85303b722878b6d7635e66280a27da27395eb304ad526
Instruction ID: e6f14d1cf18fe631feeeaa98ce0070e372016ffb38e4c28c2f9ff7cc02c183a7
Opcode Fuzzy Hash: 7b1a70d85a067e4e8ce85303b722878b6d7635e66280a27da27395eb304ad526
Instruction Fuzzy Hash: 81B009E485460039BC4433B08D0BEBB029C9C9151E7C069487C48E2030D869B904443A

Function 0041A1E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 394COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041A3B1

Strings

, xrefs: 0041A28F
recovered %d frames from WAL file %s, xrefs: 0041A613

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: $recovered %d frames from WAL file %s
API String ID: 885266447-3175670447
Opcode ID: 348644ea7a3b17e22c99032ba80098ef790741184723c297e5a57f2439e3130b
Instruction ID: cb541f9a61a8ae2385e76667ce195d16c93d230d2d6124f09697ff27da7d70c6
Opcode Fuzzy Hash: 348644ea7a3b17e22c99032ba80098ef790741184723c297e5a57f2439e3130b
Instruction Fuzzy Hash: BCE1AC70A006099FDB14DFA8C881BAEB7F6FF88304F14452EE41AE7791E774A895CB45

Function 00415980 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 314COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00415A9D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00415AF7

Strings

recovered %d pages from %s, xrefs: 00415C92

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: recovered %d pages from %s
API String ID: 885266447-1623757624
Opcode ID: 81b369427001b3bbb80177679b77f70de04fc60594af72296c99df654b44b3bc
Instruction ID: fe2014f15d7559c93d792136fa44a840349b8d79519577316d9d8a2a139383b2
Opcode Fuzzy Hash: 81b369427001b3bbb80177679b77f70de04fc60594af72296c99df654b44b3bc
Instruction Fuzzy Hash: 6FC14974B00A0AEBDB14DFA5C880BEAB7B5BF88304F14412AD915A7341E778BD95CB94

Function 00402AD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00402BB4
__allrem.LIBCMT ref: 00402C7C

Strings

local time unavailable, xrefs: 00402C0C

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID: local time unavailable
API String ID: 1992179935-3313036412
Opcode ID: 4968f25996e18ccec40193ef65dd58ab8918de38215ce0edb25b612f79670d79
Instruction ID: 28dbfbcd267b54fb3406f99fcd28faba4b53c0e2ae8bf8f990fb496b86746016
Opcode Fuzzy Hash: 4968f25996e18ccec40193ef65dd58ab8918de38215ce0edb25b612f79670d79
Instruction Fuzzy Hash: C151AE71908B408BD721CF28C985B1BB7F5BF98314F104B2EF5D9A72D1EBB4A5448B86

Function 0040D570 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0040D5C4

Strings

winTruncate1, xrefs: 0040D62C
winTruncate2, xrefs: 0040D66E

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: winTruncate1$winTruncate2
API String ID: 885266447-470713972
Opcode ID: 9d0a883b370d7fe9ea88769b658edd0c780820d649b1a7f090b0468f9d4f1f37
Instruction ID: 0ffb539fb6b39e3cccd1d3db576611f830a0c4a70323640a3e0fc2404feab031
Opcode Fuzzy Hash: 9d0a883b370d7fe9ea88769b658edd0c780820d649b1a7f090b0468f9d4f1f37
Instruction Fuzzy Hash: 3441C471A052119BCB10DF69DC41A2B77A5AF84760F150A3BFC48A73C1DA39DC088BEA

Function 043A08A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,?,?,?,00000005,00000000,00000000), ref: 043A09C2

Part of subcall function 043549A0: SysFreeString.OLEAUT32(00000000), ref: 043549AE

Part of subcall function 043549B8: SysFreeString.OLEAUT32(?), ref: 043549CB

Strings

.rar, xrefs: 043A08E1
||-_-|-_-||, xrefs: 043A0935, 043A0949

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: FreeString$DeleteFile
String ID: .rar$||-_-|-_-||
API String ID: 51754653-3497882860
Opcode ID: 9b15648f9153ee84c27c36064fb1c72f45c4da407cfb444903b95f3803fb497b
Instruction ID: fcde4f99dc8f5aab83c6f244f7d33e96309aa19696842ab68800aaac77477c6b
Opcode Fuzzy Hash: 9b15648f9153ee84c27c36064fb1c72f45c4da407cfb444903b95f3803fb497b
Instruction Fuzzy Hash: 27413C35A5010A9FEB04EFA4D880EDEB7B9FF48314F506165E805A7260DB70FE59CBA1

Function 00402F93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00402A40: __allrem.LIBCMT ref: 00402A6A

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00403045
__allrem.LIBCMT ref: 00403050

Strings

weekday , xrefs: 00402F95

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __allrem$Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: weekday
API String ID: 2560231902-2485182243
Opcode ID: f7a8458cdbec16f4a2e21a1714db28fdb9ced649a53b23a7191597d02acf2541
Instruction ID: a134d3a5840b60f7cdfb2b20377b1f29cb6c6f46f96b2484ac62db50dea67f89
Opcode Fuzzy Hash: f7a8458cdbec16f4a2e21a1714db28fdb9ced649a53b23a7191597d02acf2541
Instruction Fuzzy Hash: D8313A72B046066BD715EE39CC5272AB798AF95354F14833AE815B72D1E779A8018388

Function 0040AA40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 0040AA94
__aulldiv.LIBCMT ref: 0040AAC7

Strings

-, xrefs: 0040AAF8

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: __aulldiv
String ID: -
API String ID: 3732870572-2547889144
Opcode ID: 1e551f2eec71130d3c0b6f3c433fbcde547cec4dd6b9e4eac08c43f067aa6855
Instruction ID: bb1326ee28ef1ee5415e55ca1b1733a22827c96ff84b3b3befb3a85b5e78b89b
Opcode Fuzzy Hash: 1e551f2eec71130d3c0b6f3c433fbcde547cec4dd6b9e4eac08c43f067aa6855
Instruction Fuzzy Hash: 5631D731B40208AFEB14CBA8CD457EF7BA4EB95314F14407AE905A73C2D6789D15CBAA

Function 0435A25C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,0435A33A), ref: 0435A2E2
GetDateFormatA.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,0435A33A), ref: 0435A2E8

Strings

yyyy, xrefs: 0435A2BD

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: DateFormatLocaleThread
String ID: yyyy
API String ID: 3303714858-3145165042
Opcode ID: cd14b6d55b6660525298d80c66dda726b9be13737a3bc9722939b2664e660b20
Instruction ID: 57cec210fd023fce00e92a984b1b40375466340f96a113f72363ef18ee3746bd
Opcode Fuzzy Hash: cd14b6d55b6660525298d80c66dda726b9be13737a3bc9722939b2664e660b20
Instruction Fuzzy Hash: 1E216034600208AFEB15EBA8D841EAE73F8EF18704F4121A5ED04D7770E630AE40DA61

Function 04383508 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32(?,00000048), ref: 04383531

Strings

H, xrefs: 04383522
%s|%d|%d|%d|%d, xrefs: 04383578

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: InfoMonitor
String ID: %s|%d|%d|%d|%d$H
API String ID: 2631571227-390123144
Opcode ID: b8283574e4468f2b652afd2d0be9569dee36e7f9453df0a654daaa5629910557
Instruction ID: bcfb21b374c3b553e9ab54d8e4d26ef412d383ab74bd1a0bbf39246a41d68c9f
Opcode Fuzzy Hash: b8283574e4468f2b652afd2d0be9569dee36e7f9453df0a654daaa5629910557
Instruction Fuzzy Hash: C521D374D043889FEB01DBE8D880B9DBBF8AF09704F60516AE814E7390E735A905CF55

Function 04378C68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,OPEN,00000000,04378D08,04378D08,00000005), ref: 04378CCA

Part of subcall function 043790B8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,0437928C,?,00000000), ref: 0437919E
Part of subcall function 043790B8: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,00000000,00000000,00000000,000000FF,08004000), ref: 043791DB
Part of subcall function 043790B8: WaitForSingleObject.KERNEL32(?,000000FF,00000000,00000000,00000000,00000000,000000FF,08004000,00000000,00000000,00000044,?,00000000,0437928C,?,00000000), ref: 0437925F

Strings

.exe, xrefs: 04378C8E
OPEN, xrefs: 04378CC3

Memory Dump Source

Source File: 00000000.00000002.2051199600.0000000004350000.00000040.10000000.00040000.00000000.sdmp, Offset: 04350000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4350000_upd_1916298.jbxd

Yara matches

Similarity

API ID: CreateProcess$ExecuteObjectShellSingleWait
String ID: .exe$OPEN
API String ID: 2960631408-879745837
Opcode ID: 0b79530dc88aa57b52a57a49557f50380c7801268566012179023c427939c9d3
Instruction ID: 4d2e9c8b5fd591211ea556f7d46c41534955f12932b478bee7d0d05e6127e067
Opcode Fuzzy Hash: 0b79530dc88aa57b52a57a49557f50380c7801268566012179023c427939c9d3
Instruction Fuzzy Hash: C601D630340204BBF728FA65DD46F5EBBA8DF49614F50A472F840E3250D6B8BE049B50

Function 00541B9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

std::align.LIBCPMT ref: 00541BBC
shared_ptr.LIBCPMT ref: 00541BE2

Strings

d`, xrefs: 00541BA2

Memory Dump Source

Source File: 00000000.00000002.2050518799.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2050496654.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005A1000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050697093.00000000005AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050781484.0000000000607000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050796473.0000000000608000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050821484.000000000060E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2050844310.0000000000615000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_upd_1916298.jbxd

Similarity

API ID: shared_ptrstd::align
String ID: d`
API String ID: 734102406-4132929406
Opcode ID: a3dfc1ba2ba6f77f93b124f4d68edd6f8ff27bc4f4679be5a8828bad26e6e750
Instruction ID: 008895103f6156db8fa256e6a73d802831e5048148413b102a0f99430b381258
Opcode Fuzzy Hash: a3dfc1ba2ba6f77f93b124f4d68edd6f8ff27bc4f4679be5a8828bad26e6e750
Instruction Fuzzy Hash: 7DF0A73198020D7BDB04AE55DD058EB7F5DEB41364F044092FD0843681EA71AA409BE1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	Command: Command Execution, Process: Process Creation, User Account: User Account Creation
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report upd_1916298.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: DarkGate

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\ffdbfkc\chbdcee

C:\Users\user\AppData\Roaming\EFeACAf

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Windows Analysis Report
upd_1916298.exe

Function 04355B0C Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 186
registrystringlibraryCOMMON

Function 00401093 Relevance: 21.3, APIs: 4, Strings: 8, Instructions: 301
nativememorylibraryCOMMON

Function 04355C17 Relevance: 15.1, APIs: 10, Instructions: 101
stringlibrarythreadCOMMON

Function 043792B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 167
processsynchronizationCOMMON

Function 043A3990 Relevance: 49.4, APIs: 6, Strings: 22, Instructions: 403
threadsleepCOMMON

Function 04378354 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 29
libraryCOMMON

Function 04379A08 Relevance: 7.6, APIs: 5, Instructions: 72
filememoryCOMMON

Function 0437ADAC Relevance: 4.6, APIs: 3, Instructions: 57
registryCOMMON

Function 0437A2D0 Relevance: 4.6, APIs: 3, Instructions: 54
fileCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre