Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1538238
MD5:	4691c303b4e07b49aa7dea2efec34923
SHA1:	954df91669f2f85b8bd9c9704bb30c2e8bdb0d49
SHA256:	e5e38644d06e2d6e6bc230ada2ce73bb7af3c8074d52aa05b677f5845647e92c
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	14
Range:	0 - 100
Whitelisted:	false
Confidence:	0%

Signatures

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 5784 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 4691C303B4E07B49AA7DEA2EFEC34923)

cmd.exe (PID: 6836 cmdline: cmd.exe /d /c bxskiicciwd.bat 342745396 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fopholde.exe (PID: 5096 cmdline: fopholde.exe lfssylb.iiun 342745396 MD5: 2890F1847D5D5F8F0E0C036EB0E9D58C)

rundll32.exe (PID: 1508 cmdline: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\" MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 5784, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00D530D6

Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_e10ea267-1

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: wextract.pdbGCTL source: file.exe
Source:	Binary string: stub.pdbGCTL source: gufcrfmk.iiun.0.dr
Source:	Binary string: stub.pdb source: gufcrfmk.iiun.0.dr
Source:	Binary string: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\Release\node.pdb source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5249E FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00D5249E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01046920 GetFileAttributesW,_swprintf,FindFirstFileW,_free,GetLastError,FindNextFileW,FindClose,WideCharToMultiByte,_free,_free,GetLastError,		4_2_01046920

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Code function: 4_2_0103C120 uv_udp_recv_start,

4_2_0103C120

Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://code.google.com/p/v8/wiki/DebuggerProtocol
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://daniel.haxx.se/blog/2011/02/21/localhost-hack-on-windows/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://foo.com
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://invisible-island.net/xterm/ctlseqs/ctlseqs.html
Source: ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://mathiasbynens.be/notes/javascript-encoding
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://mths.be/punycode
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://narwhaljs.org)
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://nodejs.org/
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, fopholde.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#Be_smart_about_timeouts
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://stackoverflow.com/a/5501711/3561
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://tools.ietf.org/html/rfc3492#section-3.4
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://wiki.commonjs.org/wiki/Unit_Testing/1.0
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://www.ecma-international.org/publications/standards/Ecma-262.htm)
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://www.midnight-commander.org/browser/lib/tty/key.c
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: http://www.squid-cache.org/Doc/config/half_closed_clients/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://code.google.com/p/chromium/issues/detail?id=25916
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://codereview.chromium.org/121173009/
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/antirez/linenoise
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/isaacs/readable-stream/issues/16
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/joyent/node/issues/1707
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/joyent/node/issues/1726
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/joyent/node/issues/2631
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://github.com/joyent/node/issues/3295.
Source: fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	String found in binary or memory: https://groups.google.com/forum/?pli=1#
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe.2.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01040180 uv_cpu_info,GetSystemInfo,_calloc,NtQuerySystemInformation,RtlNtStatusToDosError,__snwprintf,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,WideCharToMultiByte,WideCharToMultiByte,_free,GetLastError,RegCloseKey,GetLastError,_free,_free,_free,	4_2_01040180
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010470C0 NtSetInformationFile,RtlNtStatusToDosError,	4_2_010470C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010472A0 NtQueryInformationFile,RtlNtStatusToDosError,NtSetInformationFile,	4_2_010472A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01049C30 SetNamedPipeHandleState,GetLastError,SetLastError,NtQueryInformationFile,CreateIoCompletionPort,	4_2_01049C30

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5209F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00D5209F

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D53D86	0_2_00D53D86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D538C7	0_2_00D538C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D55F17	0_2_00D55F17
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_00FAF450	4_2_00FAF450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103FF30	4_2_0103FF30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0125513D	4_2_0125513D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_00F501D0	4_2_00F501D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_011D00A0	4_2_011D00A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0106B300	4_2_0106B300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_011CF300	4_2_011CF300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010B3240	4_2_010B3240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_011DAAB0	4_2_011DAAB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0111EAC0	4_2_0111EAC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01123C10	4_2_01123C10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01247C3B	4_2_01247C3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103F710	4_2_0103F710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_011DA7E0	4_2_011DA7E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_00F6B750	4_2_00F6B750
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660EE29	4_2_0660EE29
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660B607	4_2_0660B607
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660BE1F	4_2_0660BE1F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660CF3F	4_2_0660CF3F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660C707	4_2_0660C707
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_066137BB	4_2_066137BB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_06637422	4_2_06637422
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660CCC5	4_2_0660CCC5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660D4DF	4_2_0660D4DF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_06613545	4_2_06613545
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660DD01	4_2_0660DD01
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660E5E6	4_2_0660E5E6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660A5C6	4_2_0660A5C6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660ADDF	4_2_0660ADDF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660D267	4_2_0660D267
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660E2BC	4_2_0660E2BC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660DA82	4_2_0660DA82
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660AB65	4_2_0660AB65
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660C3C9	4_2_0660C3C9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660BBA2	4_2_0660BBA2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660EBA7	4_2_0660EBA7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660E866	4_2_0660E866
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660B87F	4_2_0660B87F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660E044	4_2_0660E044
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660A838	4_2_0660A838
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660C147	4_2_0660C147
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660C98D	4_2_0660C98D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_2F813E66	4_2_2F813E66
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_2F8140DC	4_2_2F8140DC

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: String function: 01054B30 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: String function: 01104390 appears 156 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: String function: 01054E90 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: String function: 01054DF0 appears 202 times
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: String function: 0124062F appears 106 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 3632887 bytes, 7 files, at 0x2c +A "gufcrfmk.iiun" +A "ekkmphakhofgs.iiun", ID 11590, number 1, 230 datablocks, 0x1503 compression

Source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamenode.exe* vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean14.evad.winEXE@7/8@0/0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D55BD2 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,

0_2_00D55BD2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D5209F GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx,

0_2_00D5209F

Source: C:\Users\user\Desktop\file.exe

0_2_00D55BD2

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Code function: 4_2_00FAF450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

4_2_00FAF450

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D52E59 memset,memset,memset,CreateEventA,SetEvent,CreateMutexA,GetLastError,CloseHandle,FindResourceA,LoadResource,

0_2_00D52E59

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5544:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396

Source: C:\Users\user\Desktop\file.exe

Command line argument: Kernel32.dll

0_2_00D52DA4

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396
Source: unknown	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /d /c bxskiicciwd.bat 342745396	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: feclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: advpack.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Section loaded: perfos.dll	Jump to behavior

Source: file.exe

Static file information: File size 3787944 > 1048576

Source: file.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x392600

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wextract.pdb source: file.exe
Source:	Binary string: wextract.pdbGCTL source: file.exe
Source:	Binary string: stub.pdbGCTL source: gufcrfmk.iiun.0.dr
Source:	Binary string: stub.pdb source: gufcrfmk.iiun.0.dr
Source:	Binary string: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\Release\node.pdb source: file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr

Source: file.exe

Static PE information: 0xA889EAE7 [Fri Aug 8 23:27:35 2059 UTC]

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00D530D6

Source: gufcrfmk.iiun.0.dr

Static PE information: real checksum: 0x9edd should be: 0x146df0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D575C1 push ecx; ret	0_2_00D575D4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010C1180 push ecx; mov dword ptr [esp], ecx	4_2_010C1181
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0124B405 push ecx; ret	4_2_0124B418
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660F751 push ecx; ret	4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660FC20 push ecx; ret	4_2_0660FD75
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660FA60 push ecx; ret	4_2_0660FBCF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660F860 push ecx; ret	4_2_0660FA0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660F773 push ecx; ret	4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_06613F7A push ecx; ret	4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660F740 push ecx; ret	4_2_0660F7AB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660FA20 push ecx; ret	4_2_0660FBCF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660FBE0 push ecx; ret	4_2_0660FD75
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0660F820 push ecx; ret	4_2_0660FA0A

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D51BD3 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA,

0_2_00D51BD3

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce wextract_cleanup0	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

4_2_00FAF450

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

4_2_00FAF450

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-2547

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

API coverage: 7.4 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D5249E FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,		0_2_00D5249E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01046920 GetFileAttributesW,_swprintf,FindFirstFileW,_free,GetLastError,FindNextFileW,FindClose,WideCharToMultiByte,_free,_free,GetLastError,		4_2_01046920

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D556B2 GetSystemInfo,CreateDirectoryA,RemoveDirectoryA,

0_2_00D556B2

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	File opened: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun	Jump to behavior

Source: fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: GuaHGFSkP
Source: fopholde.exe, 00000004.00000002.1486314859.000000000193A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: fopholde.exe, 00000004.00000002.1486314859.000000000193A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8@
Source: fopholde.exe.2.dr	Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Code function: 4_2_01052920 ??0Unlocker@v8@@QAE@PAVIsolate@1@@Z,LdrInitializeThunk,?Exit@Isolate@v8@@QAEXXZ,

4_2_01052920

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Code function: 4_2_01241CAA IsDebuggerPresent,

4_2_01241CAA

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

4_2_00FAF450

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Code function: 4_2_010F41E0 VirtualAlloc ?,00001000,00001000,00000102,?,00009000,00000000,?,010F3A5C,?

4_2_010F41E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D530D6 GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA,

0_2_00D530D6

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D57260 SetUnhandledExceptionFilter,	0_2_00D57260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D57006 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00D57006
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0124DC97 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0124DC97

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Memory allocated: page readonly | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe fopholde.exe lfssylb.iiun 342745396

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D518BF LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary,

0_2_00D518BF

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D574B9 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00D574B9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D52DA4 GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle,

0_2_00D52DA4

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104A1B0 uv_pipe_bind,WaitNamedPipeW,WaitNamedPipeW,GetLastError,GetLastError,GetLastError,PostQueuedCompletionStatus,GetLastError,uv_pipe_connect,GetLastError,WaitNamedPipeW,MultiByteToWideChar,	4_2_0104A1B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010509D0 uv_udp_set_ttl,uv_udp_bind,setsockopt,WSAGetLastError,	4_2_010509D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0106A1F0 ?SetDebugEventListener2@Debug@v8@@SA_NP6AXABVEventDetails@12@@ZV?$Handle@VValue@v8@@@2@@Z,	4_2_0106A1F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0106A040 ?SetDebugEventListener@Debug@v8@@SA_NP6AXW4DebugEvent@2@V?$Handle@VObject@v8@@@2@1V?$Handle@VValue@v8@@@2@@Z2@Z,	4_2_0106A040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050890 uv_udp_set_broadcast,uv_udp_bind,setsockopt,WSAGetLastError,	4_2_01050890
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050300 uv_udp_bind6,	4_2_01050300
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050B30 uv_udp_set_multicast_loop,uv_udp_bind,setsockopt,WSAGetLastError,	4_2_01050B30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01068370 ?AddMessageListener@V8@v8@@SA_NP6AXV?$Handle@VMessage@v8@@@2@V?$Handle@VValue@v8@@@2@@Z1@Z,	4_2_01068370
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0106A3A0 ?SetDebugEventListener@Debug@v8@@SA_NV?$Handle@VObject@v8@@@2@V?$Handle@VValue@v8@@@2@@Z,	4_2_0106A3A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_010493C0 uv_listen,	4_2_010493C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104FBE0 socket,closesocket,setsockopt,bind,WSAGetLastError,	4_2_0104FBE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050260 uv_udp_bind,	4_2_01050260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050A80 uv_udp_set_multicast_ttl,uv_udp_bind,setsockopt,WSAGetLastError,	4_2_01050A80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104E2C0 uv_tcp_bind,GetLastError,WSAGetLastError,	4_2_0104E2C0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104E510 uv_tcp_bind6,GetLastError,WSAGetLastError,	4_2_0104E510
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01068540 ?RemoveMessageListeners@V8@v8@@SAXP6AXV?$Handle@VMessage@v8@@@2@V?$Handle@VValue@v8@@@2@@Z@Z,	4_2_01068540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103BDB0 uv_tcp_bind,	4_2_0103BDB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104FCD0 socket,WSAGetLastError,closesocket,setsockopt,bind,	4_2_0104FCD0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103BF40 uv_udp_bind6,	4_2_0103BF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0104FF40 uv_udp_bind,	4_2_0104FF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_01050790 uv_udp_set_membership,uv_udp_bind,inet_addr,inet_addr,htonl,inet_addr,setsockopt,WSAGetLastError,	4_2_01050790
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103BE30 uv_tcp_bind6,	4_2_0103BE30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	Code function: 4_2_0103BEC0 uv_udp_bind,	4_2_0103BEC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Scripting	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Native API	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	11 Disable or Modify Tools	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Access Token Manipulation	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	16 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	3%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://www.openssl.org/support/faq.html	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://wiki.squid-cache.org/SquidFaq/InnerWorkings#What_is_a_half-closed_filedescriptor.3F	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://insanecoding.blogspot.com/2007/11/pathmax-simply-isnt.html	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/joyent/node/issues/1707	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/joyent/node/issues/3295.	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://nodejs.org/	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/joyent/node/issues/1726	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://stackoverflow.com/a/5501711/3561	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://daniel.haxx.se/blog/2011/02/21/localhost-hack-on-windows/	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://www.midnight-commander.org/browser/lib/tty/key.c	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://www.ecma-international.org/publications/standards/Ecma-262.htm)	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://www.squid-cache.org/Doc/config/half_closed_clients/	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://code.google.com/p/v8/wiki/DebuggerProtocol	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://www.3waylabs.com/nw/WWW/products/wizcon/vt220.html	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://narwhaljs.org)	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://tools.ietf.org/html/rfc3492#section-3.4	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://www.openssl.org/support/faq.html	file.exe, 00000000.00000003.1457042277.0000000005250000.00000004.00000020.00020000.00000000.sdmp, fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr	false	URL Reputation: safe	unknown
http://invisible-island.net/xterm/ctlseqs/ctlseqs.html	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://code.google.com/p/chromium/issues/detail?id=25916	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://codereview.chromium.org/121173009/	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488165504.0000000014208000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://mths.be/punycode	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/isaacs/readable-stream/issues/16	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://wiki.commonjs.org/wiki/Unit_Testing/1.0	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1488521547.0000000027A08000.00000004.00001000.00020000.00000000.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://foo.com	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/antirez/linenoise	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
https://groups.google.com/forum/?pli=1#	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://pod.tst.eu/http://cvs.schmorp.de/libev/ev.pod#Be_smart_about_timeouts	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown
http://mathiasbynens.be/notes/javascript-encoding	ekkmphakhofqv.iiun.0.dr	false		unknown
https://github.com/joyent/node/issues/2631	fopholde.exe, 00000004.00000000.1460684596.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe, 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmp, fopholde.exe.2.dr, ekkmphakhofqv.iiun.0.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538238
Start date and time:	2024-10-20 21:16:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	CLEAN
Classification:	clean14.evad.winEXE@7/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 67% Number of executed functions: 141 Number of non-executed functions: 197
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe	s7DAizjnD4.exe	Get hash	malicious	Unknown	Browse
	s7DAizjnD4.exe	Get hash	malicious	Unknown	Browse
	Jv8fOnU0dO.exe	Get hash	malicious	Unknown	Browse
	vFsYU3btg0.exe	Get hash	malicious	CryptbotV2, Vidar	Browse
	hA0wxBx95Y.exe	Get hash	malicious	Nymaim	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\bxskiicciwd.bat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	145
Entropy (8bit):	4.637611194717789
Encrypted:	false
SSDEEP:	3:0uRio2hQOBQ4rNdVrNML8rN4LF+SBlYOYPlMKBGAn:ZAhzQcn1KcWxDBzIvgAn
MD5:	E66DBCF875E27844C3891D02C46640B6
SHA1:	9F628F5BC1158836E3B12E775C7867ED0076F33E
SHA-256:	8920EC4D55EBEC295FDE463575054140950160BABB524FEBEAE07817B51741A1
SHA-512:	C3AB7BEF411639F811B9CD951047F61B4A440C97A9615599845F52F0B81EEF2F3DFB923EC7352412D7B79D3ACBC9E14BF51A535CF67A7220CF0E3EE022F0E131
Malicious:	false
Reputation:	low
Preview:	rem 15864963.copy /b ekkmphakhofgs.iiun + ekkmphakhofox.iiun + ekkmphakhofir.iiun + ekkmphakhofqv.iiun fopholde.exe.fopholde.exe lfssylb.iiun %1%

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofgs.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:o:o
MD5:	69691C7BDCC3CE6D5D8A1361F22D04AC
SHA1:	C63AE6DD4FC9F9DDA66970E827D13F7C73FE841C
SHA-256:	08F271887CE94707DA822D5263BAE19D5519CB3614E0DAEDC4C7CE5DAB7473F1
SHA-512:	253405E03B91441A6DD354A9B72E040068B1BFE10E83EB1A64A086C05525D8CCAE2BF09130C624AF50D55C3522A4FBB7C18CFC8DD843E5F4801D9AD2B5164B12
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	M

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofir.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Matlab v4 mat-file (little endian) , rows 4, columns 65535, imaginary
Category:	dropped
Size (bytes):	33
Entropy (8bit):	1.0934255569822822
Encrypted:	false
SSDEEP:	3:dqt/vll:dq
MD5:	500BA63E2664798939744B8A8C9BE982
SHA1:	54743A77E4186CB327B803EFB1EF5B3D4AC163CE
SHA-256:	4EBC21177EE9907F71A1641A0482603CED98E9D43389CAC0FFB0B59F7343EEBA
SHA-512:	9992B70DE5867E2A00AFF4F79C37BA71E827CBB104C192EBD4A553F91AE06A5B235F34E65D9D1145591C147E9E6726146CB92171945AA67B8F3294116A223FE7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	....................@............

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofox.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	3
Entropy (8bit):	1.584962500721156
Encrypted:	false
SSDEEP:	3:H:H
MD5:	158B365B9EEDCFAF539F5DEDFD82EE97
SHA1:	529F5D61AC99F60A8E473368EFF1B32095A3E2BF
SHA-256:	39561F8AF034137905F14CA7FD5A2C891BC12982F3F8EF2271E75E93433FFA90
SHA-512:	A1B231C2E6AF432EE7DF82E00D568819E12149AF707D4C4FDD018B38CC4F9761062C5B7E497BD1B67E466B89E391520B88BF13F18C8B9FF646D82DF740C05C09
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	Z..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofqv.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	5493851
Entropy (8bit):	6.86441447779733
Encrypted:	false
SSDEEP:	49152:cOTrG8+oMMZlxDffaWDfjgkTkOky11LAIElzI+7pMf9VxEc1+koC98lYMhhTQE6b:c39oM2DtjgkTvky11LAIuccgRyIVsH
MD5:	A919729A18174FBBBC592801F8274939
SHA1:	D2D18176E1A56E95449D48D0943030D94BC045F7
SHA-256:	6F639B042ECFF76E4BE8C4DB5A36BB3AE783624B44DF31628F7C52E4489D0F3D
SHA-512:	36AAE913B019420149D53E2018DE2585C6DFF0C0FCA927F05AF030B396EED0833B120B0E84FC0BDF397F7EB0074F44FA85603175E5DCF08F437961AB3E5CE7D6
Malicious:	false
Preview:	...................................!..L.!This program cannot be run in DOS mode....$.......H+.;.J.h.J.h.J.h...h.J.h..&h9J.h...hKJ.h..'h.J.h...h.J.h..h.J.h.J.h.K.h.."h.H.h...h.J.h...h.J.h.JPh.J.h...h.J.hRich.J.h................PE..L...e.V..................3...!......21...... 3...@..........................@T.....v.T...@..........................GN.;...<.O......PP.x.............S.......R..:.. $3.8............................=N.@............ 3..............................text...e.3.......3................. ..`.rdata....... 3.......3.............@..@.data.... ... O.......O.............@....rsrc...x....PP.......O.............@..@.reloc...:....R..<....Q.............@..B........................................................................................................................................................................................................................................................................................................................USVW3.X..5..

C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5493888
Entropy (8bit):	6.864397008199
Encrypted:	false
SSDEEP:	49152:kOTrG8+oMMZlxDffaWDfjgkTkOky11LAIElzI+7pMf9VxEc1+koC98lYMhhTQE6b:k39oM2DtjgkTvky11LAIuccgRyIVsH
MD5:	2890F1847D5D5F8F0E0C036EB0E9D58C
SHA1:	656306727FB15C4C43C40B57EB98C016FD1EC6FD
SHA-256:	F0280E1F5C2568E5FDA9F911AB8341B47914A21D30F854136299F510DC843816
SHA-512:	233D5D07E98DC55C2D4D992F4D86B3BD19850DB871E514569FC28E39B4CF8552F2225E38527341F85EB50A357B7781924185DE163E540F270E3157545BE6BDA6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Joe Sandbox View:	Filename: s7DAizjnD4.exe, Detection: malicious, Browse Filename: s7DAizjnD4.exe, Detection: malicious, Browse Filename: Jv8fOnU0dO.exe, Detection: malicious, Browse Filename: vFsYU3btg0.exe, Detection: malicious, Browse Filename: hA0wxBx95Y.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H+.;.J.h.J.h.J.h...h.J.h..&h9J.h...hKJ.h..'h.J.h...h.J.h..h.J.h.J.h.K.h.."h.H.h...h.J.h...h.J.h.JPh.J.h...h.J.hRich.J.h................PE..L...e.V..................3...!......21...... 3...@..........................@T.....v.T...@..........................GN.;...<.O......PP.x.............S.......R..:.. $3.8............................=N.@............ 3..............................text...e.3.......3................. ..`.rdata....... 3.......3.............@..@.data.... ... O.......O.............@....rsrc...x....PP.......O.............@..@.reloc...:....R..<....Q.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1338506
Entropy (8bit):	7.997421850666356
Encrypted:	true
SSDEEP:	24576:NJN8Q6cetleC94rRd1sSGq5mqlPeumFLutQX9+C10Xne8p6FtfnQL10nO897:Njdks5mqIqlPe/xutqLuzcdQ50Og
MD5:	8CCC9769A0B6DB3DA5F562D5343F03E6
SHA1:	CB2AE405437715F5559A4ED80771701BF87C4B61
SHA-256:	046B3E9DEBCA7F2E54D558A95CAB1320E4C126AD0FD6D6D4582BDF0CFFFB5D01
SHA-512:	E5DFEF849A8F7D85C7EA0F20DFA3B4DC3F0035665DFDBEC4EEBBABF6A3FA13A4063DF5B320B540114652A166484B3C1127AE0352D8D52569C7C0A1CC008EC519
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.2.=.\.=.\.=.\.)._.?.\.).X.7.\.=.].*.\.).].8.\.).\.<.\.).T.?.\.)...<.\.).^.<.\.Rich=.\.................PE..d......d.........." .........................................................p...........`A.........................................%..D...$&..<....P.......@...............`......0"..T............................ ..............(!...............................text...p........................... ..`.rdata....... ......................@..@.data...P....0......................@....pdata.......@......................@..@.rsrc........P....... ..............@..@.reloc.......`.......&..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	696950
Entropy (8bit):	6.011850632278692
Encrypted:	false
SSDEEP:	12288:8xji9RYnmyX65h0/2H7Qrf6TG3ju3jcx0vUxEsGA52tsw+nhZYyCO61s:8lARYmr5hEPf6q3ju3Y0vAcjswWYE
MD5:	0735411480F3C0D633A383B6AD41CD24
SHA1:	9F5430C0CDF67D96648D1584930BE1E609563399
SHA-256:	2B265EFB1AE4C4C377488D179D546A46B8452CD3D7DAC125D3BCDD3C9BCD7C81
SHA-512:	301F61FBEB626F656EF9BEA5D5CAAC24D7DDEAB2EC9B2984BD5A3ED57281BB0544EC3AB1DBE9C34D3CF1FB3204326A53152B3FFDE257FC9070724B67A9893577
Malicious:	false
Preview:	'lHIUoaGD3USamudPhuehVBF5LZ8/WhPJIxS7LwnseEwCLQOgJ46PeJSAJdTNfCq6ugg0Ztj4FWEZM6YdTzS40U2rODG1zM9mAyvrDjBpHSJOuQiiuPWUKwo6qI/HsjGcp2aNTcK69SnqwAb/6I1HFg+BQA3LxJElpNlrAGBdW3mJvr4Uyh/D1AmjJBSalU9L5H/KFgz3ruo0uMlcxAQDbGHp/oVSZDp/T86RaCprL/j2Cd74nzZGIgdZB7772+gfs+tR4LGvOL8fCNOinVYU1v184rGfv/IwJdxIBEyFsV55jRqnX6ByMsxr9baVJZYeGusztpNVwYblxI7KkEEvfhyEQaNnb+D7KzO4h8lsj34WbWI3nPD8z9eWjI6DB01VdGmE4CJuJ+2M/5NHQL1c5L0yM+yMQFjsJ9Iev8OENSCvO+OqS/QAkc1RHuiI3R6ROiMiR2Hs65gA4brhwrwmgRdfUsCN5/iO0l0ll1ldbyvDZ0R1oiHR2fGjhJN1rnrtcPmDkB4tFj/nn/VnmgGTVQawDxyC3BRKM2hRvCOdXOBFvvTsbyyLFm2lbv6/i6ughr/y0A70C4x7scY9HvsicchPn6xBBPDZqgJqJ0XxjKc=';BBY='qF0M9VXylzEhPL7wBh/ToS/Vncbs92v24bQFqowlM1O+pnMZ+SF0UCxP0vtVYlYKnr2t2Q59DXrMFkty3xLMj6zcQC695QhS0V79MthE8tOIQU/KkFJ8Iti20wV2xha+gHarE4iRk4EHg9DFUOvO5I7GRJLdDIOPch5mBSA7jYGFFW7s12PnuCLOr5dtH6JlFspgSuKXvX9ijwqFa62YipRjiITauVevPIlTckZvC+mBe19lxQ0nrcUWwNmXngsWaOwiOMeihO2HU7sjz8awcjhtsnnqwJ5yRIeGxG+qfBgDLVJa+Hm5vqeck8OLmYhw/dMtvyR95G1WLeCRyayF7xjfN2n+c2fIXUUm/9JFsr1nm9okG+ej

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.992170327107664
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	3'787'944 bytes
MD5:	4691c303b4e07b49aa7dea2efec34923
SHA1:	954df91669f2f85b8bd9c9704bb30c2e8bdb0d49
SHA256:	e5e38644d06e2d6e6bc230ada2ce73bb7af3c8074d52aa05b677f5845647e92c
SHA512:	eca842ae293399a324637a26489713ab670731ade4a8e22da7fcf6ea6534c524c4cb07033465e20ea49a2ca6272ea53711436849e39787dac4d34f6704da4d2d
SSDEEP:	98304:LXnvyPoK3DkR+9LJxTrdzWGJ7SLe/lt6LWWtHljkse:7neF3DbxTr59SLedsVt8
TLSH:	B5063320BBE494A8CE5467B105F9129795367DC13ABBE3E32A0315814DB07C1F9FB36A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.R...<...<...<.E.9...<.E.?...<.E.8...<.E.=...<...=...<.E.4...<.E.....<.E.>...<.Rich..<.................PE..L..................

File Icon


Icon Hash:	3b6120282c4c5a1f

Static PE Info

General

Entrypoint:	0x406d50
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0xA889EAE7 [Fri Aug 8 23:27:35 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:	646167cce332c1c252cdcb1839e0cf48

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Poll Soft Corp
Signature Validation Error:	A certificate chain could not be built to a trusted root authority
Error Number:	-2146762486
Not Before, Not After	09/10/2024 19:58:42 07/10/2034 19:58:42
Subject Chain	CN=Poll Soft Corp
Version:	3
Thumbprint MD5:	9BC333A0C490B0ED8EFA4373AAC13439
Thumbprint SHA-1:	E274141945F9EFEDD402300CAB1537ABD1C12F4F
Thumbprint SHA-256:	7CD955F966F6F8451C3744FF716B6747F1B53815E539756437E0EC370F2FB0C0
Serial:	53B6E38251BF83A8B1BD89995C3101F527530056

Entrypoint Preview

Instruction
call 00007FB621161D09h
jmp 00007FB6211615ABh
int3
int3
int3
int3
int3
int3
push 00000058h
push 00407640h
call 00007FB621161DB5h
xor ebx, ebx
mov dword ptr [ebp-20h], ebx
lea eax, dword ptr [ebp-68h]
push eax
call dword ptr [0040A184h]
mov dword ptr [ebp-04h], ebx
mov eax, dword ptr fs:[00000018h]
mov esi, dword ptr [eax+04h]
mov edi, ebx
mov edx, 004088ACh
mov ecx, esi
xor eax, eax
lock cmpxchg dword ptr [edx], ecx
test eax, eax
je 00007FB6211615BAh
cmp eax, esi
jne 00007FB6211615A9h
xor esi, esi
inc esi
mov edi, esi
jmp 00007FB6211615B2h
push 000003E8h
call dword ptr [0040A188h]
jmp 00007FB621161579h
xor esi, esi
inc esi
cmp dword ptr [004088B0h], esi
jne 00007FB6211615ACh
push 0000001Fh
call 00007FB621161B17h
pop ecx
jmp 00007FB6211615DCh
cmp dword ptr [004088B0h], ebx
jne 00007FB6211615CEh
mov dword ptr [004088B0h], esi
push 004010E0h
push 004010D4h
call 00007FB621161706h
pop ecx
pop ecx
test eax, eax
je 00007FB6211615B9h
mov dword ptr [ebp-04h], FFFFFFFEh
mov eax, 000000FFh
jmp 00007FB6211616D9h
mov dword ptr [004081E4h], esi
cmp dword ptr [004088B0h], esi
jne 00007FB6211615BDh
push 004010D0h
push 004010C8h
call 00007FB621161CFDh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa290	0xb4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc000	0x3924a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x39b000	0x1ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x39f000	0x888	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1420	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1008	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa000	0x288	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x669c	0x6800	8efccde25b9e492cde40b5ef253cf7a7	False	0.56005859375	data	6.273040582242402	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x8000	0x1aa0	0x200	7b9890a93c0516bb070e1170cfde54d5	False	0.609375	data	4.970639543960129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xa000	0x1056	0x1200	8fa33e292b5a9d9dcf9cf67d5c955b3d	False	0.4157986111111111	data	5.044065263162861	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc000	0x393000	0x392600	6b30f11ba5cc81ddf337b6e277232142	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x39f000	0x888	0xa00	0e9fae0fc18f3412188d18fc97b6fc55	False	0.750390625	data	6.269219670787053	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AVI	0xc9f8	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp	English	United States	0.2713099474665311
RT_ICON	0xf814	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.3225609756097561
RT_ICON	0xfe7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.41263440860215056
RT_ICON	0x10164	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	English	United States	0.4569672131147541
RT_ICON	0x1034c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.5574324324324325
RT_ICON	0x10474	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6223347547974414
RT_ICON	0x1131c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7369133574007221
RT_ICON	0x11bc4	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.783410138248848
RT_ICON	0x1228c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.3829479768786127
RT_ICON	0x127f4	0xd9d2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004662673505254
RT_ICON	0x201c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5300829875518672
RT_ICON	0x22770	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6137429643527205
RT_ICON	0x23818	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.703688524590164
RT_ICON	0x241a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.425531914893617
RT_DIALOG	0x24608	0x2f2	data	English	United States	0.4389920424403183
RT_DIALOG	0x248fc	0x1b0	data	English	United States	0.5625
RT_DIALOG	0x24aac	0x166	data	English	United States	0.5223463687150838
RT_DIALOG	0x24c14	0x1c0	data	English	United States	0.5446428571428571
RT_DIALOG	0x24dd4	0x130	data	English	United States	0.5526315789473685
RT_DIALOG	0x24f04	0x120	data	English	United States	0.5763888888888888
RT_STRING	0x25024	0x8c	Matlab v4 mat-file (little endian) l, numeric, rows 0, columns 0	English	United States	0.6214285714285714
RT_STRING	0x250b0	0x520	data	English	United States	0.4032012195121951
RT_STRING	0x255d0	0x5cc	data	English	United States	0.36455525606469
RT_STRING	0x25b9c	0x4b0	data	English	United States	0.385
RT_STRING	0x2604c	0x44a	data	English	United States	0.3970856102003643
RT_STRING	0x26498	0x3ce	data	English	United States	0.36858316221765913
RT_RCDATA	0x26868	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x26870	0x376ef7	Microsoft Cabinet archive data, many, 3632887 bytes, 7 files, at 0x2c +A "gufcrfmk.iiun" +A "ekkmphakhofgs.iiun", ID 11590, number 1, 230 datablocks, 0x1503 compression	English	United States	1.0002145767211914
RT_RCDATA	0x39d768	0x4	data	English	United States	3.0
RT_RCDATA	0x39d76c	0x24	data	English	United States	1.0277777777777777
RT_RCDATA	0x39d790	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x39d798	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x39d7a0	0x4	data	English	United States	3.0
RT_RCDATA	0x39d7a4	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x39d7ac	0x4	data	English	United States	3.0
RT_RCDATA	0x39d7b0	0x28	data	English	United States	1.2
RT_RCDATA	0x39d7d8	0x4	data	English	United States	3.0
RT_RCDATA	0x39d7dc	0x9	ASCII text, with no line terminators	English	United States	1.8888888888888888
RT_RCDATA	0x39d7e8	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_RCDATA	0x39d7f0	0x7	ASCII text, with no line terminators	English	United States	2.142857142857143
RT_GROUP_ICON	0x39d7f8	0xbc	data	English	United States	0.6117021276595744
RT_VERSION	0x39d8b4	0x408	data	English	United States	0.42054263565891475
RT_MANIFEST	0x39dcbc	0x7e2	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3761149653121903

Imports

DLL	Import
ADVAPI32.dll	GetTokenInformation, RegDeleteValueA, RegOpenKeyExA, RegQueryInfoKeyA, FreeSid, OpenProcessToken, RegSetValueExA, RegCreateKeyExA, LookupPrivilegeValueA, AllocateAndInitializeSid, RegQueryValueExA, EqualSid, RegCloseKey, AdjustTokenPrivileges
KERNEL32.dll	_lopen, _llseek, CompareStringA, GetLastError, GetFileAttributesA, GetSystemDirectoryA, LoadLibraryA, DeleteFileA, GlobalAlloc, GlobalFree, CloseHandle, WritePrivateProfileStringA, IsDBCSLeadByte, GetWindowsDirectoryA, SetFileAttributesA, GetProcAddress, GlobalLock, LocalFree, RemoveDirectoryA, FreeLibrary, _lclose, CreateDirectoryA, GetPrivateProfileIntA, GetPrivateProfileStringA, GlobalUnlock, ReadFile, SizeofResource, WriteFile, GetDriveTypeA, lstrcmpA, SetFileTime, SetFilePointer, FindResourceA, CreateMutexA, GetVolumeInformationA, ExpandEnvironmentStringsA, GetCurrentDirectoryA, FreeResource, GetVersion, SetCurrentDirectoryA, GetTempPathA, LocalFileTimeToFileTime, CreateFileA, SetEvent, TerminateThread, GetVersionExA, LockResource, GetSystemInfo, CreateThread, ResetEvent, LoadResource, ExitProcess, GetModuleHandleW, CreateProcessA, FormatMessageA, GetTempFileNameA, DosDateTimeToFileTime, CreateEventA, GetExitCodeProcess, FindNextFileA, LocalAlloc, GetShortPathNameA, MulDiv, GetDiskFreeSpaceA, EnumResourceLanguagesA, GetTickCount, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetStartupInfoW, Sleep, FindClose, GetCurrentProcess, FindFirstFileA, WaitForSingleObject, GetModuleFileNameA, LoadLibraryExA
GDI32.dll	GetDeviceCaps
USER32.dll	SetWindowLongA, GetDlgItemTextA, DialogBoxIndirectParamA, ShowWindow, MsgWaitForMultipleObjects, SetWindowPos, GetDC, GetWindowRect, DispatchMessageA, GetDesktopWindow, CharUpperA, SetDlgItemTextA, ExitWindowsEx, MessageBeep, EndDialog, CharPrevA, LoadStringA, CharNextA, EnableWindow, ReleaseDC, SetForegroundWindow, PeekMessageA, GetDlgItem, SendMessageA, SendDlgItemMessageA, MessageBoxA, SetWindowTextA, GetWindowLongA, CallWindowProcA, GetSystemMetrics
msvcrt.dll	_controlfp, ?terminate@@YAXXZ, _acmdln, _initterm, __setusermatherr, _except_handler4_common, memcpy, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, memcpy_s, _vsnprintf, memset
COMCTL32.dll
Cabinet.dll
VERSION.dll	GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	15:17:08
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd50000
File size:	3'787'944 bytes
MD5 hash:	4691C303B4E07B49AA7DEA2EFEC34923
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:17:08
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /d /c bxskiicciwd.bat 342745396
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:17:08
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:17:08
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe
Wow64 process (32bit):	true
Commandline:	fopholde.exe lfssylb.iiun 342745396
Imagebase:	0xf30000
File size:	5'493'888 bytes
MD5 hash:	2890F1847D5D5F8F0E0C036EB0E9D58C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:17:16
Start date:	20/10/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\"
Imagebase:	0x7ff759240000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	26.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	28.4%
Total number of Nodes:	973
Total number of Limit Nodes:	46

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00D53D86 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 309
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00D53DF5
CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,00000004), ref: 00D53EC0
GetProcAddress.KERNEL32(00000000,DoInfInstall), ref: 00D54013

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

CompareStringA.KERNEL32(0000007F,00000001,?,000000FF,<None>,000000FF,00000104,?,00D58C42), ref: 00D53F7C
FreeLibrary.KERNEL32(00000000), ref: 00D540EC
LocalFree.KERNEL32(?,?,?,?,00D58C42), ref: 00D5410C
FreeLibrary.KERNEL32(00000000), ref: 00D5412D
LocalFree.KERNEL32(?,?,?,?,00D58C42), ref: 00D54134
FreeLibrary.KERNEL32(00000000,DoInfInstall,00000000,00000010,00000000), ref: 00D54163
LocalFree.KERNEL32(?,advpack.dll,00000000,00000010,00000000,?,?), ref: 00D5416D
LocalFree.KERNEL32(?,00000000,00000000,00000010,00000000,?,?), ref: 00D541AF

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D54061
advpack.dll, xrefs: 00D5418A
D, xrefs: 00D53DFD
ADMQCMD, xrefs: 00D53E82
DoInfInstall, xrefs: 00D5400C, 00D54011, 00D54155
<None>, xrefs: 00D53EAD, 00D53F6A
USRQCMD, xrefs: 00D53E91
SHOWWINDOW, xrefs: 00D53E18
REBOOT, xrefs: 00D53DC6
RUNPROGRAM, xrefs: 00D53EEE
nxyfrmby, xrefs: 00D54055
POSTRUNPROGRAM, xrefs: 00D53F4D

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Free$Resource$Local$Library$CompareFindString$AddressLoadLockProcSizeofmemcpy_smemset
String ID: <None>$ADMQCMD$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$D$DoInfInstall$POSTRUNPROGRAM$REBOOT$RUNPROGRAM$SHOWWINDOW$USRQCMD$advpack.dll$nxyfrmby
API String ID: 1032054927-439599944
Opcode ID: 4d65fde4be271d9721a752bf818597a0a6a3dfa224d7e7d203559e1f01bba94b
Instruction ID: 79dc205559bef81bbea52529023fb2a694f64847ece4d4838923549418f305c1
Opcode Fuzzy Hash: 4d65fde4be271d9721a752bf818597a0a6a3dfa224d7e7d203559e1f01bba94b
Instruction Fuzzy Hash: 72B1D0705047019BDF209F288855B6BB6E4EB8479BF140A2DFE86D22D0DB70C98DCB72

Function 00D51BD3 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 295
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CompareStringA.KERNEL32(0000007F,00000001,00000000,000000FF,.INF,000000FF,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,?,?,00000000,00000001,00000000), ref: 00D51CD6
GetFileAttributesA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,?,?,00000000,00000001,00000000), ref: 00D51CED
LocalAlloc.KERNEL32(00000040,00000200,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?,?,?,00000000,00000001,00000000), ref: 00D51D48
GetPrivateProfileIntA.KERNEL32(?,Reboot,00000000,?), ref: 00D51D79
GetPrivateProfileStringA.KERNEL32(Version,AdvancedINF,00D51158,00000000,00000008,?), ref: 00D51DA9
GetShortPathNameA.KERNEL32(?,?,00000104), ref: 00D51E0C

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D51C8F
Command.com /c %s, xrefs: 00D51E8C, 00D51ED9
setupapi.dll, xrefs: 00D51E14, 00D51E2B
setupx.dll, xrefs: 00D51E05
", xrefs: 00D51C12
Reboot, xrefs: 00D51D73
rundll32.exe %s,InstallHinfSection %s 128 %s, xrefs: 00D51E2C
Version, xrefs: 00D51DA4
.BAT, xrefs: 00D51E74
.INF, xrefs: 00D51CCA
AdvancedINF, xrefs: 00D51D9F
DefaultInstall, xrefs: 00D51D65, 00D51D78, 00D51DBF, 00D51DC4, 00D51E1E, 00D51E2A

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: String$PrivateProfile$AllocAttributesCompareFileLoadLocalMessageNamePathShort
String ID: "$.BAT$.INF$AdvancedINF$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Command.com /c %s$DefaultInstall$Reboot$Version$rundll32.exe %s,InstallHinfSection %s 128 %s$setupapi.dll$setupx.dll
API String ID: 383838535-253093935
Opcode ID: 35cf561adc94a7a4d96c75e9d9afacd1bc74b57a799cb9c066f5803319a967d0
Instruction ID: b14769d8ea82a214d79c70dd6a8345a072449abe81dbe410dadff7a81b552bc9
Opcode Fuzzy Hash: 35cf561adc94a7a4d96c75e9d9afacd1bc74b57a799cb9c066f5803319a967d0
Instruction Fuzzy Hash: E0A124B8A00718ABEF209B28CC45FEA7769DB55312F140295FD55A32C1DBB09E8DCA70

Function 00D52E59 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 185
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00D52E88
memset.MSVCRT ref: 00D52E98
memset.MSVCRT ref: 00D52EA8

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

CreateEventA.KERNEL32(00000000,00000001,00000001,00000000,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D52EE3
SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,00000002,00000000), ref: 00D52EEF
CreateMutexA.KERNEL32(00000000,00000001,?,00000104,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00D52F5D
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 00D52F6C
CloseHandle.KERNEL32(nxyfrmby,00000000,00000020,00000004,?,?,?,?,?,?,?,00000002,00000000), ref: 00D52FB9

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Strings

EXTRACTOPT, xrefs: 00D52EFC
nxyfrmby, xrefs: 00D52EB3, 00D52F88, 00D52F9F
TITLE, xrefs: 00D52EB8
VERCHECK, xrefs: 00D53003
INSTANCECHECK, xrefs: 00D52F44

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$memset$CreateEventFindLoad$CloseErrorFreeHandleLastLockMessageMutexSizeofStringmemcpy_s
String ID: EXTRACTOPT$INSTANCECHECK$TITLE$VERCHECK$nxyfrmby
API String ID: 1002816675-1680743935
Opcode ID: 05ae341b0379b8b4e355db635329c8a8f523852f8116af5900208c31e9be6049
Instruction ID: 5df2167a7fe4a74bb8c12028153ebf00bee604ead91f112bda8f9c4de8a9e78b
Opcode Fuzzy Hash: 05ae341b0379b8b4e355db635329c8a8f523852f8116af5900208c31e9be6049
Instruction Fuzzy Hash: 35514870344341AAEF206B3DAC5AF7A2699DB45797F140025BD42E63D1DEB4C94DCA32

Function 00D55BD2 Relevance: 19.7, APIs: 13, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryA.KERNEL32(00000104,?,00000001,00000000), ref: 00D55C09
SetCurrentDirectoryA.KERNELBASE(?), ref: 00D55C10

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CurrentDirectory
String ID:
API String ID: 1611563598-0
Opcode ID: c2cc1e13ce3befad3ce9c8b2190ebf5cfc04a270bd33e84f16cbd3c92e845472
Instruction ID: f9a8eb0f46b20ac74805ef7b30e589830cd4ce6f10b01373b4e633936b4c6425
Opcode Fuzzy Hash: c2cc1e13ce3befad3ce9c8b2190ebf5cfc04a270bd33e84f16cbd3c92e845472
Instruction Fuzzy Hash: 787195B19007199BDF269B24DC95FEA77BCEB48346F5440AAFD45D2244EA308F898F31

Function 00D530D6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 119
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000105), ref: 00D5314C
LoadLibraryA.KERNEL32(?,advapi32.dll), ref: 00D5316B
GetProcAddress.KERNEL32(00000000,DecryptFileA), ref: 00D5317F
DecryptFileA.ADVAPI32 ref: 00D5319F
FreeLibrary.KERNEL32(00000000), ref: 00D531B1
SetCurrentDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D531D5

Part of subcall function 00D55411: LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00D53106,?,00000002,00000000), ref: 00D5542D

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D53194, 00D531D0
advapi32.dll, xrefs: 00D53152
DecryptFileA, xrefs: 00D53179

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: DirectoryLibrary$AddressAllocCurrentDecryptFileFreeLoadLocalProcSystem
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DecryptFileA$advapi32.dll
API String ID: 2126469477-3008067379
Opcode ID: 5f20d7526cd29e62fe338b1fdda430aced64195789987ba92ae2257fc11981be
Instruction ID: dbb931aef2b3e318275bf1c93f0b6c1f0dfd5ca2dbc9bbdb5d4f0baf6a83d5e2
Opcode Fuzzy Hash: 5f20d7526cd29e62fe338b1fdda430aced64195789987ba92ae2257fc11981be
Instruction Fuzzy Hash: C1419330A00B159ADF30AB75AC56E6676B8EB553D7F080165ED02D2290EF74CE8CCB75

Function 00D556B2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D5578A

Part of subcall function 00D555D7: RemoveDirectoryA.KERNELBASE(?,?,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D5563C
Part of subcall function 00D555D7: GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55643
Part of subcall function 00D555D7: GetTempFileNameA.KERNEL32(?,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55664
Part of subcall function 00D555D7: DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55672
Part of subcall function 00D555D7: CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D5567B

GetSystemInfo.KERNEL32(?,?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55714
RemoveDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D557CE

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D556C8, 00D556CC, 00D556F6, 00D55767, 00D55768, 00D55769, 00D55789, 00D557C7
mips, xrefs: 00D55742
ppc, xrefs: 00D55734
alpha, xrefs: 00D5573B
i386, xrefs: 00D55749

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Directory$File$CreateRemove$AttributesDeleteInfoNameSystemTemp
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$alpha$i386$mips$ppc
API String ID: 1979080616-1381881128
Opcode ID: 43ff0b7360bfe02cca1b91ca5fd025fb688bac366e35e898b9da164e6758d37e
Instruction ID: 0eb08319050c536f91577107c0b70a298b2ba0a84d8f2a01abaabf727065541e
Opcode Fuzzy Hash: 43ff0b7360bfe02cca1b91ca5fd025fb688bac366e35e898b9da164e6758d37e
Instruction Fuzzy Hash: A9314970700B15DBCF129B38AD74A6EB69AEB98353B14012AAC46D2388DE70CD4DC671

Function 00D5249E Relevance: 12.1, APIs: 8, Instructions: 97
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE(?,00D58A3A,00D5120C,00D58A3A,00D58A3A,00D58A3A,00000000,?,?), ref: 00D52506
lstrcmpA.KERNEL32(?,00D51210), ref: 00D52539
lstrcmpA.KERNEL32(?,00D51214), ref: 00D5254D
SetFileAttributesA.KERNELBASE(?,00000080,?), ref: 00D525A7
DeleteFileA.KERNELBASE(?), ref: 00D525B5
FindNextFileA.KERNELBASE(00000000,00000010), ref: 00D525C1
FindClose.KERNELBASE(00000000), ref: 00D525D0
RemoveDirectoryA.KERNELBASE(00D58A3A), ref: 00D525D7

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: File$Find$lstrcmp$AttributesCloseDeleteDirectoryFirstNextRemove
String ID:
API String ID: 836429354-0
Opcode ID: 24c408ca9df145b65ac861922a8bb0d849d3346abd64c8b33a356230e44b3db0
Instruction ID: 7fc536b01e709befcb2ee5d0a8ff0f27fbabd90f2c27fef8aa84f31cd9e1f8f5
Opcode Fuzzy Hash: 24c408ca9df145b65ac861922a8bb0d849d3346abd64c8b33a356230e44b3db0
Instruction Fuzzy Hash: CB319E71204740ABCB20DB68DC89EEB77ACEB85307F044A2DBD59C2290EF74994CC672

Function 00D52DA4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,00000002,00000000,?,00D56EA6,00D50000,00000000,00000002,0000000A), ref: 00D52DAC
GetModuleHandleW.KERNEL32(Kernel32.dll,?,00D56EA6,00D50000,00000000,00000002,0000000A), ref: 00D52DC1
GetProcAddress.KERNEL32(00000000,HeapSetInformation), ref: 00D52DD1
CloseHandle.KERNEL32(00000000,?,?,00D56EA6,00D50000,00000000,00000002,0000000A), ref: 00D52E41

Strings

Kernel32.dll, xrefs: 00D52DBC
HeapSetInformation, xrefs: 00D52DCB

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Handle$AddressCloseModuleProcVersion
String ID: HeapSetInformation$Kernel32.dll
API String ID: 62482547-3460614246
Opcode ID: 1e11098df7bc07c736d98b2b19c687725c89972f61e650be8456ea33c8355858
Instruction ID: 469140bff8f108779d61a8e0d186d52c8e6a73583f06fd3977565f01cb2e6254
Opcode Fuzzy Hash: 1e11098df7bc07c736d98b2b19c687725c89972f61e650be8456ea33c8355858
Instruction Fuzzy Hash: DD1102356003159BDF206B79ACDAA7A3B68DB46393F08011AFD40C3391EE30DC4C96B5

Function 00D52143 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 180
registrylibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00D5216A
memset.MSVCRT ref: 00D52178
RegCreateKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00000000,00000000,0002001F,00000000,?,?,?,?,?,?,?,00000001), ref: 00D521A3

Part of subcall function 00D517E1: _vsnprintf.MSVCRT ref: 00D51808

RegQueryValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D521DE
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D521FA
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D52218
LoadLibraryA.KERNELBASE(?,advpack.dll,?,?,?,?,?,?,?,?,?,00000001), ref: 00D52237
GetProcAddress.KERNEL32(00000000,DelNodeRunDLL32), ref: 00D52249
FreeLibrary.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,00000001), ref: 00D52254
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D52266
GetModuleFileNameA.KERNEL32(?,00000104,?,?,?,?,?,?,?,?,?,00000001), ref: 00D52292
LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D522C7
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D522EA
RegSetValueExA.KERNELBASE(?,wextract_cleanup0,00000000,00000001,00000000,00000002,?,?,?,?,?,?,?,?,?), ref: 00D52343
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D5234F
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00D52356

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D522AE, 00D5230A
advpack.dll, xrefs: 00D5221E
wextract_cleanup0, xrefs: 00D521BC, 00D521D3, 00D52200, 00D52338
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00D522FC
wextract_cleanup%d, xrefs: 00D521B5
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00D52199
%s /D:%s, xrefs: 00D52305, 00D52316
DelNodeRunDLL32, xrefs: 00D52243

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Close$DirectoryFreeLibraryLocalSystemValuememset$AddressAllocCreateFileLoadModuleNameProcQuery_vsnprintf
String ID: %s /D:%s$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$DelNodeRunDLL32$Software\Microsoft\Windows\CurrentVersion\RunOnce$advpack.dll$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup%d$wextract_cleanup0
API String ID: 178549006-3208851462
Opcode ID: 8f6270dccfa844dc0c38a54c7c89bb56fbf38251614dedf7d9975e06876bcdd5
Instruction ID: 7717fca7033c9829ce629fc4277d98f1608528c66720a6e44ce5d321ffd52821
Opcode Fuzzy Hash: 8f6270dccfa844dc0c38a54c7c89bb56fbf38251614dedf7d9975e06876bcdd5
Instruction Fuzzy Hash: B051D275600318AFEF209B68DC89FFA773CEB55346F140294FD45E2291EA719D8D8A30

Function 00D557ED Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 247
memorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000), ref: 00D5581C
lstrcmpA.KERNEL32(00000000,<None>,00000000), ref: 00D55885
LocalFree.KERNEL32(00000000), ref: 00D55899
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00D5586D

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Part of subcall function 00D56512: GetLastError.KERNEL32(00D55E30), ref: 00D56512

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D55906
GetDriveTypeA.KERNEL32(0000005A,?,A:\), ref: 00D5596B
GetFileAttributesA.KERNEL32(0000005A,?,A:\), ref: 00D55984
GetWindowsDirectoryA.KERNEL32(0000005A,00000104,00000000,?,A:\), ref: 00D55A1A
GetFileAttributesA.KERNEL32(0000005A,msdownld.tmp,00000000,?,A:\), ref: 00D55A3C
CreateDirectoryA.KERNEL32(0000005A,00000000,?,A:\), ref: 00D55A4F

Part of subcall function 00D5277D: GetWindowsDirectoryA.KERNEL32(?,00000104,00000000), ref: 00D527A1

SetFileAttributesA.KERNEL32(0000005A,00000002,?,A:\), ref: 00D55A7D

Part of subcall function 00D567BF: FindResourceA.KERNEL32(00D50000,000007D6,00000005), ref: 00D567D2
Part of subcall function 00D567BF: LoadResource.KERNEL32(00D50000,00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00D567E0
Part of subcall function 00D567BF: DialogBoxIndirectParamA.USER32(00D50000,00000000,00000547,00D51AC0,00000000), ref: 00D567FF
Part of subcall function 00D567BF: FreeResource.KERNEL32(00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00D56808

GetWindowsDirectoryA.KERNEL32(0000005A,00000104,?,A:\), ref: 00D55AC5

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D558FB, 00D55900, 00D55A8A
Z, xrefs: 00D55957
<None>, xrefs: 00D5587F
A:\, xrefs: 00D55941
RUNPROGRAM, xrefs: 00D5580A, 00D5584D
msdownld.tmp, xrefs: 00D55A20

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$DirectoryFree$AttributesFileFindLoadLocalWindows$AllocCreateDialogDriveErrorIndirectLastLockMessageParamPathSizeofStringTempTypelstrcmpmemcpy_s
String ID: <None>$A:\$C:\Users\user\AppData\Local\Temp\IXP000.TMP\$RUNPROGRAM$Z$msdownld.tmp
API String ID: 4204210681-675003171
Opcode ID: 6ace29f5e53fb518f30f350a3acba3aa45b33114a51e657d30cb2e9c8f15d94d
Instruction ID: 5f7014d05b79c6a57eeb1cd6ae28c88fa331b54d784b5c971ff610512b34be9d
Opcode Fuzzy Hash: 6ace29f5e53fb518f30f350a3acba3aa45b33114a51e657d30cb2e9c8f15d94d
Instruction Fuzzy Hash: 40815770A047149BDF22A734ACA1BEA766D9B64313F440165EDC2D2288DF74CECD8A31

Function 00D55200 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

FindResourceA.KERNEL32(00000000,CABINET,0000000A), ref: 00D5521E
LoadResource.KERNEL32(00000000,00000000), ref: 00D55226
LockResource.KERNEL32(00000000), ref: 00D5522D
GetDlgItem.USER32(00000000,00000842), ref: 00D55250
ShowWindow.USER32(00000000), ref: 00D55257
GetDlgItem.USER32(00000841,00000005), ref: 00D5526A
ShowWindow.USER32(00000000), ref: 00D55271
FreeResource.KERNEL32(00000000,00000000,00000010,00000000), ref: 00D55331
SendMessageA.USER32(00000FA1,00000000,00000000,00000000), ref: 00D55379

Strings

CABINET, xrefs: 00D55206, 00D55217
*MEMCAB, xrefs: 00D552E7

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$Find$FreeItemLoadLockShowWindow$MessageSendSizeofmemcpy_s
String ID: *MEMCAB$CABINET
API String ID: 1305606123-2642027498
Opcode ID: 1d4572e6de265429322ed247e16296bfb303c79e3f326f98f87b2d4ba483b4db
Instruction ID: 1bb059a67b0129e841fd569032d2ca6a3dd82063bc77aebc17f2e5e1ee41189d
Opcode Fuzzy Hash: 1d4572e6de265429322ed247e16296bfb303c79e3f326f98f87b2d4ba483b4db
Instruction Fuzzy Hash: 4031EB70640B22AFEF111B65AD9AF67765CF70478BF040124FD09E2398DFB48C488672

Function 00D555D7 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D517E1: _vsnprintf.MSVCRT ref: 00D51808

RemoveDirectoryA.KERNELBASE(?,?,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D5563C
GetFileAttributesA.KERNELBASE(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55643
GetTempFileNameA.KERNEL32(?,IXP,00000000,?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55664
DeleteFileA.KERNEL32(?,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55672
CreateDirectoryA.KERNEL32(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D5567B
CreateDirectoryA.KERNELBASE(?,00000000,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55697

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D555ED
IXP%03d.TMP, xrefs: 00D555FC
IXP, xrefs: 00D55659

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: DirectoryFile$Create$AttributesDeleteNameRemoveTemp_vsnprintf
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$IXP$IXP%03d.TMP
API String ID: 1082909758-1968295449
Opcode ID: 675cce4588c1a761389a90e18aa96c2ddc36d65c75d094758d678988a37c50eb
Instruction ID: 9b2b0947619bd34edfc8f1eec309b3827091e48c29f9ba0e2d37268bdb171cb4
Opcode Fuzzy Hash: 675cce4588c1a761389a90e18aa96c2ddc36d65c75d094758d678988a37c50eb
Instruction Fuzzy Hash: 84112970600324ABDB209F28AC45FAF7B79EB85B52F500265BD45D22D0CBB48D498A71

Function 00D56D50 Relevance: 13.6, APIs: 9, Instructions: 144
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D574B9: GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00D574E6
Part of subcall function 00D574B9: GetCurrentProcessId.KERNEL32 ref: 00D574F5
Part of subcall function 00D574B9: GetCurrentThreadId.KERNEL32 ref: 00D574FE
Part of subcall function 00D574B9: GetTickCount.KERNEL32 ref: 00D57507
Part of subcall function 00D574B9: QueryPerformanceCounter.KERNEL32(?), ref: 00D5751C

GetStartupInfoW.KERNEL32(?,00D57640,00000058), ref: 00D56D75
Sleep.KERNEL32(000003E8), ref: 00D56DAA
_amsg_exit.MSVCRT ref: 00D56DBF
_initterm.MSVCRT ref: 00D56E13
__IsNonwritableInCurrentImage.LIBCMT ref: 00D56E3F
exit.KERNELBASE ref: 00D56EB5
_ismbblead.MSVCRT ref: 00D56ED0

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Current$Time$CountCounterFileImageInfoNonwritablePerformanceProcessQuerySleepStartupSystemThreadTick_amsg_exit_initterm_ismbbleadexit
String ID:
API String ID: 836923961-0
Opcode ID: 0b3e34ba70b577964e73757709ce00c25e42a33f2952ac2be513fbfdbdb4414e
Instruction ID: 840fb0fa12ad5cefe7a01cdfa8d65c14fcdcc3d8f614ddf141467e42ef68a7c8
Opcode Fuzzy Hash: 0b3e34ba70b577964e73757709ce00c25e42a33f2952ac2be513fbfdbdb4414e
Instruction Fuzzy Hash: 9541B235A057658FDF219B58E80676A7BB0EB44763FA8411AFC41E7390DF70C8489BB0

Function 00D55B19 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNEL32(00000040,?,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00D55781,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55B38
CreateFileA.KERNELBASE(00000000,40000000,00000000,00000000,00000001,04000080,00000000,TMP4351$.TMP,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00D55781,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D55B92
LocalFree.KERNEL32(00000000,?,00D55781,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55B9C
CloseHandle.KERNEL32(00000000,?,00D55781,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55BAB
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,00D55781,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000001,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,00000000), ref: 00D55BB2

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D55B1E, 00D55B20, 00D55B68, 00D55BB1
TMP4351$.TMP, xrefs: 00D55B72

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FileLocal$AllocAttributesCloseCreateFreeHandle
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$TMP4351$.TMP
API String ID: 747627703-2300777897
Opcode ID: ccfc9ed3ed25034bec3bdd1cefd1d6ee5dbe34015addb87142084ab2bb660832
Instruction ID: f96249865d390b75b689f5071e1a4a9b63db73e8f6019975f57ba68684fe554f
Opcode Fuzzy Hash: ccfc9ed3ed25034bec3bdd1cefd1d6ee5dbe34015addb87142084ab2bb660832
Instruction Fuzzy Hash: 011134317007206BCB241B7D6C5CF9B7E99EF457A2F100214BD46D32C5DAB0D80986B0

Function 00D541E2 Relevance: 10.6, APIs: 7, Instructions: 96
processsynchronizationwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,00000000), ref: 00D54226
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00D5423C
GetExitCodeProcess.KERNELBASE(?,?), ref: 00D5424F
CloseHandle.KERNEL32(?), ref: 00D5428F
CloseHandle.KERNEL32(?), ref: 00D5429B
GetLastError.KERNEL32(00000000,?,00000200,00000000), ref: 00D542CF
FormatMessageA.KERNEL32(00001000,00000000,00000000), ref: 00D542DC

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateErrorExitFormatLastMessageObjectSingleWait
String ID:
API String ID: 3183975587-0
Opcode ID: 4da8cfc9e23fa5b13e5d1991e7dc1721c2471d8825df1046e40a2fc799fbe165
Instruction ID: 56e37e582e79ccd8a9889039fa673916fe6196790e01cc5dfea44cdb278a22fa
Opcode Fuzzy Hash: 4da8cfc9e23fa5b13e5d1991e7dc1721c2471d8825df1046e40a2fc799fbe165
Instruction Fuzzy Hash: 37318431540728BBDF609B69DC49FABBB7CEB9570AF104169FD05D22A0CA304D89DB36

Function 00D55411 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00D53106,?,00000002,00000000), ref: 00D5542D
LocalFree.KERNEL32(00000000,00000000,00000000,00000010,00000000,00000000), ref: 00D5547C

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Part of subcall function 00D56512: GetLastError.KERNEL32(00D55E30), ref: 00D56512

Strings

UPROMPT, xrefs: 00D5541B, 00D5545C
<None>, xrefs: 00D5548E

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocErrorLastLockMessageSizeofStringmemcpy_s
String ID: <None>$UPROMPT
API String ID: 957408736-2980973527
Opcode ID: 592762a23cca8a4c3a69d5bc927a04a7d059e79dcbc2fbb24979a78140c4da9e
Instruction ID: 0c3133bc61ababc7f7fc8e64d4f327e5a76e9eff8a89eebe9b0ed5ec0a96ecb5
Opcode Fuzzy Hash: 592762a23cca8a4c3a69d5bc927a04a7d059e79dcbc2fbb24979a78140c4da9e
Instruction Fuzzy Hash: C41122B0200711AFEF112B7AAD65F3B659EEBC8357F104128FE82D6794DA79CC484236

Function 00D554E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64fileCOMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(034B4400,00000080,?,00000000), ref: 00D55524
DeleteFileA.KERNELBASE(034B4400), ref: 00D5552C
LocalFree.KERNEL32(034B4400,?,00000000), ref: 00D55537
LocalFree.KERNEL32(034B4400), ref: 00D5553E
SetCurrentDirectoryA.KERNELBASE(00D51214,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D55595

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D55566

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FileFreeLocal$AttributesCurrentDeleteDirectory
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 2833751637-4151094324
Opcode ID: 9b9295f148a26f9205a69741ca123852ddf54dc2816af61fc23491c6f040afec
Instruction ID: 5140de8e18e4fc7cda672ff032d9d793f749af136ad666bc480b1d95b64fd306
Opcode Fuzzy Hash: 9b9295f148a26f9205a69741ca123852ddf54dc2816af61fc23491c6f040afec
Instruction Fuzzy Hash: 0C218030551B10DFDF219F28EC29769B7B5AB14757F040129EC42A22E8EB705D8CCB71

Function 00D52689 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 35registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,System\CurrentControlSet\Control\Session Manager,00000000,00020019,?,00000000,?,?,?,00D52764,00D51FDB,00000001,00000000,00D5432E,?,00D54289), ref: 00D526AA
RegQueryValueExA.KERNELBASE(?,PendingFileRenameOperations,00000000,00000000,00000000,00D54289,?,00D52764,00D51FDB,00000001,00000000,00D5432E,?,00D54289), ref: 00D526C3
RegCloseKey.KERNELBASE(?,?,00D52764,00D51FDB,00000001,00000000,00D5432E,?,00D54289), ref: 00D526D5

Strings

System\CurrentControlSet\Control\Session Manager, xrefs: 00D5269D
PendingFileRenameOperations, xrefs: 00D526BB

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: PendingFileRenameOperations$System\CurrentControlSet\Control\Session Manager
API String ID: 3677997916-3057196482
Opcode ID: c590e225aee37fb71ecaa0caac1d462a65227c49ee50bac5c24b822cb78a889c
Instruction ID: 9f9d59ad9b2af5ba1b97a402d770a335146cde69f5011623c5c37d86ebc364a9
Opcode Fuzzy Hash: c590e225aee37fb71ecaa0caac1d462a65227c49ee50bac5c24b822cb78a889c
Instruction Fuzzy Hash: 18F03A75951328FFDF208BA9DC0ACEF7FBCEF057A2B100151BC05E2180D6709A48D6A0

Function 00D520F6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,00020006,00D555BE,?,?,00D555BE), ref: 00D5211A
RegDeleteValueA.KERNELBASE(00D555BE,wextract_cleanup0,?,?,00D555BE), ref: 00D5212C
RegCloseKey.ADVAPI32(00D555BE,?,?,00D555BE), ref: 00D52135

Strings

wextract_cleanup0, xrefs: 00D520FC, 00D52124
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00D52110

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\RunOnce$wextract_cleanup0
API String ID: 849931509-702805525
Opcode ID: cdbca30ee9f9322da8fb80da75a970ff434c625c63077499c965530c26994f9a
Instruction ID: a2d300446cd4649af5697ab067e40362493c612dbdebd7b765f8c84c00a6070d
Opcode Fuzzy Hash: cdbca30ee9f9322da8fb80da75a970ff434c625c63077499c965530c26994f9a
Instruction Fuzzy Hash: 68E04F30520324BBDF208B98AD0AF5A7A69A7107C7F540154BE01F01E0EB609B0CA635

Function 00D54F50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SetFileAttributesA.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 00D55000
SetDlgItemTextA.USER32(00000000,00000837,?), ref: 00D55028

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D54FB9, 00D55037

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AttributesFileItemText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 3625706803-4151094324
Opcode ID: 19c22c8f5cfd813df392c1bfc38a97d49a4ef98758ca0210be7acad93b21c688
Instruction ID: 91c06a26a5bf2ef979e68212a644347bba016ec4fd85502b6a9844f8491fe4ac
Opcode Fuzzy Hash: 19c22c8f5cfd813df392c1bfc38a97d49a4ef98758ca0210be7acad93b21c688
Instruction Fuzzy Hash: E531B2359407119BCF619F3CDE15AAA72A8EF1430BF080618AC81D65D4DE30D9CCDB72

Function 00D54EAD Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 00D54ECA
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00D54EDC
SetFileTime.KERNELBASE(?,?,?,?), ref: 00D54EF2

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Time$File$DateLocal
String ID:
API String ID: 2071732420-0
Opcode ID: 64f01cf451e6a96a1b86d4ce5900b0112291822ddd2ea67c558b40070302cf98
Instruction ID: 6a5cbef47cf8c7a9a2f3e8e70120eb4275c2df8b1c4ad924dea621c4088077da
Opcode Fuzzy Hash: 64f01cf451e6a96a1b86d4ce5900b0112291822ddd2ea67c558b40070302cf98
Instruction Fuzzy Hash: 61F03072510319AE9F109AB9DC09CFBBAFCEB44307B040526AD17D1094EA30D948D6B1

Function 00D54ACA Relevance: 3.1, APIs: 2, Instructions: 63fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00008000,-80000000,00000000,00000000,?,00000080,00000000,00000000,00000000,00000000,00D54C77,?,?,00D5518B,*MEMCAB,00008000), ref: 00D54B3B
CreateFileA.KERNEL32(00008000,-80000000,00000000,00000000,?,00000080,00000000,?,?,00D5518B,*MEMCAB,00008000,00000180), ref: 00D54B5F

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4f257cd6bfe23e518e9364714a673503882a30f83c9c85897093eac5fe9b0f5d
Instruction ID: 83947d69dc34da5e0afb8d93ee8c422119df1def59d52fc7be1f1be67c2682d9
Opcode Fuzzy Hash: 4f257cd6bfe23e518e9364714a673503882a30f83c9c85897093eac5fe9b0f5d
Instruction Fuzzy Hash: 2F017CB66917202AFB200529ACC9FB7240CD79277FF1D0335BDB1D11D0CA488C899172

Function 00D54D30 Relevance: 3.0, APIs: 2, Instructions: 47fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00D53866: MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 00D53885
Part of subcall function 00D53866: PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 00D538AF

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00D54D65

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FileMessageMultipleObjectsPeekWaitWrite
String ID:
API String ID: 3430465807-0
Opcode ID: 703067dde34684e576038cd44c691c6457a1ab2d98a3501a8535e63a821443a8
Instruction ID: 032487b30194266389b9ae17c939a13e022c2458b9c0e6e8830c250f3767d367
Opcode Fuzzy Hash: 703067dde34684e576038cd44c691c6457a1ab2d98a3501a8535e63a821443a8
Instruction Fuzzy Hash: BC01AD312003109BDF048F18DC15BA577A9A74072BF188226FD25DA3E0CB749856CBB1

Function 00D56836 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

CharPrevA.USER32(00D58A3A,00D58A3B,00000000,00D58A3A,00D58A3A,?,00D5637A,00D51158,?,?), ref: 00D56866

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CharPrev
String ID:
API String ID: 122130370-0
Opcode ID: 4fc83182bfceba807fbc66305127fb59de07796707c9cec916d0571dcc238a76
Instruction ID: eb24ee6b676953e87b8f4bdeb8d7525710d145406274b1ece50194ee3fb75f30
Opcode Fuzzy Hash: 4fc83182bfceba807fbc66305127fb59de07796707c9cec916d0571dcc238a76
Instruction Fuzzy Hash: D5F07832504250ABDB350D1CC888FA6BFDACB86352F68016AECDDC3281DE66CC09D3B1

Function 00D564A7 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00D564C8

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Part of subcall function 00D56512: GetLastError.KERNEL32(00D55E30), ref: 00D56512

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: DirectoryErrorLastLoadMessageStringWindows
String ID:
API String ID: 381621628-0
Opcode ID: 96fe3865acc8201d65a835c75b640305281b89e457185905f550e5204be16136
Instruction ID: 649cd789b2c38ddf03d95363344a4ba9cd0e544a1cd1e8706cf226e41ab877ce
Opcode Fuzzy Hash: 96fe3865acc8201d65a835c75b640305281b89e457185905f550e5204be16136
Instruction Fuzzy Hash: 68F0E270600308ABEF50FB389D06FBAB2ACDB44302F900039BD82D71C5EE70D9888A30

Function 00D56975 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,00D549C4,?,?,00D55054,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?), ref: 00D56978

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9279fb21b80e453cb1e57b0b41abfda6f49a5a416de49fd17b4f0507abdf8155
Instruction ID: 7ae95f51158f89507f2f3333d637f19e55f3a07044c2e97b6dfb551f07816a54
Opcode Fuzzy Hash: 9279fb21b80e453cb1e57b0b41abfda6f49a5a416de49fd17b4f0507abdf8155
Instruction Fuzzy Hash: 9AB09277132680026E2006397C1955B2841A6C123B7E81B90F832C11D8CE3EC88AD820

Function 00D54DD0 Relevance: 1.3, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,00000000,00000000,?,00D551C5,00000000), ref: 00D54E08

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 21580e4ff0536580144fa64afe23e3049623db4776f46667f0c6644262568ab3
Instruction ID: 592106d35f301463ddf2003482d90d630ecb082382f3735e4f18bbdebfb24496
Opcode Fuzzy Hash: 21580e4ff0536580144fa64afe23e3049623db4776f46667f0c6644262568ab3
Instruction Fuzzy Hash: 1EF0FE71540B089E4B618F3A8C01512BAF8BA95363314192FEDBFE2190DB32A855EBB1

Function 00D54F10 Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,?), ref: 00D54F1A

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 56edc147a61a7bad94376560066d4f6fb069a96e8ac2a3ff21ac431ea9f1bdbd
Instruction ID: 129a5390a66ec020289ed7b829a6daaaa9eac92a811ca36847bbc84b6a9119c0
Opcode Fuzzy Hash: 56edc147a61a7bad94376560066d4f6fb069a96e8ac2a3ff21ac431ea9f1bdbd
Instruction Fuzzy Hash: B8B0123204430CB7CF001FCAEC09F863F1DE7C4762F140000FA0C891908A72941086A6

Function 00D54F30 Relevance: 1.3, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 00D54F38

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: df8e5c98b72c29d17ffac718d525b17ac85b7682a7899b7d8d696ecdfaaf4157
Instruction ID: 3e4ad740d78771df909ef22ad7cf0acee9399b816ffd4cee1ee4ccb8c87f1205
Opcode Fuzzy Hash: df8e5c98b72c29d17ffac718d525b17ac85b7682a7899b7d8d696ecdfaaf4157
Instruction Fuzzy Hash: 57B0123100030CB78F001B4AEC088453F1DD6C02617000010FA0C851218B3398118595

Non-executed Functions

Function 00D55F17 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 430COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,00000000,?,?), ref: 00D55F6E
GetModuleFileNameA.KERNEL32(00D58B3E,00000104,00000000,?,?), ref: 00D5607C
CharUpperA.USER32(?), ref: 00D560BE
CharUpperA.USER32(-00000052), ref: 00D56167
CompareStringA.KERNEL32(0000007F,00000001,RegServer,000000FF,?,000000FF), ref: 00D561F5
CharUpperA.USER32(?), ref: 00D5622D
CharUpperA.USER32(-0000004E), ref: 00D5628E
CharUpperA.USER32(?), ref: 00D56330
CloseHandle.KERNEL32(00000000), ref: 00D56475
ExitProcess.KERNEL32 ref: 00D5647D

Strings

RegServer, xrefs: 00D561EC
", xrefs: 00D563BB
:, xrefs: 00D563A6
", xrefs: 00D55FF8

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Char$Upper$CloseCompareExitFileHandleModuleNameNextProcessString
String ID: "$"$:$RegServer
API String ID: 1203814774-25366791
Opcode ID: 4b2ff176bcc4c236a7739789cb495fb5b3c905d708e938498a5916cd098517b9
Instruction ID: 18938d9e08c13e0d4a9fd1f6be9d72e235b8bd9e09d8435aad8482bdc030fa00
Opcode Fuzzy Hash: 4b2ff176bcc4c236a7739789cb495fb5b3c905d708e938498a5916cd098517b9
Instruction Fuzzy Hash: 93E14331A08B554BDF358B3C9C58BB96BA1AB16353F8C01A9DCC6D7291D670CD8E8B30

Function 00D5209F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 93shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?,?), ref: 00D52006
OpenProcessToken.ADVAPI32(00000000), ref: 00D5200D
ExitWindowsEx.USER32(00000002,00000000), ref: 00D520E2

Strings

SeShutdownPrivilege, xrefs: 00D52033

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Process$CurrentExitOpenTokenWindows
String ID: SeShutdownPrivilege
API String ID: 2795981589-3733053543
Opcode ID: 2eb9fc15b31564f1540de5b0d768f3a3b810016ae24019194ccbb2e9c5b9ab04
Instruction ID: 08a35b46d3beaf27fa74fbd2d86f4c8a9cf6391dc0625041df673be2c8c98641
Opcode Fuzzy Hash: 2eb9fc15b31564f1540de5b0d768f3a3b810016ae24019194ccbb2e9c5b9ab04
Instruction Fuzzy Hash: 0621B471A41315ABDF206BA99C0AF7F7A78EB86713F140119FE02E62C5CA74884DD632

Function 00D518BF Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 70librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00D519B2), ref: 00D518EB
GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00D518FD
AllocateAndInitializeSid.ADVAPI32(00D519B2,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00D519B2), ref: 00D51926
FreeSid.ADVAPI32(?,?,?,?,00D519B2), ref: 00D51954
FreeLibrary.KERNEL32(00000000,?,?,?,00D519B2), ref: 00D5195B

Strings

CheckTokenMembership, xrefs: 00D518F7
advapi32.dll, xrefs: 00D518E1

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: FreeLibrary$AddressAllocateInitializeLoadProc
String ID: CheckTokenMembership$advapi32.dll
API String ID: 4204503880-1888249752
Opcode ID: 6087fc0d3dab34aad8250ab8f256b5413b9dd24b3c6fe0897ad50d39aca75177
Instruction ID: 4b296a880d00dd7179f6ebae698329c914066a2ba6757af4a7300fa7dbeba9d2
Opcode Fuzzy Hash: 6087fc0d3dab34aad8250ab8f256b5413b9dd24b3c6fe0897ad50d39aca75177
Instruction Fuzzy Hash: F1118135A00315AFDB009FA8DC59BBEBBB8EF44702F140529ED16E2390DA709D058B71

Function 00D538C7 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 235windowCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,?,?), ref: 00D538FC
MessageBeep.USER32(00000000), ref: 00D53B92
MessageBoxA.USER32(00000000,?,nxyfrmby,00000030), ref: 00D53BC5

Strings

nxyfrmby, xrefs: 00D53BB8, 00D53BED
3, xrefs: 00D5395F

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Message$BeepVersion
String ID: 3$nxyfrmby
API String ID: 2519184315-1623293978
Opcode ID: 0ea647d685bdaa291d3abbb174ab7938a16c0aa189c2e30621f4a541598d719a
Instruction ID: 4cb5934a2885f5aa3197c897e383bb0e105d5b8410e0bd7008c884f9c46fb809
Opcode Fuzzy Hash: 0ea647d685bdaa291d3abbb174ab7938a16c0aa189c2e30621f4a541598d719a
Instruction Fuzzy Hash: 47918E71A013259FEF25CF28C991BA9B3B1EB45386F1841A9DC89D7250DB70DE88DF21

Function 00D574B9 Relevance: 7.6, APIs: 5, Instructions: 50timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000), ref: 00D574E6
GetCurrentProcessId.KERNEL32 ref: 00D574F5
GetCurrentThreadId.KERNEL32 ref: 00D574FE
GetTickCount.KERNEL32 ref: 00D57507
QueryPerformanceCounter.KERNEL32(?), ref: 00D5751C

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: c3de77fa13ad6356dfc9c7e9a9e9fb58e5c7befe2f62e3b6ae7d8254971457c2
Instruction ID: 2732dfd5393a507cab0f4a68b3423c9bdbb0384a297ab64c5daa4ef239604442
Opcode Fuzzy Hash: c3de77fa13ad6356dfc9c7e9a9e9fb58e5c7befe2f62e3b6ae7d8254971457c2
Instruction Fuzzy Hash: E9110A71D00718DBCF10DFB8EA48A9EBBF5EF58316FA54555DC02E7350EA309A049B61

Function 00D57006 Relevance: 6.0, APIs: 4, Instructions: 13COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D57142,00D51000), ref: 00D5700D
UnhandledExceptionFilter.KERNEL32(00D57142,?,00D57142,00D51000), ref: 00D57016
GetCurrentProcess.KERNEL32(C0000409,?,00D57142,00D51000), ref: 00D57021
TerminateProcess.KERNEL32(00000000,?,00D57142,00D51000), ref: 00D57028

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 7104cd4c40e48c7fe94ce4f06cc9d2133265f9c6c4c37d5e48da3dd22b6011ee
Instruction ID: 1053fb5ad320f7338ee2ec7134a804a60cacf4d227a3c29ba37af6927af3a224
Opcode Fuzzy Hash: 7104cd4c40e48c7fe94ce4f06cc9d2133265f9c6c4c37d5e48da3dd22b6011ee
Instruction Fuzzy Hash: 0DD0C932000B18BBDB002BF9EC0CE593F28EB48213F444100FB19C6220CE3254518B72

Function 00D57260 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007210), ref: 00D57265

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e1338d494ee420c0a08384ad138782cbd69086ef1248380dbcc9d78fd5dfa1de
Instruction ID: 736454f056af4254ece41c8aa970d20690d37b9a7c0896ecec51d8c188a0e57f
Opcode Fuzzy Hash: e1338d494ee420c0a08384ad138782cbd69086ef1248380dbcc9d78fd5dfa1de
Instruction Fuzzy Hash: D59002602957104A8E101B746D0980565907B5E703F915D60BC11C4154DE6040095537

Function 00D533E0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 187windowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(000003E8,00D58598,00000200), ref: 00D53442
GetDesktopWindow.USER32 ref: 00D535AA
SetWindowTextA.USER32(?,nxyfrmby), ref: 00D535C2
SendDlgItemMessageA.USER32(?,00000835,000000C5,00000103,00000000), ref: 00D535DB
GetDlgItem.USER32(?,00000836), ref: 00D535F1
EnableWindow.USER32(00000000), ref: 00D535F8
EndDialog.USER32(?,00000000), ref: 00D5360C

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D534CA, 00D534D4, 00D534F8, 00D5350B, 00D53522, 00D53531
nxyfrmby, xrefs: 00D535BC

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Window$Item$DesktopDialogEnableLoadMessageSendStringText
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$nxyfrmby
API String ID: 2418873061-741910996
Opcode ID: 0888e78ba29a50cdfb0af27a37d462e91422dfd26af8cbebf6e7b4d16f54cae8
Instruction ID: 51fadf626b3374cc06eeccdf86354636ec636b69c11d78ac723537d5a80bf425
Opcode Fuzzy Hash: 0888e78ba29a50cdfb0af27a37d462e91422dfd26af8cbebf6e7b4d16f54cae8
Instruction Fuzzy Hash: 5451D330340321B7EF201B799C4EF7B2E59DB46BD7F144128BE46E62D0DAB4CA4992B5

Function 00D536D0 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 119threadwindowCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00000000), ref: 00D53715
EndDialog.USER32(?,?), ref: 00D53721
ResetEvent.KERNEL32 ref: 00D5373F
SetEvent.KERNEL32(00D51158,00000000,00000020,00000004), ref: 00D53770
GetDesktopWindow.USER32 ref: 00D537A7
GetDlgItem.USER32(?,0000083B), ref: 00D537D1
SendMessageA.USER32(00000000), ref: 00D537D8
GetDlgItem.USER32(?,0000083B), ref: 00D537F0
SendMessageA.USER32(00000000), ref: 00D537F7
SetWindowTextA.USER32(?,nxyfrmby), ref: 00D53803
CreateThread.KERNEL32(00000000,00000000,Function_00005200,00000000,00000000,00D58798), ref: 00D53817
EndDialog.USER32(?,00000000), ref: 00D53851

Strings

nxyfrmby, xrefs: 00D537FD

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: DialogEventItemMessageSendThreadWindow$CreateDesktopResetTerminateText
String ID: nxyfrmby
API String ID: 2406144884-3132153233
Opcode ID: 6d04802b78186e986321093db8fce20aaffc13b5c78d3289f924add8c1462ee8
Instruction ID: 46a2551fef87e6b79a7a4198fbeda28e616bed8defd7aebd8b4dba8b8c7897e0
Opcode Fuzzy Hash: 6d04802b78186e986321093db8fce20aaffc13b5c78d3289f924add8c1462ee8
Instruction Fuzzy Hash: 49319371240711BBDF241F29AC4DE2A3E24E789B83F144529FE12E52A0DB718A08DB71

Function 00D5442A Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000001), ref: 00D5443C
GetProcAddress.KERNEL32(00000000,SHBrowseForFolder), ref: 00D54452
GetProcAddress.KERNEL32(00000000,000000C3), ref: 00D54469
GetProcAddress.KERNEL32(00000000,SHGetPathFromIDList), ref: 00D54480
GetTempPathA.KERNEL32(00000104,00D588C0,?,00000001), ref: 00D544A5
CharPrevA.USER32(00D588C0,01AB1181,?,00000001), ref: 00D544C8
CharPrevA.USER32(00D588C0,00000000,?,00000001), ref: 00D544DC
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00D54597
FreeLibrary.KERNEL32(00000000,?,00000001), ref: 00D545AB

Strings

SHGetPathFromIDList, xrefs: 00D5447A
SHELL32.DLL, xrefs: 00D54435
SHBrowseForFolder, xrefs: 00D5444C

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: AddressLibraryProc$CharFreePrev$LoadPathTemp
String ID: SHBrowseForFolder$SHELL32.DLL$SHGetPathFromIDList
API String ID: 1865808269-1731843650
Opcode ID: fa90cb93ad6a918ee6936de5d259d1fe1434eb54ede8ab82f821c06038d880ed
Instruction ID: b843ca7e4ec94f12339e76cafac082801964001ac52a1196211eae6da7a09d18
Opcode Fuzzy Hash: fa90cb93ad6a918ee6936de5d259d1fe1434eb54ede8ab82f821c06038d880ed
Instruction Fuzzy Hash: 2341A174A00310AFDF116B68AC85AAE7FB4EB4934BF180169ED01A7391DF748D4D9B72

Function 00D528C8 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

CharUpperA.USER32(BB768A09,00000000,00000000,00000000), ref: 00D528FD
CharNextA.USER32(00000001), ref: 00D5290A
CharNextA.USER32(00000000), ref: 00D52911
GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00D52936
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 00D52948
RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00020019,?,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00D5299E
RegQueryValueExA.ADVAPI32(?,00D51158,00000000,?,00000000,?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00D529C3
ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00D529E1
RegCloseKey.ADVAPI32(?,?,Software\Microsoft\Windows\CurrentVersion\App Paths), ref: 00D52A11
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 00D52A24

Strings

Software\Microsoft\Windows\CurrentVersion\App Paths, xrefs: 00D52954

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CharDirectory$NextSystem$CloseEnvironmentExpandOpenQueryStringsUpperValueWindows
String ID: Software\Microsoft\Windows\CurrentVersion\App Paths
API String ID: 229715263-2428544900
Opcode ID: 2457cd6b433ccf13a0b77be57f658ba6997d265ed8dc0bcabbd1a359e159ad19
Instruction ID: 4116a094a8994f7aace1f0678038d37e4bcf39bb3854445d0797e595492b3d46
Opcode Fuzzy Hash: 2457cd6b433ccf13a0b77be57f658ba6997d265ed8dc0bcabbd1a359e159ad19
Instruction Fuzzy Hash: C941B770A002285FDF249B289C85AFA7B7DEB46712F040095ED45E2240DB708E8D8F71

Function 00D546C7 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 159memorywindowCOMMON

Download Yara Rule

APIs

LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762
LocalAlloc.KERNEL32(00000040,00000065), ref: 00D547B1
LocalAlloc.KERNEL32(00000040,00000065), ref: 00D547F1
LocalAlloc.KERNEL32(00000040,00000002), ref: 00D5481B
MessageBeep.USER32(00000000), ref: 00D5483E
MessageBoxA.USER32(?,00000000,nxyfrmby,00000000), ref: 00D54874
LocalFree.KERNEL32(00000000), ref: 00D5487D

Part of subcall function 00D56B0D: GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00D56B5C
Part of subcall function 00D56B0D: GetSystemMetrics.USER32(0000004A), ref: 00D56B95
Part of subcall function 00D56B0D: RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00D56BBA
Part of subcall function 00D56B0D: RegQueryValueExA.ADVAPI32(?,00D51158,00000000,?,?,0000000C), ref: 00D56BE2
Part of subcall function 00D56B0D: RegCloseKey.ADVAPI32(?), ref: 00D56BF0

Strings

LoadString() Error. Could not load string resource., xrefs: 00D546F2
nxyfrmby, xrefs: 00D54753, 00D54868

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Local$AllocMessage$BeepCloseFreeLoadMetricsOpenQueryStringSystemValueVersion
String ID: LoadString() Error. Could not load string resource.$nxyfrmby
API String ID: 3244514340-2962051177
Opcode ID: 2d342a9358a8ee1e275797bf6c582b63db64623e81365b6e0265cca6cb853469
Instruction ID: 3542188860be30646daacb9f17ccad534fd1bfd308de70b95dd883480c2e09df
Opcode Fuzzy Hash: 2d342a9358a8ee1e275797bf6c582b63db64623e81365b6e0265cca6cb853469
Instruction Fuzzy Hash: B451F1769003559BDF219F288C48BAABBA9EF49306F184194EC49E3241CB31DD89CBB1

Function 00D52371 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 87registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\RunOnce,00000000,0002001F,?,00000001), ref: 00D523AD
RegQueryValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000000,?,?,00000001), ref: 00D523E2
memset.MSVCRT ref: 00D523FF
GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00D5240F
RegSetValueExA.ADVAPI32(?,wextract_cleanup0,00000000,00000001,?,?,?,?,?,?,?,?,?), ref: 00D52478
RegCloseKey.ADVAPI32(?), ref: 00D52484

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D5242B
wextract_cleanup0, xrefs: 00D52386, 00D523D7, 00D5246D
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s", xrefs: 00D52437
Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00D523A3

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Value$CloseDirectoryOpenQuerySystemmemset
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$Software\Microsoft\Windows\CurrentVersion\RunOnce$rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"$wextract_cleanup0
API String ID: 3027380567-4043760798
Opcode ID: 3ed0f6ba7e44aba9f4711bebf2f089f4d7d742c0318e6282b3de2c5cce77a619
Instruction ID: 997f8c47af15d1a1193f16a504f35adde5d4cf4a7df4f282360f03a213a8ea72
Opcode Fuzzy Hash: 3ed0f6ba7e44aba9f4711bebf2f089f4d7d742c0318e6282b3de2c5cce77a619
Instruction Fuzzy Hash: 8831B871A00328ABCF219B64DC49FEA7B7CEF15742F0401A5BD0DE6191EA709B8CCA70

Function 00D532C0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 70windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,00000000), ref: 00D532FB
GetDesktopWindow.USER32 ref: 00D5330B
SetDlgItemTextA.USER32(?,00000834), ref: 00D5332A
SetWindowTextA.USER32(?,nxyfrmby), ref: 00D53336
SetForegroundWindow.USER32(?), ref: 00D5333D
GetDlgItem.USER32(?,00000834), ref: 00D53345
GetWindowLongA.USER32(00000000,000000FC), ref: 00D53350
SetWindowLongA.USER32(00000000,000000FC,00D53280), ref: 00D53363
SendDlgItemMessageA.USER32(?,00000834,000000B1,000000FF,00000000), ref: 00D5338A

Strings

nxyfrmby, xrefs: 00D53330

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Window$Item$LongText$DesktopDialogForegroundMessageSend
String ID: nxyfrmby
API String ID: 3785188418-3132153233
Opcode ID: 24618128ae05457fabb32fa27f010e9409e248c0da267b7a111da3f8f1f31ff1
Instruction ID: 3b1b7c6f5d64a4ab7a50a35462c6e787518cdaec753fe57da668ec875c4c5076
Opcode Fuzzy Hash: 24618128ae05457fabb32fa27f010e9409e248c0da267b7a111da3f8f1f31ff1
Instruction Fuzzy Hash: 21118C31544721EBEF115F289C0EE5A3E64EB4A763F144310FD15E12A0DF708A49D6B6

Function 00D51978 Relevance: 16.6, APIs: 11, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D518BF: LoadLibraryA.KERNEL32(advapi32.dll,00000002,?,00000000,?,?,?,00D519B2), ref: 00D518EB
Part of subcall function 00D518BF: GetProcAddress.KERNEL32(00000000,CheckTokenMembership), ref: 00D518FD
Part of subcall function 00D518BF: AllocateAndInitializeSid.ADVAPI32(00D519B2,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,00D519B2), ref: 00D51926
Part of subcall function 00D518BF: FreeSid.ADVAPI32(?,?,?,?,00D519B2), ref: 00D51954
Part of subcall function 00D518BF: FreeLibrary.KERNEL32(00000000,?,?,?,00D519B2), ref: 00D5195B

GetCurrentProcess.KERNEL32(00000008,?,00000000,00000001), ref: 00D519C0
OpenProcessToken.ADVAPI32(00000000), ref: 00D519C7
GetTokenInformation.ADVAPI32(?,00000002,00000000,00000000,?), ref: 00D519DF
GetLastError.KERNEL32 ref: 00D519ED
LocalAlloc.KERNEL32(00000000,?,?), ref: 00D51A01
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?), ref: 00D51A19
AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00D51A39
EqualSid.ADVAPI32(00000004,?), ref: 00D51A4F
FreeSid.ADVAPI32(?), ref: 00D51A71
LocalFree.KERNEL32(00000000), ref: 00D51A78
CloseHandle.KERNEL32(?), ref: 00D51A82

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Free$Token$AllocateInformationInitializeLibraryLocalProcess$AddressAllocCloseCurrentEqualErrorHandleLastLoadOpenProc
String ID:
API String ID: 2168512254-0
Opcode ID: db7ccca59c973e4357034df31999bc49be5831007a70e61378bea34c1a821e49
Instruction ID: c324b98d80cf55d93ffa2054e806fb060717c45ce3c8bb551b30adc2ea3a0ab9
Opcode Fuzzy Hash: db7ccca59c973e4357034df31999bc49be5831007a70e61378bea34c1a821e49
Instruction Fuzzy Hash: 4F313C35A11315AFDF219FA9DC48AAFBBB8FF04316F140524ED11E2295DB309A4ACB31

Function 00D548A1 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
memcpy_s.MSVCRT ref: 00D548F7
FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

Strings

nxyfrmby, xrefs: 00D548F6
TITLE, xrefs: 00D548AF, 00D548D2

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$Find$FreeLoadLockSizeofmemcpy_s
String ID: TITLE$nxyfrmby
API String ID: 3370778649-1312248298
Opcode ID: f328218defe624984d120f342082f03bd7b8cb61fa9f6cc783b8c67df2c72be5
Instruction ID: 34e40b2b6c0171d61582fcee7f08c73944ff34d96d68db1df3f41929c0a80e60
Opcode Fuzzy Hash: f328218defe624984d120f342082f03bd7b8cb61fa9f6cc783b8c67df2c72be5
Instruction Fuzzy Hash: 4201863A2443247BE72017AD9C4EF6B7E2CDBC5B97F084218FE0AD6290C9618C54CA73

Function 00D53630 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00D53670
GetDesktopWindow.USER32 ref: 00D5367A
SetWindowTextA.USER32(?,nxyfrmby), ref: 00D53692
SetDlgItemTextA.USER32(?,00000838), ref: 00D536A4
SetForegroundWindow.USER32(?), ref: 00D536AB
EndDialog.USER32(?,00000002), ref: 00D536B8

Strings

nxyfrmby, xrefs: 00D5368C

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Window$DialogText$DesktopForegroundItem
String ID: nxyfrmby
API String ID: 852535152-3132153233
Opcode ID: 473858861d6dfecd70c5fb5bb63ddc8831c0a9db0c8e08fb66fc72ac6473320e
Instruction ID: c08a95fcf0d4186a11ea3369d03644b9a873ed30a42b711d2adcc3b1e62848b8
Opcode Fuzzy Hash: 473858861d6dfecd70c5fb5bb63ddc8831c0a9db0c8e08fb66fc72ac6473320e
Instruction Fuzzy Hash: 1B015332240725ABCB116F6C9D0CDA97A20AB08783F084118FD46CA3A0CA30CB19CBB1

Function 00D52C30 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,00000104,00000000,00000000,?), ref: 00D52C74
IsDBCSLeadByte.KERNEL32(?), ref: 00D52C90
CharNextA.USER32(?), ref: 00D52CB0
CharUpperA.USER32 ref: 00D52CBC
CharPrevA.USER32(?,?), ref: 00D52CF3
CharUpperA.USER32(00000000), ref: 00D52D2F
CharNextA.USER32(00000000), ref: 00D52D69
CharNextA.USER32(?), ref: 00D52D72

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Char$Next$Upper$ByteFileLeadModuleNamePrev
String ID:
API String ID: 975904313-0
Opcode ID: c88449422f2b54172d1eb43a08c388693321c74306a432f286e1abd3b2923148
Instruction ID: b1bcfc432610f29be022821d4ba3559f8182e0732f48e91c1638e0055a8cb3b4
Opcode Fuzzy Hash: c88449422f2b54172d1eb43a08c388693321c74306a432f286e1abd3b2923148
Instruction Fuzzy Hash: FE41F2345043919EDF268F388854BF9BFB69F57302F1C419ADCC287242CA654D8E8BB1

Function 00D545DA Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00D545FB
GetWindowRect.USER32(00000000,?), ref: 00D54615
GetDC.USER32(?), ref: 00D5462D
GetDeviceCaps.GDI32(00000000,00000008), ref: 00D54638
GetDeviceCaps.GDI32(00000000,0000000A), ref: 00D54644
ReleaseDC.USER32(?,00000000), ref: 00D54651
SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,00000001,?), ref: 00D546AC

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Window$CapsDeviceRect$Release
String ID:
API String ID: 2212493051-0
Opcode ID: 29cf54f4bf1790306c0f04254d7fc23574a4e4a71d2351bc4b7e8451a3296ed3
Instruction ID: 6b58710ac8c615addd54c281e9e58693202c7449e8d0852803600b65b60f5791
Opcode Fuzzy Hash: 29cf54f4bf1790306c0f04254d7fc23574a4e4a71d2351bc4b7e8451a3296ed3
Instruction Fuzzy Hash: 1E313932A00619ABCF14CFB8DD88DEEBBB5EB89311F154229ED01F3254DA30AC458B61

Function 00D5652B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

Part of subcall function 00D517E1: _vsnprintf.MSVCRT ref: 00D51808

LoadResource.KERNEL32(00000000,00000000,?,?,00000002,00000000,?,00D553F0,00000004,00000024,00D5312A,?,00000002,00000000), ref: 00D56560
LockResource.KERNEL32(00000000,?,?,00000002,00000000,?,00D553F0,00000004,00000024,00D5312A,?,00000002,00000000), ref: 00D56567
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00D553F0,00000004,00000024,00D5312A,?,00000002,00000000), ref: 00D565AE
FindResourceA.KERNEL32(00000000,00000004,0000000A), ref: 00D565D8
FreeResource.KERNEL32(00000000,?,?,00000002,00000000,?,00D553F0,00000004,00000024,00D5312A,?,00000002,00000000), ref: 00D565EA

Strings

UPDFILE%lu, xrefs: 00D56546, 00D565BC

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$Free$FindLoadLock_vsnprintf
String ID: UPDFILE%lu
API String ID: 2922116661-2329316264
Opcode ID: c4fa5691da3d902b19ee5c971fdcd16e0cc3c832dc4a2afa121aa28361cf3bf2
Instruction ID: 6fd664f10960eff4af571b036266d58cbe36d6b304fb23701b210f2ab2203331
Opcode Fuzzy Hash: c4fa5691da3d902b19ee5c971fdcd16e0cc3c832dc4a2afa121aa28361cf3bf2
Instruction Fuzzy Hash: F421B475A00329AFDF109FA89C459BEBB78EF48706B540229ED02E3255DB35DD0AC7B0

Function 00D56B0D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80registryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,00000000,00000002), ref: 00D56B5C
GetSystemMetrics.USER32(0000004A), ref: 00D56B95
RegOpenKeyExA.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,00020019,?), ref: 00D56BBA
RegQueryValueExA.ADVAPI32(?,00D51158,00000000,?,?,0000000C), ref: 00D56BE2
RegCloseKey.ADVAPI32(?), ref: 00D56BF0

Part of subcall function 00D569CC: CharNextA.USER32(?,00000001,00000000,00000000,?,?,?,00D56C08), ref: 00D56A14

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00D56BB0

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CharCloseMetricsNextOpenQuerySystemValueVersion
String ID: Control Panel\Desktop\ResourceLocale
API String ID: 3346862599-1109908249
Opcode ID: fb5dbedc305f66f805bea5c6b160c49ae1ec1d2dee4717449fca761d4dbd4bfd
Instruction ID: 055225e9d15925cf49846a7928f3f547c9e9b78343eae603c6a3eed56b1b2946
Opcode Fuzzy Hash: fb5dbedc305f66f805bea5c6b160c49ae1ec1d2dee4717449fca761d4dbd4bfd
Instruction Fuzzy Hash: 8C310D35A013289EDF60DF15DC45BAABFB8EB45712F480995DD89E3240DB30998D8B72

Function 00D53C17 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 73memorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

LocalAlloc.KERNEL32(00000040,00000001,00000000,?,00000002,00000000,00D5311D,?,00000002,00000000), ref: 00D53C35
LocalFree.KERNEL32(00000000,00000000,00000010,00000000,00000000), ref: 00D53C8B

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Part of subcall function 00D56512: GetLastError.KERNEL32(00D55E30), ref: 00D56512

lstrcmpA.KERNEL32(<None>,00000000), ref: 00D53CA8
LocalFree.KERNEL32 ref: 00D53CEB

Part of subcall function 00D567BF: FindResourceA.KERNEL32(00D50000,000007D6,00000005), ref: 00D567D2
Part of subcall function 00D567BF: LoadResource.KERNEL32(00D50000,00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00D567E0
Part of subcall function 00D567BF: DialogBoxIndirectParamA.USER32(00D50000,00000000,00000547,00D51AC0,00000000), ref: 00D567FF
Part of subcall function 00D567BF: FreeResource.KERNEL32(00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00D56808

LocalFree.KERNEL32(00000000,00D532C0,00000000,00000000), ref: 00D53CCC

Strings

<None>, xrefs: 00D53C9D
LICENSE, xrefs: 00D53C1E

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$Free$Local$FindLoad$AllocDialogErrorIndirectLastLockMessageParamSizeofStringlstrcmpmemcpy_s
String ID: <None>$LICENSE
API String ID: 2414642746-383193767
Opcode ID: 95bde6a56b2644ce6f61d6348b2b8612c618c342246c0b42ae687449659fc95c
Instruction ID: 65edeb32cd19fb66a3cbe59db76548a0cc07622905ea4495eb0fa64afe23bf49
Opcode Fuzzy Hash: 95bde6a56b2644ce6f61d6348b2b8612c618c342246c0b42ae687449659fc95c
Instruction Fuzzy Hash: 3311DA30201311AFDF206B3A9D09E2779B9EBD5753B10412EBD42F67F1DAB5C8049A35

Function 00D525F8 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104,00000000,00000000), ref: 00D5261E
WritePrivateProfileStringA.KERNEL32(00000000,00000000,00000000,?), ref: 00D52644
_lopen.KERNEL32(?,00000040), ref: 00D52653
_llseek.KERNEL32(00000000,00000000,00000002), ref: 00D52664
_lclose.KERNEL32(00000000), ref: 00D5266D

Strings

wininit.ini, xrefs: 00D52628

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: DirectoryPrivateProfileStringWindowsWrite_lclose_llseek_lopen
String ID: wininit.ini
API String ID: 3273605193-4206010578
Opcode ID: c9507fc1c514466a5d34f74fb938b6b5adc671f6cb3fe0f957320f02ee7650bd
Instruction ID: 8a87e51debd8fe2ae660808c2be47e4f1e0bdd150fdb133c1be772abdd96740e
Opcode Fuzzy Hash: c9507fc1c514466a5d34f74fb938b6b5adc671f6cb3fe0f957320f02ee7650bd
Instruction Fuzzy Hash: CC0192316003246BCB209B6DDC09EDFBA6CDB45712F440255BE45D32D0DE748A89C675

Function 00D56739 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?), ref: 00D56783
LoadLibraryExA.KERNEL32(?,00000000,00000008,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?), ref: 00D5679D
LoadLibraryA.KERNEL32(advpack.dll,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\,?,?), ref: 00D567A6

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D56750
advpack.dll, xrefs: 00D56766, 00D56771, 00D567A5

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: LibraryLoad$AttributesFile
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\$advpack.dll
API String ID: 438848745-476397916
Opcode ID: c691b081e9682acc086302ee615b917ed3a3dc33ac176cf58231a37bfd578b1f
Instruction ID: a8023aa71be20cf56c6e5bc4a4bb6931f6cf8d5adf041f50d35e6f0d0fa3c2dd
Opcode Fuzzy Hash: c691b081e9682acc086302ee615b917ed3a3dc33ac176cf58231a37bfd578b1f
Instruction Fuzzy Hash: 1AF06230910314ABEF509B68DC49FEA7B69DB54716F900265BD85931D0DEB0998E8631

Function 00D52A53 Relevance: 7.6, APIs: 5, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00D52BDA

Part of subcall function 00D528C8: CharUpperA.USER32(BB768A09,00000000,00000000,00000000), ref: 00D528FD
Part of subcall function 00D528C8: CharNextA.USER32(00000001), ref: 00D5290A
Part of subcall function 00D528C8: CharNextA.USER32(00000000), ref: 00D52911
Part of subcall function 00D528C8: GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00D52936

GlobalAlloc.KERNEL32(00000042,00000000,?,?,?,?,?,?,?,?,00D53B36,?,?,?,?,00000000), ref: 00D52AC3
GlobalLock.KERNEL32(00000000), ref: 00D52AD4
GlobalUnlock.KERNEL32(00000000), ref: 00D52B8C
GlobalUnlock.KERNEL32(00000000), ref: 00D52BEA

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Global$Char$NextUnlock$AllocDirectoryFreeLockUpperWindows
String ID:
API String ID: 2818966397-0
Opcode ID: a55042f1315eda5f3a7acd7050fcaa2d161782c83121a9e54962b51b0ecff666
Instruction ID: 2363aba33622bebb081e87dc0aadb0be55235c7d56b9436a89df053202e17b0d
Opcode Fuzzy Hash: a55042f1315eda5f3a7acd7050fcaa2d161782c83121a9e54962b51b0ecff666
Instruction Fuzzy Hash: 6F511771A00219DFCF11CF98C885AAEBBB9FF49312F18456AED05E7255C7309949CBB0

Function 00D54366 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548B2
Part of subcall function 00D548A1: SizeofResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548BB
Part of subcall function 00D548A1: FindResourceA.KERNEL32(00000000,TITLE,0000000A), ref: 00D548D5
Part of subcall function 00D548A1: LoadResource.KERNEL32(00000000,00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548DE
Part of subcall function 00D548A1: LockResource.KERNEL32(00000000,?,00D52EC9,0000007F,?,?,?,?,?,?,?,00000002,00000000), ref: 00D548E5
Part of subcall function 00D548A1: memcpy_s.MSVCRT ref: 00D548F7
Part of subcall function 00D548A1: FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000002,00000000), ref: 00D54901

LocalAlloc.KERNEL32(00000040,?,00000000,00000000,00000105,00000000,00D5326B), ref: 00D54386
LocalFree.KERNEL32(00000000,?,00000000,00000000,00000105,00000000,00D5326B), ref: 00D543E4

Part of subcall function 00D546C7: LoadStringA.USER32(000004B1,?,00000200,00000000), ref: 00D54726
Part of subcall function 00D546C7: MessageBoxA.USER32(?,?,nxyfrmby,00010010), ref: 00D54762

Strings

<None>, xrefs: 00D543C2
FINISHMSG, xrefs: 00D54370, 00D543A8

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$FindFreeLoadLocal$AllocLockMessageSizeofStringmemcpy_s
String ID: <None>$FINISHMSG
API String ID: 3507850446-3091758298
Opcode ID: a88e1f1014112338eead226f8ba283fbbe829a922d7b147b8a14478dc9cb67fa
Instruction ID: 2e37d8efc8181236567916d6427354817c79ab1edbe13f7b32a7bf2f4beabecb
Opcode Fuzzy Hash: a88e1f1014112338eead226f8ba283fbbe829a922d7b147b8a14478dc9cb67fa
Instruction Fuzzy Hash: 6301D1A13413247FFB24266A9C96F7B154EDB8479BF444125FF02E26E0CAA9DC490177

Function 00D51AC0 Relevance: 7.6, APIs: 5, Instructions: 51windowCOMMON

Download Yara Rule

APIs

EndDialog.USER32(?,?), ref: 00D51AFF
GetDesktopWindow.USER32 ref: 00D51B07
LoadStringA.USER32(?,?,00000200), ref: 00D51B32
SetDlgItemTextA.USER32(?,0000083F,00000000), ref: 00D51B45
MessageBeep.USER32(000000FF), ref: 00D51B4D

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: BeepDesktopDialogItemLoadMessageStringTextWindow
String ID:
API String ID: 1273765764-0
Opcode ID: ff658cb6c07abc8c3eac2bb91cbb548cb21cca0dacafbeeb5460ec2ebc3e7258
Instruction ID: c20ce2618c534a5c92b3b52cc752b3814954ffac4375d4c5ff1818a573b542ce
Opcode Fuzzy Hash: ff658cb6c07abc8c3eac2bb91cbb548cb21cca0dacafbeeb5460ec2ebc3e7258
Instruction Fuzzy Hash: 11113C35500359ABDF11AF7CDD08EAE7BB4EB0A302F148254ED51D22A1DA749E05DB71

Function 00D56660 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D566CD
WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D566FB
CloseHandle.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\IXP000.TMP\), ref: 00D5671A

Strings

C:\Users\user\AppData\Local\Temp\IXP000.TMP\, xrefs: 00D5668B

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: File$CloseCreateHandleWrite
String ID: C:\Users\user\AppData\Local\Temp\IXP000.TMP\
API String ID: 1065093856-4151094324
Opcode ID: acc26895bc2a8d24076e13d395eff6a23f63416714c3962d645ba2bedc6c309b
Instruction ID: 4319af3a1e07af28a821ded6d30e1ea401be9ea27a83a2f34e1d035e9280f0d1
Opcode Fuzzy Hash: acc26895bc2a8d24076e13d395eff6a23f63416714c3962d645ba2bedc6c309b
Instruction Fuzzy Hash: 6D21A871A00328ABDB10DF29DC85FDB7768EB49316F104169AD45E3280DAB49D898F74

Function 00D526E7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Control\Session Manager\FileRenameOperations,00000000,00020019,?,00000000,?,?,?,00D5276B,00D51FDB,00000001,00000000,00D5432E,?,00D54289), ref: 00D52708
RegQueryInfoKeyA.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00D54289,00000000,00000000,00000000,00000000,?,00D5276B,00D51FDB,00000001), ref: 00D52723
RegCloseKey.ADVAPI32(?,?,00D5276B,00D51FDB,00000001,00000000,00D5432E,?,00D54289), ref: 00D52735

Strings

System\CurrentControlSet\Control\Session Manager\FileRenameOperations, xrefs: 00D526FB

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: CloseInfoOpenQuery
String ID: System\CurrentControlSet\Control\Session Manager\FileRenameOperations
API String ID: 2142960691-1430103811
Opcode ID: d3c4b10a87580c319112665cfb881c25599d88da333e1f5904bddae0cc54eea1
Instruction ID: ecf92371fa431f687c8768e7cc914ebe42471086b2d5e5eeb17d525d753f2bfb
Opcode Fuzzy Hash: d3c4b10a87580c319112665cfb881c25599d88da333e1f5904bddae0cc54eea1
Instruction Fuzzy Hash: A3F03AB5912238BB9F208BA6DC09CEFBFBCEF457A2B100150B805E2140D6709B04D6B0

Function 00D5689A Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CharPrevA.USER32(?,00000000,00000000,00000000,00000000,?,?,00D52CD1), ref: 00D568B8
CharPrevA.USER32(?,00000000,?,00D52CD1), ref: 00D568C8
CharPrevA.USER32(?,00000000,?,00D52CD1), ref: 00D568DF
CharNextA.USER32(00000000,?,00D52CD1), ref: 00D568EB

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Char$Prev$Next
String ID:
API String ID: 3260447230-0
Opcode ID: ab623ae6229da66df52cca613e1af24e1b0735aa159fe155a2b45b1759845ce4
Instruction ID: 9b6c95d45540245ef06b2240bd0fff27d5e943dbc5f975b271309ffa9030dc54
Opcode Fuzzy Hash: ab623ae6229da66df52cca613e1af24e1b0735aa159fe155a2b45b1759845ce4
Instruction Fuzzy Hash: C401D671104B506EEB221B299C88CB7BF9CDB87366B5D02BFED82C3141E6558D4A8771

Function 00D567BF Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(00D50000,000007D6,00000005), ref: 00D567D2
LoadResource.KERNEL32(00D50000,00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?), ref: 00D567E0
DialogBoxIndirectParamA.USER32(00D50000,00000000,00000547,00D51AC0,00000000), ref: 00D567FF
FreeResource.KERNEL32(00000000,?,?,00D5309A,00000000,00D51AC0,00000547,0000083E,?,?,?,?,?,?,?,00000002), ref: 00D56808

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: Resource$DialogFindFreeIndirectLoadParam
String ID:
API String ID: 1214682469-0
Opcode ID: 7df4620e717f4589fb01aa80113cc7766d4563814f17fca249b83a2358473cd2
Instruction ID: 63fc2ac945283aab04e0190ad74db52c158677af531a443f6d1681ed406f831b
Opcode Fuzzy Hash: 7df4620e717f4589fb01aa80113cc7766d4563814f17fca249b83a2358473cd2
Instruction Fuzzy Hash: EC01A272100716BBDF101FA99C48DAB7A6CEB89766F444225FE11E3190DB71CC0086B1

Function 00D56CA0 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

Part of subcall function 00D572FA: GetModuleHandleW.KERNEL32(00000000,?,00D56CB1,00000002), ref: 00D57301

__set_app_type.MSVCRT ref: 00D56CB2
__p__fmode.MSVCRT ref: 00D56CC8
__p__commode.MSVCRT ref: 00D56CD6
__setusermatherr.MSVCRT ref: 00D56CF7

Memory Dump Source

Source File: 00000000.00000002.1490521421.0000000000D51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D50000, based on PE: true

Associated: 00000000.00000002.1490461644.0000000000D50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490538713.0000000000D58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490555461.0000000000D5C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d50000_file.jbxd

Similarity

API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1632413811-0
Opcode ID: aacc33591ed46dd1b71452d0e1bf101dd9ea1024275d21a772fd232069ef9fa3
Instruction ID: fa6f3145ffeecf5bed5478329131eafbf89a78ddf8da9579e9eb034283589740
Opcode Fuzzy Hash: aacc33591ed46dd1b71452d0e1bf101dd9ea1024275d21a772fd232069ef9fa3
Instruction Fuzzy Hash: D1F07470508301DFDA146B38BD4B5193B60FB09333B641659ED62D63E1DF3A9449EA35

Analysis Process: fopholde.exePID: 5096, Parent PID: 6836COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	11%
Signature Coverage:	16.2%
Total number of Nodes:	718
Total number of Limit Nodes:	71

Executed Functions

Function 00FAF450 Relevance: 133.6, APIs: 48, Strings: 28, Instructions: 565
libraryloadermemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(ADVAPI32.DLL,92D9F7EA), ref: 00FAF4A6
LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 00FAF4B3
LoadLibraryA.KERNEL32(NETAPI32.DLL), ref: 00FAF4C0
GetProcAddress.KERNEL32(00000000,NetStatisticsGet), ref: 00FAF4FA
GetProcAddress.KERNEL32(?,NetApiBufferFree), ref: 00FAF50D
NetStatisticsGet.NETAPI32(00000000,LanmanWorkstation,00000000,00000000,?), ref: 00FAF53B
NetStatisticsGet.NETAPI32(00000000,LanmanServer,00000000,00000000,?), ref: 00FAF57D
FreeLibrary.KERNEL32(?), ref: 00FAF5B0
GetProcAddress.KERNEL32(?,CryptAcquireContextW), ref: 00FAF5C6
GetProcAddress.KERNEL32(?,CryptGenRandom), ref: 00FAF5D9
GetProcAddress.KERNEL32(?,CryptReleaseContext), ref: 00FAF5EC
FreeLibrary.KERNEL32(?), ref: 00FAF6E0
LoadLibraryA.KERNEL32(USER32.DLL), ref: 00FAF6F8
GetProcAddress.KERNEL32(00000000,GetForegroundWindow), ref: 00FAF712
GetProcAddress.KERNEL32(?,GetCursorInfo), ref: 00FAF725
GetProcAddress.KERNEL32(?,GetQueueStatus), ref: 00FAF738
FreeLibrary.KERNEL32(?), ref: 00FAF7BE
GetProcAddress.KERNEL32(?,CreateToolhelp32Snapshot), ref: 00FAF7EC
GetProcAddress.KERNEL32(?,CloseToolhelp32Snapshot), ref: 00FAF7FF
GetProcAddress.KERNEL32(?,Heap32First), ref: 00FAF812
GetProcAddress.KERNEL32(?,Heap32Next), ref: 00FAF825
GetProcAddress.KERNEL32(?,Heap32ListFirst), ref: 00FAF838
GetProcAddress.KERNEL32(?,Heap32ListNext), ref: 00FAF84B
GetProcAddress.KERNEL32(?,Process32First), ref: 00FAF85E
GetProcAddress.KERNEL32(?,Process32Next), ref: 00FAF871
GetProcAddress.KERNEL32(?,Thread32First), ref: 00FAF884
GetProcAddress.KERNEL32(?,Thread32Next), ref: 00FAF897
GetProcAddress.KERNEL32(?,Module32First), ref: 00FAF8AA
GetProcAddress.KERNEL32(?,Module32Next), ref: 00FAF8BD
CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 00FAF956
GetTickCount.KERNEL32 ref: 00FAF97C
Heap32ListFirst.KERNEL32(00000000,00000010), ref: 00FAF993
Heap32First.KERNEL32(?,?,?), ref: 00FAF9FF
Heap32Next.KERNEL32(?), ref: 00FAFA40
GetTickCount.KERNEL32 ref: 00FAFA4E
Heap32ListNext.KERNEL32(?,00000010), ref: 00FAFAB5
GetTickCount.KERNEL32 ref: 00FAFAC3
GetTickCount.KERNEL32 ref: 00FAFAF2
Process32First.KERNEL32(?,00000128), ref: 00FAFB07
GetTickCount.KERNEL32 ref: 00FAFB45
GetTickCount.KERNEL32 ref: 00FAFB62
FreeLibrary.KERNEL32(?), ref: 00FAFC54
GlobalMemoryStatus.KERNEL32(?), ref: 00FAFC66
GetCurrentProcessId.KERNEL32 ref: 00FAFCD4

Strings

Intel Hardware Cryptographic Service Provider, xrefs: 00FAF677
NETAPI32.DLL, xrefs: 00FAF4BB
USER32.DLL, xrefs: 00FAF6F3
GetForegroundWindow, xrefs: 00FAF70C
LanmanWorkstation, xrefs: 00FAF534
Heap32ListFirst, xrefs: 00FAF82D
GetQueueStatus, xrefs: 00FAF72D
Thread32Next, xrefs: 00FAF88C
Heap32Next, xrefs: 00FAF81A
CryptAcquireContextW, xrefs: 00FAF5C0
CryptGenRandom, xrefs: 00FAF5CE
Thread32First, xrefs: 00FAF879
Process32First, xrefs: 00FAF853
Module32Next, xrefs: 00FAF8B2
Module32First, xrefs: 00FAF89F
CryptReleaseContext, xrefs: 00FAF5E1
NetStatisticsGet, xrefs: 00FAF4F4
ADVAPI32.DLL, xrefs: 00FAF49B
LanmanServer, xrefs: 00FAF570
CreateToolhelp32Snapshot, xrefs: 00FAF7E0
Process32Next, xrefs: 00FAF866
Heap32First, xrefs: 00FAF807
Heap32ListNext, xrefs: 00FAF840
CloseToolhelp32Snapshot, xrefs: 00FAF7F4
$, xrefs: 00FAF9E8
KERNEL32.DLL, xrefs: 00FAF4AE
NetApiBufferFree, xrefs: 00FAF502
GetCursorInfo, xrefs: 00FAF71A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AddressProc$Library$CountTick$FreeHeap32Load$First$ListNextStatistics$CreateCurrentGlobalMemoryProcessProcess32SnapshotStatusToolhelp32
String ID: $$ADVAPI32.DLL$CloseToolhelp32Snapshot$CreateToolhelp32Snapshot$CryptAcquireContextW$CryptGenRandom$CryptReleaseContext$GetCursorInfo$GetForegroundWindow$GetQueueStatus$Heap32First$Heap32ListFirst$Heap32ListNext$Heap32Next$Intel Hardware Cryptographic Service Provider$KERNEL32.DLL$LanmanServer$LanmanWorkstation$Module32First$Module32Next$NETAPI32.DLL$NetApiBufferFree$NetStatisticsGet$Process32First$Process32Next$Thread32First$Thread32Next$USER32.DLL
API String ID: 2857262387-1723836103
Opcode ID: 8929548a8f0d91bcb8ee68f6fb493647bd4ad8ef8de930e86623fc44ffefc7a0
Instruction ID: a4c80b32590a735a0789aee14bb0846fdfae120c326e9324b269723cdedfef25
Opcode Fuzzy Hash: 8929548a8f0d91bcb8ee68f6fb493647bd4ad8ef8de930e86623fc44ffefc7a0
Instruction Fuzzy Hash: B5326DF0E002299BDF319F65CD44BE9B7B9AF44714F4041EAEA08A7251EB708E85DF58

Function 01040180 Relevance: 51.0, APIs: 22, Strings: 7, Instructions: 278
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?), ref: 010401D0
_calloc.LIBCMT ref: 010401DD
NtQuerySystemInformation.NTDLL(00000008,00000000,?,?), ref: 0104022D
RtlNtStatusToDosError.NTDLL(00000000), ref: 01040238
_free.LIBCMT ref: 010404F4
_free.LIBCMT ref: 01040507
_free.LIBCMT ref: 01040513

Part of subcall function 01050C50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0103B1F8), ref: 01050BBF
Part of subcall function 01050C50: SetEvent.KERNEL32(00000000), ref: 01050BE0

Strings

result_size == sppi_size, xrefs: 01040253
len > 0, xrefs: 01040405
ProcessorNameString, xrefs: 01040325
HARDWARE\DESCRIPTION\System\CentralProcessor\%d, xrefs: 01040285
~MHz, xrefs: 010402FD
src\win\util.c, xrefs: 0104024E, 010402BC, 01040400
len > 0 && len < ARRAY_SIZE(key_name), xrefs: 010402C1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free$EventSystem$CreateErrorInfoInformationQueryStatus_calloc
String ID: HARDWARE\DESCRIPTION\System\CentralProcessor\%d$ProcessorNameString$len > 0$len > 0 && len < ARRAY_SIZE(key_name)$result_size == sppi_size$src\win\util.c$~MHz
API String ID: 1074259684-3419889062
Opcode ID: 10c2445a2e0edc25d33bccafa48b4ce1c01d2bf0f2ae05e7538f52fbfefe05f5
Instruction ID: 38e84415de27e63927969e4063422b9dd39ab628cd9e25887114c58b02508228
Opcode Fuzzy Hash: 10c2445a2e0edc25d33bccafa48b4ce1c01d2bf0f2ae05e7538f52fbfefe05f5
Instruction Fuzzy Hash: 81A181B1604301AFE760DF64DC85BABBBE5FF98704F00492DFA89AA294DB70D544CB52

Function 01046920 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 277
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesW.KERNEL32(?), ref: 010469B3
_swprintf.LIBCMT ref: 01046A12
FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 01046A24
_free.LIBCMT ref: 01046A31
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 01046A49
FindNextFileW.KERNELBASE(?,?), ref: 01046B64
FindClose.KERNEL32(?), ref: 01046B73
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 01046B96

Strings

., xrefs: 01046A82
malloc, xrefs: 01046C58, 01046C67
realloc, xrefs: 01046C76

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FileFind$AttributesByteCharCloseErrorFirstLastMultiNextWide_free_swprintf
String ID: .$malloc$realloc
API String ID: 4109108170-4281005810
Opcode ID: 436456a1507b1f8da9c9ac4d9ce48947d00e88e964cdcc833f9727a8aaafa1c6
Instruction ID: b694da1e092d833be77a07c9fb4439b8e58598c76948ad5223aff85721d73b5e
Opcode Fuzzy Hash: 436456a1507b1f8da9c9ac4d9ce48947d00e88e964cdcc833f9727a8aaafa1c6
Instruction Fuzzy Hash: 9C91F5B5A043028BCB64DF28D8C46ABB7E4FF89314F04496DE9C997391EB71D845CB92

Function 0103FF30 Relevance: 9.2, APIs: 6, Instructions: 181
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(80000004,013D2190,00000000,00000000,?,?), ref: 0103FF7B
RegQueryValueExW.ADVAPI32(80000004,013D2190,00000000,00000000,00000000,?), ref: 0103FFE0
_free.LIBCMT ref: 0104011A
_free.LIBCMT ref: 0103FF9D

Part of subcall function 01240441: RtlFreeHeap.NTDLL(00000000,00000000,7534EA60,0103B28A,?,?,00000000), ref: 01240455
Part of subcall function 01240441: GetLastError.KERNEL32(?,?,00000000), ref: 01240467

_free.LIBCMT ref: 0104005E
_free.LIBCMT ref: 01040143

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free$QueryValue$ErrorFreeHeapLast
String ID:
API String ID: 1290430078-0
Opcode ID: b350d1b1f55c0a7c6a52ac35b5c49548b0a69fd956712e487f9702d53e1ce944
Instruction ID: f57ed6f599816c571b75b638977bd4e4ae80c3456c0238105e6233b16b55aa6b
Opcode Fuzzy Hash: b350d1b1f55c0a7c6a52ac35b5c49548b0a69fd956712e487f9702d53e1ce944
Instruction Fuzzy Hash: 7351E571B002068BC324CF28D8C0AAFB7E6EFD5350F54426AFA895B255DB70E885C7D6

Function 010F41E0 Relevance: 2.5, APIs: 2, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00001000,00001000,00000102,?,00009000,00000000,?,010F3A5C,?), ref: 010F420E

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e1b32bd78b3f4f12dbbe120f182a5f3c404f92fe42d92944ddf3a082c2feb7bf
Instruction ID: 07b3211c9f25b5e983b2cc4cc1a4a365bda99fd211e6f8a5c45e12683543981a
Opcode Fuzzy Hash: e1b32bd78b3f4f12dbbe120f182a5f3c404f92fe42d92944ddf3a082c2feb7bf
Instruction Fuzzy Hash: 04F0F671344310AAFA209968BC4BFD3239CAB45B99F448458FBC0DA1C6D2A098858260

Function 0CA3A940 Relevance: 12.6, Strings: 9, Instructions: 1361COMMON

Download Yara Rule

Strings

tA$, xrefs: 0CA3B138
eKA$, xrefs: 0CA3B578
u@$, xrefs: 0CA3B681
I.B$, xrefs: 0CA3B541
u@$, xrefs: 0CA3B745
Q/B$, xrefs: 0CA3B7B5
u@$, xrefs: 0CA3B7E2
u@$, xrefs: 0CA3B716
u@$, xrefs: 0CA3B6B0

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID: I.B$$Q/B$$eKA$$u@$$u@$$u@$$u@$$u@$$tA$
API String ID: 0-489992784
Opcode ID: 0d5c7e2fcc16a65ef2c0175d6dda0a67282f99dd3ea9e74d553900c6f2d5b229
Instruction ID: 9e9022a7d525a78b821257147af3dac7436fc852615addd15e32d12bd927e40f
Opcode Fuzzy Hash: 0d5c7e2fcc16a65ef2c0175d6dda0a67282f99dd3ea9e74d553900c6f2d5b229
Instruction Fuzzy Hash: 58A22230B086105BE3D8ABB9CCA5B2A7ED56F44254F1CC01CF865DF397CA69DC848B98

Function 01069470 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0TryCatch@v8@@QAE@XZ.FOPHOLDE ref: 0106952F
?ToString@Value@v8@@QBE?AV?$Local@VString@v8@@@2@XZ.FOPHOLDE(?), ref: 0106953C
?Length@String@v8@@QBEHXZ.FOPHOLDE(?), ref: 01069549
?WriteAscii@String@v8@@QBEHPADHHH@Z.FOPHOLDE(00000000,00000000,000000FF,00000000), ref: 0106957C
??1TryCatch@v8@@QAE@XZ.FOPHOLDE(?), ref: 01069585

Strings

Out of memory, xrefs: 01069563
v8::String::AsciiValue::AsciiValue(), xrefs: 010694C4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Catch@v8@@String@v8@@$Ascii@Length@Local@String@String@v8@@@2@Value@v8@@Write
String ID: Out of memory$v8::String::AsciiValue::AsciiValue()
API String ID: 984799517-2270035404
Opcode ID: f80993530dd354f15f3502ba4a1693fee973f4c87b1b14c2d307db4daa6b4983
Instruction ID: 580e588722e6c47bc21760feabda5578ec5c85c5b300b9f76b809eb268950477
Opcode Fuzzy Hash: f80993530dd354f15f3502ba4a1693fee973f4c87b1b14c2d307db4daa6b4983
Instruction Fuzzy Hash: CF31E9715083028FDB61DF28D480BAAB7F8FF98318F044579ED998B6D1DB749848CBA1

Function 01046C90 Relevance: 6.1, APIs: 4, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileInformationByHandle.KERNEL32(?,00000000,00000000,?), ref: 01046CAA
__aulldiv.LIBCMT ref: 01046D6D
__aulldiv.LIBCMT ref: 01046D94
__aulldiv.LIBCMT ref: 01046DBB

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: __aulldiv$FileHandleInformation
String ID:
API String ID: 3501339380-0
Opcode ID: 2388acd9fe95b2180a9841f318916e7799d8269dcd2dbf944f97f5ffe745ab18
Instruction ID: c4fac489f9e552b0dbd2a5eb08d321a30affa7e9f53b5500456e26469571219c
Opcode Fuzzy Hash: 2388acd9fe95b2180a9841f318916e7799d8269dcd2dbf944f97f5ffe745ab18
Instruction Fuzzy Hash: F7415EB46147019BE364DF28D880B67BBE5EF84714F40892DE8DAC7790E779E8448B46

Function 0CA72660 Relevance: 5.4, Strings: 1, Instructions: 4151COMMON

Download Yara Rule

Strings

-A$, xrefs: 0CA74C52

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID: -A$
API String ID: 0-4253175391
Opcode ID: 3e46c2f1786c00b55e419c9a95ca153b0dbcfef6f42f2668236bc34127976e7b
Instruction ID: 78d5fdaae51636c279ad5236cea7486ad3586d67ab87d7ee68e4eb9313abcc25
Opcode Fuzzy Hash: 3e46c2f1786c00b55e419c9a95ca153b0dbcfef6f42f2668236bc34127976e7b
Instruction Fuzzy Hash: AF73CF71704100AFDB94EF99CC80E4FBBA6FF88310F298558E959AF311CA31ED549BA5

Function 0664F180 Relevance: 5.2, Strings: 4, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pA$, xrefs: 0664F1DD
qA$, xrefs: 0664F1F8
pA$, xrefs: 0664F1AA
qA$, xrefs: 0664F1B8

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: pA$$pA$$qA$$qA$
API String ID: 0-2947877496
Opcode ID: 7ae90979e58126622fcfc4a2afdb6478ef4e104f0df566062e5d819ccb4da52f
Instruction ID: 536577628928a0772f8734a6a7d710b01543410e9d49ab3282c53d1bd5e4ee67
Opcode Fuzzy Hash: 7ae90979e58126622fcfc4a2afdb6478ef4e104f0df566062e5d819ccb4da52f
Instruction Fuzzy Hash: 2C51D474B04204AF8FD0EFA5CC8095E7BA6EFC8214B148449FC29EB301DA35ED519BD9

Function 010835A0 Relevance: 4.6, APIs: 3, Instructions: 73
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,010F3A2E,?,00100000,?,?,?,?), ref: 010835C5

Part of subcall function 01083060: TlsGetValue.KERNEL32(?,?,?,?,?,010835F7,00000001,?,00000000,?,?,?,?,010F3A2E,?,00100000), ref: 0108308C
Part of subcall function 01083060: VirtualAlloc.KERNEL32(00000000,?,00002000,00000000,?,?,010F3A2E,?,00100000,?,?,?,?), ref: 010830E8

VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,010F3A2E,?,00100000,?,?,?,?), ref: 0108360A
VirtualAlloc.KERNEL32(?,?,00002000,00000001,?,?,010F3A2E,?,00100000,?,?,?,?), ref: 01083624

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Virtual$Alloc$FreeInfoSystemValue
String ID:
API String ID: 1211218043-0
Opcode ID: 6cfe7ee7b496830ad9598080d3061cad9a627c9c714045a292e08d82964e92c7
Instruction ID: e1364a2c5454e599968ea493a1a02180c682869460cd5b7e314919d265b83c27
Opcode Fuzzy Hash: 6cfe7ee7b496830ad9598080d3061cad9a627c9c714045a292e08d82964e92c7
Instruction Fuzzy Hash: 6221DEB27483049BE324AF18E885B66B7E8FB98705F14443EFA86CB380DA75E4458B10

Function 066293E0 Relevance: 4.3, Strings: 3, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

QKA$, xrefs: 06629A7E
@$, xrefs: 066294B4
QKA$, xrefs: 06629688

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: QKA$$QKA$$@$
API String ID: 0-2109498421
Opcode ID: d23f222e80bdfbaa043128416f9db363b0dfa8765d7686e6abf101d9c0f7366d
Instruction ID: 69d3ec6675c08979f11ebcf2a8f8854b331d919f93c73e075353c3d10caf7a4f
Opcode Fuzzy Hash: d23f222e80bdfbaa043128416f9db363b0dfa8765d7686e6abf101d9c0f7366d
Instruction Fuzzy Hash: D412C275A04615DFCFC8EFA5C890A5ABBE5BF88304F185448E969FB350CE35ED008BA5

Function 01083060 Relevance: 3.8, APIs: 3, Instructions: 70
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,010835F7,00000001,?,00000000,?,?,?,?,010F3A2E,?,00100000), ref: 0108308C
VirtualAlloc.KERNEL32(00000000,?,00002000,00000000,?,?,010F3A2E,?,00100000,?,?,?,?), ref: 010830E8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000000,?,?,?,?,?,010835F7,00000001,?,00000000,?,?), ref: 01083106

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AllocVirtual$Value
String ID:
API String ID: 2246243222-0
Opcode ID: f54da0e265586bd7050f0c0a280a39f2ecfc862f6ddd09ed426e8b5b1619d5d3
Instruction ID: b3ae921d31da938541d2dc2f0ed63d9d38f49a253ea0b3617173cfb781fc717d
Opcode Fuzzy Hash: f54da0e265586bd7050f0c0a280a39f2ecfc862f6ddd09ed426e8b5b1619d5d3
Instruction Fuzzy Hash: 3E112B723082019FF7689A18EC55A36BBDCF7C5651F00497DF1C6CA192DA35D8418720

Function 0CAB7B40 Relevance: 3.4, Instructions: 3399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d8940f6dcbd04f93ab1b6d20b7675ea0e2b8e6f6cc75aa4f1c497daab3f2bef
Instruction ID: 2c18d1d78f58272ac299c2311ecade9c82869f9b7bde9cb99ff408826c65b974
Opcode Fuzzy Hash: 1d8940f6dcbd04f93ab1b6d20b7675ea0e2b8e6f6cc75aa4f1c497daab3f2bef
Instruction Fuzzy Hash: 6143C571B00204AFDB94EFA5DC80A9FBBB5EF48310F188518E915BB351DA31FD509BA9

Function 2F80C160 Relevance: 3.1, Strings: 2, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

-#A$, xrefs: 2F80C34C
-#A$, xrefs: 2F80C42C

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: -#A$$-#A$
API String ID: 0-360493321
Opcode ID: 8d17bba0a4d3cadd1c44dc8ad6da781e77f18d91e122a9f7cd05e57d2eb3ab99
Instruction ID: f1ea19374cad85c27f32064393bbda2946b13df476b834cff151ec17f654ec51
Opcode Fuzzy Hash: 8d17bba0a4d3cadd1c44dc8ad6da781e77f18d91e122a9f7cd05e57d2eb3ab99
Instruction Fuzzy Hash: DD12F474B04209DBCF84BFB88D80B9EFBA2AF4A204F54812DEA54EF351DA34DD458765

Function 0CA5C580 Relevance: 3.1, Instructions: 3103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc9346c1af55fe3b5f98f4eca484cd4efa80ee936899d8230255b93b22e388f6
Instruction ID: bedbcd367a79b63d64898fba404084c5a80723cad7dffbb207a52a3eec9c1ed9
Opcode Fuzzy Hash: cc9346c1af55fe3b5f98f4eca484cd4efa80ee936899d8230255b93b22e388f6
Instruction Fuzzy Hash: 9F33C170704100AFDB94AB55CC80F9BBBB6FF88310F188668E959AF356CA31ED508BD5

Function 01046520 Relevance: 3.1, APIs: 2, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fa6558dde7e8f18f26c0fcb89b21846d46fae4cf36db81d39ee96fcb936c278
Instruction ID: 1456cc35ee300301d4725d0307713f5fa59f5475d1a1926b480592bfa11d50fd
Opcode Fuzzy Hash: 2fa6558dde7e8f18f26c0fcb89b21846d46fae4cf36db81d39ee96fcb936c278
Instruction Fuzzy Hash: 3A3174B5A007418FD3609F38D9807ABB7E4FF86330F544A6EE6E6C62D0EB36A4449751

Function 00F4FF40 Relevance: 3.0, APIs: 2, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?Wrap@ObjectWrap@node@@IAEXV?$Handle@VObject@v8@@@v8@@@Z.FOPHOLDE(?), ref: 00F4FF5B
?Replace@Buffer@node@@AAEXPADIP6AX0PAX@Z1@Z.FOPHOLDE(00000000,?,00000000,00000000,?), ref: 00F4FF86

Part of subcall function 00F4FFC0: ??0HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000000,?,00F4FDAC,?,?,?,?,?), ref: 00F4FFD1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Buffer@node@@HandleHandle@ObjectObject@v8@@@v8@@@Replace@Scope@v8@@Wrap@Wrap@node@@
String ID:
API String ID: 2128944911-0
Opcode ID: e7bd5f1a602348d5661ab371011cb6ad73e7a0cf40d11d8fc816a1583be4f8b1
Instruction ID: 6acf3aeed92eb717a65ae58a2febc87ac1cb5d558c42648bc52c92d5ba883ec7
Opcode Fuzzy Hash: e7bd5f1a602348d5661ab371011cb6ad73e7a0cf40d11d8fc816a1583be4f8b1
Instruction Fuzzy Hash: 12E01A702057109BE324AF40D915B07BEE1FF44B14F10CC1CF99A5B7D0C7B9A8489B92

Function 00F49BD0 Relevance: 3.0, APIs: 2, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570532ebfeaddbf3e993780f9349d9fe2384ef9f68f7ce735af695d4debfaf5b
Instruction ID: 07326c097a8dbc9e043d2d9dcc20934d5a80c7c1c2834cf5d9ce566cdd850661
Opcode Fuzzy Hash: 570532ebfeaddbf3e993780f9349d9fe2384ef9f68f7ce735af695d4debfaf5b
Instruction Fuzzy Hash: 9CE0863180424BBFCF21AF54CC45BCB7BA9AB14324F404515FD50120A1DB70A668DBA6

Function 2F812A05 Relevance: 2.6, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

NB$, xrefs: 2F812A39
NB$, xrefs: 2F812A90

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: NB$$NB$
API String ID: 0-1022639383
Opcode ID: df3df34c88cd7098f40660acb29c3b53c305b5e2681d97d4529bac474d3f65e0
Instruction ID: e722a1a8797f50c747a44027381eee46fe45cf862d7059b7936314ec7923a343
Opcode Fuzzy Hash: df3df34c88cd7098f40660acb29c3b53c305b5e2681d97d4529bac474d3f65e0
Instruction Fuzzy Hash: 5F1121787081008FDB98AE795DD0D1BBF69BF84714B044A49E804DF312D938CD91CBAA

Function 2F812A20 Relevance: 2.6, Strings: 2, Instructions: 59COMMON

Download Yara Rule

Strings

NB$, xrefs: 2F812A39
NB$, xrefs: 2F812A90

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: NB$$NB$
API String ID: 0-1022639383
Opcode ID: 10b117ffc058311192ea91a508c813e6be08aba9394848238e2642a145bd4ab6
Instruction ID: 0f62427d6f793a03e2ce8ff2b3d4562dc5e2db69047874d1f399c7070504faf5
Opcode Fuzzy Hash: 10b117ffc058311192ea91a508c813e6be08aba9394848238e2642a145bd4ab6
Instruction Fuzzy Hash: 7D1100743081009B9B98AE7A9D94D1BBF99FB84714B044A19E804DF302ED39DD90CBEA

Function 0CA87240 Relevance: 2.5, Instructions: 2538COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53a2619be7461893a3359cf4c66736bb014d5561d85782fcce59527451404a26
Instruction ID: 0201b38066d380c2de37e6b5a4b5413bbdddf99f693852756296cdd34d826cc5
Opcode Fuzzy Hash: 53a2619be7461893a3359cf4c66736bb014d5561d85782fcce59527451404a26
Instruction Fuzzy Hash: 4313E471B04204AFDF94EFA4CC80A6EB7B6EF88310F284528E915BB351DA35FD548B55

Function 0CA39B60 Relevance: 2.1, Strings: 1, Instructions: 813COMMON

Download Yara Rule

Strings

mNB$, xrefs: 0CA39E54

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID: mNB$
API String ID: 0-1816172894
Opcode ID: f786c8a4d644382aa454add9001ff1decc2f70621566a0511199fb10daa14808
Instruction ID: 2bd8a623bd8bf24373842c7373796496f138e17f309be68b2d0e93aa315fd813
Opcode Fuzzy Hash: f786c8a4d644382aa454add9001ff1decc2f70621566a0511199fb10daa14808
Instruction Fuzzy Hash: 29521E317047009BE795AB75CCA5B1ABF91AF40354F1C805CFA919F39ACBB6E844CB89

Function 06651740 Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

-#A$, xrefs: 0665183C

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: -#A$
API String ID: 0-2625030867
Opcode ID: b964a53bb2656abb8d3b179deb4566549f0dab0e437fbc73f32552d26c1a9b1f
Instruction ID: 4ed42eff1342d8c2bb775b85f9fc3b9f4380e91bf00869e2dcc1127a46298223
Opcode Fuzzy Hash: b964a53bb2656abb8d3b179deb4566549f0dab0e437fbc73f32552d26c1a9b1f
Instruction Fuzzy Hash: 38E1BF70E00205AFDF90ABA8CD42BAEFBA6BF0A340F054519ED15FB351D636D951CBA1

Function 06655980 Relevance: 1.6, Instructions: 1574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a1ca9b96c380b4a65e91e697cc8521ccd3a08040858f4d248f152b4d66390dc
Instruction ID: 881120b81f1413d152b24e60b64dd0863d2c3f324775794c395fe792fcab11b7
Opcode Fuzzy Hash: 3a1ca9b96c380b4a65e91e697cc8521ccd3a08040858f4d248f152b4d66390dc
Instruction Fuzzy Hash: 2FA295F43445056BDAE4EA6CDC92B2B67BE9FC8220F24891CB416DB784DD34BC86436D

Function 010464D0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

__close.LIBCMT ref: 010464F5

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: __close
String ID:
API String ID: 1611303643-0
Opcode ID: 6698fc75b6fc313aba4012f3e231ea98849931c2a9de4cb6eadb6096ecac3699
Instruction ID: e6e0421897f88bea8735e2c46736eb26160eceb9e045b83f4671c1be55fa4509
Opcode Fuzzy Hash: 6698fc75b6fc313aba4012f3e231ea98849931c2a9de4cb6eadb6096ecac3699
Instruction Fuzzy Hash: 58E06DB0800B508FCBB4EF38B58039277E0AF05234F500A6ED1AAC7691EB31A4809740

Function 06660120 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

-#A$, xrefs: 0666016A

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: -#A$
API String ID: 0-2625030867
Opcode ID: ecb802a37e1bdd616d883e8889ffe6e61ee9da72fc49d5e61576b86b3dd01464
Instruction ID: 368c9e7ba85e5d4fd41ae1e5e815e8fac9f93ba89df8d31545bdf2e185b5f965
Opcode Fuzzy Hash: ecb802a37e1bdd616d883e8889ffe6e61ee9da72fc49d5e61576b86b3dd01464
Instruction Fuzzy Hash: 5781CC70B002059FDFD4DABADA507AEBBA5EF88244F088439FC55EB311EA31DD418795

Function 2F818B40 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

tA$, xrefs: 2F818BF5

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: tA$
API String ID: 0-2915457903
Opcode ID: f828d99f4e6a39a342859fa4ec7fe390bacd5c475afd90923f868f2ee6587e3a
Instruction ID: cd89825f91657652719582b54bf02105aeda4590044ae4fce7a3ba642a47efa8
Opcode Fuzzy Hash: f828d99f4e6a39a342859fa4ec7fe390bacd5c475afd90923f868f2ee6587e3a
Instruction Fuzzy Hash: 573185B4704200BBDBD4EB65C981A5FFBA9AF84210F28861CE868DF341DE34ED4187A5

Function 2F818B00 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

tA$, xrefs: 2F818BF5

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: tA$
API String ID: 0-2915457903
Opcode ID: 32c383d7510743d815a1400e1caba7b129fbc3a970b724a39d561e8a79488f92
Instruction ID: 641e0ba0aa199f97440a512f0e29b1ce764eb51a26265eac53f386ab8ae52715
Opcode Fuzzy Hash: 32c383d7510743d815a1400e1caba7b129fbc3a970b724a39d561e8a79488f92
Instruction Fuzzy Hash: 684129B0609340AFCB91DB74C950A5BFFB5AF46210F188789E898DF352DA34DD41C7A6

Function 2F818B25 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

tA$, xrefs: 2F818BF5

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: tA$
API String ID: 0-2915457903
Opcode ID: e80211e56fe40aa274d7059ac9d6da40b512ea146c49030c4e02bbc7f05f2aed
Instruction ID: 51d13a090640b9d7cb9711120624bc80190cd5b203fef69db0f18efd71cf3dd1
Opcode Fuzzy Hash: e80211e56fe40aa274d7059ac9d6da40b512ea146c49030c4e02bbc7f05f2aed
Instruction Fuzzy Hash: C73197B4A04204BFCB94EB64C981A5FFBA9AF85210F288659E858DF341DA34DD4187A5

Function 010836E0 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,01083687,00100000,?,?,010F3A85,?,?,00000000), ref: 01083700

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 568419aae421650febbc678d68531b39381b24441b6b01853b88825cecbe4a82
Instruction ID: 6780c34092c57e72e5d00b15e4f5b43866ab406a0264624f05afb3d759e77e7c
Opcode Fuzzy Hash: 568419aae421650febbc678d68531b39381b24441b6b01853b88825cecbe4a82
Instruction Fuzzy Hash: 8AF08C71302110AFD7388F1DE884AA5B7E9EB85751B90806EF941C73A4C7B1DC809F21

Function 0CA85C80 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

1%B$, xrefs: 0CA85CCF

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID: 1%B$
API String ID: 0-2836991365
Opcode ID: 660ab429835c630284eb905793abd3766a54698ce537fd7c4923155dfe8086c3
Instruction ID: cddc76a0932e467c337e7833341d8b5c5e833cbb8ab09b32aacdee2dd3a986ef
Opcode Fuzzy Hash: 660ab429835c630284eb905793abd3766a54698ce537fd7c4923155dfe8086c3
Instruction Fuzzy Hash: 9801A275604104ABCF91AF92DC8084AFF35FF487607584148ED5A6F322D631ED209BE5

Function 010F38A0 Relevance: 1.3, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 010F3908

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: e7c1255cb78124e7e25c6c7e750b4bb8a0c08b26a45025f34a7825976941efbe
Instruction ID: 2b81b2243fc67cb32e2a980f16c74b3a4144f99728d72a15e47ab66cf87e7207
Opcode Fuzzy Hash: e7c1255cb78124e7e25c6c7e750b4bb8a0c08b26a45025f34a7825976941efbe
Instruction Fuzzy Hash: B2016931205701DFE358CF69C488B96FBE8FF01320F18459DE2988B642CBB5B894CBA1

Function 2F812A6E Relevance: 1.3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

NB$, xrefs: 2F812A90

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: NB$
API String ID: 0-2937546986
Opcode ID: 848c415c4f0b115ba14edc23537d9f766f5362359f565088d03807cafb37ba61
Instruction ID: 38d1bcda2fc52aa23177444e360df66a3591dbae7c281dbe16c71a2760f1c1bb
Opcode Fuzzy Hash: 848c415c4f0b115ba14edc23537d9f766f5362359f565088d03807cafb37ba61
Instruction Fuzzy Hash: 1DF0BE79304100DB9B64AE659CE5D1BBF11FB947247048B45E9059F392C939CC90DBD3

Function 06652D00 Relevance: 1.3, Strings: 1, Instructions: 24COMMON

Download Yara Rule

Strings

I!B$, xrefs: 06652D1A

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: I!B$
API String ID: 0-10169642
Opcode ID: b112e482a042bf31b2d7d3a9e25de1d43a04920f5c3a6dc66d38f5e52c3e88b8
Instruction ID: 057382a184ccdd919ddeaa8bc5441965cbb6f0628707828a80d929a871db7043
Opcode Fuzzy Hash: b112e482a042bf31b2d7d3a9e25de1d43a04920f5c3a6dc66d38f5e52c3e88b8
Instruction Fuzzy Hash: CAE0D831900204AB4FD19E92D88A86ABF58BFA4760B884248DD045F721D5339D50D7E9

Function 2F815904 Relevance: 1.1, Instructions: 1127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7eca2b293c663dc188c4a245fa6b1a86fde4770a2623b8b763ce97373a1659
Instruction ID: 09e8b187ff443039d0ba95c8285f993dc643f748d74be78d47d187e77d2bb1fe
Opcode Fuzzy Hash: 4e7eca2b293c663dc188c4a245fa6b1a86fde4770a2623b8b763ce97373a1659
Instruction Fuzzy Hash: 71A2B321618B4097E3866771CC55B97BFD05F017A4F08C25CEAA58F39BCBA9E448CF98

Function 066549A0 Relevance: .6, Instructions: 639COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4520a0c4b0ceb14d0ef4d2624e8dd20bca179fd812d495b314ebc6286435461
Instruction ID: e4f0b421cb7f0dc72278c776f7e3fef914a255bccfb9d0aff0201b76933fb172
Opcode Fuzzy Hash: f4520a0c4b0ceb14d0ef4d2624e8dd20bca179fd812d495b314ebc6286435461
Instruction Fuzzy Hash: 3A32E2747042009FDB98EF64C8D1A6ABBA2BF88300F18845DE965EF355CE35EC51CBA4

Function 2F8149C0 Relevance: .6, Instructions: 624COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a39b6171e2421c581d1a24517becf5ba149733a95001748a65b84ce38d0f71
Instruction ID: ae2f46a0b15b20783112bf75b791df50d68113d911b38e6ae0a25f46e5a2846e
Opcode Fuzzy Hash: f3a39b6171e2421c581d1a24517becf5ba149733a95001748a65b84ce38d0f71
Instruction Fuzzy Hash: A522AE70604705EBDB689BA9C980F5BF7E5BF49310F148728E954AF352C631FD418BA2

Function 2F817527 Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21a12c06113a37ec3739feab5177f42b556ce6a8f58c22e377d569949459e48
Instruction ID: 321279cfe018b2ee9410b8a89f2c22167bde88758317248e863a51c2f4967d99
Opcode Fuzzy Hash: d21a12c06113a37ec3739feab5177f42b556ce6a8f58c22e377d569949459e48
Instruction Fuzzy Hash: 272227306047099BE785AB74CC9178FFB916F40354F18C6ACAA048F38ADB76D985CB99

Function 2F81A260 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffa4c75c028d09b427418aaad035634e2143094c9b9b17f15ed34a1db89d3d1
Instruction ID: c8bd093151b03e68ad4a5e2c27c96106bcddc379464112fd15a6aec1dc1d1d42
Opcode Fuzzy Hash: 9ffa4c75c028d09b427418aaad035634e2143094c9b9b17f15ed34a1db89d3d1
Instruction Fuzzy Hash: F0D1A270B04209EBCB889ABCCD50BDFE7A5AF59254F088729D954EF341E635DD0287B1

Function 06628B40 Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c40d0a0b82a947750f7427ec15feb61954428e94d54502b50b6ea852b3d7e8
Instruction ID: 6163c292a88d5aa57a0e061fb5451980acb2466fb58b1b4fe993438bf398392e
Opcode Fuzzy Hash: 95c40d0a0b82a947750f7427ec15feb61954428e94d54502b50b6ea852b3d7e8
Instruction Fuzzy Hash: 14E1F2317087146BE7D92AA58CA5F2B7E55AF41790F0C9018FA259F3D3CE6AC844CBD8

Function 2F819C80 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c147125d6859a5da38f067dd2ee0a6ffe3fc2d594661ab8fcb8e9bfe8a8bfd3
Instruction ID: 114adb082eff00083e3319bd312c9ddd47b789405ec6a7254d86e983ed4c234c
Opcode Fuzzy Hash: 3c147125d6859a5da38f067dd2ee0a6ffe3fc2d594661ab8fcb8e9bfe8a8bfd3
Instruction Fuzzy Hash: 16C1B571F0020AEBCF449BB9C960AEFF7A2AF59244F14862AD914EF311E735D902CB55

Function 2F818180 Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bcc27c49a37da814b7aa731b0f808dfa7952f36484a449fa06d84dfe469737
Instruction ID: d66d2afd720804e796ac6b61d87e79b50e00401ad665b2aa335d51b63ad9b456
Opcode Fuzzy Hash: b0bcc27c49a37da814b7aa731b0f808dfa7952f36484a449fa06d84dfe469737
Instruction Fuzzy Hash: E7C1DE346043049FCB89EB64C881F9BBBF1BF49250F188299E914DF356DB34E940DBA4

Function 2F8181C0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad61dc19992a8d0b8cb072b70a26e4deaa02e23d809cfe36ab84a6b5983768a1
Instruction ID: e36cc5bb3216a016b964fef30c924a1b610019af69ea019164c0342766c741f4
Opcode Fuzzy Hash: ad61dc19992a8d0b8cb072b70a26e4deaa02e23d809cfe36ab84a6b5983768a1
Instruction Fuzzy Hash: 32C1CE74600605ABDB88EB64C881F9BFBE1BF48350F18C658E9249F356DB35E940DBA4

Function 2F8181A5 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c0ead3693df1d1cb9bfb5e75b1080b43656ab113b73b398c8df64d4a52a1b1
Instruction ID: 0302f1d2a772a623b9916cbc4a7d2fe2b438eb957b460c37a091ebbae32b8189
Opcode Fuzzy Hash: 58c0ead3693df1d1cb9bfb5e75b1080b43656ab113b73b398c8df64d4a52a1b1
Instruction Fuzzy Hash: 71C1DD74600604EBCB89EB64C881FABFBF1BF48250F18C658E9149F356DB35E940DBA4

Function 2F80AEE0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0b8c54cdf8326658bff0b98b527922188da9ad8c359677b630777256b2237d0
Instruction ID: ea04fcb7d2f60bea8bdc7b0f52f4fd01f7142c02d09ffc90adf82699e4681497
Opcode Fuzzy Hash: c0b8c54cdf8326658bff0b98b527922188da9ad8c359677b630777256b2237d0
Instruction Fuzzy Hash: 48A1B1B5700210EFD750EB6DCD80B5ABBEAAF4C210B40965CE928DF356DA31EC11DB95

Function 2F80A740 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d2d25e743af46873bb42d1511a7b40b76c12888f9306a49896628ee187d67e2
Instruction ID: 94c2c8083c589c77f1ca4ccc96228453804dbd26f5a183094c90dc99e1ba3b6e
Opcode Fuzzy Hash: 1d2d25e743af46873bb42d1511a7b40b76c12888f9306a49896628ee187d67e2
Instruction Fuzzy Hash: C891C471704211EFDB54BB79CE85A5ABBE1EF48250F84861DE944CF362EA31DC02CB91

Function 2F80AFA7 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2896e6933813360ca9896f2150c9478697f59d50225d70ba5af4f9a14db3e803
Instruction ID: 6fc07cb89e5b90e9f88745992dfb6e6f5ea7ae9121cb34c1a9b20a033fbd74d9
Opcode Fuzzy Hash: 2896e6933813360ca9896f2150c9478697f59d50225d70ba5af4f9a14db3e803
Instruction Fuzzy Hash: 0681B3B5700220EFD744EB6CCD90B5AB7EAAF9C210F50965DA928DF356DA31DC01CB94

Function 06642380 Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfca673c8f99fcf4d670ad024758d54dd8833924ae70b01d54f03ef01ab8053
Instruction ID: f9471565c8d19f36267c65531c651e5b97759f5cf2bd5f2c3bdfe14b486fc638
Opcode Fuzzy Hash: 6bfca673c8f99fcf4d670ad024758d54dd8833924ae70b01d54f03ef01ab8053
Instruction Fuzzy Hash: 9071B174B04104EFCF90EFA5CC9095EBBBAFF88250B184409F918EB315DA35EE119BA4

Function 2F8182FF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b721f1f117f21bda75fc619b204a8e3806e2b5ed92b3d11c4c6987075e3466f
Instruction ID: 009c1df6cef6d91d2178e0051000dd6324957f33c44809433926a83b7b5ba332
Opcode Fuzzy Hash: 7b721f1f117f21bda75fc619b204a8e3806e2b5ed92b3d11c4c6987075e3466f
Instruction Fuzzy Hash: 80819035704204EBDB88EBA4C991FABBBF1AF48210F188558E914DF352DB35ED40DBA4

Function 2F80B05B Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0466b7928e13baab565d0b29f1664f425655d63267da563ef57aaf029894c4d
Instruction ID: 493b7bd8ae9a63f4571ce17ff68ffd13a992840d54b289cfb200f4168645b0d3
Opcode Fuzzy Hash: f0466b7928e13baab565d0b29f1664f425655d63267da563ef57aaf029894c4d
Instruction Fuzzy Hash: 8851C2B4300211EFD744EB6DCD80B5ABBEAAF8C210F50865DA918DF356EA31DC01CB94

Function 2F80B09F Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9b52134e27c27f64d898c5c8bb7f0302ca7c90a2d2f43952992043b1c585bd
Instruction ID: 89b80d8a8ad63c7009afcbc5d3f147ff9213710baa08f895a0b8c820134f1eb5
Opcode Fuzzy Hash: 2e9b52134e27c27f64d898c5c8bb7f0302ca7c90a2d2f43952992043b1c585bd
Instruction Fuzzy Hash: 0151D1B4300211EFD744EB6DCD90B5ABBE6AF8C210F55865CA918DF356EA31EC11CB84

Function 0660F820 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e27737b50f4ca3e92ce812619dc775fc11fafb3220a31ab0ec182461aa6ce98
Instruction ID: 9bc70ea49a08be4c74ff15e8ec4be31a1d2996e662f4c44d6b28025975ff72c7
Opcode Fuzzy Hash: 6e27737b50f4ca3e92ce812619dc775fc11fafb3220a31ab0ec182461aa6ce98
Instruction Fuzzy Hash: E9412571A0C341AFE77D8F58C890A66BFB5FF4131471985BAC8958B3E6C730A852C761

Function 0CA70460 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65b06bd920c75df69a21beb6c256b904564754b762c9b0a754846f7bdd2fe4d0
Instruction ID: bc6ed0a2aacc309d2aec84d8131f54972f434e2270846a7bfb4c9fba475d21e1
Opcode Fuzzy Hash: 65b06bd920c75df69a21beb6c256b904564754b762c9b0a754846f7bdd2fe4d0
Instruction Fuzzy Hash: 05519975A04205AFCB80EFA4DC81DAEBBF9FF48310F148A58ED55AB311D630ED109B95

Function 2F80AA6C Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063f9f06e3d7f8286a0bbc0435144963edd5408ab333a8d6c3266939c229d457
Instruction ID: 8af001f5fd189364c86d6e6f83413d72e764834e5345c11813473da466a6468f
Opcode Fuzzy Hash: 063f9f06e3d7f8286a0bbc0435144963edd5408ab333a8d6c3266939c229d457
Instruction Fuzzy Hash: 4041D571704200EFCB54AF69DE96A4EBBE1EF48254F84851DE944DF3A2D631DC02CB92

Function 0660FA20 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4489ced6ceb2f40374d3572aa71c9015e856dac8a2c7f126dcec6b8f75a0fc4
Instruction ID: 66c09e55fef222c59288dabd788544ba9b3ab4c545e011af0df0f7e26fa14f1a
Opcode Fuzzy Hash: c4489ced6ceb2f40374d3572aa71c9015e856dac8a2c7f126dcec6b8f75a0fc4
Instruction Fuzzy Hash: DC410670A083818FE77DCF68C8E4566BFB1AF4621071881AAC8958B2E6D334E855CF60

Function 0660F860 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a59dad4eea688ccef79ead1b2a4338b23d01f6589a9b17ed8be74634b324c80
Instruction ID: 51c158e0d9e634cfdf211e40ab7def6da51c9f04198ee31ac2b06c9e727f96fc
Opcode Fuzzy Hash: 2a59dad4eea688ccef79ead1b2a4338b23d01f6589a9b17ed8be74634b324c80
Instruction Fuzzy Hash: 9241F571608201AFFB7D8F58C880A6ABBA5FF44314B19857DD8955B3D6C731E852CB60

Function 066198C2 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7793ca04b09522d19c07f35635ecde6d0b4cb3e1ae81dcc1101bfa5bf962291
Instruction ID: afea329bdc345621c477530fa4c211c58b659f184e88c5b979441080e80890bc
Opcode Fuzzy Hash: a7793ca04b09522d19c07f35635ecde6d0b4cb3e1ae81dcc1101bfa5bf962291
Instruction Fuzzy Hash: BE418E30A18241DFDBA9CF59C4F8A69BBA2BF05310B0C8799D8455F366C731E956CB90

Function 0660A200 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0af8db7246d03ed392dd830ce7846a6e4e3f0e777fb2bf70b2976db1bf2a5461
Instruction ID: 9c6c6f25bd54896b7c59aed3f0605b4b7bff5b1bd05c5d7d9909213545ab2bc8
Opcode Fuzzy Hash: 0af8db7246d03ed392dd830ce7846a6e4e3f0e777fb2bf70b2976db1bf2a5461
Instruction Fuzzy Hash: FF51BF75909305DFD76DCF48E48625AB7E0FB88380F44C92ED844AB39AC330AA55CF92

Function 2F81A220 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a0dc46fc11f9561c43a28b400297f4ec2288c0c9440acf1f4ddd48d1357fd2
Instruction ID: a8c5e26c861b87e11e905522cd2b8bae867e4fc807e054858feeb5000001e544
Opcode Fuzzy Hash: 02a0dc46fc11f9561c43a28b400297f4ec2288c0c9440acf1f4ddd48d1357fd2
Instruction Fuzzy Hash: 5C417D70A08245DFCB41DFB8C980A9FFFB1AF4A200F18869AD854EF212D635D9519BA5

Function 0660FBE0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4b845d78b6b3b7fa46cca2a3da8d4d9de7a3b83a698e92000c734c314a76f7
Instruction ID: 8620dac5c97e2111477aeb4b609c0b305e0e24fa9ad2f45b118f3c8ef98dc5f2
Opcode Fuzzy Hash: eb4b845d78b6b3b7fa46cca2a3da8d4d9de7a3b83a698e92000c734c314a76f7
Instruction Fuzzy Hash: 8D41047090C3419FE77ECF68D894556BFB1AF52214B2882AAD8959B2E2D7309842CB61

Function 066580E2 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5084ab9cb36053b73158eacade2732b51ca06141dd28ce8dee9229357890e2dc
Instruction ID: 040e15e2b1da328bff56b289e6f2455c720dafac27a4f5b8bf29c89d18268926
Opcode Fuzzy Hash: 5084ab9cb36053b73158eacade2732b51ca06141dd28ce8dee9229357890e2dc
Instruction Fuzzy Hash: C141F8706043129FDBE4DAA8C88675AFBA4AF44300F49851CDD64AB742CB35ED4187E5

Function 2F81A245 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47591df587831f7e422cf4987b24fe079c504271dd6d0d1cf4b9b03dd33a486
Instruction ID: 18e2882862793f445aa89fc356256590ed68aa68340b8055ec2bfaa0547a50e5
Opcode Fuzzy Hash: f47591df587831f7e422cf4987b24fe079c504271dd6d0d1cf4b9b03dd33a486
Instruction Fuzzy Hash: 1F317E70E04209EBCB44DFB9C980A9FFBB5BF49214F14871AE855EF302E630D9419BA5

Function 06614040 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c26adc7163bd873b037ece100faa8ec0d67a179aa13455fc5aae9aa46539aef1
Instruction ID: 55c0ffb108d03e358ff3502b4a45575e928a9e16956620df769c066297cc5a75
Opcode Fuzzy Hash: c26adc7163bd873b037ece100faa8ec0d67a179aa13455fc5aae9aa46539aef1
Instruction Fuzzy Hash: 10310731604742AFDB298F24C8966A9BBB1BF59324F6D4249C8615B3D2CB34F867C7D0

Function 06629BE0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31aee2fef291c24e08f62760b22fee480729a24244a21c74f90fbcd61f708b9e
Instruction ID: 588a2220e5b2f10e3c1123859724e9131ce869eac64a6005acdb5be7f04ae3e6
Opcode Fuzzy Hash: 31aee2fef291c24e08f62760b22fee480729a24244a21c74f90fbcd61f708b9e
Instruction Fuzzy Hash: 4831C834B04125EFCFC0AAA6CC8096E7BA9FF88750B044559FD15EB301DA35ED108BA5

Function 2F8184A2 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e66fe67b032f97d864ccfd9302455810fd37668ad5f6c0628452ed17be3723
Instruction ID: 037b5fffa7ce17814aac58e3b6d53e0eb7ef0c405da7b1d8748dfe343e43efa4
Opcode Fuzzy Hash: b8e66fe67b032f97d864ccfd9302455810fd37668ad5f6c0628452ed17be3723
Instruction Fuzzy Hash: FE419635B04204ABDB84EBA4CD90E6FBBB5EF48210F188559F925EF352CA31DD409BA5

Function 2F81A6B3 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e5721a1cfd29f1cb78eb0195f25a1ddedfdfe85f5dd1ccfc5b71d1f01c5eb49
Instruction ID: af51596cbff47f289b35f11ab0ad16b0dfdfb152101ea6ffb0e8d85193f5feec
Opcode Fuzzy Hash: 2e5721a1cfd29f1cb78eb0195f25a1ddedfdfe85f5dd1ccfc5b71d1f01c5eb49
Instruction Fuzzy Hash: E631E630B00209EBCF44DBA9CA90A9FF7A1AF59254F18831AD915BF351D631DD429BB2

Function 2F818000 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16e998986fd4234a7b4718056f21a6cb502d414148ab9e328ba1bf5b541c40e1
Instruction ID: 47d1edfbf0bfeb9418eb69abceb6c268527278651a17b8590501fa9746eb1a7d
Opcode Fuzzy Hash: 16e998986fd4234a7b4718056f21a6cb502d414148ab9e328ba1bf5b541c40e1
Instruction Fuzzy Hash: 6B41F3315047458FDB469B24CC91B87BFE0AF06354F088299D9848F3A7C73AE919CB9A

Function 0660FA60 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 602e373667d67e55438bc666f8326502373325b02ae16e1795942010dc0ba9bf
Instruction ID: 0cfc7f93fdccfe0bdb14183c76d2cfb9ae13794a1acb0579a406184ecf5ace8c
Opcode Fuzzy Hash: 602e373667d67e55438bc666f8326502373325b02ae16e1795942010dc0ba9bf
Instruction Fuzzy Hash: 2E41D0706082419FEB7CCF18D8E4A2AFBA1BF45310B188179D8955B3D5C734E851CF60

Function 2F8144E5 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d6b85f5f35d40a55ec8261ddb3e3cc893f43c77e874ac53e46b9a79b1d87f37
Instruction ID: 92d8d89a0b100b9314c0ed20b9d2dc98a9764cf794cd81aab73c3274dd97d850
Opcode Fuzzy Hash: 1d6b85f5f35d40a55ec8261ddb3e3cc893f43c77e874ac53e46b9a79b1d87f37
Instruction Fuzzy Hash: A331DDB1504B05DBDB56DF60CD80B9ABBE0AF42794F08C64CEA849F366C734E914CB59

Function 2F819C61 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4641d8e35915bbad82aa34fca72172d937e49ac2df2d9e487786125edc588afc
Instruction ID: 8f9a0d1151f11e24b7eb411808cf842dc767166a758e53533881bf4ea3d65509
Opcode Fuzzy Hash: 4641d8e35915bbad82aa34fca72172d937e49ac2df2d9e487786125edc588afc
Instruction Fuzzy Hash: 5B316D71E04209EFCF44CEB9C9A0A9FFBF1AB48310F14862AE915DF352E635D9508B61

Function 2F819C40 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 369161730fc49a7f388f8c782596cb4d8386752340ef37badd283e3ae7ac4571
Instruction ID: 674edcac3d2ecc594367cdc201dc488b1c1a5274cfcf8b5f35f50f9ad71e3ec8
Opcode Fuzzy Hash: 369161730fc49a7f388f8c782596cb4d8386752340ef37badd283e3ae7ac4571
Instruction Fuzzy Hash: 8E31B071E04209EFCF45CEB9C891A9FFBF1AB49210F04866AE915DF312E63589508B61

Function 0665FB40 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e885dfcf54d965cf548c3ae9f5405bb63d3b70866ba2328ef0cad620bd6eff6d
Instruction ID: 1d98b7b658fab1f3da6c59de886e28083f049a1388fa82d6db778e87be2495d0
Opcode Fuzzy Hash: e885dfcf54d965cf548c3ae9f5405bb63d3b70866ba2328ef0cad620bd6eff6d
Instruction Fuzzy Hash: 3131A2B5B00105BF8F90EF64C9809AF7BA9EF88320B148419FD29DB301DA31ED10DBA1

Function 06614080 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c807be3db7f584694a64162bb9a4fbf5340873fed63a3f21670420dddeaa9d3d
Instruction ID: dde74a6a7a81f510c524f5e7be6f93ea278e18d6dbbf45d2f84fcfc84620ad37
Opcode Fuzzy Hash: c807be3db7f584694a64162bb9a4fbf5340873fed63a3f21670420dddeaa9d3d
Instruction Fuzzy Hash: AA418235600602ABDB68CF24C88696AF7B2BF58354B5D4618D9165B781CB31FC67CBE0

Function 2F818025 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4707c2932959c5ca18ca2dbb3c2dd9cc992edb14a9327b16f857692397b2e910
Instruction ID: bf4cc9380ae47b0d1ae5840322785a3c6305b766818f3cbed27636a8b58ffa32
Opcode Fuzzy Hash: 4707c2932959c5ca18ca2dbb3c2dd9cc992edb14a9327b16f857692397b2e910
Instruction Fuzzy Hash: 0C31D0315007059BEB869B20C881B97FBE0AF04354F08C2ACEA944F35BC736E919DB99

Function 06626A62 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7da9d22d3562d5d6c9c8a421eafda34bf422778ec7856d1baaa1328f89be8d
Instruction ID: eae220273e90e43bcbb13b267769372e9befd5eb795ba1c4ecdc08238e16b8a4
Opcode Fuzzy Hash: ad7da9d22d3562d5d6c9c8a421eafda34bf422778ec7856d1baaa1328f89be8d
Instruction Fuzzy Hash: 9D319230608A679FDF959F68C488A65BBA0AF05360B08C295FC55CF362C335DD228F84

Function 2F814500 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d62390dd58af51d6598c1816a0ccec57d1ee285ba0cd36841ef147bb41d4a143
Instruction ID: 8672db58d1d4129748a831df5cf2eab1f9ee2a3ec853ab9b0f019d739f82c497
Opcode Fuzzy Hash: d62390dd58af51d6598c1816a0ccec57d1ee285ba0cd36841ef147bb41d4a143
Instruction Fuzzy Hash: 2E31EEB1100B05EBDB55EF60CE84B8BBBE0AF42794F08C618EA449F356C735E954CB99

Function 0660FC20 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcb7784b93d5c47964a2f9e8b68111a490428cd5476e5db9b1d69b65a45f5ad
Instruction ID: 66f8d7d3885f577a01a950a439999b9420a61a9a7438a727d4134da57a116710
Opcode Fuzzy Hash: 3dcb7784b93d5c47964a2f9e8b68111a490428cd5476e5db9b1d69b65a45f5ad
Instruction Fuzzy Hash: 0D31E170A082019FEB7DCF18D884A26BBA1BF45314B28817DD8959B3D5C731E841CB60

Function 2F818040 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68b0adf7509b1d5ceb4f2fd8187691d053d60fad0449f9ba5e8d470f41c8d86a
Instruction ID: 8fd8cf90fea3d8bcf14ccbc3a27c4e460b215d97c9c5ac70757faa4c145874d9
Opcode Fuzzy Hash: 68b0adf7509b1d5ceb4f2fd8187691d053d60fad0449f9ba5e8d470f41c8d86a
Instruction Fuzzy Hash: C531E1315007058BEB86DB20C881B97FBE0AF04350F08C2ACEA544F35BC736E909DB99

Function 0662A2A0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f08ad98dace0d6346103b028c03350cb64b574c5e6135f0ea58fe448745520
Instruction ID: c00e38e4e72bf4c8210b3cfc6f8faa88eea0245594488ca08726375d180a8cd8
Opcode Fuzzy Hash: e1f08ad98dace0d6346103b028c03350cb64b574c5e6135f0ea58fe448745520
Instruction Fuzzy Hash: 6D317F74B00214AFCF80EFA9CC8095EBBA6EF88314B044459FC19EB311CA35ED50DBA9

Function 06613F7A Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87cc2e0a938fe62b3eefc51b7c9cf843e0f41f23a3cbebfcd64d7080392695fa
Instruction ID: d9bec7b785d8daa89df198c152e46b874386d56bedc5b3811bb36a1e2365afbb
Opcode Fuzzy Hash: 87cc2e0a938fe62b3eefc51b7c9cf843e0f41f23a3cbebfcd64d7080392695fa
Instruction Fuzzy Hash: 2221B575204602AFD76CCE18D88559BB7B6FBC4320B298639DA1297780C730FD26CBD1

Function 2F80C9AA Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd87f24497cfcf11441cf03608329386bf22ab37af792f12155e2bab1e99ece
Instruction ID: b2a957601e30778535b65b861e94be6d632a657a93179c0c653815e375cdbc30
Opcode Fuzzy Hash: bbd87f24497cfcf11441cf03608329386bf22ab37af792f12155e2bab1e99ece
Instruction Fuzzy Hash: 1921E175B00108DB8F80BFA88D85A9DF7A1AF4A214F98821DDF04EF351DA34DD058765

Function 2F838C20 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0810dccb66b1312eab58eef58929cbda0058263baaed729ddd509b8c9f0bedf5
Instruction ID: 56f2be9bfc559da14bb845a8e43b9a4af5cce657b7c2673fc32e4d265cd6d22f
Opcode Fuzzy Hash: 0810dccb66b1312eab58eef58929cbda0058263baaed729ddd509b8c9f0bedf5
Instruction Fuzzy Hash: 86317C72D006198BC755DF64C884FAABBF0AF043A0F098168DD546F36AD775A906CFD4

Function 2F8131C0 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec30221aa9728998a426fe9a79cf63539418739e414b11575b1181dc3f694f2d
Instruction ID: 1e6eff1d9c418818bdcd83cd51009587c10df69ed30730eee82bccb4ae90fdff
Opcode Fuzzy Hash: ec30221aa9728998a426fe9a79cf63539418739e414b11575b1181dc3f694f2d
Instruction Fuzzy Hash: AD31F5716043949FDF56AF61CC80A4ABFB1AF06310F0982CAEA449F363C635DD64CBA5

Function 2F8131E5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad8b619891770a6930ef76d6c71a803d7277526e15da389cffd4d4cc97af026
Instruction ID: bb2c5622e7a3f4ec45d0078cacd5ffcaaa310cb4512b9607eb34979fbd8400e4
Opcode Fuzzy Hash: fad8b619891770a6930ef76d6c71a803d7277526e15da389cffd4d4cc97af026
Instruction Fuzzy Hash: C821F271A00214AFCF55AF61CC81A4ABFB2BF08310F098288EA449F327C631DD65DB95

Function 0CA708DA Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26ec31453c8444e5aaff458460d20c4e2684bb0411ae9dec8aba2b64568c930
Instruction ID: d760dd4926f3b7fad5d3d162497842af90df2badb3a5c6a31939138d7c3f0267
Opcode Fuzzy Hash: d26ec31453c8444e5aaff458460d20c4e2684bb0411ae9dec8aba2b64568c930
Instruction Fuzzy Hash: 9121B1B1A093049FE724DF99D8A9315BBE0FB443A0F248A1ED4D4A7395DB31D681CF92

Function 0660A1C0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cb4e95406fe886aee1dfa1dd70f670a888ce4e67726f2cf60a83dd9bdb5b19a
Instruction ID: af1230fef483c00fd04c19d69f7be778f51736a9b36be5b0ea7184a23ccf09bf
Opcode Fuzzy Hash: 8cb4e95406fe886aee1dfa1dd70f670a888ce4e67726f2cf60a83dd9bdb5b19a
Instruction Fuzzy Hash: B41190B584E3848FC7068FA898652857FB0BB06354F1541AFD8959B3A3D3789A05CB52

Function 2F813200 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ede7b939486aac057ec9fdf4d3a614a43d15e0550cf2ea3850280501974f8afc
Instruction ID: e77e81a03c5f22c716183fcd4ccb5dce8740abbb617665f4cfb8c671c171872f
Opcode Fuzzy Hash: ede7b939486aac057ec9fdf4d3a614a43d15e0550cf2ea3850280501974f8afc
Instruction Fuzzy Hash: 6821D171A00214ABCF55AF51CC81A4BBFA2BF48760F498288EA045F326C631DD64DBD5

Function 06625B42 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fd9fbc9003c946fd28a1c437281f85bb9f63e5ddc6f27ed11be1a56f8384ab
Instruction ID: 5ba75411ef7cd05bc55eeba74ce31056a9db79c74e3a553dc2b5f4c5590201c6
Opcode Fuzzy Hash: 98fd9fbc9003c946fd28a1c437281f85bb9f63e5ddc6f27ed11be1a56f8384ab
Instruction Fuzzy Hash: 0E210270608A16AFDFB0AF04C988969BB61EF44710F488508F8479F360E731ED91CF94

Function 0665BF60 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38761cbab0ee5d5723feb340e931894e72d0c133c9508eb6cd6b06d626c27e
Instruction ID: adccbe929f9b53a949bddb78675f6b62a2739f60a70d3e2085ff3bfbbfb0c69f
Opcode Fuzzy Hash: cd38761cbab0ee5d5723feb340e931894e72d0c133c9508eb6cd6b06d626c27e
Instruction Fuzzy Hash: BF1108B4A04304AFCF909F25C98556F7BA9BF94320F458149EC19DF341DA31DD518BE4

Function 06658DE0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 802905babebed2e3c803d17e0c39b2b60fb0c9cc2b8618c2b4b196cb0428d2a2
Instruction ID: 48094a450f2630f0d3a4a4a3df2f3fa3cfa89662b6d37eaa4d483a54a5358cef
Opcode Fuzzy Hash: 802905babebed2e3c803d17e0c39b2b60fb0c9cc2b8618c2b4b196cb0428d2a2
Instruction Fuzzy Hash: 1C11DD31600211AFCFA19F41DC8584EBFB1EF49320B498288ED096F322C631ED65EBC5

Function 0660A000 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3ee552fa80d8a2a962ad1d4ebf9a669e2d7f261cc7056f8bbd899e19194412
Instruction ID: b2c6d30b9cb6cd4e93a8e567d1b4fb1d7eb63f807b0f81a58b6481139337f590
Opcode Fuzzy Hash: 1c3ee552fa80d8a2a962ad1d4ebf9a669e2d7f261cc7056f8bbd899e19194412
Instruction Fuzzy Hash: F111AC3164E3889FE3224B50AC53B523F31FB42798F16449BE440AE2E7C2754959C7B1

Function 2F817D40 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8296310afe23be725b9a20f02c07716c54eac7c9393fd262032405b2d990a7b6
Instruction ID: 66b798d78883cb3bd563702dc3c8dbc42edd018bebf66f077231fcbebbd8166c
Opcode Fuzzy Hash: 8296310afe23be725b9a20f02c07716c54eac7c9393fd262032405b2d990a7b6
Instruction Fuzzy Hash: B211027090D3C46FC7538B718CA1A4ABF749F07300B4902CBD884CF2A3C6649D19C7A6

Function 0660A028 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b481cc25262b7277828c16e4ffc51034ac34666e05e18c48d825d9a8a9936396
Instruction ID: fe055733713f735a627ab5a2a0c3a8fcc1223d2819e380ba3ea305b74d7b90ab
Opcode Fuzzy Hash: b481cc25262b7277828c16e4ffc51034ac34666e05e18c48d825d9a8a9936396
Instruction Fuzzy Hash: 86018171A4E349DFE7318F10BC93B52BF22FB41798F544959E0042E38AC27246A1CBA0

Function 06651580 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e24f2ab668ddf9243e9f144974c626ff3b03c58d67fd130341caa047f14a9c19
Instruction ID: 5d679097fb9a0edb2f42b5faf34440d5790686ae5fc542a8d9f7f4055626c823
Opcode Fuzzy Hash: e24f2ab668ddf9243e9f144974c626ff3b03c58d67fd130341caa047f14a9c19
Instruction Fuzzy Hash: 7F11A135A04104FB8F919F92DC8086EFF75EF89350B094589EE546B311C632AD50DF95

Function 0660F740 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54d6d4f43c7cc08446fa1e64d3c9b7c62ce395795edd3eda7232a523283ebd81
Instruction ID: 6bc7d14e56a1b097b81c95c5a43243af007e7804e2374ad595103cd9838a1c4f
Opcode Fuzzy Hash: 54d6d4f43c7cc08446fa1e64d3c9b7c62ce395795edd3eda7232a523283ebd81
Instruction Fuzzy Hash: 27F0F9321003056EEB344DACED8099A3BA9DBC5320F214738EE62E70D1D672F456C642

Function 0661DF82 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4c321342e2d0c9fa5d5b5960563380fe0aa1ced6a8c7205a5061a3972765ea
Instruction ID: a3c59d6fb0f588eaa8f2109ce13c0dc57fbe2108b555e95a1239b65f6daec4ef
Opcode Fuzzy Hash: dd4c321342e2d0c9fa5d5b5960563380fe0aa1ced6a8c7205a5061a3972765ea
Instruction Fuzzy Hash: 2A01FC7470430467DF94BEA69C82F1AFB69DB54700F488129E614AF342D631AD1487F9

Function 066421E0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 987a4931008b6497583dc92a7acc032809b6cad03a3208ecde76d3ac2b10b856
Instruction ID: fdd1e0ba9c007ad60a8d23fb017ca78881a675d7510be3f12bbec4282bd9b3bc
Opcode Fuzzy Hash: 987a4931008b6497583dc92a7acc032809b6cad03a3208ecde76d3ac2b10b856
Instruction Fuzzy Hash: 090142747086006B9FD0BEA58C8092BBBA9AFC4300B2C460DF819EF345CC25ED8087F9

Function 2F817D65 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5e41adcf3b6c3014ada4b2788b145f8b5581055cd78eac488f5213d9e86595
Instruction ID: 8165a85a4ef3b91f6ba689416cfc79a8577e102b4dbbacac342716c947a0ba30
Opcode Fuzzy Hash: 5c5e41adcf3b6c3014ada4b2788b145f8b5581055cd78eac488f5213d9e86595
Instruction Fuzzy Hash: C1F0F4B1908308AFCB91DFA19C91A4EBF70AF05700F884299D854AF343C670AD15CBAA

Function 0660A040 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 688a7772b5a6d7603271e644d01c18b1b7724d25ecc6d9f0102077656ec2822e
Instruction ID: 201eef9cc34cbade37a5036c506cf01f160b5cb46be6c066db5cf3a1ee4bda29
Opcode Fuzzy Hash: 688a7772b5a6d7603271e644d01c18b1b7724d25ecc6d9f0102077656ec2822e
Instruction Fuzzy Hash: 60013C70B4A308ABF7318F40FC47F167B15F740BD8F504819E5052E3CAC2B259A18BA1

Function 0660A1E8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9745c02fdc570851b8cf271a0abe75f056029b7eaefdec8070527187713a3f
Instruction ID: 0992b57d4a18b99cc41b55e8a02189b1de17529636a5f061b30187daf1503cf7
Opcode Fuzzy Hash: be9745c02fdc570851b8cf271a0abe75f056029b7eaefdec8070527187713a3f
Instruction Fuzzy Hash: 58F0F0B0848388DFC705CF98C899289BBB1FB05304F10846EE8595B381C3389A05CF02

Function 2F817D80 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92804e35f0c59c1ba86d60b3179cb4a61f4be7c8fe88e7a5b388c007521dcb3c
Instruction ID: 1c3889323b9839aec4ca0a8769346f73e56a78281fc6eaa38d98daf9d83b1199
Opcode Fuzzy Hash: 92804e35f0c59c1ba86d60b3179cb4a61f4be7c8fe88e7a5b388c007521dcb3c
Instruction Fuzzy Hash: 8DF0F671A04308ABCB90DE56DC81A0FFB68DF44710B884258E9185F303C671AD11CBEA

Function 06619A46 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07a0888b7d7e03e606090ab480abb44e6e4f1048143d708d972c478fac0cb07
Instruction ID: cb7ce4c1f5c1a940498cadc9adcee164092dff6401a73674c6a8893833166419
Opcode Fuzzy Hash: d07a0888b7d7e03e606090ab480abb44e6e4f1048143d708d972c478fac0cb07
Instruction Fuzzy Hash: 7CF04F39900104FFCF959F94C891A59FBB1EF48700B088259F9099F260C635EE69EBD1

Function 0660FDC2 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a477ec56e037064662c6b2e5ed25dd97410f3fc0f4548b3b5f582ce3bf9db293
Instruction ID: af8f40c2b8339472f1300378e3d285988ae9a207e17c3cbd44c18315db11f585
Opcode Fuzzy Hash: a477ec56e037064662c6b2e5ed25dd97410f3fc0f4548b3b5f582ce3bf9db293
Instruction Fuzzy Hash: E5F0E774200202ABEB6CDF64D8D581BB765FB483147114168DD125B386D671FC62CBA0

Function 2F83904C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3fe402f11629554ca0b29a377f713d3e3e9cea5aa94b603617c95868447379
Instruction ID: 2e8735b288ff39ab160be6b0d207c3cd0b63f016a7d9921c326e98e3a212036e
Opcode Fuzzy Hash: ca3fe402f11629554ca0b29a377f713d3e3e9cea5aa94b603617c95868447379
Instruction Fuzzy Hash: 72F05E78A001189FCB04EE54C89AAAABBB9FF04350F504148ED156B715D731ED94CBE1

Function 0660F773 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68fb7694ca9b92917db72d556901e8ccdd8fe52d787c6c0def3657726dfad2c
Instruction ID: 51faa4d51232041f60fd09a4b7621d6bcde398fd8a780abe0216c43cb66a1a8a
Opcode Fuzzy Hash: d68fb7694ca9b92917db72d556901e8ccdd8fe52d787c6c0def3657726dfad2c
Instruction Fuzzy Hash: 76E0D8726002066EDB205EACDD409E977A9EB84304F214538D952E7091EA71F455C642

Function 2F837460 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d395b8dae602a2adbb86a6e31a25f07bbecc82bdbf4de941caf7f1b6d03f2c31
Instruction ID: 8b27f1a72c1875dfba405e825b08c9ca82089ee34c84b96fbfb5b85c5bdfefc3
Opcode Fuzzy Hash: d395b8dae602a2adbb86a6e31a25f07bbecc82bdbf4de941caf7f1b6d03f2c31
Instruction Fuzzy Hash: 25F0A032804308AB8F519F52D8C084EFF28EF09760B488548ED541F322C231BE60DBE9

Function 0CA871A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc5191aca356d31faecb6438fb2256495ca5be24c280193b362538ad563798d8
Instruction ID: 67c9d60cfc9bdbc0059bec78b6ba0a6238a499f7d51a1d43e861cb06dd5f7af6
Opcode Fuzzy Hash: cc5191aca356d31faecb6438fb2256495ca5be24c280193b362538ad563798d8
Instruction Fuzzy Hash: 25F0E571504214AB8F91AE52DC8141EBB24AF44710B984248EE455F713E630AD6897E9

Function 0CA723E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487938376.000000000CA0A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0CA0A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ca0a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9602a5c73059d9af05837a38cdbad2ed605555a66e1fb52ac204209a46f5f6c7
Instruction ID: d5ebe1cd07a28aef3bccdaee428d05e6a2837b5113ed420971fc84868574d4aa
Opcode Fuzzy Hash: 9602a5c73059d9af05837a38cdbad2ed605555a66e1fb52ac204209a46f5f6c7
Instruction Fuzzy Hash: 59F0E571504204EB8F91DE52EC8591ABB64FF48710B88434CDC051F722D630ED24A7E9

Function 06653D80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1d33be155121e9cb743114e101563d4beb3b30ec133fa3b23544e9aff61518b
Instruction ID: 3a76fabac0aefd0de17d04c965987c5cc2483020a29e99b6355fac9eb9e0ff6a
Opcode Fuzzy Hash: b1d33be155121e9cb743114e101563d4beb3b30ec133fa3b23544e9aff61518b
Instruction Fuzzy Hash: 00E020325042087B8F925E52DC8981EFF28FF54BA0B894248DD086F315D5319D10D7F5

Function 0660F751 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ddc60d752616672777dcd6e48aef0491de1a8cb6bcb57ca61614d69a9925116
Instruction ID: 9cb5bc7d1b831c379cd55ea6e40c55c2fc733d92d7cbb0d6de802527d07dce0e
Opcode Fuzzy Hash: 6ddc60d752616672777dcd6e48aef0491de1a8cb6bcb57ca61614d69a9925116
Instruction Fuzzy Hash: 4AE086360042096BDB248E9CEC409CA77A9DBC5320F214669DA22A71E08631F9668652

Function 06610000 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7357b636536dc185683f2c0f850b481f203c9b9e9c7675a6517d43a180fd3acb
Instruction ID: b1267b1dd29af06b3df9615aab1f93a93be9328a1b76cdfc5c7e4449ddc18f91
Opcode Fuzzy Hash: 7357b636536dc185683f2c0f850b481f203c9b9e9c7675a6517d43a180fd3acb
Instruction Fuzzy Hash: 81C0126134C30876F168114BAC46F936FACEB82B50F10013AF9019A1D3E6C3E8008068

Non-executed Functions

Function 00F501D0 Relevance: 52.8, APIs: 24, Strings: 6, Instructions: 319COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F501F1

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?IsInt32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F5023A
?New@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,value is not a number,000000FF), ref: 00F5024F
?Error@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Handle@VString@v8@@@2@@Z.FOPHOLDE(?,00000000), ref: 00F5025E
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE ref: 00F502E4
?IsInt32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F50382
?IsInt32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F5040E
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F5042B
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000002,?,00000001), ref: 00F50442
?New@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,Must have start <= end,000000FF,?,00000002,?,00000001), ref: 00F50467
?Error@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Handle@VString@v8@@@2@@Z.FOPHOLDE(?,00000000,00000002,?,00000001), ref: 00F50476
?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,00000000,?,00000000,00000002,?,00000001), ref: 00F5047E
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000002,?,00000001), ref: 00F5048A
?New@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,end cannot be longer than parent.length,000000FF,?,00000002,?,00000001), ref: 00F504B8
?Error@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Handle@VString@v8@@@2@@Z.FOPHOLDE(?,00000000,00000002,?,00000001), ref: 00F504C7
?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,00000000,?,00000000,00000002,?,00000001), ref: 00F504CF
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000002,?,00000001), ref: 00F504DB
?Undefined@v8@@YA?AV?$Handle@VPrimitive@v8@@@1@XZ.FOPHOLDE(?,00000002,?,00000001), ref: 00F5050E
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000001), ref: 00F5051E
?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,00000000,?,00000000), ref: 00F5057F

Strings

Error initializing V8, xrefs: 00F502C5, 00F50360, 00F503EC
v8::Undefined(), xrefs: 00F5021E, 00F502A7, 00F502CA, 00F50342, 00F50365, 00F503CE, 00F503F1
value is not a number, xrefs: 00F50249
Bad argument., xrefs: 00F5053D, 00F50562
Must have start <= end, xrefs: 00F50461
end cannot be longer than parent.length, xrefs: 00F504B2

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle@$Exception@v8@@Local@Value@v8@@$HandleScope@v8@@$Error@Int32Int32@New@String@v8@@String@v8@@@2@String@v8@@@2@@ThrowV21@@Value@Value@v8@@@1@Value@v8@@@2@$Value$Primitive@v8@@@1@Undefined@v8@@
String ID: Bad argument.$Error initializing V8$Must have start <= end$end cannot be longer than parent.length$v8::Undefined()$value is not a number
API String ID: 346822919-992243621
Opcode ID: 3226b0564ce4c8e159f09f037224b5e1c94604858ba0e4d7feb965bd5af4f4e6
Instruction ID: b2d8193f96c0975fa4cfd4d9048ae640afc7ac1ac297473abf621da5965a3038
Opcode Fuzzy Hash: 3226b0564ce4c8e159f09f037224b5e1c94604858ba0e4d7feb965bd5af4f4e6
Instruction Fuzzy Hash: 49B19931A003428FCB24EF64D894BAA77A4FF6531AF400469EE8697291EF31EC4DDB51

Function 0111EAC0 Relevance: 24.8, APIs: 1, Strings: 13, Instructions: 336COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0111EE82

Strings

%p [%s]: %d (%.2f%%) free %s, xrefs: 0111ED89
VUUU, xrefs: 0111EB8C
Collected %d evacuation candidates for space %s, xrefs: 0111EF03
[fragmented], xrefs: 0111ED5B
Malloced operator new, xrefs: 0111EE5E
MAP_SPACE, xrefs: 0111EEEA, 0111EF01
Estimated over reserved memory: %.1f / %.1f MB (threshold %d), xrefs: 0111EBFE
OLD_DATA_SPACE, xrefs: 0111EEDC
CELL_SPACE, xrefs: 0111EEF1
LO_SPACE, xrefs: 0111EEF8
CODE_SPACE, xrefs: 0111EEE3
OLD_POINTER_SPACE, xrefs: 0111EED5
NEW_SPACE, xrefs: 0111EECE

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID: %p [%s]: %d (%.2f%%) free %s$CELL_SPACE$CODE_SPACE$Collected %d evacuation candidates for space %s$Estimated over reserved memory: %.1f / %.1f MB (threshold %d)$LO_SPACE$MAP_SPACE$Malloced operator new$NEW_SPACE$OLD_DATA_SPACE$OLD_POINTER_SPACE$VUUU$[fragmented]
API String ID: 269201875-489434612
Opcode ID: ba50e9aafb26d00dda6b0440fbe6a5519b49bbb28587c76b9db7e9988a491384
Instruction ID: b29f318e1e118f9d334fa19cc851c2f10a7c22eae721d773873fec5ac389b1fc
Opcode Fuzzy Hash: ba50e9aafb26d00dda6b0440fbe6a5519b49bbb28587c76b9db7e9988a491384
Instruction Fuzzy Hash: A5D1AF7060A3518FD72ACF68C584A6AFBE5FF85344F80492DF98287359E770E845CB42

Function 0103F710 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 220COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0103F74E
GetLastError.KERNEL32 ref: 0103F758
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104), ref: 0103F89F
GetLastError.KERNEL32 ref: 0103F8A9

Strings

:, xrefs: 0103F96B
\, xrefs: 0103F93A
:, xrefs: 0103F9B0

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$ByteCharCurrentDirectoryMultiWide
String ID: :$:$\
API String ID: 3107270012-3089822572
Opcode ID: 9cec0ba024e6db837594b46de01054274b8c22f94f8a64cb37739a0a4f89aa4f
Instruction ID: 23270a21ffff7cc83fbab43849a36926769df94bf855ccc02e5eb36043a44ece
Opcode Fuzzy Hash: 9cec0ba024e6db837594b46de01054274b8c22f94f8a64cb37739a0a4f89aa4f
Instruction Fuzzy Hash: 6D71E274A042069BE778EB28E448BBF77E9EFD4710F94856EE189C71D0EA3494808753

Function 0104A1B0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

PostQueuedCompletionStatus, xrefs: 0104A4E2
malloc, xrefs: 0104A3B6, 0104A3C5

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: PostQueuedCompletionStatus$malloc
API String ID: 0-1830353163
Opcode ID: 3c96180cac2efbc3cfd8124989b75f0e174085f1a7cccf7f54620e616112abcf
Instruction ID: 523b0b1c52491b05b330bfcbecd349cfb8603fc6257067ef3582a9552ab39292
Opcode Fuzzy Hash: 3c96180cac2efbc3cfd8124989b75f0e174085f1a7cccf7f54620e616112abcf
Instruction Fuzzy Hash: 2631A3B1740702ABE7209F29DC84B17B7E8FF98650F144928EA9597691DB74F800CBA1

Function 0104E510 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

uv_tcp_bind6.FOPHOLDE(?), ref: 0104E5A7

Strings

src\win\tcp.c, xrefs: 0104E66D, 0104E6A1, 0104E719, 0104E74D
((((handle)))->flags & UV__HANDLE_CLOSING) == 0, xrefs: 0104E672, 0104E71E
((handle))->activecnt > 0, xrefs: 0104E6A6, 0104E752

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_tcp_bind6
String ID: ((((handle)))->flags & UV__HANDLE_CLOSING) == 0$((handle))->activecnt > 0$src\win\tcp.c
API String ID: 1385262018-25200887
Opcode ID: e707251d75adc708cb78c2e502ca0f66bdb967374a250608516da178ab64226f
Instruction ID: e9f0929ccbdaf076e6fd629dd273c69ab58d3b7e130ecab215e841cbe6662254
Opcode Fuzzy Hash: e707251d75adc708cb78c2e502ca0f66bdb967374a250608516da178ab64226f
Instruction Fuzzy Hash: DA7107B1A007018FD724CF29D581BA6B7E0FF98314F40466DE9CA9B791EB74E585CB81

Function 0104E2C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 189COMMON

Download Yara Rule

APIs

uv_tcp_bind.FOPHOLDE(?,?,?,?,?,?,?,?,?,?,0103BFD0), ref: 0104E32E

Strings

src\win\tcp.c, xrefs: 0104E3F4, 0104E428, 0104E4A0, 0104E4D4
((((handle)))->flags & UV__HANDLE_CLOSING) == 0, xrefs: 0104E3F9, 0104E4A5
((handle))->activecnt > 0, xrefs: 0104E42D, 0104E4D9

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_tcp_bind
String ID: ((((handle)))->flags & UV__HANDLE_CLOSING) == 0$((handle))->activecnt > 0$src\win\tcp.c
API String ID: 4142105763-25200887
Opcode ID: 4ac64fb16f3d6d829804bf4423658437efb9499485950af3fd3359d19cba08b6
Instruction ID: beb96e9f7da354090f0f06a81288d97774b2e12e64ec90d8ae8e148c6079bc6a
Opcode Fuzzy Hash: 4ac64fb16f3d6d829804bf4423658437efb9499485950af3fd3359d19cba08b6
Instruction Fuzzy Hash: 6A6133B1A007028FE724DF2DD885BA7BBE0FF94704F40856DE9869B681EB34E445CB81

Function 01049C30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66filenativepipeCOMMON

Download Yara Rule

APIs

SetNamedPipeHandleState.KERNEL32 ref: 01049C50
GetLastError.KERNEL32 ref: 01049C5A
SetLastError.KERNEL32(00002736), ref: 01049C6A
NtQueryInformationFile.NTDLL(?,?,?,00000004,00000010), ref: 01049C89
CreateIoCompletionPort.KERNEL32(?,?,?,00000000), ref: 01049CA0

Strings

0, xrefs: 01049C93

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$CompletionCreateFileHandleInformationNamedPipePortQueryState
String ID: 0
API String ID: 2986766703-4108050209
Opcode ID: 262d1eb7f96f37b88623cd0b45ea557606ea5b77666498f68d611669ea17d536
Instruction ID: 96e420c1d181325881eedadb3255b6003f90779d5041ddc54ddb64172edc00af
Opcode Fuzzy Hash: 262d1eb7f96f37b88623cd0b45ea557606ea5b77666498f68d611669ea17d536
Instruction Fuzzy Hash: DA11D3713003009FE321DE69EC89B57BBE8FF84665F404979FA85D10A1D334E5098BA1

Function 01050790 Relevance: 9.1, APIs: 6, Instructions: 83networkCOMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 010507B6
inet_addr.WS2_32(?), ref: 010507FD
htonl.WS2_32(00000000), ref: 01050803
inet_addr.WS2_32(?), ref: 01050811
setsockopt.WS2_32(?,00000000,0000000D,?,00000008), ref: 01050856
WSAGetLastError.WS2_32 ref: 01050861

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: inet_addr$ErrorLasthtonlsetsockoptuv_udp_bind
String ID:
API String ID: 2621790547-0
Opcode ID: 75adc78695dab3aae863d2f5291435bf21b5ed59d97d90578519d68ffb19f7b3
Instruction ID: 4380da9970bc73fcfa729e779ddb14b3751863b88b120a0fcc51401a6541224d
Opcode Fuzzy Hash: 75adc78695dab3aae863d2f5291435bf21b5ed59d97d90578519d68ffb19f7b3
Instruction Fuzzy Hash: 8F21AE31A002019BD740DB2CE848B6ABBE0BF84324F548769F998872D5E370D558CBD1

Function 0104FBE0 Relevance: 7.6, APIs: 5, Instructions: 91networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000000), ref: 0104FC23
closesocket.WS2_32(00000000), ref: 0104FC44
setsockopt.WS2_32(000000FF,00000029,0000001B,?,00000004), ref: 0104FC78
bind.WS2_32(000000FF,00000002,00000002), ref: 0104FC89
WSAGetLastError.WS2_32(?,?,?,?,?,0103BF03,?,00000010,?), ref: 0104FC94

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastbindclosesocketsetsockoptsocket
String ID:
API String ID: 1404696016-0
Opcode ID: 5c6c8378f05a9a3df75f70e66cdaa53eeaa2b984941a6553277a46c0d6457824
Instruction ID: c8b3bed43a02d0185f192aff88886321ab2449d336e1ca1ba8c40916ad348408
Opcode Fuzzy Hash: 5c6c8378f05a9a3df75f70e66cdaa53eeaa2b984941a6553277a46c0d6457824
Instruction Fuzzy Hash: 992107B2200306ABE6105B2CFD88B55F7D4FF84331F208766FAB5925E1D77198548BD4

Function 0104FCD0 Relevance: 7.6, APIs: 5, Instructions: 87networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000017,00000002,00000000), ref: 0104FD19
WSAGetLastError.WS2_32 ref: 0104FD26
closesocket.WS2_32(00000000), ref: 0104FD68
setsockopt.WS2_32(000000FF,00000029,0000001B,00000004,00000004), ref: 0104FD9D
bind.WS2_32(000000FF,?,0000001C), ref: 0104FDAD

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastbindclosesocketsetsockoptsocket
String ID:
API String ID: 1404696016-0
Opcode ID: 066cadbb3656917e6d701624f8fb2437c8793298778bc80349e3afd13c52c433
Instruction ID: 647e18aa20c70231c52e806d512337157b56970a1797c266c1c3fcf92b4bd7bd
Opcode Fuzzy Hash: 066cadbb3656917e6d701624f8fb2437c8793298778bc80349e3afd13c52c433
Instruction Fuzzy Hash: C131D4716047019BD314EB28E885B9AF7E1BF8C334F404729F6E9922D0E774D9808B82

Function 0104FF40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 78COMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 0104FF8C

Strings

(handle)->activecnt > 0, xrefs: 0104FFF4
(((handle))->flags & UV__HANDLE_CLOSING) == 0, xrefs: 0104FFC0
src\win\udp.c, xrefs: 0104FFBB, 0104FFEF

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_udp_bind
String ID: (((handle))->flags & UV__HANDLE_CLOSING) == 0$(handle)->activecnt > 0$src\win\udp.c
API String ID: 4293835443-1231346339
Opcode ID: b0695efe2bd0dd471541e78c7da3c3232201b5606940bfc11d370bf8d59416c2
Instruction ID: 034809f179fdbedefd50eea652ba558aa400a75585ec4dbdcd1053091857d74d
Opcode Fuzzy Hash: b0695efe2bd0dd471541e78c7da3c3232201b5606940bfc11d370bf8d59416c2
Instruction Fuzzy Hash: BC21C1B5B007029FE3209F1DE881BA7B7E4EF89314F14462EE9C69A781D770E4458B90

Function 0106A3A0 Relevance: 5.1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

Strings

CHECK(%s) failed, xrefs: 0106A453
allow_empty_handle || that != 0, xrefs: 0106A44E
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0106A45D
v8::Debug::SetDebugEventListener(), xrefs: 0106A3E3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::Debug::SetDebugEventListener()
API String ID: 0-2625061419
Opcode ID: 2bf31058125dcafab9b0421deb038507528162d1992dfbd77461650042f72ad3
Instruction ID: 028c3382f5bed8add4cb64ebbfd3678c504ea837ed0b5b9806a73097ae71010c
Opcode Fuzzy Hash: 2bf31058125dcafab9b0421deb038507528162d1992dfbd77461650042f72ad3
Instruction Fuzzy Hash: E7218B31304202EFDB26AF1CE8407A5B7E9FB81324F4441A5E498A7781DB70BC95CBA1

Function 010472A0 Relevance: 4.6, APIs: 3, Instructions: 77filenativeCOMMON

Download Yara Rule

APIs

NtQueryInformationFile.NTDLL(00000000,?,?,00000028,00000004), ref: 01047302
RtlNtStatusToDosError.NTDLL(00000000), ref: 01047314

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorFileInformationQueryStatus
String ID:
API String ID: 3308321636-0
Opcode ID: 3ac1cbb0182f8e29429e140a9693a73949d3d01046204221e5f22f019a3ab6ba
Instruction ID: dade8451473dd4253f92aa5c52f0b34f60f1d7bd9642c6fa7f6ebe65441b1b13
Opcode Fuzzy Hash: 3ac1cbb0182f8e29429e140a9693a73949d3d01046204221e5f22f019a3ab6ba
Instruction Fuzzy Hash: E421C8B16147049BD360DF38E845BABBBE8FF94621F400B6EF9A6C61D0DB70A4048792

Function 010509D0 Relevance: 4.6, APIs: 3, Instructions: 57networkCOMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 01050A03
setsockopt.WS2_32(?,00000029,00000015,?,00000004), ref: 01050A26
WSAGetLastError.WS2_32 ref: 01050A30

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastsetsockoptuv_udp_bind
String ID:
API String ID: 1902922526-0
Opcode ID: dbfde610918cb1254f48f1b7fd9479c572d5cd659b7b3f99d7a415c8f295a2d5
Instruction ID: ba21fad6ff25170b1a98b7ee4516f23eeca32dd4294652ce30b98f8a806c177f
Opcode Fuzzy Hash: dbfde610918cb1254f48f1b7fd9479c572d5cd659b7b3f99d7a415c8f295a2d5
Instruction Fuzzy Hash: 0711A371700301AFE3609F28E809B9ABBE4FF84765F048759FA949A2D5D370D8908B91

Function 01050A80 Relevance: 4.6, APIs: 3, Instructions: 56networkCOMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 01050AB3
setsockopt.WS2_32(?,00000029,0000000A,?,00000004), ref: 01050AD6
WSAGetLastError.WS2_32 ref: 01050AE0

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastsetsockoptuv_udp_bind
String ID:
API String ID: 1902922526-0
Opcode ID: 1cedf55645052a08183b28e9651a26523a6225a0459c4e31452905c37a8bdcaa
Instruction ID: 2b4f35b1f6749a22a12375b6259d3003c0a93322f9088892a596c189781bdd7f
Opcode Fuzzy Hash: 1cedf55645052a08183b28e9651a26523a6225a0459c4e31452905c37a8bdcaa
Instruction Fuzzy Hash: 1011A031700301AFE3509F28E849B5BBBE4FF84365F048659FA948A2D5D330D891CB91

Function 01050B30 Relevance: 4.5, APIs: 3, Instructions: 45networkCOMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 01050B5B
setsockopt.WS2_32(?,00000029,0000000B,?,00000004), ref: 01050B7E
WSAGetLastError.WS2_32 ref: 01050B88

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastsetsockoptuv_udp_bind
String ID:
API String ID: 1902922526-0
Opcode ID: d6f4182c315a5093fa671c0ac54d940518348f442826bcf2c1e4825e9f185f4d
Instruction ID: 6ea6cd5f7ec4172de60dd72b7b3a3cff811e114e9525fc0c43774b640e9392c8
Opcode Fuzzy Hash: d6f4182c315a5093fa671c0ac54d940518348f442826bcf2c1e4825e9f185f4d
Instruction Fuzzy Hash: AD01BC71B00302AFE3509F2DE845B5BBBA8BF84764F048659FE9486295E730D5508BD1

Function 01050890 Relevance: 4.5, APIs: 3, Instructions: 41networkCOMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?), ref: 010508BB
setsockopt.WS2_32(?,0000FFFF,00000020,?,00000004), ref: 010508D8
WSAGetLastError.WS2_32 ref: 010508E2

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastsetsockoptuv_udp_bind
String ID:
API String ID: 1902922526-0
Opcode ID: f62fbb2b4882b372823b8195f44635dde8e7a4c95c50d517e389ebecea19eb32
Instruction ID: 41105a523a5a064619c58f7a67e08a57a911abd3f78f2f130760815a19b5a1bf
Opcode Fuzzy Hash: f62fbb2b4882b372823b8195f44635dde8e7a4c95c50d517e389ebecea19eb32
Instruction Fuzzy Hash: 6901AD71A04302ABE350AF2DE804B5AFBA8BF84721F048669FA94D6295E730D95487E1

Function 01068540 Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

Error initializing V8, xrefs: 010685AE
v8::V8::RemoveMessageListener(), xrefs: 01068590, 010685B3
v8::V8::RemoveMessageListeners(), xrefs: 010685D4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: Error initializing V8$v8::V8::RemoveMessageListener()$v8::V8::RemoveMessageListeners()
API String ID: 0-3458968835
Opcode ID: 90f4977c921459154f1013edb9e976b6b2bc49b0d11bf1f528d9d32b2e455bf4
Instruction ID: 8b2096791f53e3ea3fcde55a49b470cbcd5ebbff00f4a5636bccf172b829b9ec
Opcode Fuzzy Hash: 90f4977c921459154f1013edb9e976b6b2bc49b0d11bf1f528d9d32b2e455bf4
Instruction Fuzzy Hash: FF618D70204701CFDB62DF2CC484696B7F4FB89314F4885AAE9E98B396D734E886CB51

Function 010470C0 Relevance: 3.0, APIs: 2, Instructions: 43filenativeCOMMON

Download Yara Rule

APIs

NtSetInformationFile.NTDLL(00000000,?,?,00000008,00000014), ref: 01047116

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FileInformation
String ID:
API String ID: 4253254148-0
Opcode ID: 97fee2f526aaf0b1a676c1437a4302a9a76a57905ef850e65aaf42d94277df9e
Instruction ID: 999e334225aca425dae926e54ad907b71a23f0559c46392d999dd7018bc7bd65
Opcode Fuzzy Hash: 97fee2f526aaf0b1a676c1437a4302a9a76a57905ef850e65aaf42d94277df9e
Instruction Fuzzy Hash: 56015EB0904B009FD764EF6CD8947D7BBE4BF44324F80895DE5EB86691EB35A0488B91

Function 0106A1F0 Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

Error initializing V8, xrefs: 0106A261
v8::Debug::SetDebugEventListener2(), xrefs: 0106A243, 0106A266, 0106A287

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: Error initializing V8$v8::Debug::SetDebugEventListener2()
API String ID: 0-625046039
Opcode ID: 5ef355acc57dc7cf8e8a72b227976d64a18d5f2e780ec00f3a96556cc87ed0f9
Instruction ID: c839b5ea18759c137c819b9f3d4998ba9dfad4e9ecac25c036a19769f0b5dbd7
Opcode Fuzzy Hash: 5ef355acc57dc7cf8e8a72b227976d64a18d5f2e780ec00f3a96556cc87ed0f9
Instruction Fuzzy Hash: 2B41C631648312DFDF62EF2CD4807EA77E5FB4A310F4405A9ED89AB285C7719849CB61

Function 01050300 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

uv_udp_bind6.FOPHOLDE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,0103C0F8,?,?), ref: 0105036B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_udp_bind6
String ID:
API String ID: 1328510616-0
Opcode ID: 6b8757bcf44d94e332452b22447ad8b79137101c5f5bf7b95df4503e2fba9d8a
Instruction ID: cb83599fbd5d117d796d08db09b6fa822b92012beb56163625ff0154dd2c277d
Opcode Fuzzy Hash: 6b8757bcf44d94e332452b22447ad8b79137101c5f5bf7b95df4503e2fba9d8a
Instruction Fuzzy Hash: 72110376A043018BD714DF2DD841AABFBF4BFCC314F408A1DF99882251EB71D5858B82

Function 01050260 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

uv_udp_bind.FOPHOLDE(?,00000000), ref: 010502A2

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_udp_bind
String ID:
API String ID: 4293835443-0
Opcode ID: 6882a44b1f8eb7309ef2efd3c13d6adbcfbc078b4c26b1def28217ca9382bc7e
Instruction ID: 60b3880134cd61580161c9d15ff60e6cd269330c04a86cae9daed3bfc188b094
Opcode Fuzzy Hash: 6882a44b1f8eb7309ef2efd3c13d6adbcfbc078b4c26b1def28217ca9382bc7e
Instruction Fuzzy Hash: 2901D6B2F043015BD710AB1C9801EAFBBE5BFC8320F805D1DF9D582242EB65D55487D2

Function 01052920 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

?Exit@Isolate@v8@@QAEXXZ.FOPHOLDE ref: 01052945

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Exit@Isolate@v8@@
String ID:
API String ID: 15001716-0
Opcode ID: 85d2b823d23421f9cfb78eb351581c229236862273cb002e4c7769f40848f38e
Instruction ID: 5c79fe35e2ec8c284c46483bf59084ee48d8329f9419e73610bd2b2a36511ba0
Opcode Fuzzy Hash: 85d2b823d23421f9cfb78eb351581c229236862273cb002e4c7769f40848f38e
Instruction Fuzzy Hash: 27F0F834204212CFC364EF28E094896B3F1FF6936076189A9E9C5CB361CB31AC42CB90

Function 0106A040 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cee480badd56d7ef4fc6b5879b02ad1475bd760fb0919097fe6b669b67773cf
Instruction ID: 601ccf88937709dbaf1fc7058901ffd5fc3c2f73195d1caf17aaac8885d51d97
Opcode Fuzzy Hash: 2cee480badd56d7ef4fc6b5879b02ad1475bd760fb0919097fe6b669b67773cf
Instruction Fuzzy Hash: E8112774604242DFEB21DF18C8C0A927BF4FB49350F4845B9ED999F28AD730A945CBA2

Function 01068370 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94258938f553f83742472c766279f2cf55e0f5b0f772c490cc8e6862dbb60b23
Instruction ID: 188e12991b74fa8fc47cb156cef26724a96fa57fb287fd864e01f0c6ea08f03f
Opcode Fuzzy Hash: 94258938f553f83742472c766279f2cf55e0f5b0f772c490cc8e6862dbb60b23
Instruction Fuzzy Hash: 59018FB5608702EFD315CF28C484AD6FBF9FB48310F44462AE5A997291E770B998CBD1

Function 0103BE30 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00323192f61838276bbf8eb433ed046fee25c8bfbc1f710496b8e6614371cff5
Instruction ID: 60ce96ba3fea4a65a62c737d9062198402f8788c26f1ae9a8e3bfcf0904042e1
Opcode Fuzzy Hash: 00323192f61838276bbf8eb433ed046fee25c8bfbc1f710496b8e6614371cff5
Instruction Fuzzy Hash: A4017C74A043018BD344DF28C481A6ABBF0AF9C328F948A0CF5D857291EB75D5C9CB82

Function 0103BEC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be72f1f82867972b92c71526ab9ddfe928a39fc3507bd2ec19a16d61b0bbf94
Instruction ID: cc967fcd89dbf5dcd1f2515633400d2cce6c77219b1e57a3fa59062c06119681
Opcode Fuzzy Hash: 2be72f1f82867972b92c71526ab9ddfe928a39fc3507bd2ec19a16d61b0bbf94
Instruction Fuzzy Hash: 1CF081709143018FC704DF2CD419B6ABBE1BF98718F85895CF49957292E774D988CB82

Function 0103BDB0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0457fb228029104b3147260c71b2e647968c570b5e65dd7ea8bdf137172aa5cd
Instruction ID: f034a92da46dfa86815e8e6820f386b3eb4ee1d46390e5335c49286d23d194fc
Opcode Fuzzy Hash: 0457fb228029104b3147260c71b2e647968c570b5e65dd7ea8bdf137172aa5cd
Instruction Fuzzy Hash: CDF090709143058FD710EF1CC049B1ABBE1AF98314F81CA5CE0D5472A2E7B4D488CB82

Function 0103BF40 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLastsocket
String ID:
API String ID: 1120909799-0
Opcode ID: 8ee2a6efff3db542a3910d0788e2f640a1a36036e69734b7fbf7a6045e9f55b6
Instruction ID: bee4031e3bb919fed8ec39642acad8bac86b32024c18457e9ddcf7655d20a077
Opcode Fuzzy Hash: 8ee2a6efff3db542a3910d0788e2f640a1a36036e69734b7fbf7a6045e9f55b6
Instruction Fuzzy Hash: A7F0D4709047468BC701DF2CC14461AB7F0BBC5328FA4DA98E4885B256E7B5D985DA82

Function 0103C120 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fd7e87af6096670a31373a442bc8f9e2f29a7a0546ce91a9110388172f3f95
Instruction ID: 98b0be1dc71aa5a5bcdd0cb55c993e5d15d430bd7c80dea2a58a77b7a5bac8aa
Opcode Fuzzy Hash: a0fd7e87af6096670a31373a442bc8f9e2f29a7a0546ce91a9110388172f3f95
Instruction Fuzzy Hash: D3E04F746102018FEB48CF2DD688A1A77F27FC1724F58C59CA4988B2A2D374D804EA05

Function 010493C0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84ade780728cd81bfc757bc77134780ca17369d6cd934e75c53df616e62d9cca
Instruction ID: 67700e5e025b0db2de878a9ea993576a84e974c446afa07f05ed9d99cd1e1ab4
Opcode Fuzzy Hash: 84ade780728cd81bfc757bc77134780ca17369d6cd934e75c53df616e62d9cca
Instruction Fuzzy Hash: 67B092B0204101AB9345DA08C4D081EB7E2EB96325B24CD7CE08A83161CB32DC02DA41

Function 01051290 Relevance: 138.6, APIs: 52, Strings: 27, Instructions: 353libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?), ref: 010512A7
CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 010512B8
CreateSemaphoreA.KERNEL32(00000000,00000001,7FFFFFFF,00000000), ref: 010512D0
CloseHandle.KERNEL32(?), ref: 010512E0
DeleteCriticalSection.KERNEL32(?), ref: 010512F2
CloseHandle.KERNEL32(?,?), ref: 01051318
CloseHandle.KERNEL32(?), ref: 01051325
DeleteCriticalSection.KERNEL32(?), ref: 01051333

Part of subcall function 01050F30: _raise.LIBCMT ref: 01240409
Part of subcall function 01050F30: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0124041A

EnterCriticalSection.KERNEL32(?,?,?), ref: 0105135C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0105137D
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 01051389
LeaveCriticalSection.KERNEL32(?), ref: 01051390
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0105139B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513A7
EnterCriticalSection.KERNEL32(?), ref: 010513AE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 010513BE
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513CA
LeaveCriticalSection.KERNEL32(?), ref: 010513D1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 010513DC
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513E8
GetModuleHandleA.KERNEL32(ntdll.dll,75573060), ref: 01051426
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 01051443
GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 01051458
GetProcAddress.KERNEL32(00000000,NtDeviceIoControlFile), ref: 0105146D
GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 01051482
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 01051497
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 010514AB
GetProcAddress.KERNEL32(00000000,GetQueuedCompletionStatusEx), ref: 010514C1
GetProcAddress.KERNEL32(00000000,SetFileCompletionNotificationModes), ref: 010514CE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 010514DB
GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 010514E8
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 010514F5
GetProcAddress.KERNEL32(00000000,AcquireSRWLockShared), ref: 01051502
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0105150F
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockShared), ref: 0105151C
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 01051529
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockShared), ref: 01051536
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 01051543
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 01051550
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0105155D
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0105156A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 01051577
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 01051584
GetLastError.KERNEL32 ref: 0105158E

Part of subcall function 01051290: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,0142F7D8,00000000,00000000,01050C45,?,?,?,0103B1F8), ref: 01051635
Part of subcall function 01051290: LocalFree.KERNEL32(?), ref: 01051689

GetLastError.KERNEL32 ref: 010515A0
GetLastError.KERNEL32 ref: 010515B2
GetLastError.KERNEL32 ref: 010515C4
GetLastError.KERNEL32 ref: 010515D6
GetLastError.KERNEL32 ref: 010515E8
GetLastError.KERNEL32 ref: 010515FA

Strings

InitializeConditionVariable, xrefs: 01051545
ntdll.dll, xrefs: 01051421
WakeConditionVariable, xrefs: 01051579
SleepConditionVariableCS, xrefs: 01051552
GetQueuedCompletionStatusEx, xrefs: 010514BB
NtQuerySystemInformation, xrefs: 01051491
AcquireSRWLockShared, xrefs: 010514F7
NtSetInformationFile, xrefs: 0105147C
%s: (%d) %s, xrefs: 01051650
SetFileCompletionNotificationModes, xrefs: 010514C3
AcquireSRWLockExclusive, xrefs: 01051504
NtQueryInformationFile, xrefs: 01051452
WakeAllConditionVariable, xrefs: 0105156C
TryAcquireSRWLockShared, xrefs: 01051511
CreateSymbolicLinkW, xrefs: 010514D0
NtDeviceIoControlFile, xrefs: 01051467
GetProcAddress, xrefs: 010515A6, 010515B8, 010515CA, 010515DC, 010515EE
GetModuleHandleA, xrefs: 01051594, 01051600
ReleaseSRWLockExclusive, xrefs: 01051538
Unknown error, xrefs: 0105163F, 01051649
ReleaseSRWLockShared, xrefs: 0105152B
SleepConditionVariableSRW, xrefs: 0105155F
RtlNtStatusToDosError, xrefs: 0105143D
TryAcquireSRWLockExclusive, xrefs: 0105151E
kernel32.dll, xrefs: 010514A6
InitializeSRWLock, xrefs: 010514EA
CancelIoEx, xrefs: 010514DD

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AddressProc$CriticalErrorLastSection$Semaphore$Handle$ObjectReleaseSingleWait$Close$CreateDeleteEnterLeaveModule$FeatureFormatFreeInitializeLocalMessagePresentProcessor_raise
String ID: %s: (%d) %s$AcquireSRWLockExclusive$AcquireSRWLockShared$CancelIoEx$CreateSymbolicLinkW$GetModuleHandleA$GetProcAddress$GetQueuedCompletionStatusEx$InitializeConditionVariable$InitializeSRWLock$NtDeviceIoControlFile$NtQueryInformationFile$NtQuerySystemInformation$NtSetInformationFile$ReleaseSRWLockExclusive$ReleaseSRWLockShared$RtlNtStatusToDosError$SetFileCompletionNotificationModes$SleepConditionVariableCS$SleepConditionVariableSRW$TryAcquireSRWLockExclusive$TryAcquireSRWLockShared$Unknown error$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll$ntdll.dll
API String ID: 3504521690-2814116715
Opcode ID: 276fa8ab2460192671698ae8ea0c5a78fdd6cb336b8ac433399c7d44ee4eff80
Instruction ID: de59aed39eb5493c29269d7a322f5209865a946eba7fdb73ec976057856ba5e2
Opcode Fuzzy Hash: 276fa8ab2460192671698ae8ea0c5a78fdd6cb336b8ac433399c7d44ee4eff80
Instruction Fuzzy Hash: 6FA1A171644302EBDB602B7ABC08B5BBEF9EF44A54B04891AF955E26A4DF74D440CB20

Function 01083290 Relevance: 52.6, APIs: 15, Strings: 15, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(dbghelp.dll,?,010F7A05,?,010FA4FC,?,?,?,?), ref: 010832A2

Strings

SymGetOptions, xrefs: 010832C1
CreateToolhelp32Snapshot, xrefs: 01083351
SymGetLineFromAddr64, xrefs: 0108330F
SymGetSymFromAddr64, xrefs: 01083302
SymLoadModule64, xrefs: 010832E8
SymInitialize, xrefs: 010832B9
Module32NextW, xrefs: 01083366
Module32FirstW, xrefs: 01083359
SymSetOptions, xrefs: 010832CE
SymGetSearchPath, xrefs: 010832DB
SymGetModuleBase64, xrefs: 01083329
SymFunctionTableAccess64, xrefs: 0108331C
StackWalk64, xrefs: 010832F5
dbghelp.dll, xrefs: 0108329D
kernel32.dll, xrefs: 01083336

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: LibraryLoad
String ID: CreateToolhelp32Snapshot$Module32FirstW$Module32NextW$StackWalk64$SymFunctionTableAccess64$SymGetLineFromAddr64$SymGetModuleBase64$SymGetOptions$SymGetSearchPath$SymGetSymFromAddr64$SymInitialize$SymLoadModule64$SymSetOptions$dbghelp.dll$kernel32.dll
API String ID: 1029625771-2394516871
Opcode ID: df16058982d148bdc2b2f738a2a1fe373abc525c86c118f89b543d9d0b300763
Instruction ID: 6601c4b080711c92d7573a638d09c2d044df6beb0148c77fa13cb532bbce683a
Opcode Fuzzy Hash: df16058982d148bdc2b2f738a2a1fe373abc525c86c118f89b543d9d0b300763
Instruction Fuzzy Hash: 4A311B35945330E6DB316E7EB80EB56BEF4E781A18FC8405FE184962B8DBB480C9CB51

Function 00F53EC0 Relevance: 38.8, APIs: 18, Strings: 4, Instructions: 273COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F53ED5

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Length@String@v8@@QBEHXZ.FOPHOLDE ref: 00F53F98
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000), ref: 00F53FA7
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53FCE
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53FD5
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000,?,01987608,01987608,00000000), ref: 00F53FE1
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(00000000,01987608,00000000), ref: 00F53FEF
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(00000000,01987608,00000000), ref: 00F53FFA
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F54027
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F54046
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F5409E
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(00000000,00000000,?,00000002,?,00000002,?,00000001), ref: 00F540BF
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F540E7
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F540EE
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F5410D
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,00000002,?,00000001), ref: 00F54140
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F54166
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F5416D

Part of subcall function 00F4F940: ??0HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F94D
Part of subcall function 00F4F940: ?New@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F95A
Part of subcall function 00F4F940: ?TypeError@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Handle@VString@v8@@@2@@Z.FOPHOLDE(?,00000000,000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F966
Part of subcall function 00F4F940: ?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,00000000,?,00000000,000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F96E

Strings

Argument must be a string, xrefs: 00F5417C
Invalid hex string, xrefs: 00F54017
v8::Undefined(), xrefs: 00F53F15, 00F53F7A
Offset is out of bounds, xrefs: 00F540FD

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleScope@v8@@$Handle@New@$Integer@v8@@Integer@v8@@@2@Object@v8@@$Attribute@2@@FunctionFunction@Function@v8@@@2@PropertySet@Template@v8@@Value@v8@@@2@0$Exception@v8@@String@v8@@ValueValue@Value@v8@@$Close@Count@Error@FieldInt32InternalLength@Object@internal@2@String@v8@@@2@String@v8@@@2@@ThrowTypeUint32V21@@V342@@Value@v8@@@1@Value@v8@@@2@
String ID: Argument must be a string$Invalid hex string$Offset is out of bounds$v8::Undefined()
API String ID: 294770180-2647923068
Opcode ID: 4e9d18dc42de7f9789aa79b25e7439c1cd897b9d0f057b836bf2ac959cc673d3
Instruction ID: 6d7e3c53fade1221d52e6c9a6555c3ae73555ec1ea4fdbb1c5a8d2a54fa72447
Opcode Fuzzy Hash: 4e9d18dc42de7f9789aa79b25e7439c1cd897b9d0f057b836bf2ac959cc673d3
Instruction Fuzzy Hash: 07914636B042019FCB14DF28DC80AAAB7FAEB99354F144469FE458B390DB32ED49D791

Function 06624AA2 Relevance: 36.6, Strings: 29, Instructions: 314COMMON

Download Yara Rule

Strings

)dA$, xrefs: 06624D47
%eA$, xrefs: 06624DDF
M]A$, xrefs: 06624AF1
dA$, xrefs: 06624D34
AcA$, xrefs: 06624CAF
]eA$, xrefs: 06624E05
mbA$, xrefs: 06624C17
qaA$, xrefs: 06624B04
ifA$, xrefs: 06624E8A
ucA$, xrefs: 06624CD5
qgA$, xrefs: 06624EE9
QfA$, xrefs: 06624EC3
eA$, xrefs: 06624DCC
)cA$, xrefs: 06624C9C
]cA$, xrefs: 06624CC2
MdA$, xrefs: 06624D5A
yeA$, xrefs: 06624E18
qdA$, xrefs: 06624D6D
]aA$, xrefs: 06624ADE
cA$, xrefs: 06624C89
bA$, xrefs: 06624BDE
dA$, xrefs: 06624DB9
cA$, xrefs: 06624D21
UbA$, xrefs: 06624C04
1bA$, xrefs: 06624BF1
9fA$, xrefs: 06624EB0
eA$, xrefs: 06624E64
aA$, xrefs: 06624BCB
EeA$, xrefs: 06624DF2

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: dA$$eA$$bA$$cA$$%eA$$)cA$$)dA$$1bA$$9fA$$AcA$$EeA$$M]A$$MdA$$QfA$$UbA$$]aA$$]cA$$]eA$$ifA$$mbA$$qaA$$qdA$$qgA$$ucA$$yeA$$aA$$cA$$dA$$eA$
API String ID: 0-2939761096
Opcode ID: 54af1315c57e2051a64cd5bc719b335b8d2f86010cd74976ede987478eb9ae16
Instruction ID: 75a6d6ce91cbad2b249f76e9ccec62bf1e64afbdddfb42629570907603cc48fd
Opcode Fuzzy Hash: 54af1315c57e2051a64cd5bc719b335b8d2f86010cd74976ede987478eb9ae16
Instruction Fuzzy Hash: FBB114B424C504AB6DB4BE968CE1D77666AEBC4500B24460D795AFB34CCD20FC8E4BBD

Function 00F53BE0 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 255COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F53BF5

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Length@String@v8@@QBEHXZ.FOPHOLDE ref: 00F53CB8
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000), ref: 00F53CC7
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53CEE
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53CF5
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000,?,01987608,01987608,00000000), ref: 00F53D01
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F53D0F
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F53D1A
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F53D39
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F53D91
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(00000000,00000000,?,00000002,?,00000002,?,00000001), ref: 00F53DB2
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F53DDA
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F53DE1
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F53E02
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,00000002,?,00000001), ref: 00F53E35

Part of subcall function 01068100: TlsGetValue.KERNEL32(00000002,00000000,00000000,00F53598,?,?,00000002,?,00000001), ref: 01068111

?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F53E5B
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F53E62

Strings

Argument must be a string, xrefs: 00F53E71
v8::Undefined(), xrefs: 00F53C35, 00F53C9A
Offset is out of bounds, xrefs: 00F53DF2

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleInteger@v8@@Integer@v8@@@2@New@Object@v8@@Scope@v8@@$Attribute@2@@FunctionFunction@Function@v8@@@2@Handle@PropertySet@Template@v8@@ValueValue@v8@@@2@0$Value@Value@v8@@$Close@Count@FieldInt32InternalLength@Object@internal@2@String@v8@@Uint32V342@@
String ID: Argument must be a string$Offset is out of bounds$v8::Undefined()
API String ID: 2871776340-3000252636
Opcode ID: 4a14ef0b97c0d16ef466bf55f360371d1406ad6a4eb053f778626a1c017b6d1e
Instruction ID: 07d88e56626b7c0699cc3cb24b5862aebe7ed410d1f40ceb66dc6fbafd2515ec
Opcode Fuzzy Hash: 4a14ef0b97c0d16ef466bf55f360371d1406ad6a4eb053f778626a1c017b6d1e
Instruction Fuzzy Hash: 95912472A082019FC714DF28DC44AAAB3FAEB99350F00456DFD469B390DB35ED09DB92

Function 00F541D0 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F541E5

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Length@String@v8@@QBEHXZ.FOPHOLDE ref: 00F542A8
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000), ref: 00F542B7
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F542DE
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F542E5
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000,?,01987608,01987608,00000000), ref: 00F542F1
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F542FF
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F5430A
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F54329
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F54381
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(00000000,00000000,?,00000002,?,00000002,?,00000001), ref: 00F543A2
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F543CA
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F543D1
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F543F0
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,00000002,?,00000001), ref: 00F54423

Part of subcall function 01068100: TlsGetValue.KERNEL32(00000002,00000000,00000000,00F53598,?,?,00000002,?,00000001), ref: 01068111

?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F54449
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F54450

Strings

Argument must be a string, xrefs: 00F5445F
v8::Undefined(), xrefs: 00F54225, 00F5428A
Offset is out of bounds, xrefs: 00F543E0

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleInteger@v8@@Integer@v8@@@2@New@Object@v8@@Scope@v8@@$Attribute@2@@FunctionFunction@Function@v8@@@2@Handle@PropertySet@Template@v8@@ValueValue@v8@@@2@0$Value@Value@v8@@$Close@Count@FieldInt32InternalLength@Object@internal@2@String@v8@@Uint32V342@@
String ID: Argument must be a string$Offset is out of bounds$v8::Undefined()
API String ID: 2871776340-3000252636
Opcode ID: acdaf95a29cd49488b53cf0733d6ea022a3ef284ef9830a44eb08b83c399729d
Instruction ID: b75a8c97f8cf39438d8e92662963761ae961068adb13cb16da559000947b841e
Opcode Fuzzy Hash: acdaf95a29cd49488b53cf0733d6ea022a3ef284ef9830a44eb08b83c399729d
Instruction Fuzzy Hash: A69113726042019FCB14DF64D840BAAB3EAEB99318F10456DFD468B390DB35FC49DB92

Function 00F53900 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F53915

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Length@String@v8@@QBEHXZ.FOPHOLDE ref: 00F539D8
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000), ref: 00F539E7
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53A0E
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53A15
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000,?,01987608,01987608,00000000), ref: 00F53A21
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F53A2F
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F53A3A
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F53A59
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F53AB1
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(00000000,00000000,?,00000002,?,00000002,?,00000001), ref: 00F53AD2
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F53AFA
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F53B01
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F53B20
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,00000002,?,00000001), ref: 00F53B53

Part of subcall function 01068100: TlsGetValue.KERNEL32(00000002,00000000,00000000,00F53598,?,?,00000002,?,00000001), ref: 01068111

?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F53B79
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F53B80

Strings

Argument must be a string, xrefs: 00F53B8F
v8::Undefined(), xrefs: 00F53955, 00F539BA
Offset is out of bounds, xrefs: 00F53B10

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleInteger@v8@@Integer@v8@@@2@New@Object@v8@@Scope@v8@@$Attribute@2@@FunctionFunction@Function@v8@@@2@Handle@PropertySet@Template@v8@@ValueValue@v8@@@2@0$Value@Value@v8@@$Close@Count@FieldInt32InternalLength@Object@internal@2@String@v8@@Uint32V342@@
String ID: Argument must be a string$Offset is out of bounds$v8::Undefined()
API String ID: 2871776340-3000252636
Opcode ID: 180a3a388a86910b26088b7a8c308404cd37af38cbb01fc8e8ad17439ac457d9
Instruction ID: b4087daad7a5dd3d7215a122046d1a924360a0aadac79f108ced39b501ad1ac7
Opcode Fuzzy Hash: 180a3a388a86910b26088b7a8c308404cd37af38cbb01fc8e8ad17439ac457d9
Instruction Fuzzy Hash: E49125767082019FC714DF28D840BAAB3EAEB99350F00456DFD868B390DB35ED09DB92

Function 00F53620 Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F53635

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Length@String@v8@@QBEHXZ.FOPHOLDE ref: 00F536F8
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000), ref: 00F53707
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F5372E
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,01987608,01987608,00000000), ref: 00F53735
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,00000000,?,01987608,01987608,00000000), ref: 00F53741
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F5374F
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,00000000,?,00000001), ref: 00F5375A
?Int32Value@Value@v8@@QBEHXZ.FOPHOLDE(?,00000001), ref: 00F53779
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F537D1
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(00000000,00000000,?,00000002,?,00000002,?,00000001), ref: 00F537F2
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F5381A
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,00000001), ref: 00F53821
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000002,?,00000002,?,00000001), ref: 00F53840
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,00000002,?,00000001), ref: 00F53873

Part of subcall function 01068100: TlsGetValue.KERNEL32(00000002,00000000,00000000,00F53598,?,?,00000002,?,00000001), ref: 01068111

?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F53899
?Set@Object@v8@@QAE_NV?$Handle@VValue@v8@@@2@0W4PropertyAttribute@2@@Z.FOPHOLDE(?,?,?,00000000,?,?,00000002,?,00000001), ref: 00F538A0

Strings

Argument must be a string, xrefs: 00F538AF
v8::Undefined(), xrefs: 00F53675, 00F536DA
Offset is out of bounds, xrefs: 00F53830

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleInteger@v8@@Integer@v8@@@2@New@Object@v8@@Scope@v8@@$Attribute@2@@FunctionFunction@Function@v8@@@2@Handle@PropertySet@Template@v8@@ValueValue@v8@@@2@0$Value@Value@v8@@$Close@Count@FieldInt32InternalLength@Object@internal@2@String@v8@@Uint32V342@@
String ID: Argument must be a string$Offset is out of bounds$v8::Undefined()
API String ID: 2871776340-3000252636
Opcode ID: f40d4513456e333bac7dd8404b1ceef46fd313298f8ee9e7bbed444cecd5c501
Instruction ID: 10d3d225eb91dda06a4967ae49b4949876b4e292449e5e5b5d305c1a9d3e7864
Opcode Fuzzy Hash: f40d4513456e333bac7dd8404b1ceef46fd313298f8ee9e7bbed444cecd5c501
Instruction Fuzzy Hash: A1911476B08201AFCB14DF28D840BAAB7EAEB99350F10456DF9468B350DB35ED09DB91

Function 00F50E10 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 198COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F50E20

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?HasInstance@Buffer@node@@SA_NV?$Handle@VValue@v8@@@v8@@@Z.FOPHOLDE(?), ref: 00F50E6D
?ToObject@Value@v8@@QBE?AV?$Local@VObject@v8@@@2@XZ.FOPHOLDE(?), ref: 00F50F1B
?ToObject@Value@v8@@QBE?AV?$Local@VObject@v8@@@2@XZ.FOPHOLDE(?,?), ref: 00F50F78
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,?), ref: 00F50FC4
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE(?,?), ref: 00F51012
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?), ref: 00F51031
?SetIndexedPropertiesToExternalArrayData@Object@v8@@QAEXPAXW4ExternalArrayType@2@H@Z.FOPHOLDE(?,00000002,00000000,?,?), ref: 00F51066
?Undefined@v8@@YA?AV?$Handle@VPrimitive@v8@@@1@XZ.FOPHOLDE(?,?,00000002,00000000,?,?), ref: 00F51070
??1HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?), ref: 00F51083

Strings

First argument must be a Buffer, xrefs: 00F50E7C
length out of range, xrefs: 00F51047
offset or length out of range, xrefs: 00F51052
offset out of range, xrefs: 00F51020
v8::Undefined(), xrefs: 00F50E50, 00F50EFA, 00F50F54, 00F50FA5, 00F50FF3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value@v8@@$HandleScope@v8@@$ArrayExternalHandle@Local@Object@Object@v8@@@2@Uint32ValueValue@$Buffer@node@@Data@IndexedInstance@Object@v8@@Primitive@v8@@@1@PropertiesType@2@Undefined@v8@@Value@v8@@@v8@@@
String ID: First argument must be a Buffer$length out of range$offset or length out of range$offset out of range$v8::Undefined()
API String ID: 2732647405-3217552806
Opcode ID: a20ebb7f160662d333f39e258f324fd3023a39172b8bedd1d5f06ca5a91a4d03
Instruction ID: 3a2ba175063772faabb4a8dd07021f6f7a2d11a1c8b5eb9bc1c00747213ed2f5
Opcode Fuzzy Hash: a20ebb7f160662d333f39e258f324fd3023a39172b8bedd1d5f06ca5a91a4d03
Instruction Fuzzy Hash: 97711632604681CFDB24DE14E5507BA73A2FB94766F64482CED4B5BA80DB34BC4EEB41

Function 06620EC2 Relevance: 22.9, Strings: 18, Instructions: 419COMMON

Download Yara Rule

Strings

9IA$, xrefs: 066210D4
5OA$, xrefs: 06621317
%MA$, xrefs: 0662120D
yIA$, xrefs: 06621054
)RA$, xrefs: 0662135E
}MA$, xrefs: 06621233
qHA$, xrefs: 0662101B
IA$, xrefs: 0662108D
)RA$, xrefs: 06621368
MA$, xrefs: 066211FA
]MA$, xrefs: 06621220
%NA$, xrefs: 0662127F
UIA$, xrefs: 06621041
mNA$, xrefs: 066212A5
INA$, xrefs: 06621292
9LA$, xrefs: 06621198
}#A$, xrefs: 06621445
yRA$, xrefs: 06621340

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: MA$$%MA$$%NA$$)RA$$)RA$$5OA$$9IA$$9LA$$INA$$UIA$$]MA$$mNA$$qHA$$yIA$$yRA$$}#A$$}MA$$IA$
API String ID: 0-634054856
Opcode ID: a25d40d3ac96d2aafcb88f6a0ac782d3a469775666a38d2b14d6cc5216495844
Instruction ID: 4d7ad428c46084171a6f686100a55dde33259313953cd74b7b38a30100a05152
Opcode Fuzzy Hash: a25d40d3ac96d2aafcb88f6a0ac782d3a469775666a38d2b14d6cc5216495844
Instruction Fuzzy Hash: 7BE12A743081046BEEA8AE968CE1F6B7669EB84200F14550CBA65FF748CD25FC594FBC

Function 01040570 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 261COMMON

Download Yara Rule

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 01040599
GetAdaptersAddresses.IPHLPAPI(00000000,00000000,00000000,00000000,?), ref: 010405F4
_free.LIBCMT ref: 0104071E
GetLastError.KERNEL32 ref: 01040726
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 01040799
_free.LIBCMT ref: 010405A2

Part of subcall function 01240441: RtlFreeHeap.NTDLL(00000000,00000000,7534EA60,0103B28A,?,?,00000000), ref: 01240455
Part of subcall function 01240441: GetLastError.KERNEL32(?,?,00000000), ref: 01240467

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01040632
_free.LIBCMT ref: 01040685
_free.LIBCMT ref: 0104082A

Strings

r != ERROR_SUCCESS, xrefs: 010406EF
src\win\util.c, xrefs: 010406EA

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free$AdaptersAddressesByteCharErrorLastMultiWide$FreeHeap
String ID: r != ERROR_SUCCESS$src\win\util.c
API String ID: 2515300440-4276533464
Opcode ID: 8e8190802e0614187dafccc9eda8320da0849a2198711328dbe88ff0e1612f29
Instruction ID: 46d2917630f729933180a665c82ac26e1660e46556cfeb6cf1babcb04cdaae1b
Opcode Fuzzy Hash: 8e8190802e0614187dafccc9eda8320da0849a2198711328dbe88ff0e1612f29
Instruction Fuzzy Hash: BF81D2B1B043029BD714DF19D880BAAB7E5FBC8324F144679FA88AB394D731D9458B92

Function 0104F8F0 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 112networkCOMMON

Download Yara Rule

APIs

setsockopt.WS2_32(?,0000FFFF,00000004,00000004,00000004), ref: 0104F943
WSAGetLastError.WS2_32 ref: 0104F94E
ioctlsocket.WS2_32(?,8004667E,00000001), ref: 0104F989
SetHandleInformation.KERNEL32(?,00000001,00000000), ref: 0104F999
GetLastError.KERNEL32 ref: 0104F9A3
CreateIoCompletionPort.KERNEL32(?,?,?,00000000), ref: 0104F9B2
getsockopt.WS2_32(?,0000FFFF,00002005,?,?), ref: 0104F9E2
SetFileCompletionNotificationModes.KERNEL32(?,00000003), ref: 0104F9F7
GetLastError.KERNEL32 ref: 0104FA1E

Strings

handle->socket == INVALID_SOCKET, xrefs: 0104F927
!(handle->flags & UV_HANDLE_IPV6), xrefs: 0104FA56
src\win\udp.c, xrefs: 0104F922, 0104FA51

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$Completion$CreateFileHandleInformationModesNotificationPortgetsockoptioctlsocketsetsockopt
String ID: !(handle->flags & UV_HANDLE_IPV6)$handle->socket == INVALID_SOCKET$src\win\udp.c
API String ID: 564191429-2954483627
Opcode ID: 5053f3e2a56853280e14e1a0e6fdc5936ba18c40d3ea3b7933c50e7762b1cc6c
Instruction ID: 5d89a7b4a11aa7739cc93bf519a33d5d49cefe5453cc7c6439531e61c983775c
Opcode Fuzzy Hash: 5053f3e2a56853280e14e1a0e6fdc5936ba18c40d3ea3b7933c50e7762b1cc6c
Instruction Fuzzy Hash: 0941D4F1604302ABE3749F38E889B6AB7E8BF84728F40863DF296951D0D7709459CB52

Function 00F550B0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 226COMMON

Download Yara Rule

APIs

?BooleanValue@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F55108
?IsNumber@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F55162
?IsUint32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F551C8
?NumberValue@Value@v8@@QBENXZ.FOPHOLDE ref: 00F5522B
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE ref: 00F5527B
?GetIndexedPropertiesExternalArrayData@Object@v8@@QAEPAXXZ.FOPHOLDE ref: 00F55288
?GetIndexedPropertiesExternalArrayDataLength@Object@v8@@QAEHXZ.FOPHOLDE(?,?,?,?,?,?,?,?,?,00F50BED), ref: 00F552A0

Strings

v8::Undefined(), xrefs: 00F550E9, 00F55146, 00F551A9, 00F5520F, 00F5525C, 00F5532F
value not a number, xrefs: 00F5516B
Trying to write beyond buffer length, xrefs: 00F552AD
offset is not uint, xrefs: 00F551D1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value@v8@@$Value@$ArrayExternalIndexedObject@v8@@Properties$BooleanDataData@Length@NumberNumber@Uint32Uint32@
String ID: Trying to write beyond buffer length$offset is not uint$v8::Undefined()$value not a number
API String ID: 1786287033-4214679354
Opcode ID: 046cf8f0aab98d19ea05b425578d5a97b9783b72a82797d4ce4714f50015f3fb
Instruction ID: 2b336261eb1479ae279c5808bb93f4887d5d74db2943a27d9edaa62ccd8d093e
Opcode Fuzzy Hash: 046cf8f0aab98d19ea05b425578d5a97b9783b72a82797d4ce4714f50015f3fb
Instruction Fuzzy Hash: 11814432204E828FCB24DE14E5602B5BBA2FBA5B56F10456DCD8A57F41DB34BC0EE781

Function 00F55360 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 226COMMON

Download Yara Rule

APIs

?BooleanValue@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F553B8
?IsNumber@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F55412
?IsUint32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F55478
?NumberValue@Value@v8@@QBENXZ.FOPHOLDE ref: 00F554DB
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE ref: 00F5552B
?GetIndexedPropertiesExternalArrayData@Object@v8@@QAEPAXXZ.FOPHOLDE ref: 00F55538
?GetIndexedPropertiesExternalArrayDataLength@Object@v8@@QAEHXZ.FOPHOLDE(?,?,?,?,?,?,?,?,?,00F50C0D), ref: 00F55550

Strings

v8::Undefined(), xrefs: 00F55399, 00F553F6, 00F55459, 00F554BF, 00F5550C, 00F555DF
value not a number, xrefs: 00F5541B
Trying to write beyond buffer length, xrefs: 00F5555D
offset is not uint, xrefs: 00F55481

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value@v8@@$Value@$ArrayExternalIndexedObject@v8@@Properties$BooleanDataData@Length@NumberNumber@Uint32Uint32@
String ID: Trying to write beyond buffer length$offset is not uint$v8::Undefined()$value not a number
API String ID: 1786287033-4214679354
Opcode ID: 86a72e737e8d17ee55ce7f8d09fae4511edaabac70ac8f979d6b01f8e5a0ff9f
Instruction ID: 96a6d49ba4b1d33ff0dc08f7a4617a0f3d9dd1378aeaa486882eb511bd10ae00
Opcode Fuzzy Hash: 86a72e737e8d17ee55ce7f8d09fae4511edaabac70ac8f979d6b01f8e5a0ff9f
Instruction Fuzzy Hash: D9814532204A818FCB24DF14E1702B9B7A2FB95B66F1445ADDD8A43B41DB34BC4EE781

Function 00F54E20 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 216COMMON

Download Yara Rule

APIs

?BooleanValue@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F54E78
?IsNumber@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F54ED2
?IsUint32@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F54F38
?NumberValue@Value@v8@@QBENXZ.FOPHOLDE ref: 00F54F9B
?Uint32Value@Value@v8@@QBEIXZ.FOPHOLDE ref: 00F54FEB
?GetIndexedPropertiesExternalArrayData@Object@v8@@QAEPAXXZ.FOPHOLDE ref: 00F54FF8
?GetIndexedPropertiesExternalArrayDataLength@Object@v8@@QAEHXZ.FOPHOLDE ref: 00F55010

Strings

v8::Undefined(), xrefs: 00F54E59, 00F54EB6, 00F54F19, 00F54F7F, 00F54FCC, 00F55080
value not a number, xrefs: 00F54EDB
Trying to write beyond buffer length, xrefs: 00F5501D
offset is not uint, xrefs: 00F54F41

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value@v8@@$Value@$ArrayExternalIndexedObject@v8@@Properties$BooleanDataData@Length@NumberNumber@Uint32Uint32@
String ID: Trying to write beyond buffer length$offset is not uint$v8::Undefined()$value not a number
API String ID: 1786287033-4214679354
Opcode ID: d4d2122dacb4fa35a7767e3718f4fff306a2d6bbcdc5ef4b9f213044b3861bfc
Instruction ID: 8e5efab7bcfa1dff5d32cf7bb0a91fe7ced92678cbec6bd97ed7e259eb170281
Opcode Fuzzy Hash: d4d2122dacb4fa35a7767e3718f4fff306a2d6bbcdc5ef4b9f213044b3861bfc
Instruction Fuzzy Hash: 2A7157322046828FDB24DF18E5506B5B3A2FB9575AF00056DDD8757A80DB35BC8EE780

Function 01051350 Relevance: 18.1, APIs: 12, Instructions: 71libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 0105135C
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0105137D
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 01051389
LeaveCriticalSection.KERNEL32(?), ref: 01051390
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0105139B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513A7
EnterCriticalSection.KERNEL32(?), ref: 010513AE
WaitForSingleObject.KERNEL32(?,000000FF), ref: 010513BE
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513CA
LeaveCriticalSection.KERNEL32(?), ref: 010513D1
WaitForSingleObject.KERNEL32(?,000000FF), ref: 010513DC
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 010513E8
GetModuleHandleA.KERNEL32(ntdll.dll,75573060), ref: 01051426
GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 01051443
GetProcAddress.KERNEL32(00000000,NtQueryInformationFile), ref: 01051458
GetProcAddress.KERNEL32(00000000,NtDeviceIoControlFile), ref: 0105146D
GetProcAddress.KERNEL32(00000000,NtSetInformationFile), ref: 01051482
GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 01051497
GetModuleHandleA.KERNEL32(kernel32.dll), ref: 010514AB
GetProcAddress.KERNEL32(00000000,GetQueuedCompletionStatusEx), ref: 010514C1
GetProcAddress.KERNEL32(00000000,SetFileCompletionNotificationModes), ref: 010514CE
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 010514DB
GetProcAddress.KERNEL32(00000000,CancelIoEx), ref: 010514E8
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 010514F5
GetProcAddress.KERNEL32(00000000,AcquireSRWLockShared), ref: 01051502
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0105150F
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockShared), ref: 0105151C
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 01051529
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockShared), ref: 01051536
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 01051543
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 01051550
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0105155D
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0105156A
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 01051577
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 01051584
GetLastError.KERNEL32 ref: 0105158E

Part of subcall function 01051290: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,0142F7D8,00000000,00000000,01050C45,?,?,?,0103B1F8), ref: 01051635
Part of subcall function 01051290: LocalFree.KERNEL32(?), ref: 01051689

GetLastError.KERNEL32 ref: 010515A0
GetLastError.KERNEL32 ref: 010515B2
GetLastError.KERNEL32 ref: 010515C4
GetLastError.KERNEL32 ref: 010515D6
GetLastError.KERNEL32 ref: 010515E8
GetLastError.KERNEL32 ref: 010515FA

Strings

InitializeConditionVariable, xrefs: 01051545
ntdll.dll, xrefs: 01051421
WakeConditionVariable, xrefs: 01051579
SleepConditionVariableCS, xrefs: 01051552
GetQueuedCompletionStatusEx, xrefs: 010514BB
NtQuerySystemInformation, xrefs: 01051491
AcquireSRWLockShared, xrefs: 010514F7
NtSetInformationFile, xrefs: 0105147C
%s: (%d) %s, xrefs: 01051650
SetFileCompletionNotificationModes, xrefs: 010514C3
AcquireSRWLockExclusive, xrefs: 01051504
NtQueryInformationFile, xrefs: 01051452
WakeAllConditionVariable, xrefs: 0105156C
TryAcquireSRWLockShared, xrefs: 01051511
CreateSymbolicLinkW, xrefs: 010514D0
NtDeviceIoControlFile, xrefs: 01051467
GetProcAddress, xrefs: 010515A6, 010515B8, 010515CA, 010515DC, 010515EE
GetModuleHandleA, xrefs: 01051594, 01051600
ReleaseSRWLockExclusive, xrefs: 01051538
Unknown error, xrefs: 0105163F, 01051649
ReleaseSRWLockShared, xrefs: 0105152B
SleepConditionVariableSRW, xrefs: 0105155F
RtlNtStatusToDosError, xrefs: 0105143D
TryAcquireSRWLockExclusive, xrefs: 0105151E
kernel32.dll, xrefs: 010514A6
InitializeSRWLock, xrefs: 010514EA
CancelIoEx, xrefs: 010514DD

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: AddressProc$ErrorLast$CriticalObjectReleaseSectionSemaphoreSingleWait$EnterHandleLeaveModule$FormatFreeLocalMessage
String ID: %s: (%d) %s$AcquireSRWLockExclusive$AcquireSRWLockShared$CancelIoEx$CreateSymbolicLinkW$GetModuleHandleA$GetProcAddress$GetQueuedCompletionStatusEx$InitializeConditionVariable$InitializeSRWLock$NtDeviceIoControlFile$NtQueryInformationFile$NtQuerySystemInformation$NtSetInformationFile$ReleaseSRWLockExclusive$ReleaseSRWLockShared$RtlNtStatusToDosError$SetFileCompletionNotificationModes$SleepConditionVariableCS$SleepConditionVariableSRW$TryAcquireSRWLockExclusive$TryAcquireSRWLockShared$Unknown error$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll$ntdll.dll
API String ID: 4286267632-2814116715
Opcode ID: 074f2f67c2a3626ac357fe62ac0a8aef6344254af22a820ead7777e92f8e5dbf
Instruction ID: e985eea46c79dfe6f1025856d4235a24fbf7251e15c153dc0ac9fb2eb63b0ff8
Opcode Fuzzy Hash: 074f2f67c2a3626ac357fe62ac0a8aef6344254af22a820ead7777e92f8e5dbf
Instruction Fuzzy Hash: 06115472100306FBDB711729EC45E277AE9EF047A17118754F9A5915E6DA32E801CB20

Function 00FB2290 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 76registrywindowCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4), ref: 00FB22A6
GetFileType.KERNEL32(00000000), ref: 00FB22B1
__vfwprintf_p.LIBCMT ref: 00FB22D3

Part of subcall function 01244433: _vfprintf_helper.LIBCMT ref: 01244446

vswprintf.LIBCMT ref: 00FB2309
RegisterEventSourceA.ADVAPI32(00000000,OpenSSL), ref: 00FB232A
ReportEventA.ADVAPI32(00000000,00000001,00000000,00000000,00000000,00000001,00000000,?,00000000), ref: 00FB2352
DeregisterEventSource.ADVAPI32(00000000), ref: 00FB2359
MessageBoxA.USER32(00000000,?,OpenSSL: FATAL,00000010), ref: 00FB2383

Strings

OpenSSL: FATAL, xrefs: 00FB2377
OpenSSL, xrefs: 00FB2323

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Event$Source$DeregisterFileHandleMessageRegisterReportType__vfwprintf_p_vfprintf_helpervswprintf
String ID: OpenSSL$OpenSSL: FATAL
API String ID: 277090408-4224901669
Opcode ID: fab4f5baa00a2b458e0c5316c5046e14375c97314e2c99e7f8c8cc841091f762
Instruction ID: 4561dd71f706c09aed110514ad4f564d69c208ed1b843a53d1188c95ff2c0d86
Opcode Fuzzy Hash: fab4f5baa00a2b458e0c5316c5046e14375c97314e2c99e7f8c8cc841091f762
Instruction Fuzzy Hash: 2E21F871A18301ABE734A720EC46FFB37D9AF68B10F444419F789D51D0EAB49580CB52

Function 00FB2150 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 105libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(FFFFFFFF,00000000,7556F550), ref: 00FB2170
GetProcAddress.KERNEL32(00000000,_OPENSSL_isservice), ref: 00FB2180
GetProcessWindowStation.USER32(00000000,7556F550), ref: 00FB21A4
GetUserObjectInformationW.USER32(00000000,00000002,00000000,00000000,?), ref: 00FB21BF
GetLastError.KERNEL32 ref: 00FB21CD
GetUserObjectInformationW.USER32(00000000,00000002,?,?,?), ref: 00FB2208
_wcsstr.LIBCMT ref: 00FB222D

Strings

_OPENSSL_isservice, xrefs: 00FB217A
Service-0x, xrefs: 00FB2223

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: InformationObjectUser$AddressErrorHandleLastModuleProcProcessStationWindow_wcsstr
String ID: Service-0x$_OPENSSL_isservice
API String ID: 304827962-1672312481
Opcode ID: 2a8a6c7f1c8cd94da600ce01b75f0bbd6225e75f2ff03ef572c82b05c9f0e8a1
Instruction ID: 118564d3193ca869d1ce770b33f949c247643d05f3c0fffc10e84c0c6cac174c
Opcode Fuzzy Hash: 2a8a6c7f1c8cd94da600ce01b75f0bbd6225e75f2ff03ef572c82b05c9f0e8a1
Instruction Fuzzy Hash: 7931E732E001099BDB34DF79EC49BEE77B8EF54720F504259E916E71D0EB3099458B50

Function 01044DE0 Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 93COMMON

Download Yara Rule

APIs

UnregisterWaitEx.KERNEL32(?,000000FF,?,?,?,?,?,?,?,0103CED2), ref: 01044E2B
GetLastError.KERNEL32(?,?,?,?,?,?,?,0103CED2), ref: 01044E5B

Part of subcall function 01051290: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,0142F7D8,00000000,00000000,01050C45,?,?,?,0103B1F8), ref: 01051635
Part of subcall function 01051290: LocalFree.KERNEL32(?), ref: 01051689

CloseHandle.KERNEL32(?), ref: 01044ECD

Strings

!handle->exit_cb_pending, xrefs: 01044E83
!((handle)->flags & UV__HANDLE_CLOSING), xrefs: 01044DF6
!(handle->flags & UV_HANDLE_CLOSED), xrefs: 01044EBD
handle->flags & UV__HANDLE_CLOSING, xrefs: 01044EA0
UnregisterWaitEx, xrefs: 01044E61
src\win\process.c, xrefs: 01044DF1, 01044E7E, 01044E9B, 01044EB8

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CloseErrorFormatFreeHandleLastLocalMessageUnregisterWait
String ID: !((handle)->flags & UV__HANDLE_CLOSING)$!(handle->flags & UV_HANDLE_CLOSED)$!handle->exit_cb_pending$UnregisterWaitEx$handle->flags & UV__HANDLE_CLOSING$src\win\process.c
API String ID: 2389481044-3593064582
Opcode ID: f9d26732db9f86c3b9913bbc4330a7c2141be186c85151e9883d029afd58ba26
Instruction ID: e80d2df797bee57e992d966eebf7a2a5f6ceb64c90c7d66f94c249c65a99227a
Opcode Fuzzy Hash: f9d26732db9f86c3b9913bbc4330a7c2141be186c85151e9883d029afd58ba26
Instruction Fuzzy Hash: 3F31C1B1604B00AFD7759F2AE845B52BBE0AF44724F044A6CE9E6DB7D1C770E446CB50

Function 00F4FAE0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F4FAEE

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?GetCurrent@Context@v8@@SA?AV?$Local@VContext@v8@@@2@XZ.FOPHOLDE(?), ref: 00F4FAF8
?Global@Context@v8@@QAE?AV?$Local@VObject@v8@@@2@XZ.FOPHOLDE(?), ref: 00F4FB07
?NewSymbol@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,Buffer,000000FF,?), ref: 00F4FB18
?Get@Object@v8@@QAE?AV?$Local@VValue@v8@@@2@V?$Handle@VValue@v8@@@2@@Z.FOPHOLDE(?,000000FF,?), ref: 00F4FB2F
?IsFunction@Value@v8@@QBE_NXZ.FOPHOLDE(?,000000FF,?), ref: 00F4FB3A

Strings

Buffer, xrefs: 00F4FB12

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$Context@v8@@Value$Context@v8@@@2@Current@Function@Get@Global@HandleHandle@Object@v8@@Object@v8@@@2@Scope@v8@@String@v8@@String@v8@@@2@Symbol@Value@v8@@Value@v8@@@2@Value@v8@@@2@@
String ID: Buffer
API String ID: 505833388-922154436
Opcode ID: 22f38471c14ef908134a03c0bf428fae18d9148fe6ec1eb272aaf906dc235287
Instruction ID: c247c8b7195acc0a9adba0eaa070ebc61f5130233eddb4f1907bfe557863a7ef
Opcode Fuzzy Hash: 22f38471c14ef908134a03c0bf428fae18d9148fe6ec1eb272aaf906dc235287
Instruction Fuzzy Hash: D90140B19043069BD704EF60DC5089F77ECAFA5254F440929F896972A0EB30FA4CCB96

Function 01044F00 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

((process)->flags & UV__HANDLE_CLOSING) == 0, xrefs: 010452DE
src\win\process.c, xrefs: 010452D9

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: ((process)->flags & UV__HANDLE_CLOSING) == 0$src\win\process.c
API String ID: 0-2133490760
Opcode ID: 54233b720e0ebc82b80c4944a694e4b96c0b82f6b785f5da763e1c22666099a7
Instruction ID: baa99defd6d04afaf63909c34d3bf7aae35552d8d374a18eabaed3d3c365d05b
Opcode Fuzzy Hash: 54233b720e0ebc82b80c4944a694e4b96c0b82f6b785f5da763e1c22666099a7
Instruction Fuzzy Hash: E6417FB16003069FE740DF29D88479ABBE0FF94329F144679E9489B2A0D771E955CB82

Function 0105A830 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 121COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105A8EC
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105A96C
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 0105A9A2

Strings

CHECK(%s) failed, xrefs: 0105A847
allow_empty_handle || that != 0, xrefs: 0105A842
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0105A851
v8::Message::GetSourceLine(), xrefs: 0105A882
GetSourceLine, xrefs: 0105A8F7

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$GetSourceLine$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::Message::GetSourceLine()
API String ID: 4242311554-1302683532
Opcode ID: e2e8e76861a8be65e2ffa2fe671b757a73f869bb237b7e852e84698da36cd873
Instruction ID: ae3d8588c79d4bc8bcd7e8bfa6d124256b41781a144f02c41d445edc6630e593
Opcode Fuzzy Hash: e2e8e76861a8be65e2ffa2fe671b757a73f869bb237b7e852e84698da36cd873
Instruction Fuzzy Hash: 2141F275704202DFDBA6DF28C4407A7B7E1EF45320F440399EDD58B282D730A84ACBA1

Function 0105B1D0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B26D
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 0105B2A6
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B2BF

Strings

CHECK(%s) failed, xrefs: 0105B1E7
allow_empty_handle || that != 0, xrefs: 0105B1E2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0105B1F1
v8::StackFrame::GetFunctionName(), xrefs: 0105B220
functionName, xrefs: 0105B279

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$functionName$v8::StackFrame::GetFunctionName()
API String ID: 4242311554-39058584
Opcode ID: d43668d3436759d3b79e2cc680a0000f066c5754cda59cc4cc3f7af4cb671a19
Instruction ID: 9abefc8a6f38060902d4462b99a5d9a9bb1c5f0a990d2bb61bd4952ed699ee3a
Opcode Fuzzy Hash: d43668d3436759d3b79e2cc680a0000f066c5754cda59cc4cc3f7af4cb671a19
Instruction Fuzzy Hash: 433122722043015FD765DF28D840BABB7A6FB51364F840299EDD59B381DB70B894C7E2

Function 0105B0C0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B15D
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 0105B196
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B1AF

Strings

CHECK(%s) failed, xrefs: 0105B0D7
allow_empty_handle || that != 0, xrefs: 0105B0D2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0105B0E1
scriptNameOrSourceURL, xrefs: 0105B169
v8::StackFrame::GetScriptNameOrSourceURL(), xrefs: 0105B110

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$scriptNameOrSourceURL$v8::StackFrame::GetScriptNameOrSourceURL()
API String ID: 4242311554-1055429042
Opcode ID: 60da5b7b4a871e2427c263b84fb04ce6b90e83d29cfb2bd8de7bd0c8c44cab8f
Instruction ID: c4e3e284dd7024a9017946e3e77a76feb5eff023062f5fff53e2d409536cf642
Opcode Fuzzy Hash: 60da5b7b4a871e2427c263b84fb04ce6b90e83d29cfb2bd8de7bd0c8c44cab8f
Instruction Fuzzy Hash: BD3134722002015FD7A5EF28D841B9BB7E6EB41324F840699EDD59B381E770B849C7D9

Function 0105AFB0 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 84COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B04D
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 0105B086
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105B09F

Strings

CHECK(%s) failed, xrefs: 0105AFC7
allow_empty_handle || that != 0, xrefs: 0105AFC2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0105AFD1
v8::StackFrame::GetScriptName(), xrefs: 0105B000
scriptName, xrefs: 0105B059

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$scriptName$v8::StackFrame::GetScriptName()
API String ID: 4242311554-895292338
Opcode ID: 2bf0533d116a5adc185052c4372e6e706750a827a17563fbd13cb0a715e6c5ca
Instruction ID: f529d9d623cc77b369456c00e61e3ebf1b0425e822e3c70d13a37dad876091e6
Opcode Fuzzy Hash: 2bf0533d116a5adc185052c4372e6e706750a827a17563fbd13cb0a715e6c5ca
Instruction Fuzzy Hash: B83122B22043055FD366EF28D8807A7B7E6EB41324F440699FDE64B381E771A848C7D1

Function 0104FDE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 116COMMON

Download Yara Rule

Strings

handle->flags & UV_HANDLE_READING, xrefs: 0104FDFE
!(handle->flags & UV_HANDLE_READ_PENDING), xrefs: 0104FE1E
src\win\udp.c, xrefs: 0104FDF9, 0104FE19

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: !(handle->flags & UV_HANDLE_READ_PENDING)$handle->flags & UV_HANDLE_READING$src\win\udp.c
API String ID: 0-2283846035
Opcode ID: 3471e041fde75d9b92c6278c452281927e9444d1a50bb3e0692a9c250e95c2d9
Instruction ID: c7ac1e450d0624751efb1c5bb16da69387df7221ee9ea41ddb7fe84e1bc95747
Opcode Fuzzy Hash: 3471e041fde75d9b92c6278c452281927e9444d1a50bb3e0692a9c250e95c2d9
Instruction Fuzzy Hash: 8741E1B16007029FD320DF1AE8807A3B7F4FF88715F50067EE985D2612E3B5E5498BA0

Function 01044040 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 99COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 01044091

Strings

PostQueuedCompletionStatus, xrefs: 010440A6
src\win\async.c, xrefs: 0104405D, 010440CE, 010440EC
req->type == UV_WAKEUP, xrefs: 010440F1
!(handle->flags & UV__HANDLE_CLOSING), xrefs: 01044062
handle->type == UV_ASYNC, xrefs: 010440D3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CompletionPostQueuedStatus
String ID: !(handle->flags & UV__HANDLE_CLOSING)$PostQueuedCompletionStatus$handle->type == UV_ASYNC$req->type == UV_WAKEUP$src\win\async.c
API String ID: 2005739868-516301831
Opcode ID: 57d03b7cb32754abe21d8c37cb1720de11f6f9923d2bfc09310581e10f5e76cb
Instruction ID: cae5c9b09a1349495e19b712c08121e14d33cb1756b75d466fa16cd57020c6d0
Opcode Fuzzy Hash: 57d03b7cb32754abe21d8c37cb1720de11f6f9923d2bfc09310581e10f5e76cb
Instruction Fuzzy Hash: C72138726003016FEB209B19AC45B92B7E0BB94714F14447DFA84EB780D370F8658B90

Function 010695B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

??0TryCatch@v8@@QAE@XZ.FOPHOLDE ref: 0106966F
?ToString@Value@v8@@QBE?AV?$Local@VString@v8@@@2@XZ.FOPHOLDE(?), ref: 0106967C
?Length@String@v8@@QBEHXZ.FOPHOLDE(?), ref: 01069689
?Write@String@v8@@QBEHPAGHHH@Z.FOPHOLDE(00000000,00000000,000000FF,00000000), ref: 010696CC
??1TryCatch@v8@@QAE@XZ.FOPHOLDE(?), ref: 010696D5

Strings

v8::String::Value::Value(), xrefs: 01069604
Out of memory, xrefs: 010696B3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Catch@v8@@String@v8@@$Length@Local@String@String@v8@@@2@Value@v8@@Write@
String ID: Out of memory$v8::String::Value::Value()
API String ID: 484313778-330590307
Opcode ID: 3d8b584642e9113e8208c911be8571e25d9988b0c891b9b0269da68474195d51
Instruction ID: 2b47f44c7f4fea9bfe1812aeb107cadc0d1d8d8689d79fac968b229e3d8ca6f4
Opcode Fuzzy Hash: 3d8b584642e9113e8208c911be8571e25d9988b0c891b9b0269da68474195d51
Instruction Fuzzy Hash: 3331D4716083028FDB65DF28D4807AAB7E8EF58318F04457EF999CB6D1DB709948CBA1

Function 01059EC0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 01059F61
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 01059FC5
??1HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 01059FDE

Strings

CHECK(%s) failed, xrefs: 01059ED7
allow_empty_handle || that != 0, xrefs: 01059ED2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01059EE1
v8::Message::GetStackTrace(), xrefs: 01059F10

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::Message::GetStackTrace()
API String ID: 4242311554-4246557932
Opcode ID: a8fb2ce6e36013f1e6f795043c11d4d9ea7887c96f60fa4a30e3b9d8fca38df2
Instruction ID: 326ac9e91f34173e21c9b697d104725268007a51fc86093578e2fd9c557e2599
Opcode Fuzzy Hash: a8fb2ce6e36013f1e6f795043c11d4d9ea7887c96f60fa4a30e3b9d8fca38df2
Instruction Fuzzy Hash: FF31CD72604201DFD7A6DF28D480BD7B7E0EB45328F8946A9ECD59B391D770A884CBD1

Function 01050C50 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0103B1F8), ref: 01050BBF
SetEvent.KERNEL32(00000000), ref: 01050BE0
CloseHandle.KERNEL32(00000000), ref: 01050C07
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 01050C10

Strings

src\win\thread.c, xrefs: 01050BEC, 01050C1C
result, xrefs: 01050BF1
result == WAIT_OBJECT_0, xrefs: 01050C21

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Event$CloseCreateHandleObjectSingleWait
String ID: result$result == WAIT_OBJECT_0$src\win\thread.c
API String ID: 818936268-1062144757
Opcode ID: 7e57b13558c9e4d4661bf8153039d363bd2fcf4b4202dd96b9e85e3450fcc9a0
Instruction ID: 1f5804d29ccff9095abf31781774d89e5bfa89328f7e4091a8121458a4eb7526
Opcode Fuzzy Hash: 7e57b13558c9e4d4661bf8153039d363bd2fcf4b4202dd96b9e85e3450fcc9a0
Instruction Fuzzy Hash: BD016D32740316BBE361176EBC89F9F7B859FD5B24F14406CF749A92C4EEB28050C290

Function 00F42340 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 40COMMON

Download Yara Rule

APIs

?IsGlobalWeak@V8@v8@@CA_NPAPAVObject@internal@2@@Z.FOPHOLDE(?), ref: 00F42365
?MakeWeak@V8@v8@@CAXPAPAVObject@internal@2@PAXP6AXV?$Persistent@VValue@v8@@@2@1@Z@Z.FOPHOLDE(?,?,?), ref: 00F423AD
?MarkIndependent@V8@v8@@CAXPAPAVObject@internal@2@@Z.FOPHOLDE(?,?,?,?), ref: 00F423B5

Strings

!handle_.IsEmpty(), xrefs: 00F42350
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h, xrefs: 00F4234B, 00F42373, 00F4238D
!handle_.IsWeak(), xrefs: 00F42378
refs_ > 0, xrefs: 00F42392

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: V8@v8@@$Object@internal@2@@Weak@$GlobalIndependent@MakeMarkObject@internal@2@Persistent@Value@v8@@@2@1@
String ID: !handle_.IsEmpty()$!handle_.IsWeak()$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h$refs_ > 0
API String ID: 3830112689-1207239691
Opcode ID: 99e241b959671725b9dfa990c7a8c19b7d8ad333815aa2b91387af2c0700eeff
Instruction ID: d0115522bf7557b64a267114a95543ad17c09d0732dbbb13705f413a054cd2da
Opcode Fuzzy Hash: 99e241b959671725b9dfa990c7a8c19b7d8ad333815aa2b91387af2c0700eeff
Instruction Fuzzy Hash: CAF0F671E607117ADB703F11AC07F663AA85B60B10F85403CFC5A3B1D0E6AAB8E4A159

Function 01051140 Relevance: 12.1, APIs: 8, Instructions: 72COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01051165
LeaveCriticalSection.KERNEL32(?), ref: 01051170
LeaveCriticalSection.KERNEL32(?), ref: 01051176
WaitForMultipleObjects.KERNEL32(00000002,?,00000000,?), ref: 01051185
EnterCriticalSection.KERNEL32(?), ref: 0105118E
LeaveCriticalSection.KERNEL32(?), ref: 010511A3
ResetEvent.KERNEL32(?), ref: 010511B0
EnterCriticalSection.KERNEL32(?), ref: 010511BA

Part of subcall function 01050F30: _raise.LIBCMT ref: 01240409
Part of subcall function 01050F30: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0124041A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$EnterLeave$EventFeatureMultipleObjectsPresentProcessorResetWait_raise
String ID:
API String ID: 1886729580-0
Opcode ID: b25bd151db5bb11f789e047320f0e9207be37aad479c7e455febedfa7e564ad9
Instruction ID: 5851744f07bcdfe3cd8bab4e4fea22517fc309d3973cdb8c2406b7d80aa4e368
Opcode Fuzzy Hash: b25bd151db5bb11f789e047320f0e9207be37aad479c7e455febedfa7e564ad9
Instruction Fuzzy Hash: 81112632A04205EFD7609F69E84875BFFE8FF44220F000566FE8882191D7319804CBD1

Function 011D59E0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 293COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 011D5C4D

Part of subcall function 01240441: RtlFreeHeap.NTDLL(00000000,00000000,7534EA60,0103B28A,?,?,00000000), ref: 01240455
Part of subcall function 01240441: GetLastError.KERNEL32(?,?,00000000), ref: 01240467

Part of subcall function 010E4D80: _free.LIBCMT ref: 010E4DD5

_free.LIBCMT ref: 011D5C97

Strings

strict_reserved_word, xrefs: 011D5B1E, 011D5C31
strict_param_name, xrefs: 011D5B23
strict_param_dupe, xrefs: 011D5B97, 011D5C7A
reserved_word, xrefs: 011D5B14

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: reserved_word$strict_param_dupe$strict_param_name$strict_reserved_word
API String ID: 776569668-3094029285
Opcode ID: 2facdb3b21a2260adb5b6e4c5cc15b8170ccc3542aa8f9d1dbaf3978e1aa0422
Instruction ID: 0d07c98f6707c231202747e394c9d7631a3c10a8ed9ef6c3460b9dff9dc640f6
Opcode Fuzzy Hash: 2facdb3b21a2260adb5b6e4c5cc15b8170ccc3542aa8f9d1dbaf3978e1aa0422
Instruction Fuzzy Hash: 80C1BC706087819FE769DF28C484B6ABBF2BF95304F14494DE1858B391CB75E889CB92

Function 0103EDD0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0103EE5F
___from_strstr_to_strchr.LIBCMT ref: 0103EE79

Strings

0123456789ABCDEF, xrefs: 0103EE6C, 0103EE71
., xrefs: 0103EF69
:, xrefs: 0103EE85
0123456789abcdef, xrefs: 0103EE51, 0103EE57

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ___from_strstr_to_strchr
String ID: .$0123456789ABCDEF$0123456789abcdef$:
API String ID: 601868998-2335639909
Opcode ID: 952864af0a948a5bf4a51c0a59b427fd1ed4c4292a995b3218fa1958884f4b0b
Instruction ID: e1a02f98b26bce23e7e3be1b979979a6c491857c38f292257d9f2f70e559f14d
Opcode Fuzzy Hash: 952864af0a948a5bf4a51c0a59b427fd1ed4c4292a995b3218fa1958884f4b0b
Instruction Fuzzy Hash: 0D51F4306083468FD714DF18D48066EFBE9AFD4308F644A5EF8D993241E7B0EA49CB52

Function 01050090 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 153networkCOMMON

Download Yara Rule

APIs

WSASendTo.WS2_32(00000000,?,?,?,00000000,?,?,?,00000000), ref: 010500E1
GetLastError.KERNEL32(?,?,010502DC,?,?,?,00000010,?), ref: 010501A4
WSAGetLastError.WS2_32(?,?,010502DC,?,?,?,00000010,?), ref: 010501B1

Strings

((((handle)))->flags & UV__HANDLE_CLOSING) == 0, xrefs: 0105011F, 010501FC
((handle))->activecnt > 0, xrefs: 01050153, 01050230
src\win\udp.c, xrefs: 0105011A, 0105014E, 010501F7, 0105022B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$Send
String ID: ((((handle)))->flags & UV__HANDLE_CLOSING) == 0$((handle))->activecnt > 0$src\win\udp.c
API String ID: 1282938840-2704775678
Opcode ID: 486e62bb158db79ec57905090f79daa5ceb677bf46928b3a7faffaeebb1da951
Instruction ID: 95aee8631df014456c44d90c9eabae097d89eadd19620e28cf544baf3b449df7
Opcode Fuzzy Hash: 486e62bb158db79ec57905090f79daa5ceb677bf46928b3a7faffaeebb1da951
Instruction Fuzzy Hash: BE51ADB1600306AFEB95CF29D880B96BBE0FF48324F14826EF8489B655D770E491CF85

Function 0104F620 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

shutdown.WS2_32(?,00000001), ref: 0104F645
closesocket.WS2_32(?), ref: 0104F697
closesocket.WS2_32(?), ref: 0104F754

Strings

src\win\tcp.c, xrefs: 0104F6EF, 0104F73B, 0104F76F
(tcp)->activecnt >= 0, xrefs: 0104F6F4, 0104F740
!((tcp)->flags & UV__HANDLE_CLOSING), xrefs: 0104F774

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: closesocket$shutdown
String ID: !((tcp)->flags & UV__HANDLE_CLOSING)$(tcp)->activecnt >= 0$src\win\tcp.c
API String ID: 3079814495-1574407552
Opcode ID: ce6b6e32da1a87d123a6cca1932305917a4cee9589702aea70dddfa69e9d962d
Instruction ID: 4c50b45bd2acc5137f7446a1b03f8d0b02e5e49cccd227436c0cede72e44f1a9
Opcode Fuzzy Hash: ce6b6e32da1a87d123a6cca1932305917a4cee9589702aea70dddfa69e9d962d
Instruction Fuzzy Hash: A8417EB2600B039FEB759E3DC9C4752B7E0AF18368F04467DDAD296AA1D364E446CF80

Function 01059B80 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 01059C1D
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 01059CC2

Strings

CHECK(%s) failed, xrefs: 01059B97
v8::Message::GetScriptResourceName(), xrefs: 01059BD0
allow_empty_handle || that != 0, xrefs: 01059B92
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01059BA1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::Message::GetScriptResourceName()
API String ID: 4242311554-599127768
Opcode ID: fde5f6d499cb36aeae31dc0e86999d35096d4f2e1a25189f7d74f6166b943fa7
Instruction ID: 47f80be7eb851a09d6b775dd0731f0ee55ae8f70bf0d563836d921f6af09b380
Opcode Fuzzy Hash: fde5f6d499cb36aeae31dc0e86999d35096d4f2e1a25189f7d74f6166b943fa7
Instruction Fuzzy Hash: 64411471208202DFD365DF28D184AD7BBF1FB84318F5945A9E89A8B381D731F845CBA1

Function 01059D20 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 01059DBD
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 01059E62

Strings

CHECK(%s) failed, xrefs: 01059D37
allow_empty_handle || that != 0, xrefs: 01059D32
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01059D41
v8::Message::GetScriptResourceData(), xrefs: 01059D70

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::Message::GetScriptResourceData()
API String ID: 4242311554-2822137207
Opcode ID: 7bd5e39caaa209358a5706d8b1e8360104e577dd74f692dce9ba23f00b83da6b
Instruction ID: 85a0075f8a4fbd6cc8ed255d68f2294e092d123fafd728cad848219eaa975644
Opcode Fuzzy Hash: 7bd5e39caaa209358a5706d8b1e8360104e577dd74f692dce9ba23f00b83da6b
Instruction Fuzzy Hash: 9F41E375208202DFD365EF28D484AD6B7F1FB84318F1945ADE8998B381D731F846CBA1

Function 0105AA40 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 97COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105AADD
?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?,?,?), ref: 0105AB2F

Strings

CHECK(%s) failed, xrefs: 0105AA57
allow_empty_handle || that != 0, xrefs: 0105AA52
v8::StackTrace::GetFrame(), xrefs: 0105AA90
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 0105AA61

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleScope@v8@@$Close@Object@internal@2@V342@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::StackTrace::GetFrame()
API String ID: 4242311554-2618648918
Opcode ID: 38f99e3d16c71b35637843bc7cce02100efda0930fc46792d7cf4a5b0888ac29
Instruction ID: f59e7325e5a4955fe8fdf1cee286503ecfc40a311b26413ff5ef5b3140935c24
Opcode Fuzzy Hash: 38f99e3d16c71b35637843bc7cce02100efda0930fc46792d7cf4a5b0888ac29
Instruction Fuzzy Hash: 7531E3712083029FD756EF28C4507D7B7F1EB85324F18466EE9A98B381D731A845CB91

Function 01069320 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

??0TryCatch@v8@@QAE@XZ.FOPHOLDE ref: 010693DF
?ToString@Value@v8@@QBE?AV?$Local@VString@v8@@@2@XZ.FOPHOLDE(?), ref: 010693EC
?WriteUtf8@String@v8@@QBEHPADHPAHH@Z.FOPHOLDE(00000000,000000FF,00000000,00000000), ref: 0106942E
??1TryCatch@v8@@QAE@XZ.FOPHOLDE(?), ref: 01069437

Strings

v8::String::Utf8Value::Utf8Value(), xrefs: 01069374
Out of memory, xrefs: 01069415

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Catch@v8@@$Local@String@String@v8@@String@v8@@@2@Utf8@Value@v8@@Write
String ID: Out of memory$v8::String::Utf8Value::Utf8Value()
API String ID: 1330797108-1862997491
Opcode ID: 40cf5a18b970ad891fe1ba76b045533c351be0817ba225515bf7b7b3594176e8
Instruction ID: a93ccccd2c68ab35f3e8a130f1e32bf5ab73d2bd289b7d061bae4f857bffd646
Opcode Fuzzy Hash: 40cf5a18b970ad891fe1ba76b045533c351be0817ba225515bf7b7b3594176e8
Instruction Fuzzy Hash: 333104719043128FDB61DF28D580B9AB7E8FF58318F444569E9998B2D1DB309848CBA2

Function 01048FD0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

uv_fs_stat.FOPHOLDE(?,?,?,Function_00119050), ref: 01049032

Part of subcall function 01050F30: _raise.LIBCMT ref: 01240409
Part of subcall function 01050F30: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0124041A

uv_close.FOPHOLDE(?,Function_001191A0), ref: 0104906D
uv_fs_req_cleanup.FOPHOLDE(?,?,Function_001191A0), ref: 01049073

Part of subcall function 01048D50: _free.LIBCMT ref: 01048D69
Part of subcall function 01048D50: _free.LIBCMT ref: 01048D7D

uv_fs_req_cleanup.FOPHOLDE(?), ref: 01049133
uv_close.FOPHOLDE(?,Function_001191A0), ref: 0104914A

Strings

ctx->parent_handle != NULL, xrefs: 01048FE7
src\fs-poll.c, xrefs: 01048FE2, 01049000
ctx->parent_handle->poll_ctx == ctx, xrefs: 01049005

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _freeuv_closeuv_fs_req_cleanup$FeaturePresentProcessor_raiseuv_fs_stat
String ID: ctx->parent_handle != NULL$ctx->parent_handle->poll_ctx == ctx$src\fs-poll.c
API String ID: 2237548313-3386429158
Opcode ID: 33e1b2ffd61e97c594a3f71639eac3432df595d70aa804f39aef17fd7e2d297a
Instruction ID: bce824a067dbafb124e470d7991b65e4d00deb48b2dc2a486154fc94b29b6f63
Opcode Fuzzy Hash: 33e1b2ffd61e97c594a3f71639eac3432df595d70aa804f39aef17fd7e2d297a
Instruction Fuzzy Hash: CD110DF65003016FC321EB69DC85E9773E8BB58618F00467EFAD9AB341E761A9408695

Function 00F423C0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 68COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F423CE

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?IsGlobalNearDeath@V8@v8@@CA_NPAPAVObject@internal@2@@Z.FOPHOLDE(?), ref: 00F4242C

Strings

value == obj->handle_, xrefs: 00F423FA
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h, xrefs: 00F423F5, 00F42412, 00F4243A
!obj->refs_, xrefs: 00F42417
value.IsNearDeath(), xrefs: 00F4243F

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value$Death@GlobalHandleNearObject@internal@2@@Scope@v8@@V8@v8@@
String ID: !obj->refs_$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h$value == obj->handle_$value.IsNearDeath()
API String ID: 1758891250-1571989438
Opcode ID: 6f6f65a4bc1a53fbdfb786acc1b32e6b6f33fa4a9f5a62ddf4335156cd6f4228
Instruction ID: b614a9cdfa9b0e3b5848f282b741439b01d0a01351eaeb6874add4a36229e3ea
Opcode Fuzzy Hash: 6f6f65a4bc1a53fbdfb786acc1b32e6b6f33fa4a9f5a62ddf4335156cd6f4228
Instruction Fuzzy Hash: 6C21D130E183019FDB10EF24D845BAA3BA4EFA4754F58807CFC5E5B2C2D672A885D796

Function 0104A790 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0104A79C

Part of subcall function 01240441: RtlFreeHeap.NTDLL(00000000,00000000,7534EA60,0103B28A,?,?,00000000), ref: 01240455
Part of subcall function 01240441: GetLastError.KERNEL32(?,?,00000000), ref: 01240467

CloseHandle.KERNEL32(?,?,?,?,?,0104A915,?,?,0103CDDF,00000076), ref: 0104A7E0
uv_close.FOPHOLDE(?,0104C450,?,?,0104A915,?,?,0103CDDF,00000076), ref: 0104A839
CloseHandle.KERNEL32(?,?,?,0104A915,?,?,0103CDDF,00000076), ref: 0104A85D

Strings

pipe->flags && UV_HANDLE_CONNECTION, xrefs: 0104A81C
src\win\pipe.c, xrefs: 0104A817

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CloseHandle$ErrorFreeHeapLast_freeuv_close
String ID: pipe->flags && UV_HANDLE_CONNECTION$src\win\pipe.c
API String ID: 2471423792-525480895
Opcode ID: 97bf3d9c3a1deb42d2a946f6e0991790f408f15d37025a5dd0487e93d8f3658e
Instruction ID: 53abd16740bed86dba0d5d502f51ae58611f3fe3faf22b32e22d939f8cfa3481
Opcode Fuzzy Hash: 97bf3d9c3a1deb42d2a946f6e0991790f408f15d37025a5dd0487e93d8f3658e
Instruction Fuzzy Hash: A9118CB1640B019BF270CE3EDCC4B92B6E4BB54224F108A3CE6E7D7290E730E54A8B50

Function 01045520 Relevance: 10.6, APIs: 7, Instructions: 57COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0104552D
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 01045543
GetStdHandle.KERNEL32(000000F5), ref: 01045547
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 01045557
GetStdHandle.KERNEL32(000000F4), ref: 0104555B
SetHandleInformation.KERNEL32(00000000,00000001,00000000), ref: 0104556B
GetStartupInfoW.KERNEL32(?), ref: 01045572

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle$Information$InfoStartup
String ID:
API String ID: 4234762616-0
Opcode ID: 9548a8e2c5271cb32db060a08f213aa48472b0a187bb444a6cf27fabae51212e
Instruction ID: ca5c140106f4e6ae77af983adbac821f432197d32d28691583314949f8341ada
Opcode Fuzzy Hash: 9548a8e2c5271cb32db060a08f213aa48472b0a187bb444a6cf27fabae51212e
Instruction Fuzzy Hash: 5F01D6F1A003157BEA70563D8CD8FAA3B9B5F81B70F684B75F264D60E0E660D485C691

Function 01040E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(00000000,?,?,?,01040D30,?,00008000), ref: 01040E20
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000409,00000000,00000000,00000000,?,?,?,?,01040D30,?,00008000), ref: 01040E49
GetLastError.KERNEL32(?,?,?,?,01040D30,?,00008000), ref: 01040E4F
FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,01040D30,?,00008000), ref: 01040E6B
FormatMessageA.KERNEL32(00002500,error: %1!d!,00000000,00000000,00000000,00000000,?,?,?,?,?,01040D30,?,00008000), ref: 01040E8B

Strings

error: %1!d!, xrefs: 01040E81

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FormatMessage$ErrorFreeLastLocal
String ID: error: %1!d!
API String ID: 1560308098-3423070664
Opcode ID: 29eb7ee25ae2f2949b99b6d18338d0aff2ea24415423946e686b64115c9b6730
Instruction ID: ee62ebac001e42a0450ea5773911c05808569e8ca0b1a6521edda88b4af9fb7c
Opcode Fuzzy Hash: 29eb7ee25ae2f2949b99b6d18338d0aff2ea24415423946e686b64115c9b6730
Instruction Fuzzy Hash: BF0162B2385311BBF630569A9C8AF977A9CDB85F91F208569F704FA1C4D6B1E40086A8

Function 00F505E0 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F505F0

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?HasInstance@Buffer@node@@SA_NV?$Handle@VValue@v8@@@v8@@@Z.FOPHOLDE(?), ref: 00F50650

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value$Buffer@node@@Count@FieldHandleHandle@Instance@InternalObject@v8@@Scope@v8@@Value@v8@@@v8@@@
String ID:
API String ID: 3392861887-0
Opcode ID: 45255df2c31676eba0e5a1f2a9f56ae27e78274d4f1c518df025989b6c474fb4
Instruction ID: 4857215211939b3f862848bd90ecbea59fd06291cb78a7d7f0126f6b50c7dd33
Opcode Fuzzy Hash: 45255df2c31676eba0e5a1f2a9f56ae27e78274d4f1c518df025989b6c474fb4
Instruction Fuzzy Hash: 8B1125B1900A029FEA10EF28C94569AB364FF54329F004628DD5597382EF30FD69CBC2

Function 01049260 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 50COMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,00000000,00000000,?), ref: 010492B1
GetLastError.KERNEL32 ref: 010492C2

Part of subcall function 01051290: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,0142F7D8,00000000,00000000,01050C45,?,?,?,0103B1F8), ref: 01051635
Part of subcall function 01051290: LocalFree.KERNEL32(?), ref: 01051689

Strings

src\win\threadpool.c, xrefs: 01049271, 0104928B
PostQueuedCompletionStatus, xrefs: 010492C8
req->work_cb, xrefs: 01049290
req->type == UV_WORK, xrefs: 01049276

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CompletionErrorFormatFreeLastLocalMessagePostQueuedStatus
String ID: PostQueuedCompletionStatus$req->type == UV_WORK$req->work_cb$src\win\threadpool.c
API String ID: 2098653631-2934853814
Opcode ID: 7f49be095bc3c6fa9d09c1c88f14ac9e551dc8fd2e1ccffc8af32aaf86a0f6c1
Instruction ID: 4438c8b547be6b17254f48d22b57679246eff1369f82ef6e35a99fe02acaa726
Opcode Fuzzy Hash: 7f49be095bc3c6fa9d09c1c88f14ac9e551dc8fd2e1ccffc8af32aaf86a0f6c1
Instruction Fuzzy Hash: 46F0C2B2790301BBD260A760ED0AFA776E4BB98605F04483DF646A6A80D7B0B844C762

Function 01051060 Relevance: 10.5, APIs: 7, Instructions: 46COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 01051071
CloseHandle.KERNEL32(?), ref: 0105107E
DeleteCriticalSection.KERNEL32(?), ref: 0105108C
RtlWakeConditionVariable.NTDLL(?), ref: 010510AD
EnterCriticalSection.KERNEL32(?,?,?), ref: 010510BF
LeaveCriticalSection.KERNEL32(?,?,?), ref: 010510CC
SetEvent.KERNEL32(?,?,?), ref: 010510D9

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$CloseHandle$ConditionDeleteEnterEventLeaveVariableWake
String ID:
API String ID: 975408059-0
Opcode ID: 47d22e4af7cb679df9347bf14ec937cdf31f7067ba7212f15c6211d85c57ec89
Instruction ID: f139157d7795b5d02bf137cf91e62aaec19fe94d08a726f25439f05c634ee96e
Opcode Fuzzy Hash: 47d22e4af7cb679df9347bf14ec937cdf31f7067ba7212f15c6211d85c57ec89
Instruction Fuzzy Hash: E0017C31204210EBCBB06F78F84CB9BBFB5FF49702B0485A4F646D64A9C7749440CB61

Function 00F51370 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F5137F

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?NewSymbol@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(000000FF,length,000000FF), ref: 00F51390
?NewSymbol@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,_charsWritten,000000FF), ref: 00F513B8

Strings

length, xrefs: 00F5138A
_charsWritten, xrefs: 00F513B2

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@String@v8@@String@v8@@@2@Symbol@Value$HandleScope@v8@@
String ID: _charsWritten$length
API String ID: 959159405-3783560912
Opcode ID: 87c42c6c527038d2f6791887f56c49ad911d5165cef220049fdd4fdabfe9d7a8
Instruction ID: e9e6ed4e4d1b85607bf7cb5af4f3822b6f108154404fe65c95df199ff8cf896f
Opcode Fuzzy Hash: 87c42c6c527038d2f6791887f56c49ad911d5165cef220049fdd4fdabfe9d7a8
Instruction Fuzzy Hash: DEF0BE71944301ABC320EA659C45F9B73ACAB55734F240B39FAB0971D0FA30F20C8B6A

Function 012464A8 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,01246571,?), ref: 012464C2
GetProcAddress.KERNEL32(00000000), ref: 012464C9
EncodePointer.KERNEL32(00000000), ref: 012464D5
DecodePointer.KERNEL32(00000001,01246571,?), ref: 012464F2

Strings

combase.dll, xrefs: 012464BD
RoInitialize, xrefs: 012464B1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: fba812d0bc321b1fe4089d22d4547821d194c6fd9b4d4e2d3a606544f1d11ca5
Instruction ID: e1d54f05c20f3b90f7016f9ee9ed5423bf5ed5135bbdff118c06bd0f54591163
Opcode Fuzzy Hash: fba812d0bc321b1fe4089d22d4547821d194c6fd9b4d4e2d3a606544f1d11ca5
Instruction Fuzzy Hash: 00E01A70AB2202EFDB705F75FC0DB493A6ABB14B46F809525F202E11E8CBB54084DB04

Function 0124657D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,01246497), ref: 01246597
GetProcAddress.KERNEL32(00000000), ref: 0124659E
EncodePointer.KERNEL32(00000000), ref: 012465A9
DecodePointer.KERNEL32(01246497), ref: 012465C4

Strings

RoUninitialize, xrefs: 01246586
combase.dll, xrefs: 01246592

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 282eb65e6cc5c88fb6651d2d2c30a9e0afa14d6fc1d6ab18b7f8a307d87c721b
Instruction ID: 06b4dd78aa19397124fff95216fd6cbb9e5215437bdf7bc4ed585480dde3ae96
Opcode Fuzzy Hash: 282eb65e6cc5c88fb6651d2d2c30a9e0afa14d6fc1d6ab18b7f8a307d87c721b
Instruction Fuzzy Hash: BDE046B0662202EFEBB05F20F90DB0A3A6AAB00B42F108015FA01F52E8CBB140C4DB52

Function 0661CB02 Relevance: 10.2, Strings: 8, Instructions: 173COMMON

Download Yara Rule

Strings

}@$, xrefs: 0661CCF7
%@$, xrefs: 0661CD0A
@$, xrefs: 0661CC4C
]@$, xrefs: 0661CCE4
e@$, xrefs: 0661CC5F
y@$, xrefs: 0661CD30
A@$, xrefs: 0661CC72
@$, xrefs: 0661CCAB

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: @$$%@$$A@$$]@$$e@$$y@$$}@$$@$
API String ID: 0-699091084
Opcode ID: 7de094203428bbc8df18bb8092b66b92921ea8c7ceaec12aa9b71b2a00ef7a1e
Instruction ID: 4541421c784b53b8f7680d8f387f6236be05cb990b2981928df1f3643908e99c
Opcode Fuzzy Hash: 7de094203428bbc8df18bb8092b66b92921ea8c7ceaec12aa9b71b2a00ef7a1e
Instruction Fuzzy Hash: 5951DCB424C5006B5DBCAE564C91D27766AEBC4104B34AA1DB952EB308CD24FC7D4BBD

Function 06625502 Relevance: 9.1, Strings: 7, Instructions: 399COMMON

Download Yara Rule

Strings

)tA$, xrefs: 0662582E
itA$, xrefs: 06625902
ItA$, xrefs: 06625863
itA$, xrefs: 066258CD
ItA$, xrefs: 06625898
sA$, xrefs: 0662560F
)tA$, xrefs: 066257F9

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: )tA$$)tA$$ItA$$ItA$$itA$$itA$$sA$
API String ID: 0-4059677916
Opcode ID: f84d00f39d791c01d01ed86fe85be85f161136643cad1a8c304cc1cd73d53256
Instruction ID: 576477982e394dec162c22a50da58c69961f84dc3f6d96c5fe216f9210b5a544
Opcode Fuzzy Hash: f84d00f39d791c01d01ed86fe85be85f161136643cad1a8c304cc1cd73d53256
Instruction Fuzzy Hash: FAD1E670708A055BEFE46F958C91F6B7A65EB84300F14811CF921FB785CE36EC4A4BA9

Function 01049050 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

uv_close.FOPHOLDE(?,Function_001191A0), ref: 0104906D
uv_fs_req_cleanup.FOPHOLDE(?,?,Function_001191A0), ref: 01049073

Part of subcall function 01048D50: _free.LIBCMT ref: 01048D69
Part of subcall function 01048D50: _free.LIBCMT ref: 01048D7D

uv_fs_req_cleanup.FOPHOLDE(?), ref: 01049133
uv_close.FOPHOLDE(?,Function_001191A0), ref: 0104914A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _freeuv_closeuv_fs_req_cleanup
String ID:
API String ID: 2593067436-0
Opcode ID: 209a50711e60339d5515d9e59a6b7fe8e194dd7d4dd22a6236f624b0187b9de5
Instruction ID: 8af9e9d1d2857b9be8415213084d586307c03a41c0e05935b02da6e70696f4c3
Opcode Fuzzy Hash: 209a50711e60339d5515d9e59a6b7fe8e194dd7d4dd22a6236f624b0187b9de5
Instruction Fuzzy Hash: 8341A4B29003019BDB14DF6CCCC8FA677A8FF99214F0446B9ED899F259E770A544CB51

Function 00F48EF0 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9445c8c4b4b770ea26111e82860efe84262a306ae798fcbb5deb67c35feeb3a9
Instruction ID: 491291f2b6185a1c5d77b89f0341c3938a172a1b78141a7ec992ed8a9f765d2f
Opcode Fuzzy Hash: 9445c8c4b4b770ea26111e82860efe84262a306ae798fcbb5deb67c35feeb3a9
Instruction Fuzzy Hash: 85017972C1431567C611EE719C40D8B779DAF69378F240B25F8A4631D1FB31D65C87A2

Function 0103FD80 Relevance: 9.0, APIs: 4, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(01432458), ref: 0103FD9D

Strings

malloc, xrefs: 0103FD66

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalEnterSection
String ID: malloc
API String ID: 1904992153-2803490479
Opcode ID: cde479ecf8a41fd46155abf20dfb024a638e1f90075111ce74b9255873557a51
Instruction ID: 0107de0a383dbc5f2dcbb44575f31630991dc60881075feed37c64c5be882435
Opcode Fuzzy Hash: cde479ecf8a41fd46155abf20dfb024a638e1f90075111ce74b9255873557a51
Instruction Fuzzy Hash: 58018630B41203DFCB347B24F90CE5F37AAABE4714FA08169F991D22AADB7094508B12

Function 010F35E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010F363D
_free.LIBCMT ref: 010F36FF
_free.LIBCMT ref: 010F3733

Strings

Malloced operator new, xrefs: 010F36DB
CodeRange::GetNextAllocationBlock, xrefs: 010F3775

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID: CodeRange::GetNextAllocationBlock$Malloced operator new
API String ID: 269201875-2484319770
Opcode ID: 7f903ee475c2e1f1a38f45a4b062a315397d927ec6d8114b309463d2917b1f84
Instruction ID: 808a05632265e8b638bfffbb66970939c7e9c4ea517a700137bca7d33e60c307
Opcode Fuzzy Hash: 7f903ee475c2e1f1a38f45a4b062a315397d927ec6d8114b309463d2917b1f84
Instruction Fuzzy Hash: 60517AB4600612AFCB14DF18D581A56B7F0FF58314F10466CEA858BB11E731F9A9CBE2

Function 01083400 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0108347E
GetCurrentProcessId.KERNEL32 ref: 010834AC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 01083509
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 01083575

Strings

%d, xrefs: 01083485

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$CloseCurrentHandleProcess
String ID: %d
API String ID: 1245819386-545462948
Opcode ID: 55bbef832bce66a7c05af889c1dbd84985e3ff5bea3e6cc5935ba4f5fc5f806c
Instruction ID: d82a8ceab954884171c59b860afcf29bc2d2ea2bc47b792a4ecac126c969fce6
Opcode Fuzzy Hash: 55bbef832bce66a7c05af889c1dbd84985e3ff5bea3e6cc5935ba4f5fc5f806c
Instruction Fuzzy Hash: C041C6752043409FE331AF28EC48FABB7E8FB84B45F844869F985C6191DB74E545CB61

Function 0104CB90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(014324C8,?,?,?,00000000), ref: 0104CBA6
PostQueuedCompletionStatus.KERNEL32(?,0000001C,0000001C,00000048,?,00000000), ref: 0104CBEC
LeaveCriticalSection.KERNEL32(014324C8,?,00000000), ref: 0104CC40
GetLastError.KERNEL32(?,00000000), ref: 0104CC50

Strings

PostQueuedCompletionStatus, xrefs: 0104CC56

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$CompletionEnterErrorLastLeavePostQueuedStatus
String ID: PostQueuedCompletionStatus
API String ID: 1216617850-3446536168
Opcode ID: eb327894db6ad26440ad8f9e95845a72ebe076de30934be11cf0d72af55698bd
Instruction ID: ee8953fff98c0d1a9eabad8bbd3598471c4e32c56caadd0a9fccad1e3c412afd
Opcode Fuzzy Hash: eb327894db6ad26440ad8f9e95845a72ebe076de30934be11cf0d72af55698bd
Instruction Fuzzy Hash: AE21F7B16027199FEB71DE2DEAC4A66B7D4AB44250F0446B9EDC6C7661E730FC00C794

Function 010571C0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

?New@ObjectTemplate@v8@@CA?AV?$Local@VObjectTemplate@v8@@@2@V?$Handle@VFunctionTemplate@v8@@@2@@Z.FOPHOLDE(?), ref: 01057282

Strings

CHECK(%s) failed, xrefs: 010571D7, 01057297
allow_empty_handle || that != 0, xrefs: 010571D2, 01057292
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 010571E1, 010572A1
v8::FunctionTemplate::InstanceTemplate(), xrefs: 01057210

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Object$FunctionHandle@Local@New@Template@v8@@Template@v8@@@2@Template@v8@@@2@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::FunctionTemplate::InstanceTemplate()
API String ID: 2102707640-3700610921
Opcode ID: 6571abd7666678d7d9bc78ae2772f039c1a2243f41e8a587eb0cb19808ba5766
Instruction ID: 243f1bcb794bf222ea44899bed17dfdf826a2d55e66e1f2a969b22e9a0b52922
Opcode Fuzzy Hash: 6571abd7666678d7d9bc78ae2772f039c1a2243f41e8a587eb0cb19808ba5766
Instruction Fuzzy Hash: 46310172A002008FCB61DF2CD881A92BBF1FB45364F850199FDA8DB382D771E851CBA1

Function 0103DB40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 100networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,48000022,00000000,00000000,00000004), ref: 0103DB8E
getsockopt.WS2_32(?,0000FFFF,00002005), ref: 0103DC0A
WSAGetLastError.WS2_32 ref: 0103DC14

Strings

base_socket != 0 && base_socket != INVALID_SOCKET, xrefs: 0103DBAF
src\win\poll.c, xrefs: 0103DBAA

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorIoctlLastgetsockopt
String ID: base_socket != 0 && base_socket != INVALID_SOCKET$src\win\poll.c
API String ID: 1110927578-4151201771
Opcode ID: 5ee8d43b8d6382eaf6281af52ea4909546256a2f0532eabcd64a39a223913004
Instruction ID: 5aec1a2a41eccd0edf345c36d313ed78e605b7f04d5dc1655ecd4966df7be06c
Opcode Fuzzy Hash: 5ee8d43b8d6382eaf6281af52ea4909546256a2f0532eabcd64a39a223913004
Instruction Fuzzy Hash: 574162B16007019FE374DF25D448B67FBE8BF84714F508A1DE5AA8B2D0D7B4A4088B92

Function 0103CD80 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

Strings

!((handle)->flags & UV__HANDLE_CLOSING), xrefs: 0103CE39
src\win\handle.c, xrefs: 0103CE34

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: !((handle)->flags & UV__HANDLE_CLOSING)$src\win\handle.c
API String ID: 0-3951512300
Opcode ID: cf5a1910237c6abaa19d3ce142f8d6e86efb717efb87fc4fe51bdd3c0dbb76b5
Instruction ID: b595d11ea91a809815f004dc476bf46c25f2623acd425fa10362a0d5dea9518f
Opcode Fuzzy Hash: cf5a1910237c6abaa19d3ce142f8d6e86efb717efb87fc4fe51bdd3c0dbb76b5
Instruction Fuzzy Hash: 6A218732B106044BF620AA1CA541BEA77DD8BC1324F0481AFEECAD7380CA71E85287D2

Function 06668120 Relevance: 8.8, Strings: 7, Instructions: 95COMMON

Download Yara Rule

Strings

-OB$, xrefs: 066681CF
eWB$, xrefs: 06668151
]B$, xrefs: 06668183
I.B$, xrefs: 0666823A
!]B$, xrefs: 06668162
\B$, xrefs: 066681B2
I]B$, xrefs: 0666813E

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: ]B$$!]B$$-OB$$I.B$$I]B$$eWB$$\B$
API String ID: 0-3679836611
Opcode ID: 5b8a00d6f4426b750c8c778834b3552c07733e8f902e6443a0581adf1f64cfa7
Instruction ID: 2aa6bcd2312fd88b948f6605331af53321d0a982fcce0bb62bf54cf9db39e834
Opcode Fuzzy Hash: 5b8a00d6f4426b750c8c778834b3552c07733e8f902e6443a0581adf1f64cfa7
Instruction Fuzzy Hash: 77313274B045095B9FC0EEB6ED9056EBBE9BF88204B148819FC25EB344EE34DD4187B9

Function 01062BF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 87COMMON

Download Yara Rule

APIs

?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?), ref: 01062C6F
?New@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@H@Z.FOPHOLDE(?,?,?,?), ref: 01062C83

Strings

CHECK(%s) failed, xrefs: 01062C00
allow_empty_handle || that != 0, xrefs: 01062BFB
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01062C0A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Integer@v8@@Integer@v8@@@2@Local@New@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h
API String ID: 2637664565-1498802491
Opcode ID: 2c70f717cf865cec411247a0192531a2573cfcc08cd8901105d21ced87c25b59
Instruction ID: 21a9f28df1f14695414d19e45b37cb0c5a9811aa0b69e6a6727db8cd0b9019f6
Opcode Fuzzy Hash: 2c70f717cf865cec411247a0192531a2573cfcc08cd8901105d21ced87c25b59
Instruction Fuzzy Hash: 953167B6604A00CFC711DF1CC8C0E96B7F8FB99320F4A4599E9899B326D730E805CBA1

Function 01057E90 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

APIs

?AddInstancePropertyAccessor@FunctionTemplate@v8@@AAEXV?$Handle@VString@v8@@@2@P6A?AV?$Handle@VValue@v8@@@2@V?$Local@VString@v8@@@2@ABVAccessorInfo@2@@ZP6AX1V?$Local@VValue@v8@@@2@2@ZV42@W4AccessControl@2@W4PropertyAttribute@2@V?$Handle@VAccessorSignature@v8@@@2@@Z.FOPHOLDE(00000001,?,?,?,?,?,?), ref: 01057F86

Strings

v8::ObjectTemplate::SetAccessor(), xrefs: 01057EE0
CHECK(%s) failed, xrefs: 01057EA7
allow_empty_handle || that != 0, xrefs: 01057EA2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01057EB1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle@$AccessorLocal@PropertyString@v8@@@2@$AccessAccessor@Attribute@2@Control@2@FunctionInfo@2@@InstanceSignature@v8@@@2@@Template@v8@@V42@Value@v8@@@2@Value@v8@@@2@2@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::ObjectTemplate::SetAccessor()
API String ID: 1536619360-125588981
Opcode ID: 1196f488ad7ea99d19976748ddd73c123ffd46d87cb524750eb9404ef4f606df
Instruction ID: 4243c781f32409666eb220e99e562d30a3b63460110fb14a3c589e4d188d4679
Opcode Fuzzy Hash: 1196f488ad7ea99d19976748ddd73c123ffd46d87cb524750eb9404ef4f606df
Instruction Fuzzy Hash: 1631A9366087019FCB66EF68D840AD7BBF1FF48310F84095DE9AA87391D731A810EB91

Function 01058480 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

?SetIndexedInstancePropertyHandler@FunctionTemplate@v8@@AAEXP6A?AV?$Handle@VValue@v8@@@2@IABVAccessorInfo@2@@ZP6A?AV32@IV?$Local@VValue@v8@@@2@0@ZP6A?AV?$Handle@VInteger@v8@@@2@I0@ZP6A?AV?$Handle@VBoolean@v8@@@2@I0@ZP6A?AV?$Handle@VArray@v8@@@2@0@ZV32@@Z.FOPHOLDE(00000001,?,?,?,?,?), ref: 01058573

Strings

CHECK(%s) failed, xrefs: 01058497
allow_empty_handle || that != 0, xrefs: 01058492
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 010584A1
v8::ObjectTemplate::SetIndexedPropertyHandler(), xrefs: 010584D0

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle@$AccessorArray@v8@@@2@0@Boolean@v8@@@2@FunctionHandler@IndexedInfo@2@@InstanceInteger@v8@@@2@Local@PropertyTemplate@v8@@V32@V32@@Value@v8@@@2@Value@v8@@@2@0@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::ObjectTemplate::SetIndexedPropertyHandler()
API String ID: 4149328788-1073061368
Opcode ID: a94b75fbf7db9103a1e14dd143b697d1dc39f1b73944a16be70a8542c1a528b2
Instruction ID: 303ac93eb6e7c02f04ab81008b24834bef63b7fdfec15bd25b4991fa101b76a8
Opcode Fuzzy Hash: a94b75fbf7db9103a1e14dd143b697d1dc39f1b73944a16be70a8542c1a528b2
Instruction Fuzzy Hash: 7C31AB751086019FC7A6EF29D840AD7BBF1FF44314F04855EEDA987391DB31A814CB91

Function 01057FD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

?SetNamedInstancePropertyHandler@FunctionTemplate@v8@@AAEXP6A?AV?$Handle@VValue@v8@@@2@V?$Local@VString@v8@@@2@ABVAccessorInfo@2@@ZP6A?AV32@0V?$Local@VValue@v8@@@2@1@ZP6A?AV?$Handle@VInteger@v8@@@2@01@ZP6A?AV?$Handle@VBoolean@v8@@@2@01@ZP6A?AV?$Handle@VArray@v8@@@2@1@ZV32@@Z.FOPHOLDE(00000001,?,?,?,?,?), ref: 010580C3

Strings

CHECK(%s) failed, xrefs: 01057FE7
allow_empty_handle || that != 0, xrefs: 01057FE2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01057FF1
v8::ObjectTemplate::SetNamedPropertyHandler(), xrefs: 01058020

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle@$Local@$AccessorArray@v8@@@2@1@Boolean@v8@@@2@01@FunctionHandler@Info@2@@InstanceInteger@v8@@@2@01@NamedPropertyString@v8@@@2@Template@v8@@V32@0V32@@Value@v8@@@2@Value@v8@@@2@1@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::ObjectTemplate::SetNamedPropertyHandler()
API String ID: 2136125739-1960958966
Opcode ID: c72c7d4cac8225a244ec862a24a4d95a1a8ba9a816a841861e3f3c31505b52e5
Instruction ID: 1dd2563fe908608f3653b722af435b6c2f9bc2dd8ee0020eed1970cb030d807b
Opcode Fuzzy Hash: c72c7d4cac8225a244ec862a24a4d95a1a8ba9a816a841861e3f3c31505b52e5
Instruction Fuzzy Hash: F9319A351087019FCBA6EF29D840AD7BBF1FB44310F04895AFDAA87391DB71A854CB90

Function 010585C0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81COMMON

Download Yara Rule

APIs

?SetInstanceCallAsFunctionHandler@FunctionTemplate@v8@@AAEXP6A?AV?$Handle@VValue@v8@@@2@ABVArguments@2@@ZV32@@Z.FOPHOLDE(00000001,?), ref: 010586A7

Strings

CHECK(%s) failed, xrefs: 010585D7
allow_empty_handle || that != 0, xrefs: 010585D2
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 010585E1
v8::ObjectTemplate::SetCallAsFunctionHandler(), xrefs: 01058610

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Function$Arguments@2@@CallHandle@Handler@InstanceTemplate@v8@@V32@@Value@v8@@@2@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h$v8::ObjectTemplate::SetCallAsFunctionHandler()
API String ID: 3936215797-2943672133
Opcode ID: 0e9eb77ca754b63b3d259ed75849aa38b83f1aa31550a38bf417e9392450d10f
Instruction ID: a6c9c854095a071d357a3f0bf4f9f49df603f08ef3f5b35de69785f4f0f44458
Opcode Fuzzy Hash: 0e9eb77ca754b63b3d259ed75849aa38b83f1aa31550a38bf417e9392450d10f
Instruction Fuzzy Hash: 393178756086019FC7A6EF39D480AD7BBF4FB49314F04855EE9AA87391D770A804CB61

Function 06668400 Relevance: 8.8, Strings: 7, Instructions: 78COMMON

Download Yara Rule

Strings

I]B$, xrefs: 0666841C
]B$, xrefs: 06668477
!]B$, xrefs: 066684AA
eWB$, xrefs: 0666845A
]B$, xrefs: 06668497
!]B$, xrefs: 0666842E
\B$, xrefs: 066684EF

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: ]B$$]B$$!]B$$!]B$$I]B$$eWB$$\B$
API String ID: 0-983191254
Opcode ID: 2a63aaf12ae6af0541985e8018a9ce1dc4e7b6a3c6ca4e0f906d84731b2aa0bf
Instruction ID: 7258442bbc460cbfd7e483a5fff2bc61b525ad90453ef942730f01d594d73412
Opcode Fuzzy Hash: 2a63aaf12ae6af0541985e8018a9ce1dc4e7b6a3c6ca4e0f906d84731b2aa0bf
Instruction Fuzzy Hash: 63217434F18104AB9FC4EABA989496EB7A9AF88314B54C41EAC15EB341DD34DD40C765

Function 01042730 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

WriteConsoleInputW.KERNEL32(?,?,00000001,?), ref: 010427B7
GetLastError.KERNEL32 ref: 010427C1
CloseHandle.KERNEL32(?), ref: 010427F2

Strings

src\win\tty.c, xrefs: 01042774
(handle)->activecnt >= 0, xrefs: 01042779

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CloseConsoleErrorHandleInputLastWrite
String ID: (handle)->activecnt >= 0$src\win\tty.c
API String ID: 251486029-3088373702
Opcode ID: 94a9189036532e0aa697c23dd25339ac264f0d9d43ea05ea52868336295a0048
Instruction ID: 9fe9d0c3bbae9f69344c00f4d60b25b20a4d560594f23204f19576dcea615f8a
Opcode Fuzzy Hash: 94a9189036532e0aa697c23dd25339ac264f0d9d43ea05ea52868336295a0048
Instruction Fuzzy Hash: 9621C1B1700B029FE360DF29E9857A7BBE4BF94720F84466DF89292691D730E485CB91

Function 01048F30 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

uv_close.FOPHOLDE(00000000,010491A0), ref: 01048F90

Strings

ctx->parent_handle != NULL, xrefs: 01048F67
src\fs-poll.c, xrefs: 01048F49, 01048F62, 01048FA1
ctx != NULL, xrefs: 01048F4E
((handle)->flags & UV__HANDLE_CLOSING) == 0, xrefs: 01048FA6

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: uv_close
String ID: ((handle)->flags & UV__HANDLE_CLOSING) == 0$ctx != NULL$ctx->parent_handle != NULL$src\fs-poll.c
API String ID: 651258231-2425673172
Opcode ID: 342b220f7176fb712ab291d7fe8f4af49ad539bdeae6ef8ea1677125019599c8
Instruction ID: 7a76c8de559447dd01ddeb03eae075824c55c216a23b4825d3acfded1b9b6fa3
Opcode Fuzzy Hash: 342b220f7176fb712ab291d7fe8f4af49ad539bdeae6ef8ea1677125019599c8
Instruction Fuzzy Hash: D7012BF26447026FE7215B69E845B41BBE0BF54708F04896DFBC53A680E3B4B5448B45

Function 00F51C90 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

Strings

c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h, xrefs: 00F51C9A, 00F51CBB
handle->InternalFieldCount() > 0, xrefs: 00F51CC0
!handle.IsEmpty(), xrefs: 00F51C9F

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Count@FieldInternalObject@v8@@
String ID: !handle.IsEmpty()$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h$handle->InternalFieldCount() > 0
API String ID: 3192651143-3347309434
Opcode ID: 620607691bbafdaaf3f93e81d1beef20e3f40a8feb2abb606c46cbd48b445d4d
Instruction ID: 41af51e4703da07d9273766da25be2546ee3cb6fda8275e815d81046ba042d76
Opcode Fuzzy Hash: 620607691bbafdaaf3f93e81d1beef20e3f40a8feb2abb606c46cbd48b445d4d
Instruction Fuzzy Hash: 39F02234B942426FDB18DB18C8A9FA8B3557BA1625F04429CFD56AF3C1C722AC4AE705

Function 00F4F940 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE(?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F94D

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?New@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F95A
?TypeError@Exception@v8@@SA?AV?$Local@VValue@v8@@@2@V?$Handle@VString@v8@@@2@@Z.FOPHOLDE(?,00000000,000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F966
?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,00000000,?,00000000,000000FF,Argument must be a string,000000FF,?,?,?,?,?,?,?,?,00F535DB), ref: 00F4F96E

Strings

Argument must be a string, xrefs: 00F4F958

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Exception@v8@@Handle@Local@Value$Error@HandleNew@Scope@v8@@String@v8@@String@v8@@@2@String@v8@@@2@@ThrowTypeV21@@Value@v8@@@1@Value@v8@@@2@
String ID: Argument must be a string
API String ID: 4113611828-877334576
Opcode ID: a04fdc514f973032209fc9a20e8da4eb70c6c4550828299bf3e693d60e98069a
Instruction ID: e4ae627621604576bceb8c855203960887721caeaca9499e657bb279986ae196
Opcode Fuzzy Hash: a04fdc514f973032209fc9a20e8da4eb70c6c4550828299bf3e693d60e98069a
Instruction Fuzzy Hash: A601FF759082029FCB00EE68C844ADB7BF9EFD5364F58057DF49C8B292D632940ACB62

Function 06664800 Relevance: 7.8, Strings: 6, Instructions: 261COMMON

Download Yara Rule

Strings

EOB$, xrefs: 066649B4
-OB$, xrefs: 066649A1
mNB$, xrefs: 06664AF5
NB$, xrefs: 06664955
aOB$, xrefs: 066649C7
OB$, xrefs: 06664A6E

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: -OB$$EOB$$aOB$$mNB$$NB$$OB$
API String ID: 0-2938443396
Opcode ID: 2e14380d553684f60603954a5a43037ba9e160c342f5e891f169d8c42c2d6ae5
Instruction ID: ef9dd7dc68109d6ffe33930cadccf82b76667549bd8b2d968072c51242a86a4c
Opcode Fuzzy Hash: 2e14380d553684f60603954a5a43037ba9e160c342f5e891f169d8c42c2d6ae5
Instruction Fuzzy Hash: AC81D2787043095BDFC0AF25DDA0A2E7B96BF88254B188C1AFD21DF340CD39D8A19B59

Function 06665120 Relevance: 7.7, Strings: 6, Instructions: 222COMMON

Download Yara Rule

Strings

!WB$, xrefs: 0666535C
5WB$, xrefs: 06665382
yWB$, xrefs: 066653CD
QWB$, xrefs: 066653AA
1SB$, xrefs: 06665268
eWB$, xrefs: 066653BD

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: !WB$$1SB$$5WB$$QWB$$eWB$$yWB$
API String ID: 0-4255674409
Opcode ID: 796974391a041cd92041fbc311e43d357654797b48e12ba5cd014088355428b6
Instruction ID: b4cc749618d7f8436515e008caff887f22cf79d5adb9daa95f6cb110592b9d1b
Opcode Fuzzy Hash: 796974391a041cd92041fbc311e43d357654797b48e12ba5cd014088355428b6
Instruction Fuzzy Hash: B67103787043096BDFC0BE65ACE1A6E7B59AF84250F188C19FD32DE340CE39D8A19759

Function 010F3C50 Relevance: 7.7, APIs: 1, Strings: 4, Instructions: 175COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,?,010C5604,?,?,?,?), ref: 010F3DBD

Strings

%s,"%s", xrefs: 010F3CFF
V8 Executable Allocation capacity exceeded, xrefs: 010F3CE9
MemoryChunk, xrefs: 010F3E23
MemoryAllocator::AllocateRawMemory, xrefs: 010F3CEE

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FreeVirtual
String ID: %s,"%s"$MemoryAllocator::AllocateRawMemory$MemoryChunk$V8 Executable Allocation capacity exceeded
API String ID: 1263568516-4058448131
Opcode ID: c8fc5b392639ca30439f2b643b0d331fe1b3b2b7d7034c0731e7cdb3e3d21c6b
Instruction ID: 98a40029f047e35accd7054a04497b7e7711dea43d2a94235467fdb2380f08cf
Opcode Fuzzy Hash: c8fc5b392639ca30439f2b643b0d331fe1b3b2b7d7034c0731e7cdb3e3d21c6b
Instruction Fuzzy Hash: A661FF706043019FD704DF18D895BAABBE8FF84328F08886DEA998F781D771E945CB91

Function 010B1A30 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010B1AE8
_free.LIBCMT ref: 010B1AF0
_free.LIBCMT ref: 010B1AF8
_free.LIBCMT ref: 010B1B00
_free.LIBCMT ref: 010B1B08

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8bfb26d13a5310b1afb5d937865c971f9650e005f0d21dd4b2c0f629af4415af
Instruction ID: 8c1c5abed7961f43a08f17b8f8ad6612923645dc59455ea72a7952500ba8bb3a
Opcode Fuzzy Hash: 8bfb26d13a5310b1afb5d937865c971f9650e005f0d21dd4b2c0f629af4415af
Instruction Fuzzy Hash: 31218B716106229FDB35AF29D8D09EB77F5FFA0200B05097DE6C753921DA31F885CA91

Function 01045380 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(?,00000001), ref: 0104539F
GetExitCodeProcess.KERNEL32(?,?), ref: 010453FB
GetLastError.KERNEL32(?,?), ref: 01045405

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Process$CodeErrorExitLastTerminate
String ID:
API String ID: 1075407963-0
Opcode ID: 031f11ae2ff898fcced242aafd761d21c48dd5ad2a6de5419d72aead3c915c2a
Instruction ID: 317f575b5aff29ce72b55883ba2c3650ba0c937d712b13a0fab7ee7e9e5192f9
Opcode Fuzzy Hash: 031f11ae2ff898fcced242aafd761d21c48dd5ad2a6de5419d72aead3c915c2a
Instruction Fuzzy Hash: 2911E27A302110CBE7259A19F8886EEB799DBC52A3F18C07BF682C1194CF7085869761

Function 0104F320 Relevance: 7.6, APIs: 5, Instructions: 69networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(00000002,00000001,00000000,?,00000000,00000001), ref: 0104F332
WSAGetLastError.WS2_32(?,?,?,0104AB42,?), ref: 0104F33F
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?,?,0104AB42,?), ref: 0104F362
GetLastError.KERNEL32(?,?,?,0104AB42,?), ref: 0104F36C
closesocket.WS2_32(00000000), ref: 0104F385

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$HandleInformationSocketclosesocket
String ID:
API String ID: 1159780279-0
Opcode ID: 069400616c232974abecc2bace4f9e885f0ec8fd70e3b368972bc2a8fd6481d4
Instruction ID: b173f2f1e9b8da1e3764361586812182fdc7c9fc39ba2bf1b96cfd7e672a7b02
Opcode Fuzzy Hash: 069400616c232974abecc2bace4f9e885f0ec8fd70e3b368972bc2a8fd6481d4
Instruction Fuzzy Hash: A111D671700211ABD720AB39E888B4AFBA5FF84721F14C765F5558A2D1C7B0D490C7D0

Function 010441E0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?), ref: 010441FA
GetLastError.KERNEL32 ref: 01044206

Strings

r == ws_len, xrefs: 01044256
src\win\process.c, xrefs: 01044251

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID: r == ws_len$src\win\process.c
API String ID: 203985260-4048495732
Opcode ID: 60a9f6986b7d8055797b31e0e4db51ee84ca424abba23ad7a784d0dd38410575
Instruction ID: 064357999170f2665cd936761c9bda9e62c93f003d38ebbdb16eb11b13d0875e
Opcode Fuzzy Hash: 60a9f6986b7d8055797b31e0e4db51ee84ca424abba23ad7a784d0dd38410575
Instruction Fuzzy Hash: 8E014936B44200ABD330BE1ABC45F9B7799DBC5B72F644136FE14DA3C4D624A84987B1

Function 01069280 Relevance: 7.6, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,010D2E64,?,01064549), ref: 01080773
TlsGetValue.KERNEL32(?,?,?,?,?,010D2E64,?,01064549), ref: 0108077D
TlsSetValue.KERNEL32(?,?,?,?,?,?,010D2E64,?,01064549), ref: 01080790
TlsSetValue.KERNEL32(00000000,?,?,?,?,?,010D2E64,?,01064549), ref: 0108079A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 7bf960017386ec020bef3672d8b75d1fe43bc105383eb3b29ccbbafdf2e4a316
Instruction ID: e9aff72c999cd4f1c30f5440ac2c8f8b54459793b50fe933e95e9239186486a2
Opcode Fuzzy Hash: 7bf960017386ec020bef3672d8b75d1fe43bc105383eb3b29ccbbafdf2e4a316
Instruction Fuzzy Hash: 9A11A935604124DFD7317F64EC84E6EBBF9FB89650F440169F58153278CBB2AC449BA0

Function 01047410 Relevance: 7.6, APIs: 5, Instructions: 55fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000100,00000007,00000000,00000003,02000000,00000000,?,?,?,01048C13), ref: 01047432
GetLastError.KERNEL32(?,01048C13), ref: 01047442
GetLastError.KERNEL32 ref: 01047480
CloseHandle.KERNEL32(00000000), ref: 01047497

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandle
String ID:
API String ID: 614986841-0
Opcode ID: 6bbebb386e64154b38265e4c5589c634a93b1262589c9dc991c50f183f021f93
Instruction ID: 261bb8c6ab1d91862128937b0c81573ebcfeb353abf8a6e1a9ff82687c33291d
Opcode Fuzzy Hash: 6bbebb386e64154b38265e4c5589c634a93b1262589c9dc991c50f183f021f93
Instruction Fuzzy Hash: 7C11C271A01700DBD7709F39A80979ABBE8EB85631F00862AE9AEC66E0DFB164008750

Function 01051020 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 01050C50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0103B1F8), ref: 01050BBF
Part of subcall function 01050C50: SetEvent.KERNEL32(00000000), ref: 01050BE0

InitializeCriticalSection.KERNEL32(?), ref: 01050FCE
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 01050FDC
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 01050FF1
CloseHandle.KERNEL32(?), ref: 01051001
DeleteCriticalSection.KERNEL32(?), ref: 01051008

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Event$Create$CriticalSection$CloseDeleteHandleInitialize
String ID:
API String ID: 776738967-0
Opcode ID: 92e9263feb6b5d056a8e09133dd1da2e0a77918036deac06c2ade7d9e2e9d076
Instruction ID: 517f1b1e6ca7e544f1a7d3c484fcf013269808d3674f58d3aec49f33ab942494
Opcode Fuzzy Hash: 92e9263feb6b5d056a8e09133dd1da2e0a77918036deac06c2ade7d9e2e9d076
Instruction Fuzzy Hash: 5201BC30304300ABE7B05F28FC09B6B3AE1AB84B11F405559FA96E61D8DBB0E8019B10

Function 01047950 Relevance: 7.5, APIs: 5, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000000,00000000,00000000,00000003,02200000,00000000,?,?,01048377), ref: 01047969
GetLastError.KERNEL32 ref: 01047979
GetLastError.KERNEL32 ref: 010479AC
CloseHandle.KERNEL32(00000000), ref: 010479C3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$CloseCreateFileHandle
String ID:
API String ID: 614986841-0
Opcode ID: d1603a62beef555883b56d2a31da050274bd4be6f763b0c82c2f73336acf76b4
Instruction ID: 85244cc23a5d8ca8b12af84df82482bd06ed7329131b8cd46a23a253c7863e6f
Opcode Fuzzy Hash: d1603a62beef555883b56d2a31da050274bd4be6f763b0c82c2f73336acf76b4
Instruction Fuzzy Hash: 30018071601701DBE7B05B39BC4C78ABBE5AB84721F10892EE997C62E4DB7064408710

Function 0103FAC0 Relevance: 7.5, APIs: 5, Instructions: 46processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000000,?), ref: 0103FADB
CreateToolhelp32Snapshot.KERNEL32 ref: 0103FAEF
Process32First.KERNEL32(00000000,00000002), ref: 0103FAFD
Process32Next.KERNEL32(00000000,00000002), ref: 0103FB1C
CloseHandle.KERNEL32(00000000), ref: 0103FB29

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32
String ID:
API String ID: 592884611-0
Opcode ID: 08951d23303175ed2d1b5605c625e072375e8b13b50f47da6c18e1f5fcb63bd1
Instruction ID: cada8b0326ef6a473c82b1b5489f8ac3ec0c1db00b2d12c4926e3d8f61edd4ec
Opcode Fuzzy Hash: 08951d23303175ed2d1b5605c625e072375e8b13b50f47da6c18e1f5fcb63bd1
Instruction Fuzzy Hash: E801B171601202DBD320DF14EC58AAEBBE9EB85351F404919F655861D1EB319948CBA2

Function 00F4FD40 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F4FD4E

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?NewFromUnsigned@Integer@v8@@SA?AV?$Local@VInteger@v8@@@2@I@Z.FOPHOLDE(?,00000000), ref: 00F4FD5A
?GetFunction@FunctionTemplate@v8@@QAE?AV?$Local@VFunction@v8@@@2@XZ.FOPHOLDE(?), ref: 00F4FD73
?NewInstance@Function@v8@@QBE?AV?$Local@VObject@v8@@@2@HQAV?$Handle@VValue@v8@@@2@@Z.FOPHOLDE(?,00000001,?,?), ref: 00F4FD86

Part of subcall function 00F51C90: ?InternalFieldCount@Object@v8@@QAEHXZ.FOPHOLDE(00F4FD94,?,?,00000001,?,?), ref: 00F51CB0

?Replace@Buffer@node@@AAEXPADIP6AX0PAX@Z1@Z.FOPHOLDE(?,?,?,?,?), ref: 00F4FDA7

Part of subcall function 00F4FFC0: ??0HandleScope@v8@@QAE@XZ.FOPHOLDE(?,00000000,?,00F4FDAC,?,?,?,?,?), ref: 00F4FFD1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Local@$HandleScope@v8@@Value$Buffer@node@@Count@FieldFromFunctionFunction@Function@v8@@Function@v8@@@2@Handle@Instance@Integer@v8@@Integer@v8@@@2@InternalObject@v8@@Object@v8@@@2@Replace@Template@v8@@Unsigned@Value@v8@@@2@@
String ID:
API String ID: 4174871323-0
Opcode ID: ca047c1b4c8f76cc6e59778044647b9845fbad3396c2b69c348ca3d0cc254311
Instruction ID: 97050d40a503f77fae9e243e114d0fd2f6e3642933271dc0610e68909e251c34
Opcode Fuzzy Hash: ca047c1b4c8f76cc6e59778044647b9845fbad3396c2b69c348ca3d0cc254311
Instruction Fuzzy Hash: 33F0AF72414305BFCB00EF60DC01D9F3BACAF58310F008928F999871A0EB31EA28DB92

Function 01048DE0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

_calloc.LIBCMT ref: 01048E13

Strings

src\fs-poll.c, xrefs: 01048EF6
((handle)->flags & UV__HANDLE_CLOSING) == 0, xrefs: 01048EFB

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _calloc
String ID: ((handle)->flags & UV__HANDLE_CLOSING) == 0$src\fs-poll.c
API String ID: 1679841372-3299888654
Opcode ID: f6de1b6840867a7dfc954ae71501793dd5706b0a14513f81aa216a79682d0c2e
Instruction ID: 5c3249350636df13412b0aa3870c8b0fe90e0ba11b71404a5d35e5b3f0b2f04b
Opcode Fuzzy Hash: f6de1b6840867a7dfc954ae71501793dd5706b0a14513f81aa216a79682d0c2e
Instruction Fuzzy Hash: 5341AFB1500B06AFD754CF69C880BA6BBE4FF48358F00896AED888B641E371E564CFD0

Function 010BAD50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 010BAE4B

Part of subcall function 010BB700: _free.LIBCMT ref: 010BB750

Strings

Malloced operator new, xrefs: 010BAD71

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID: Malloced operator new
API String ID: 269201875-3527538379
Opcode ID: 454ec81cb103507c0bbee2a64d7cb05fab3a27aca468b81446e627b8c52c0ac3
Instruction ID: caff930244f0afaa60ef11fc8adadcdcd2df011038991f01fef681760279053d
Opcode Fuzzy Hash: 454ec81cb103507c0bbee2a64d7cb05fab3a27aca468b81446e627b8c52c0ac3
Instruction Fuzzy Hash: 473181715043119BC711EF18C8C0AAAB7E4FB98714F0046ADED9A5B202E731EE55CBC5

Function 01064320 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 86COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 010643BB

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Strings

CHECK(%s) failed, xrefs: 01064337
allow_empty_handle || that != 0, xrefs: 01064332
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01064341

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value$HandleScope@v8@@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h
API String ID: 2989282254-1498802491
Opcode ID: 3c79aa063def312183814c23b3fba7775d1a326073671417caa625cdfc7322ed
Instruction ID: 3e8c3caecb63b9e362dd7f44da060988ec706b55bdd51f290611728621674ff3
Opcode Fuzzy Hash: 3c79aa063def312183814c23b3fba7775d1a326073671417caa625cdfc7322ed
Instruction Fuzzy Hash: 4031F9716082019FD711EF28D840ADAB7F4FF54354F04056EF9D99B391DB32A855CB91

Function 01054720 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010547E6

Strings

external memory allocation limit reached, xrefs: 0105477B
%8.0f ms: , xrefs: 01054802
Adjust amount of external memory: delta=%6d KB, amount=%6d KB, isolate=0x%08x., xrefs: 01054835

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %8.0f ms: $Adjust amount of external memory: delta=%6d KB, amount=%6d KB, isolate=0x%08x.$external memory allocation limit reached
API String ID: 885266447-2537000729
Opcode ID: eb0d58fff1932e83639ebcb057fc85ee1de5c2d3ec00e300dfc6e55b4d9cf6ee
Instruction ID: 1fa82b43579af5330fba01e1b9121bc5806217294746e0e613ffcbc916562411
Opcode Fuzzy Hash: eb0d58fff1932e83639ebcb057fc85ee1de5c2d3ec00e300dfc6e55b4d9cf6ee
Instruction Fuzzy Hash: 9A31D1716407079BE3649E38E851BBBB7E6FBA5204F00092CECAAD7640E771B5908780

Function 0103B0C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000001,00000000,0103B230), ref: 0103B0CB
GetTickCount.KERNEL32 ref: 0103B0EA
GetLastError.KERNEL32 ref: 0103B195

Strings

CreateIoCompletionPort, xrefs: 0103B19B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CompletionCountCreateErrorLastPortTick
String ID: CreateIoCompletionPort
API String ID: 2127828322-622261631
Opcode ID: 4fd8ba1b069fcf80d652f19d85cd73e6a6683accc3cff4966a6686eaa6d5e3e6
Instruction ID: b9064ddef4d51f79d34bf5801b9c883e5b443f39bf422de517a732be26ea90d3
Opcode Fuzzy Hash: 4fd8ba1b069fcf80d652f19d85cd73e6a6683accc3cff4966a6686eaa6d5e3e6
Instruction Fuzzy Hash: BE21AEB0501B008FE3709F26D568357BBF1BB48718F508A1ED5968BB94E7BAA448CF80

Function 0103FC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetConsoleTitleW.KERNEL32(00002000,00002000), ref: 0103FC92
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000000FF,000000FF,00000000,00000000,00000000,00000000,00000000), ref: 0103FCCB

Strings

malloc, xrefs: 0103FD66

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ByteCharConsoleMultiTitleWide
String ID: malloc
API String ID: 859362121-2803490479
Opcode ID: 54bd0f4c7f4773abeac610a046145dd54db69d67d9d259766223eb34ae22f141
Instruction ID: 758910c383695e65b27c59b85ba901eb1f1277dec6a81b083b01a51fec5d18c0
Opcode Fuzzy Hash: 54bd0f4c7f4773abeac610a046145dd54db69d67d9d259766223eb34ae22f141
Instruction Fuzzy Hash: D311A071A00303ABE734AB28BD09BAB3AE9AB94B10F900525FB54951E4DBB0D440C756

Function 01057DF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

?New@FunctionTemplate@v8@@SA?AV?$Local@VFunctionTemplate@v8@@@2@P6A?AV?$Handle@VValue@v8@@@2@ABVArguments@2@@ZV42@V?$Handle@VSignature@v8@@@2@@Z.FOPHOLDE(01057F3C,00000000,00000000,00000000,?,?,?,01057F3C), ref: 01057E3F

Strings

CHECK(%s) failed, xrefs: 01057DFE, 01057E54
allow_empty_handle || that != 0, xrefs: 01057DF9, 01057E4F
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h, xrefs: 01057E08, 01057E5E

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FunctionHandle@$Arguments@2@@Local@New@Signature@v8@@@2@@Template@v8@@Template@v8@@@2@V42@Value@v8@@@2@
String ID: CHECK(%s) failed$allow_empty_handle || that != 0$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\deps\v8\src\api.h
API String ID: 3432277103-1498802491
Opcode ID: 585d73ca9c9572417f364ce797aa664a114368b7fb68a0c26315c5322a3c9ede
Instruction ID: 869349d68f9b3900e785f442e2c36459262824e814170c3fe78fbbc6d7daaac9
Opcode Fuzzy Hash: 585d73ca9c9572417f364ce797aa664a114368b7fb68a0c26315c5322a3c9ede
Instruction Fuzzy Hash: C4014471B403016BC755DB1C9C82F93B3F0AB48318F56048CE9A4AB782EB71E8128780

Function 0104F590 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44networkCOMMON

Download Yara Rule

APIs

WSAIoctl.WS2_32(?,48000022,00000000,00000000,?,00000004,?,00000000,00000000), ref: 0104F5CA
CancelIo.KERNEL32(?), ref: 0104F603

Strings

src\win\tcp.c, xrefs: 0104F5EC
socket != 0 && socket != INVALID_SOCKET, xrefs: 0104F5F1

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CancelIoctl
String ID: socket != 0 && socket != INVALID_SOCKET$src\win\tcp.c
API String ID: 85314004-1900506180
Opcode ID: a2f755d95995d9a53bb52f0da0838db07e1676fa5c7e305af519ec8981ed60c3
Instruction ID: 1b0296e21e8512d17282cbb774411c68dd40a9959aa923ee94727dd252f8edad
Opcode Fuzzy Hash: a2f755d95995d9a53bb52f0da0838db07e1676fa5c7e305af519ec8981ed60c3
Instruction Fuzzy Hash: A001DB70744202ABE610EF28EC85F2637E5AF80B11F64C72CFBA0D51D4D771D4198791

Function 0104CDD0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

SetConsoleCtrlHandler.KERNEL32(0104CC70,00000000,0104CEAE), ref: 0104CD39

Strings

0 && "Invalid signum", xrefs: 0104CDF3
uv__signal_control_handler_refs == 1, xrefs: 0104CD25
src\win\signal.c, xrefs: 0104CD20, 0104CD48, 0104CDEE

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ConsoleCtrlHandler
String ID: 0 && "Invalid signum"$src\win\signal.c$uv__signal_control_handler_refs == 1
API String ID: 1513847179-3642529354
Opcode ID: 93d376429af40f1a9915cf884737af4f4bf704d14a9ae107c59f55a1ef4930ff
Instruction ID: 19067d7ec2a9361d8e2d53d91cb198c207852a87b1bd690b60fd2275f10b9312
Opcode Fuzzy Hash: 93d376429af40f1a9915cf884737af4f4bf704d14a9ae107c59f55a1ef4930ff
Instruction Fuzzy Hash: 7FF0B4F3BC2311BBF22436166E47B243A50A3B0B05F5440BCF9C9682D2D2E209544586

Function 06652800 Relevance: 6.6, Strings: 5, Instructions: 367COMMON

Download Yara Rule

Strings

YRPh, xrefs: 06652AE3, 06652B03, 06652B19, 06652B3C, 06652B6C, 06652B8F, 06652BBF, 06652BE2, 06652C12, 06652C35
"B$, xrefs: 06652A4E
q"B$, xrefs: 06652940
Q"B$, xrefs: 06652904
a"B$, xrefs: 06652922

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: Q"B$$YRPh$a"B$$q"B$$"B$
API String ID: 0-604783836
Opcode ID: 4316d695909eab3125d553d1653bd29913ecb696c490f4470e813a16501c9d52
Instruction ID: 77071c086f4e3af4f954385e3305c947eb5e24d58fccd5f346d61c968bb63b68
Opcode Fuzzy Hash: 4316d695909eab3125d553d1653bd29913ecb696c490f4470e813a16501c9d52
Instruction Fuzzy Hash: BDB1F371704000DFD7E4EA6ACCD19AE7B9CBB48614F12582AEC54DF321E322EE1687C2

Function 06667DA0 Relevance: 6.3, Strings: 5, Instructions: 55COMMON

Download Yara Rule

Strings

eWB$, xrefs: 06667DC9
yWB$, xrefs: 06667DB8
QWB$, xrefs: 06667E08
!WB$, xrefs: 06667DDC
Q/B$, xrefs: 06667E13

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: !WB$$Q/B$$QWB$$eWB$$yWB$
API String ID: 0-544215912
Opcode ID: d0d59d6974b3467b92beb891cb435c41959ddc891ae2bafd9957e6102195f1b5
Instruction ID: 20e036888defabc514878744796949e247f84a75d9a389b80fb4822669275def
Opcode Fuzzy Hash: d0d59d6974b3467b92beb891cb435c41959ddc891ae2bafd9957e6102195f1b5
Instruction Fuzzy Hash: F911A379604208ABCF81BE61ADD196E3F22BFD4364F144809FC14AB351C935ECE1A7E9

Function 01040EC0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

GetConsoleScreenBufferInfo.KERNEL32(00000000,?), ref: 01040F1C
GetLastError.KERNEL32 ref: 01040F26

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: BufferConsoleErrorInfoLastScreen
String ID:
API String ID: 1230849819-0
Opcode ID: 8dc5712e0bca9025275fbb94d0535ce61b7524e8d87c0c744c9eac58bc3e291b
Instruction ID: e6b2ae7ecb7d3dbffec561fad21b367902f2beff36361c19f968c6dea82a0b25
Opcode Fuzzy Hash: 8dc5712e0bca9025275fbb94d0535ce61b7524e8d87c0c744c9eac58bc3e291b
Instruction Fuzzy Hash: CA511AB1600B019FE364DF29D094757FBF1BF98314F508A2EE1A687690D7B5A089CF81

Function 010690D0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 01069117
TlsSetValue.KERNEL32(00000002), ref: 01069139

Strings

Entering the V8 API without proper locking in place, xrefs: 01069181
V8::TerminateExecution(), xrefs: 01069186

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value
String ID: Entering the V8 API without proper locking in place$V8::TerminateExecution()
API String ID: 3702945584-4017130779
Opcode ID: 7f70a6fada0ec3b3a0b7716763d91079617a3ca0de640c7f4f0386ce8d74728f
Instruction ID: 797241518b52b290b2a96c37dad19331e77e2e954a66a8754452aa2e36350e44
Opcode Fuzzy Hash: 7f70a6fada0ec3b3a0b7716763d91079617a3ca0de640c7f4f0386ce8d74728f
Instruction Fuzzy Hash: 9A31A335204651CFD331CF1CE448A91B7F5FB85324F9946ACE49A8B6A1C3B6AC86CB50

Function 0103D4D0 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

WSASocketW.WS2_32(?,?,?,?,?,00000001), ref: 0103D54F
SetHandleInformation.KERNEL32(00000000,00000001,00000000,?,?), ref: 0103D561
CreateIoCompletionPort.KERNEL32(00000000,?,00000000,00000000,?,?), ref: 0103D570
closesocket.WS2_32(00000000), ref: 0103D57B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CompletionCreateHandleInformationPortSocketclosesocket
String ID:
API String ID: 2454369209-0
Opcode ID: 9c6076fadac9687226b2621cccc46cdc6eb79e8e62c8bd810ee6437d5a529fba
Instruction ID: 1188c0ef932c609a6c7d004d97c113ddc299f9aa0fc568a5a93f4f470a0c5255
Opcode Fuzzy Hash: 9c6076fadac9687226b2621cccc46cdc6eb79e8e62c8bd810ee6437d5a529fba
Instruction Fuzzy Hash: 6A21F632B002109BD7209E6CFC44B9A7BAAFFC1734F410665FE65A72E0D721DD598791

Function 0124486C Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0124488B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 5c91c19e78b1e95781b6c5560da74d8bd660da52a28ee8b2270d565c92c67280
Instruction ID: 2d42cea546a6be015cc09c47e44b2da2f7e7d5ac171909472e76d935bf267a67
Opcode Fuzzy Hash: 5c91c19e78b1e95781b6c5560da74d8bd660da52a28ee8b2270d565c92c67280
Instruction Fuzzy Hash: CA1129324356A7EBEB3D3F74BC087693BD8AF14260F104536FA489A190DF308890C790

Function 0103F660 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000), ref: 0103F6A4
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,00000000,00000000,00000000), ref: 0103F6D3
_free.LIBCMT ref: 0103F6E0

Part of subcall function 01240441: RtlFreeHeap.NTDLL(00000000,00000000,7534EA60,0103B28A,?,?,00000000), ref: 01240455
Part of subcall function 01240441: GetLastError.KERNEL32(?,?,00000000), ref: 01240467

_free.LIBCMT ref: 0103F6F4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free$ByteCharErrorFileFreeHeapLastModuleMultiNameWide
String ID:
API String ID: 2975019517-0
Opcode ID: d912a6492f70181d43b2dba45e766ff216bc723c4d4df00391b9e74257e91486
Instruction ID: f45410617fd8f72947a2576bea5af85e3f3249624164e4b7c4c433ea4d83339a
Opcode Fuzzy Hash: d912a6492f70181d43b2dba45e766ff216bc723c4d4df00391b9e74257e91486
Instruction Fuzzy Hash: 61110672A0522267E771593CAC40B7B76D8EFC5B31F240779FAA4D72D0EBA0D8009693

Function 01082960 Relevance: 6.1, APIs: 4, Instructions: 66timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,01082CC3,?,?,?), ref: 0108297A
timeGetTime.WINMM(?,?,?,?,?,?,?,?,01082CC3,?,?,?,?,?,?,?), ref: 01082980
GetSystemTimeAsFileTime.KERNEL32(01432938,?,?,?,?,?,?,?,?,01082CC3,?,?,?), ref: 010829E8
timeGetTime.WINMM(?,?,?,?,?,?,?,?,01082CC3,?,?,?,?,?,?,?), ref: 010829EE

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Time$FileSystemtime
String ID:
API String ID: 760089506-0
Opcode ID: a8f0f0be9fc6f8af14bc1b0ef8dddda3311e9926e8bf016ef02e20a0b757e96d
Instruction ID: 90cd152d71237a51204f5c453eca79ec3f7a64f2226dcfd9ac2a55f73e5051b8
Opcode Fuzzy Hash: a8f0f0be9fc6f8af14bc1b0ef8dddda3311e9926e8bf016ef02e20a0b757e96d
Instruction Fuzzy Hash: AF21A23670A200CFC328EF2CF54465A7BE5EBC4391F1484AAE5C5C33B9D6759844CB61

Function 01055870 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Strings

HandleScope::HandleScope, xrefs: 01055920
Entering the V8 API without proper locking in place, xrefs: 0105591B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value
String ID: Entering the V8 API without proper locking in place$HandleScope::HandleScope
API String ID: 3702945584-1326200472
Opcode ID: d409dfb1acaf2e7fe9f39246ebbf5682bb5cac4b618145acc19ef8d000fa36c7
Instruction ID: 5cd3f5f1ee27d91a3cb0e105db4ba8fe11541ea1bd7eda0cea8d588466fa92d6
Opcode Fuzzy Hash: d409dfb1acaf2e7fe9f39246ebbf5682bb5cac4b618145acc19ef8d000fa36c7
Instruction Fuzzy Hash: 4E210531204551DFD3728F19E844BA2BBF1FB06724F8941B8E8499B762C3B9AC95CB90

Function 0106AD70 Relevance: 6.1, APIs: 4, Instructions: 57synchronizationthreadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 010740F3
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01074103
GetCurrentThreadId.KERNEL32 ref: 01074116
WaitForSingleObject.KERNEL32(?,000000FF), ref: 01074126

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CurrentObjectSingleThreadWait
String ID:
API String ID: 1728940165-0
Opcode ID: 4b9af73c10a659aa13e33d5d4a710d6a1d8ab57a18fe60554e0d2d97b1234589
Instruction ID: 658e9809bcdb392992dfcb42a430fcf44f0127bb793a9381c09ec480bfde61dd
Opcode Fuzzy Hash: 4b9af73c10a659aa13e33d5d4a710d6a1d8ab57a18fe60554e0d2d97b1234589
Instruction Fuzzy Hash: 4521B438600611EFD721AF28E648AA9B7F2FF59321F0541A8E55797AA0CB74BC51CF80

Function 01059670 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 0105968A

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?Exception@TryCatch@v8@@QBE?AV?$Local@VValue@v8@@@2@XZ.FOPHOLDE(?), ref: 01059696
?CreateHandle@HandleScope@v8@@SAPAPAVObject@internal@2@PAV342@@Z.FOPHOLDE(?,?), ref: 010596A3
?ThrowException@v8@@YA?AV?$Handle@VValue@v8@@@1@V21@@Z.FOPHOLDE(?,?,?), ref: 010596C6

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: HandleHandle@Scope@v8@@Value$Catch@v8@@CreateException@Exception@v8@@Local@Object@internal@2@ThrowV21@@V342@@Value@v8@@@1@Value@v8@@@2@
String ID:
API String ID: 487482110-0
Opcode ID: 21f7531f37f783641eca0ebff542b4ce19e828936a5fae32331232966ab9a777
Instruction ID: e61150c26959ace0fd25c6762fc3ef80032d0b0464a2b521c7b7ba4b2c601d72
Opcode Fuzzy Hash: 21f7531f37f783641eca0ebff542b4ce19e828936a5fae32331232966ab9a777
Instruction Fuzzy Hash: 44115E755082058BD750DF68D4486D6BBF8FB48358F2806BEE88D8B681DB72A845CB92

Function 01041180 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

GetConsoleScreenBufferInfo.KERNEL32(?,?), ref: 010411A5
GetLastError.KERNEL32 ref: 010411AF
EnterCriticalSection.KERNEL32(01432470), ref: 010411E1
LeaveCriticalSection.KERNEL32(01432470), ref: 010411F5

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$BufferConsoleEnterErrorInfoLastLeaveScreen
String ID:
API String ID: 1301423563-0
Opcode ID: fee4614416a619690bd69fb2a83a0b419bbd24f33755d141ea625a7526479295
Instruction ID: 8ae0b85ca1809e04c77453993e912ec03a1dc74ffaeb265f034b806f785ba8c3
Opcode Fuzzy Hash: fee4614416a619690bd69fb2a83a0b419bbd24f33755d141ea625a7526479295
Instruction Fuzzy Hash: 5F11A575204201DF8710EF38E48495AFBE5FF9C624F91866AF595D3261D730E981CBA2

Function 010454B0 Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000401,00000000,?), ref: 010454C4
GetLastError.KERNEL32 ref: 010454D6
GetLastError.KERNEL32 ref: 010454E9
CloseHandle.KERNEL32(00000000), ref: 0104550A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ErrorLast$CloseHandleOpenProcess
String ID:
API String ID: 4095320474-0
Opcode ID: 12028436c736e7340ce96f539a6798f49af33f46b4c512c86e554bc1bdb93300
Instruction ID: 00b9f826130195ae89de34d36087f1d2892f5e3185a7d88b239e0b4899681930
Opcode Fuzzy Hash: 12028436c736e7340ce96f539a6798f49af33f46b4c512c86e554bc1bdb93300
Instruction Fuzzy Hash: 8DF0C8767001195B8720AAAEBCC55AAB7C9EBC8172F5482B7EE4CD72C0DD719C0143E4

Function 01051230 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,?,00000000), ref: 0105125C
GetLastError.KERNEL32 ref: 01051269

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ConditionErrorLastSleepVariable
String ID:
API String ID: 3520462461-0
Opcode ID: 10317b411c20bcc054dacc01365d507483d978c14aae02dd3c9c89cf7fbeb2c2
Instruction ID: 718dabacb37dd22716e5d51a4a2c1537ab5bf4c6b127c186f01846a2f9a79454
Opcode Fuzzy Hash: 10317b411c20bcc054dacc01365d507483d978c14aae02dd3c9c89cf7fbeb2c2
Instruction Fuzzy Hash: F901B170264303ABEB69AB30EC05B6B7BA5AF90720F148568FB59940D1EF70C481CB11

Function 00F49E90 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F49EB6

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value$HandleScope@v8@@
String ID:
API String ID: 2989282254-0
Opcode ID: af2415fe34cf5f66dd8be338a027a583ef6e595831a9e3f6f36c0de5b4ea8996
Instruction ID: 2e33e43a14570ab18b1a93dbf7c8e64c5c5b27a0218ffc8e5a07a14e9eda3f7e
Opcode Fuzzy Hash: af2415fe34cf5f66dd8be338a027a583ef6e595831a9e3f6f36c0de5b4ea8996
Instruction Fuzzy Hash: 0501DB719142019BC720DF18EC04E9777ACAB59334F104729F8A4D72E0EA70AE448B91

Function 01050DC0 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

TryEnterCriticalSection.KERNEL32(?), ref: 01050DE1
TryEnterCriticalSection.KERNEL32(?), ref: 01050DF5
LeaveCriticalSection.KERNEL32(?), ref: 01050E02

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$Enter$Leave
String ID:
API String ID: 2801635615-0
Opcode ID: e04a82588870f82a95c4de6c61709eedbaaee7c6a95b2afa876b0803ea130802
Instruction ID: 97d28dfd96f79c5bb360bf0d35dae34d301fae50ecb62d03d24508e09475c2d8
Opcode Fuzzy Hash: e04a82588870f82a95c4de6c61709eedbaaee7c6a95b2afa876b0803ea130802
Instruction Fuzzy Hash: 20F0903A300511DBDBB05A2AFC4CAAB77E9EFC4312B064666F991C24E9CB30D445E7B1

Function 010510F0 Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

RtlWakeAllConditionVariable.NTDLL(?), ref: 010510FD
EnterCriticalSection.KERNEL32(?), ref: 0105110F
LeaveCriticalSection.KERNEL32(?), ref: 0105111C
SetEvent.KERNEL32(?), ref: 01051129

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$ConditionEnterEventLeaveVariableWake
String ID:
API String ID: 2736521134-0
Opcode ID: e2c204a64f59ca2ceb827a205c72141d274f47b4edb13472d14a2fc268d6c168
Instruction ID: c21aadfee5e7965f3361732e215669d541b6ef8010651d139ab9a6e24aa8a918
Opcode Fuzzy Hash: e2c204a64f59ca2ceb827a205c72141d274f47b4edb13472d14a2fc268d6c168
Instruction Fuzzy Hash: ACE09276200110EBCB215B18F98CACABBB5FB8D702B008594F649D5069C7344400DB61

Function 00F49E00 Relevance: 6.0, APIs: 4, Instructions: 24COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F49E0E

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

?NewSymbol@String@v8@@SA?AV?$Local@VString@v8@@@2@PBDH@Z.FOPHOLDE(?,?,000000FF), ref: 00F49E1D
?MakeCallback@node@@YA?AV?$Handle@VValue@v8@@@v8@@V?$Handle@VObject@v8@@@3@V?$Handle@VString@v8@@@3@HQAV23@@Z.FOPHOLDE(?,?,00000000,?,?), ref: 00F49E35

Part of subcall function 00F49D50: ??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F49D5E
Part of subcall function 00F49D50: ?Get@Object@v8@@QAE?AV?$Local@VValue@v8@@@2@V?$Handle@VValue@v8@@@2@@Z.FOPHOLDE(?), ref: 00F49D73

?RawClose@HandleScope@v8@@AAEPAPAVObject@internal@2@PAPAV342@@Z.FOPHOLDE(?), ref: 00F49E45

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Handle@$HandleScope@v8@@$Local@Value$Callback@node@@Close@Get@MakeObject@internal@2@Object@v8@@Object@v8@@@3@String@v8@@String@v8@@@2@String@v8@@@3@Symbol@V23@@V342@@Value@v8@@@2@Value@v8@@@2@@Value@v8@@@v8@@
String ID:
API String ID: 899109653-0
Opcode ID: 49ff6ff4600bc1a3d84e4560f840cb90e65c771820a981f3dde93761be6414ec
Instruction ID: 7a2e8d8117573beb5a0c894572948fa081d0adc5f83e96dbf2e623c98cd6b262
Opcode Fuzzy Hash: 49ff6ff4600bc1a3d84e4560f840cb90e65c771820a981f3dde93761be6414ec
Instruction Fuzzy Hash: 17E0C07241420BABCF01FF64DC05C8B7B69AF54314F540A14B9A4511B5EB31E628DB92

Function 01050D80 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

RtlAcquireSRWLockShared.NTDLL(?), ref: 01050D8D
EnterCriticalSection.KERNEL32(?), ref: 01050D9A
EnterCriticalSection.KERNEL32(?), ref: 01050DAD
LeaveCriticalSection.KERNEL32(?), ref: 01050DB4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$Enter$AcquireLeaveLockShared
String ID:
API String ID: 1829403526-0
Opcode ID: 76b9b3f06b06a6706af2bb3da5a9cd06cf8e9d219420814d1b90889e40f2a46d
Instruction ID: f49aa2a209d04a2728e513713167513d7ceae8a74a0dd06dbb98c45907335e13
Opcode Fuzzy Hash: 76b9b3f06b06a6706af2bb3da5a9cd06cf8e9d219420814d1b90889e40f2a46d
Instruction Fuzzy Hash: DEE04F31000610EBCB755B54F64C5CEB7FAFF04302B418844F5424246AC734A545CF61

Function 01050E20 Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

RtlReleaseSRWLockShared.NTDLL(?), ref: 01050E2D
EnterCriticalSection.KERNEL32(?), ref: 01050E3A
LeaveCriticalSection.KERNEL32(?), ref: 01050E49
LeaveCriticalSection.KERNEL32(?), ref: 01050E50

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalSection$Leave$EnterLockReleaseShared
String ID:
API String ID: 1029539428-0
Opcode ID: 09c0f685368a56e0cd08a7c857315b68ec4f2c4346bdd703f73217d37bbd135a
Instruction ID: e22c6b1abfd3a25d7bf7bc99b68ec490b39a82c91800aea4f5cdecddf90be890
Opcode Fuzzy Hash: 09c0f685368a56e0cd08a7c857315b68ec4f2c4346bdd703f73217d37bbd135a
Instruction Fuzzy Hash: FDE08C31000110EFCFB1AB14F50C5CFBBB9FF54302B118844F546820AAC334A440DBA1

Function 0108D960 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 215COMMON

Download Yara Rule

Strings

interceptor-named-has, xrefs: 0108DBA4
interceptor-named-get-has, xrefs: 0108DB26

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: interceptor-named-get-has$interceptor-named-has
API String ID: 0-2474282865
Opcode ID: fa22c758729895545ad602011ba78e73e73033faf76fdc07967a0f6ee75a3c6b
Instruction ID: 9de5d40a812bfcd5dac9ace59f43e15cbd953e7be9476ccd8d56c8e4a1869682
Opcode Fuzzy Hash: fa22c758729895545ad602011ba78e73e73033faf76fdc07967a0f6ee75a3c6b
Instruction Fuzzy Hash: C3A112756087019FC715DF68C480A9ABBF1FF88314F148AAEE8A99B391D731E945CF81

Function 01068ED0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

Strings

Malloced operator new, xrefs: 010D30B0, 010D3122
v8::V8::AddLeaveScriptCallback(), xrefs: 01068F15

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: Malloced operator new$v8::V8::AddLeaveScriptCallback()
API String ID: 0-832697358
Opcode ID: e69ed814d74d8ffbafa56365f42d1230a860bf839e4fdfdb394453f367a4e6e4
Instruction ID: dacfb8925cf46b3307f289eed73f21f259191a2532984bd940830fd387bd365f
Opcode Fuzzy Hash: e69ed814d74d8ffbafa56365f42d1230a860bf839e4fdfdb394453f367a4e6e4
Instruction Fuzzy Hash: 76310FB52003028BEB759F5CE4A0BBA77E5FF85314F80886DEAC64B661C775A885CB41

Function 010FA120 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010FA1E3

Strings

debug-queue-event,%s,%15.3f,%s, xrefs: 010FA1FE
Out of memory, xrefs: 010FA166

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Out of memory$debug-queue-event,%s,%15.3f,%s
API String ID: 885266447-105998847
Opcode ID: 9c4e239cf83024e19de42100f5fbd09846953b0134e973cc36e1c8bb59df5ef1
Instruction ID: 9833842d83d3b014fce7f84b7382c1631ab7ab5aa892a0e3fb3b78281222cc36
Opcode Fuzzy Hash: 9c4e239cf83024e19de42100f5fbd09846953b0134e973cc36e1c8bb59df5ef1
Instruction Fuzzy Hash: CF31E131A043419FCB15EF28C886BABBBE5FF95314F04495CF98987291D731E854CB92

Function 0107D020 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 0107D06F
CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,00000000), ref: 0107D0A0

Strings

Malloced operator new, xrefs: 0107D0C0, 0107D0F4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CreateSemaphore
String ID: Malloced operator new
API String ID: 1078844751-3527538379
Opcode ID: 04fd4b7ad502e3be9477cd9dead11efd3179b4352b602fbfbf469a1f93a614e7
Instruction ID: a54a8c8118e5e76f9dca7e3cf45bd9dcaca81e8e10eba0497fef3886b4618c0c
Opcode Fuzzy Hash: 04fd4b7ad502e3be9477cd9dead11efd3179b4352b602fbfbf469a1f93a614e7
Instruction Fuzzy Hash: 7731A0B1900701AFE3B09F25E945757BEE0BF44754F10491DE5CA8B6D0E7B5E009CB95

Function 0105F8C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

Strings

Arguments, xrefs: 0105FA1F
[object ], xrefs: 0105FABA

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID:
String ID: Arguments$[object ]
API String ID: 0-3642378227
Opcode ID: 77362d6ec23c1ba809a15d63060d50c6f8ef2c8b785958cb0b71298081616095
Instruction ID: f162ed63adc31f6b1931bde51ec2bc29ce546b8f339ef4eab5b2016e854a72e6
Opcode Fuzzy Hash: 77362d6ec23c1ba809a15d63060d50c6f8ef2c8b785958cb0b71298081616095
Instruction Fuzzy Hash: BB2105766046129FDB62DF1CC880BAAB7F1EB45324F4542B9EC988F386C735AC01CB85

Function 0103B200 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 01050C50: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,0103B1F8), ref: 01050BBF
Part of subcall function 01050C50: SetEvent.KERNEL32(00000000), ref: 01050BE0

Part of subcall function 01051290: FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000,0142F7D8,00000000,00000000,01050C45,?,?,?,0103B1F8), ref: 01051635
Part of subcall function 01051290: LocalFree.KERNEL32(?), ref: 01051689

closesocket.WS2_32(00000000), ref: 0103B27C
_free.LIBCMT ref: 0103B285

Strings

malloc, xrefs: 0103B234

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Event$CreateFormatFreeLocalMessage_freeclosesocket
String ID: malloc
API String ID: 4194484076-2803490479
Opcode ID: 6448c53b23c19413296b4dca8daeab41587ec0245e5a1298549e3f5a48978e2d
Instruction ID: 3a075cc2f7f53cbf2860fe2f2ae87108bfe3318b0bd5152e5f269401b3776339
Opcode Fuzzy Hash: 6448c53b23c19413296b4dca8daeab41587ec0245e5a1298549e3f5a48978e2d
Instruction Fuzzy Hash: 42014932A0012413DA60656C6C447AF76CCDBC1234F9407A1EE9C97695DB24E885C3A5

Function 00F50C20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

??0HandleScope@v8@@QAE@XZ.FOPHOLDE ref: 00F50C2F

Part of subcall function 01055870: TlsGetValue.KERNEL32(?,?,?,?,00F423D3), ref: 010558B1
Part of subcall function 01055870: TlsSetValue.KERNEL32(00000002,?,?,?,?,00F423D3), ref: 010558D3

Strings

Argument must be a string, xrefs: 00F50DB4

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value$HandleScope@v8@@
String ID: Argument must be a string
API String ID: 2989282254-877334576
Opcode ID: 085dff1e201c262c8e2119126077c104ec2d7fd8e5f73463dac1a22dc58bb5a1
Instruction ID: ae79bb1bfd541b5a53628345683074df1b5fd47e058ee4473292c6fb74f4c0bf
Opcode Fuzzy Hash: 085dff1e201c262c8e2119126077c104ec2d7fd8e5f73463dac1a22dc58bb5a1
Instruction Fuzzy Hash: 1A11B435A086018FDB10DE68C4446DAB7F4EB45364F58446DED9D8B392CB31FC4ADB81

Function 0104FB00 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

closesocket.WS2_32(?), ref: 0104FB29

Strings

!((handle)->flags & UV__HANDLE_CLOSING), xrefs: 0104FB3F
src\win\udp.c, xrefs: 0104FB3A

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: closesocket
String ID: !((handle)->flags & UV__HANDLE_CLOSING)$src\win\udp.c
API String ID: 2781271927-2377364951
Opcode ID: 323f9b28f8ad34ff0d0f9cac91e994e50e5891f061c92bc0843ef01bc4366ed5
Instruction ID: a0ca419fc808d2441bbb2153f2892e12fe5ae082e8972c59daebef8e533a46fc
Opcode Fuzzy Hash: 323f9b28f8ad34ff0d0f9cac91e994e50e5891f061c92bc0843ef01bc4366ed5
Instruction Fuzzy Hash: 6B018CB1600B028FE7719F1DD598B52BBE0BF46758F04896DE8C69BA61C370E845CF80

Function 00FB23A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00FB2290: GetStdHandle.KERNEL32(000000F4), ref: 00FB22A6
Part of subcall function 00FB2290: GetFileType.KERNEL32(00000000), ref: 00FB22B1
Part of subcall function 00FB2290: __vfwprintf_p.LIBCMT ref: 00FB22D3

_raise.LIBCMT ref: 00FB23B2

Strings

openssl\crypto\cryptlib.c, xrefs: 00FB23A5
%s(%d): OpenSSL internal error, assertion failed: %s, xrefs: 00FB23A6

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: FileHandleType__vfwprintf_p_raise
String ID: %s(%d): OpenSSL internal error, assertion failed: %s$openssl\crypto\cryptlib.c
API String ID: 3440442494-236469361
Opcode ID: bba936f9cba376738b3bc19fb292fc918727007b2d56fba1dddc6f89186827df
Instruction ID: a0fa89c3fc13def106eaee54eb5ec8b1579b16fc12eaf8c11d877abe02cd230c
Opcode Fuzzy Hash: bba936f9cba376738b3bc19fb292fc918727007b2d56fba1dddc6f89186827df
Instruction Fuzzy Hash: 06E068618951212FEB0927259C12FF7B7D8CF95724F0C408CF4889A54285625D05AAB0

Function 0104D0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

uv_signal_stop.FOPHOLDE(?,?,?,0103CEC3), ref: 0104D0D7

Part of subcall function 0104CE90: EnterCriticalSection.KERNEL32(014324C8), ref: 0104CEA0

Strings

!((handle)->flags & UV__HANDLE_CLOSING), xrefs: 0104D0EF
src\win\signal.c, xrefs: 0104D0EA

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: CriticalEnterSectionuv_signal_stop
String ID: !((handle)->flags & UV__HANDLE_CLOSING)$src\win\signal.c
API String ID: 3347067879-1774027725
Opcode ID: 21035fc8e03e24b01f9553401dfb6c27b9333a0213dd62d198667f1d431d5f05
Instruction ID: cb7698acf0c822a964d68379d673201b853fb3b6d04c6ee12f96f335c4c1afb5
Opcode Fuzzy Hash: 21035fc8e03e24b01f9553401dfb6c27b9333a0213dd62d198667f1d431d5f05
Instruction Fuzzy Hash: B0F0D1B2900B005FE7719F19D581742BBE0EF61354F00453DEC8686B61D370E446CB80

Function 00F48370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

?IsObject@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F4837A

Strings

val->IsObject(), xrefs: 00F4838A
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h, xrefs: 00F48385

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Object@Value@v8@@
String ID: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h$val->IsObject()
API String ID: 2818402800-2998431498
Opcode ID: 18253338de262314e64f5f3bf06501cab6789ac4935e9706f8cc4290ef2662cd
Instruction ID: 9dca53dbab682e0540300bbe53bc9fb7da1e298c58b10296ca48c214f0ee6eb9
Opcode Fuzzy Hash: 18253338de262314e64f5f3bf06501cab6789ac4935e9706f8cc4290ef2662cd
Instruction Fuzzy Hash: 35D01236B907266BCD253B0158115BE77594FA9EE0F05006EEFC6BB3C0DA927C5106D9

Function 00F42310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

?ClearWeak@V8@v8@@CAXPAPAVObject@internal@2@@Z.FOPHOLDE(?), ref: 00F42333

Strings

!handle_.IsEmpty(), xrefs: 00F42320
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h, xrefs: 00F4231B

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: ClearObject@internal@2@@V8@v8@@Weak@
String ID: !handle_.IsEmpty()$c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_object_wrap.h
API String ID: 4133664180-1359079279
Opcode ID: a491607ab77a579d476ec4079a56b9dc21dd7f3c27bf1969dda9b47a9c217d38
Instruction ID: 207555f70988168143bdf7d1eb154c56769f15fd4e4e1dadb57cf9e9956e6bc6
Opcode Fuzzy Hash: a491607ab77a579d476ec4079a56b9dc21dd7f3c27bf1969dda9b47a9c217d38
Instruction Fuzzy Hash: 75D02271C60B216FC7693A04BE12B9337A48B30B21F05803DFC5B361D0FAA8B8D99681

Function 00F48310 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 15COMMON

Download Yara Rule

APIs

?IsObject@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F4831A

Strings

val->IsObject(), xrefs: 00F4832A
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h, xrefs: 00F48325

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Object@Value@v8@@
String ID: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h$val->IsObject()
API String ID: 2818402800-2998431498
Opcode ID: 7f503dd9a0837a271a07e4c5d6b75e6121a43a70a83976ff87a546533a2f6351
Instruction ID: 83f523bb01aeec249167597e8e5e0878d765513862cdc25db04defb9e5b51dac
Opcode Fuzzy Hash: 7f503dd9a0837a271a07e4c5d6b75e6121a43a70a83976ff87a546533a2f6351
Instruction Fuzzy Hash: 33D01236B94326ABDD15370159119FE77594FA8EE0F04006EEECABB3C0DA957C5102D9

Function 0104C450 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0104C473

Strings

handle->type == UV_TIMER, xrefs: 0104C465
src\win\pipe.c, xrefs: 0104C460

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: _free
String ID: handle->type == UV_TIMER$src\win\pipe.c
API String ID: 269201875-1006409096
Opcode ID: 41430aca2fd169a89cb0af34854e19f3ac973411e865f1c8cc0e42bfccf27ca6
Instruction ID: ca37d94c8e9a71ab1b7eb72d463a4df32bec00ac1f9fe8c0cb6000651de7a808
Opcode Fuzzy Hash: 41430aca2fd169a89cb0af34854e19f3ac973411e865f1c8cc0e42bfccf27ca6
Instruction Fuzzy Hash: BFC022B2901231ABD00032053C02CE726808BD5214F48803CF54835610E3A25D8085C7

Function 00F48340 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 11COMMON

Download Yara Rule

APIs

?IsObject@Value@v8@@QBE_NXZ.FOPHOLDE ref: 00F48344

Strings

val->IsObject(), xrefs: 00F48354
c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h, xrefs: 00F4834F

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Object@Value@v8@@
String ID: c:\workspace\iojs+release\nodes\win2008r2-release-ia32\src\node_buffer.h$val->IsObject()
API String ID: 2818402800-2998431498
Opcode ID: a458d50c4e4784864585ab9b397b3170a265aeb07424571d63a2fdd4ae75afdd
Instruction ID: c9fb949540edceb1a226bef36c54e113c1f5c6b6942c80dc2b5022c7c86fb858
Opcode Fuzzy Hash: a458d50c4e4784864585ab9b397b3170a265aeb07424571d63a2fdd4ae75afdd
Instruction Fuzzy Hash: 9EC08C31B94706BFD928BB028D92A7E33251FE0E80F00002DFE867B2C0DA622C51A50A

Function 06665AE0 Relevance: 5.1, Strings: 4, Instructions: 144COMMON

Download Yara Rule

Strings

aOB$, xrefs: 06665C01
aOB$, xrefs: 06665C21
-OB$, xrefs: 06665C47
EOB$, xrefs: 06665C34

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: -OB$$EOB$$aOB$$aOB$
API String ID: 0-4203328821
Opcode ID: 7beb2209e893705bab2ddff14cc6eb9cf1158cd1d5a5dc0c4a69315959d0a75e
Instruction ID: c3075c567e19e65bcb68422f748e2f0f2675fd2c40991d45623d1218f6d48a77
Opcode Fuzzy Hash: 7beb2209e893705bab2ddff14cc6eb9cf1158cd1d5a5dc0c4a69315959d0a75e
Instruction Fuzzy Hash: BA41B374B04205AFDF80AFA5DD9096FBBA6BF88200B444819FC26EB340DE35EC5087A5

Function 06666280 Relevance: 5.1, Strings: 4, Instructions: 65COMMON

Download Yara Rule

Strings

!]B$, xrefs: 0666632E
]B$, xrefs: 06666308
\B$, xrefs: 066662F5
eWB$, xrefs: 0666631B

Memory Dump Source

Source File: 00000004.00000002.1487829029.000000000660A000.00000040.00001000.00020000.00000000.sdmp, Offset: 0660A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_660a000_fopholde.jbxd

Similarity

API ID:
String ID: ]B$$!]B$$eWB$$\B$
API String ID: 0-1691033587
Opcode ID: 12a38cef6f39091eb899e56ffa7eff13edbfbcdacf5797bc5158ac85aa3508ef
Instruction ID: 7fb9cb30663a79ab7d89159a7155ce8a9cd2944eb4ac6a637277fa6d2f651c14
Opcode Fuzzy Hash: 12a38cef6f39091eb899e56ffa7eff13edbfbcdacf5797bc5158ac85aa3508ef
Instruction Fuzzy Hash: 7611D23460470467DB81BE25ECA4A2A7F54AF41390F0C8D09FD60DF382CA39D8A1D79A

Function 010817B0 Relevance: 5.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,00F41C2E), ref: 010817C2
TlsGetValue.KERNEL32(?,?,?,?,00F41C2E), ref: 010817E7
TlsSetValue.KERNEL32(?), ref: 0108182E
TlsSetValue.KERNEL32(00000000), ref: 01081837

Memory Dump Source

Source File: 00000004.00000002.1485230564.0000000000F31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00F30000, based on PE: true

Associated: 00000004.00000002.1485164512.0000000000F30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485725540.0000000001262000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485875990.0000000001422000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485899496.0000000001425000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485917069.000000000142A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485938519.000000000142B000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.000000000142D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1485962703.0000000001434000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1486003466.0000000001435000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_f30000_fopholde.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4d9beec3891f67fec54a74a139ba42083410c4ef4d3da4b25b95de18303bbf0f
Instruction ID: 6c7b7c100160bad5a505ce58548f99ee22d0e2c06ed65181b87177f58e3b38a7
Opcode Fuzzy Hash: 4d9beec3891f67fec54a74a139ba42083410c4ef4d3da4b25b95de18303bbf0f
Instruction Fuzzy Hash: 14116B72B04214EFC721AFA9EC44996BBF4FF4476074440B6DA4487321DB72EC51CB90

Function 2F811C00 Relevance: 5.0, Strings: 4, Instructions: 49COMMON

Download Yara Rule

Strings

yWB$, xrefs: 2F811C6F
eWB$, xrefs: 2F811C2D
yWB$, xrefs: 2F811C4E
!WB$, xrefs: 2F811C1A

Memory Dump Source

Source File: 00000004.00000002.1488912883.000000002F80A000.00000040.00001000.00020000.00000000.sdmp, Offset: 2F80A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f80a000_fopholde.jbxd

Similarity

API ID:
String ID: !WB$$eWB$$yWB$$yWB$
API String ID: 0-1057758566
Opcode ID: d2402eb463b2120da98dafe95d99a1510e5e578757ae855286469b8beda58f7f
Instruction ID: 0e97bb16173b97b1ab653fd0bb7a9c9bd869ac42c3f8ccacbf40b118dc72c8ec
Opcode Fuzzy Hash: d2402eb463b2120da98dafe95d99a1510e5e578757ae855286469b8beda58f7f
Instruction Fuzzy Hash: DF01DE38308204AB8F80BA35A9E092D7F55AFC8224F648919F854EF300CC39C8D1629D

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\IXP000.TMP\bxskiicciwd.bat

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofgs.iiun

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofir.iiun

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofox.iiun

C:\Users\user\AppData\Local\Temp\IXP000.TMP\ekkmphakhofqv.iiun

C:\Users\user\AppData\Local\Temp\IXP000.TMP\fopholde.exe

C:\Users\user\AppData\Local\Temp\IXP000.TMP\gufcrfmk.iiun

C:\Users\user\AppData\Local\Temp\IXP000.TMP\lfssylb.iiun

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
file.exe

Function 00D53D86 Relevance: 40.6, APIs: 11, Strings: 12, Instructions: 309
libraryloaderCOMMON

Function 00D51BD3 Relevance: 38.8, APIs: 10, Strings: 12, Instructions: 295
memoryCOMMON

Function 00D52E59 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 185
synchronizationCOMMON

Function 00D55BD2 Relevance: 19.7, APIs: 13, Instructions: 219
COMMON

Function 00D530D6 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 119
libraryfileloaderCOMMON

Function 00D556B2 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 100
COMMON

Function 00D5249E Relevance: 12.1, APIs: 8, Instructions: 97
filestringCOMMON

Function 00D52143 Relevance: 42.2, APIs: 16, Strings: 8, Instructions: 180
registrylibrarymemoryCOMMON

Function 00D557ED Relevance: 31.7, APIs: 12, Strings: 6, Instructions: 247
memorystringCOMMON

Function 00D55200 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 121
windowCOMMON

Function 00D555D7 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
fileCOMMON

Function 00D56D50 Relevance: 13.6, APIs: 9, Instructions: 144
sleepCOMMON

Function 00D55B19 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
memoryfileCOMMON

Function 00D541E2 Relevance: 10.6, APIs: 7, Instructions: 96
processsynchronizationwindowCOMMON

Function 00D55411 Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 74
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre